Introduction

This blog post is my special RIP for my grandmother (Nyachula), written on the day of her send-off.

A tale of how it all started...

The whole story started months ago when, being an enthusiastic security researcher, I came across a vulnerability impacting MikroTik devices running the following RouterOS versions:

  • Longterm: 6.30.1 - 6.40.7
  • Stable: 6.29 - 6.42
  • Beta: 6.29rc1 - 6.43rc3

The vulnerability allowed an attacker to achieve remote code execution on vulnerable versions.

The exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an "option" package that enables the developer backdoor. Post-exploitation, the attacker can connect over Telnet or SSH as the root user "devel" with the admin's password. For more information on this vulnerability, read the advisory at https://blog.mikrotik.com/security/winbox-vulnerability.html

A working PoC for this vulnerability can be found at https://github.com/tenable/routeros/tree/master/poc/bytheway, which contains the compilation and usage instructions.

At that time, my then ISP was impacted by this particular vulnerability and, bingo, I was able to obtain admin credentials.

We can now successfully authenticate to the Mikrotik router.

And now we can obtain information such as SSIDs and WiFi passwords.

SSID and WiFi key

RADIUS server and secret key

Post Exploitation - Packet Sniffing

Now think about this: imagine if we could obtain every packet going through the gateway. That would be amazing: no need for ARP spoofing, because we would be listening on the router itself and capturing all traffic going through it.

Yeah, following this hypothesis, I was able to discover an inbuilt packet sniffer integrated in MikroTik. It worked fine except for one disadvantage: the router's memory is not big enough, so there is a size limitation on the pcap file.

On further research, I noticed that one could do remote packet streaming to a remote host running Wireshark.

Welcome TaZmen Sniffer Protocol (TZSP)

From Wikipedia: TZSP is an encapsulation protocol used to wrap other protocols. It is commonly used to wrap 802.11 wireless packets to support Intrusion Detection Systems (IDS), wireless tracking, or other wireless applications.

MikroTik's implementation encapsulates the captured frames in UDP datagrams and sends them to a remote host on UDP port 37008.
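As an added example (not code from the original post), a stdlib-only parser for the TZSP datagram format: it shows what a datagram arriving on UDP 37008 actually carries (version, type, encapsulated protocol, a tag list terminated by an END tag, then the inner frame) and rejects truncated or malformed input instead of returning partial data. The type, encapsulation and tag values are the protocol's documented ones, and the sample datagram is constructed for the example.

```python
import struct

# TZSP field values as documented for the protocol (assumed here; not from the original post)
TZSP_VERSION = 1
TZSP_TYPES = {0: "received-tag-list", 1: "packet-for-transmit", 3: "configuration",
              4: "keepalive", 5: "port-opener"}
TZSP_ENCAP = {1: "ethernet", 18: "ieee80211", 119: "prism", 127: "wlan-avs"}
TAG_PADDING, TAG_END = 0x00, 0x01
TAG_NAMES = {0x0A: "raw-rssi", 0x0B: "snr", 0x0C: "data-rate", 0x0D: "timestamp",
             0x11: "fcs-error", 0x12: "rx-channel", 0x28: "packet-count"}


def parse_tzsp(datagram):
    """Parse one TZSP UDP payload into (type, encapsulation, tags, inner_frame).
    Raises ValueError on truncated or malformed input so a collector can log and drop it."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError("unsupported TZSP version %d" % version)
    tags, off = {}, 4
    while True:                               # walk the tag list until END
        if off >= len(datagram):
            raise ValueError("tag list not terminated by END tag")
        tag = datagram[off]
        off += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:                # PADDING has no length byte
            continue
        if off >= len(datagram):
            raise ValueError("tag 0x%02x missing length byte" % tag)
        length = datagram[off]
        off += 1
        value = datagram[off:off + length]
        if len(value) != length:
            raise ValueError("tag 0x%02x truncated" % tag)
        off += length
        # unknown tags are still skipped correctly: every tag other than PADDING/END carries a length
        tags[TAG_NAMES.get(tag, "unknown-0x%02x" % tag)] = value
    return TZSP_TYPES.get(ptype, ptype), TZSP_ENCAP.get(encap, encap), tags, datagram[off:]


# Constructed sample datagram: version 1, type 0, Ethernet encapsulation, a PADDING tag,
# a 4-byte TIMESTAMP tag, END, then a minimal Ethernet frame (broadcast dst, IPv4 ethertype).
SAMPLE = (bytes([1, 0, 0, 1]) + bytes([TAG_PADDING])
          + bytes([0x0D, 4]) + struct.pack("!I", 0x5B8C1234) + bytes([TAG_END])
          + bytes.fromhex("ffffffffffff0011223344550800") + b"\x45\x00payload")
```

A collector listening on 37008 can run each datagram through this to confirm the encapsulation and tag data before handing the inner frame to a normal Ethernet or 802.11 dissector.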

So we create a capture filter in Wireshark on our receiving host and start listening on the interface with that particular filter.

Start Wireshark -> click on the Capture tab and select Capture Filters -> add a capture filter as shown below.

TZSP capture filter

Go back to the main screen and, in the "...using this filter" box, select the new capture filter that you created.

On your MikroTik, head over to the Tools tab, then Packet Sniffer: enable remote streaming, set the IP address that traffic should be forwarded to, choose the protocols to send (choose selectively so as not to overload the router's memory), and finally select the interface you want to sniff traffic from.

Finally, watch the traffic flow into your Wireshark.

traffic livestream to wireshark

And boom, we are in a position to collect passwords and session cookies for non-HTTPS websites.

HTTP POST login request

Scapy - The packet scripting ninja

Now, necessity being the mother of all inventions, a need arose to script and automate the analysis of the captured traffic, and Scapy was the sword in mind.

Quickly looking at the pcap saved from Wireshark, it is obvious that the TZSP payload is not properly recognized: only the raw UDP-encapsulated data is seen.

After a long search for an available TZSP protocol dissector or converter, I soon realized that there is a TZSP implementation in Scapy's contribs.

So let's load the TZSP contrib and try to decode it.

TZSP contrib help 

So, we pass the packet as an argument to the TZSP class.

error

I quickly realized that the argument to be passed is not the whole packet but just the raw UDP data, so trying again we get:

TZSP properly decoded

To automate the whole process, I created this simple script to read and print the original packets.

from scapy.all import *
import sys

# Pulls in the TZSP class from scapy/contrib/tzsp.py
load_contrib("tzsp")

TZSP_PORT = 37008  # UDP port the MikroTik sniffer streams to


def x_udp_data(pkt):
    # Skip non-UDP frames (ARP, ICMP, ...) instead of raising a KeyError,
    # and only decode datagrams destined for the TZSP port.
    if UDP not in pkt or pkt[UDP].dport != TZSP_PORT:
        return
    # TZSP() wants only the UDP payload, not the whole packet. bytes() of the
    # payload works whether Scapy left it as Raw or already dissected it as TZSP.
    udp_data = bytes(pkt[UDP].payload)
    if udp_data:
        dump_tzsp(udp_data)


def dump_tzsp(udp_data):
    print("[*] Dumping TZSP encapsulated data...")
    tzsp_pkt = TZSP(udp_data)
    tzsp_pkt.show()
    print("=" * 68 + "\n\n")


def main():
    if len(sys.argv) != 2:
        sys.exit("usage: %s <capture.pcap>" % sys.argv[0])
    print("[*] Starting packet reading...")
    # PcapReader streams packets one at a time, so large captures do not have to fit in memory
    for pkt in PcapReader(sys.argv[1]):
        x_udp_data(pkt)
    print("[+] All done!!!")


if __name__ == "__main__":
    main()

In an update, we will integrate this module into net-creds.