Feed
andrewg's website
Posted August 27th, 2007 by andrewg
| Feed URL | http://felinemenace.org/~andrewg/andrewg ... |
MikroTik Router Security Analysis: Weak password storage / encryption
Posted January 3rd, 2008 by andrewg (added 3/1/2008)
On the 3rd January, manio [at] skyboo [dot] net e-mailed me asking for some
hints / tips / advice about how the passwords are stored in the MikroTik
Router OS image. (To his credit, he said he realised it was XOR based pretty
much after he hit send on the mail). The user/password information is stored
in /nova/store/user.dat. His homepage is http://manio.skyboo.net/mikrotik/.
According to him, the following passwords had the following encrypted text:
Ruxcon 2008
Posted November 20th, 2007 by andrewg (added 20/11/2007)
Despite what many have thought, ruxcon will be
making a comeback in 2008 :) Not too much has been planned at the moment, but
by the looks of it, things are back on track. Somewhat recently, a ddos kiddie
from South Australia packeted the box, causing the hosting provider to null
route the ip… however that issue was sorted out.
I will be attempting to do a talk at ruxcon, not
sure exactly what, but probably regarding hardened linux, and covering such
things as PaX / grsecurity
and other assorted things.
Depending on how things are going, I will probably set up a capture the flag
game as well.
If you are interested in speaking at Ruxcon 2008, drop a note to
chris@ruxcon.org.au indicating your interest.
Hope to see you all there :D
MikroTik Router Security Analysis: Insecure Network Protocol
Posted October 11th, 2007 by andrewg (started 22/8/2007, added 11/10/2007)
The MikroTik Wireless Router is an embedded Linux wireless router, focusing on
functionality such as bandwidth management, firewalling, VPN server/client,
and various other things. As with all embedded Linux based software, it is
interesting to pull it apart :)
It has been around for a while now… a couple of years ago when I analysed
the software / pulled it apart, it had drivers/firmware to turn standard Orinoco
wireless cards into an Access Point (which as far as I know isn't possible
otherwise, at least not when I was looking at it.)
For the purposes of this article, I am looking at mikrotik-2.9.46.iso
(MD5sum: 65aa908dd748ccf72ad9f588613dfe31, SHA1sum: 5e5ed13498db8d9745a701f75e58da3ef6701e58).
For the most part, I have used QEMU to emulate the hardware/software
environment to install it on. This has several advantages, such as being able
to edit the "disk" it's using easily, amongst other things.
Initial observations
After installing MikroTik, strings was run on the resulting disk image to see
what could be initially noticed.
Inconsistent / random GCC versions used
One of the most amusing things noticed was the variety of GCC version
strings in the output:
box $ strings -a mikrotik.img | grep ^GCC: | sort | uniq
GCC: (GNU) 2.7.2.3
GCC: (GNU) 2.95.4 20011002 (Debian prerelease)
GCC: (GNU) 3.0.4
GCC: (GNU) 3.4.6 (Debian 3.4.6-5)
GCC: (GNU) 4.0.3 (Debian 4.0.3-1)
GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
- They don't strip debugging information from binaries / libraries; stripping
  usually is a good idea when you're concerned about disk usage (more so for
  embedded systems).
- The differing GCC versions seem to indicate that they haven't run a make
  clean on the source code in ages, or they have lost the source code. Doesn't
  bode well for quality control, at any rate. This is more noticeable when
  looking at the output without sort/uniq being performed.
The 1999 egcs result is most amusing :) Also in the output is a banner for
their code; the copyright on the banner is interesting:
MMM      MMM       KKK                          TTTTTTTTTTT      KKK
MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

MikroTik routerOS V2.4 (c) 1999-2001       http://mikrotik.com/
...
Tip: Read the manual.
Interesting kernel modules
In the strings output was a bunch of filenames which look interesting and
worth further analysis. Output as follows:
ipt_helper.o
ipt_connbytes.o
ipt_length.o
ipt_physdev.o
ipt_ulog.o
ipt_snif.o
ipt_PASSTHR.o
ipt_p2p.o
addrlist.o
ipt_prmark.o
ipt_PRMARK.o
ipt_hsmark.o
logfw.o
trafflow.o
ulog.o
snif.o
logring.o
panics.o
p2p.o
btest.o
checkmod.o
The addrlist.o, snif.o, logring.o, panics.o, p2p.o, btest.o, checkmod.o don't
look familiar to me, based on my (somewhat limited) experience with the Linux
kernel. We'll look at this further later on and see what's happening.
Interesting file names
Additionally in the strings output, there are some interesting filenames which
would be worth following up later on :)
telnet.jpg
winbox.jpg
roteros.dll
00roteros.info
winbox.exe
system.dll
system.info
Exploring the filesystem image
Another thanks to Steven for pointing out how
easy it is to mount partitions from disk images using the loopback device.
To get started, the partition table needs to be extracted, so we can calculate
the applicable offset into the disk image that was created when the MikroTik
router package was installed in QEMU.
[box] $ /sbin/fdisk -l -u mikrotik.img
last_lba(): I don't know how to handle files with mode 81a4
You must set cylinders.
You can do this from the extra functions menu.
Disk mikrotik.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Device          Boot    Start        End     Blocks   Id  System
mikrotik.img1   *           1    1044224     522112   83  Linux
So according to the above url, we can access the partition via the calculation
start_sector * 512, which is just 512 :) Testing this out, we get:
[box] # mkdir /mnt/mikro
[box] # mount -o loop,offset=512 mikrotik.img /mnt/mikro/
[box] # dmesg | tail -n 6
loop: module loaded
kjournald starting. Commit interval 5 seconds
EXT3 FS on loop0, internal journal
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev loop0, type ext3), uses xattr
Which looks good, so far.
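The offset calculation above, generalised as an added example (not code from the original article): instead of reading the start sector off the fdisk listing, it parses the MBR partition table directly from the image and derives the loop-mount options for every primary partition. The sample sector is constructed to match the fdisk output shown above (bootable, start 1, 1044224 sectors, Id 83); the function names and the read-only mount options are this example's own choices.

```python
import struct
import sys

SECTOR_SIZE = 512        # fdisk reported "Units = sectors of 1 * 512"
TABLE_OFFSET = 446       # the four 16-byte entries follow the boot code
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR sector


def parse_mbr(sector0, sector_size=SECTOR_SIZE):
    """Return the non-empty primary partitions described by an MBR sector."""
    if len(sector0) < 512:
        raise ValueError("need at least the first 512 bytes of the image")
    if sector0[510:512] != SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR-partitioned image")

    partitions = []
    for index in range(4):
        start = TABLE_OFFSET + index * ENTRY_SIZE
        raw = sector0[start:start + ENTRY_SIZE]
        # status, CHS first (3 bytes), type, CHS last (3 bytes),
        # LBA start sector, sector count (both little-endian 32-bit)
        status, _chs_first, ptype, _chs_last, lba_start, count = struct.unpack(
            "<B3sB3sII", raw)
        if ptype == 0x00 or count == 0:
            continue  # unused slot
        if ptype == 0xEE:
            raise ValueError("protective MBR: the image is GPT-partitioned")
        partitions.append({
            "number": index + 1,
            "bootable": status == 0x80,
            "type": ptype,
            # 0x05 / 0x0F are extended containers; logical partitions
            # inside them are not walked by this example.
            "extended": ptype in (0x05, 0x0F),
            "start_sector": lba_start,
            "sectors": count,
            "offset": lba_start * sector_size,     # start_sector * 512
            "sizelimit": count * sector_size,      # stop at the partition end
        })
    return partitions


def mount_command(image, part, mountpoint, options="ro"):
    """Build the loop mount command for one parsed partition.

    'options' defaults to read-only; for ext3/ext4 'ro,noload' additionally
    skips journal replay.
    """
    return ("mount -o {opts},loop,offset={off},sizelimit={size} {img} {mnt}"
            .format(opts=options, off=part["offset"], size=part["sizelimit"],
                    img=image, mnt=mountpoint))


def constructed_sample_mbr():
    """Constructed sector mirroring the fdisk listing in the article."""
    entry = struct.pack("<B3sB3sII",
                        0x80,             # Boot column: *
                        b"\xfe\xff\xff",  # CHS placeholder (constructed)
                        0x83,             # Id 83, Linux
                        b"\xfe\xff\xff",  # CHS placeholder (constructed)
                        1,                # Start
                        1044224)          # End - Start + 1 sectors
    return bytes(TABLE_OFFSET) + entry + bytes(3 * ENTRY_SIZE) + SIGNATURE


if __name__ == "__main__":
    if len(sys.argv) > 1:
        image_name = sys.argv[1]
        with open(image_name, "rb") as handle:
            first_sector = handle.read(512)
    else:
        image_name = "mikrotik.img"
        first_sector = constructed_sample_mbr()

    for part in parse_mbr(first_sector):
        print("partition {number}: type 0x{type:02x}, start {start_sector}, "
              "{sectors} sectors".format(**part))
        print("  " + mount_command(image_name, part, "/mnt/mikro"))
```

The dmesg output above shows the read-write mount replaying the ext3 journal, which alters the image file; mounting read-only with noload avoids that when the image needs to stay unchanged.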
The files that we can see are as follows:
./dev/log37 ./dev/log38 ./dev/log39 ./dev/log4 ./dev/log40 ./dev/log41 ./dev/log42 ./dev/log43 ./dev/log44 ./dev/log45 ./dev/log46 ./dev/log47 ./dev/log48 ./dev/log49 ./dev/log5 ./dev/log50 ./dev/log51 ./dev/log52 ./dev/log53 ./dev/log54 ./dev/log55 ./dev/log56 ./dev/log6 ./dev/log57 ./dev/log58 ./dev/log59 ./dev/log60 ./dev/log61 ./dev/log62 ./dev/log63 ./dev/log64 ./dev/log65 ./dev/log66 ./dev/log67 ./dev/log68 ./dev/log69 ./dev/log7 ./dev/log70 ./dev/log71 ./dev/log72 ./dev/log73 ./dev/log74 ./dev/log75 ./dev/log76 ./dev/log77 ./dev/log78 ./dev/log79 ./dev/log8 ./dev/log80 ./dev/log81 ./dev/log82 ./dev/log83 ./dev/log84 ./dev/log85 ./dev/log86 ./dev/log87 ./dev/log88 ./dev/log89 ./dev/log9 ./dev/log90 ./dev/log91 ./dev/log92 ./dev/log93 ./dev/log94 ./dev/log95 ./dev/log96 ./dev/log97 ./dev/log98 ./dev/log99 ./dev/logfw ./dev/mem ./dev/null ./dev/panics ./dev/port ./dev/ptmx ./dev/pts ./dev/ram ./dev/ram1 ./dev/random ./dev/root ./dev/rtc ./dev/ticker ./dev/trafflow ./dev/tty ./dev/tty0 ./dev/tty1 ./dev/tty2 ./dev/tty3 ./dev/tty4 ./dev/tty5 ./dev/tty6 ./dev/tty7 ./dev/tty8 ./dev/tty9 ./dev/ttyACM0 ./dev/ttyACM1 ./dev/ttyACM10 ./dev/ttyACM11 ./dev/ttyACM12 ./dev/ttyACM13 ./dev/ttyACM14 ./dev/ttyACM15 ./dev/ttyACM16 ./dev/ttyACM17 ./dev/ttyACM18 ./dev/ttyACM19 ./dev/ttyACM2 ./dev/ttyACM20 ./dev/ttyACM21 ./dev/ttyACM22 ./dev/ttyACM23 ./dev/ttyACM24 ./dev/ttyACM25 ./dev/ttyACM26 ./dev/ttyACM27 ./dev/ttyACM28 ./dev/ttyACM29 ./dev/ttyACM3 ./dev/ttyACM30 ./dev/ttyACM31 ./dev/ttyACM4 ./dev/ttyACM5 ./dev/ttyACM6 ./dev/ttyACM7 ./dev/ttyACM8 ./dev/ttyACM9 ./dev/ttyC0 ./dev/ttyC1 ./dev/ttyC10 ./dev/ttyC11 ./dev/ttyC12 ./dev/ttyC13 ./dev/ttyC14 ./dev/ttyC15 ./dev/ttyC16 ./dev/ttyC17 ./dev/ttyC18 ./dev/ttyC19 ./dev/ttyC2 ./dev/ttyC20 ./dev/ttyC21 ./dev/ttyC22 ./dev/ttyC23 ./dev/ttyC24 ./dev/ttyC25 ./dev/ttyC26 ./dev/ttyC27 ./dev/ttyC28 ./dev/ttyC29 ./dev/ttyC3 ./dev/ttyC30 ./dev/ttyC31 ./dev/ttyC4 ./dev/ttyC5 ./dev/ttyC6 ./dev/ttyC7 ./dev/ttyC8 ./dev/ttyC9 ./dev/ttyDB0 
./dev/ttyDB1 ./dev/ttyDB10 ./dev/ttyDB11 ./dev/ttyDB12 ./dev/ttyDB13 ./dev/ttyDB14 ./dev/ttyDB15 ./dev/ttyDB16 ./dev/ttyDB17 ./dev/ttyDB18 ./dev/ttyDB19 ./dev/ttyDB2 ./dev/ttyDB20 ./dev/ttyDB21 ./dev/ttyDB22 ./dev/ttyDB23 ./dev/ttyDB24 ./dev/ttyDB25 ./dev/ttyDB26 ./dev/ttyDB27 ./dev/ttyDB28 ./dev/ttyDB29 ./dev/ttyDB3 ./dev/ttyDB30 ./dev/ttyDB31 ./dev/ttyDB4 ./dev/ttyDB5 ./dev/ttyDB6 ./dev/ttyDB7 ./dev/ttyDB8 ./dev/ttyDB9 ./dev/ttyS0 ./dev/ttyS1 ./dev/ttyS16 ./dev/ttyS17 ./dev/ttyS18 ./dev/ttyS19 ./dev/ttyS2 ./dev/ttyS3 ./dev/ttySI0 ./dev/ttySI1 ./dev/ttySI10 ./dev/ttySI11 ./dev/ttySI12 ./dev/ttySI13 ./dev/ttySI14 ./dev/ttySI15 ./dev/ttySI16 ./dev/ttySI17 ./dev/ttySI18 ./dev/ttySI19 ./dev/ttySI2 ./dev/ttySI20 ./dev/ttySI21 ./dev/ttySI22 ./dev/ttySI23 ./dev/ttySI24 ./dev/ttySI25 ./dev/ttySI26 ./dev/ttySI27 ./dev/ttySI28 ./dev/ttySI29 ./dev/ttySI3 ./dev/ttySI30 ./dev/ttySI31 ./dev/ttySI4 ./dev/ttySI5 ./dev/ttySI6 ./dev/ttySI7 ./dev/ttySI8 ./dev/ttySI9 ./dev/ttyUSB0 ./dev/ttyUSB1 ./dev/ttyUSB10 ./dev/ttyUSB11 ./dev/ttyUSB12 ./dev/ttyUSB13 ./dev/ttyUSB14 ./dev/ttyUSB15 ./dev/ttyUSB2 ./dev/ttyUSB3 ./dev/ttyUSB4 ./dev/ttyUSB5 ./dev/ttyUSB6 ./dev/ttyUSB7 ./dev/ttyUSB8 ./dev/ttyUSB9 ./dev/ttyp0 ./dev/ttyp1 ./dev/ttyp2 ./dev/ttyp3 ./dev/ttyp4 ./dev/ttyp5 ./dev/ttyp6 ./dev/ttyp7 ./dev/ttyp8 ./dev/ttyp9 ./dev/ttypa ./dev/ttypb ./dev/ttypc ./dev/ttypd ./dev/ttype ./dev/ttypf ./dev/urandom ./dev/watchdog ./dev/zero ./dev/log ./initrd ./tmp ./tmp/pacdsock ./tmp/novasock ./tmp/.fibnet ./tmp/zserv.api ./root ./root/prism.hex ./CDINSTALL ./ram ./.asked
This has opened up the embedded device rather nicely for us, which will make
things a lot easier.
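A tree like the one listed above can be triaged by running modinfo over each object and sorting the records by the metadata they declare. The sketch below is an added example, not code from the original article: the function names are made up for illustration, the sample records are copied from the modinfo output shown further down this page, and treating "declares no author, description or license" as a marker for closer review is a heuristic assumed here, not something modinfo itself reports.

```python
"""Triage 2.4-style modinfo output by the metadata each module declares."""
import sys
from collections import defaultdict

# Records copied from the modinfo output shown on this page.
SAMPLE = """\
filename: ./drivers/net/mii.o
kernel_version: 2.4.31
author: Jeff Garzik
description: MII hardware support library
license: GPL
filename: ./drivers/net/via-rhine.o
kernel_version: 2.4.31
author: Donald Becker
description: VIA Rhine PCI Fast Ethernet driver
license: GPL
parm_options: 1-8i
parm_desc_options:VIA Rhine: Bits 0-3: media type, bit 17: full duplex
filename: ./drivers/net/il.o
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/char/ticker.o
kernel_version: 2.4.31
filename: ./drivers/char/databooster.o
kernel_version: 2.4.31
description: TCL DataBooster serial driver
author: Mansour R
filename: ./net/sched/cls_linear.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/iptable_nat.o
kernel_version: 2.4.31
license: GPL
kernel_version: 2.4.31
"""


def parse_modinfo(text):
    """Split modinfo output into one record per 'filename:' line.

    Each record is {"filename": str, "fields": {key: [values, ...]}}.
    Values are kept in lists because a key can repeat within one record
    (kernel_version does so several times in the output on this page).
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # shell prompt, blank line, or other non-record text
        # Split on the first colon only: parm_desc_* values contain colons.
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key == "filename":
            current = {"filename": value, "fields": defaultdict(list)}
            records.append(current)
        elif current is not None:
            current["fields"][key].append(value)
    return records


def classify(record):
    """Return 'licensed', 'unlicensed' or 'bare' for one parsed record."""
    fields = record["fields"]
    if "license" in fields:
        return "licensed"
    if "author" in fields or "description" in fields:
        return "unlicensed"  # identifies itself but declares no license
    return "bare"  # nothing beyond kernel_version and parameters


def triage(text):
    """Group module filenames by classification, preserving input order."""
    buckets = {"licensed": [], "unlicensed": [], "bare": []}
    for record in parse_modinfo(text):
        buckets[classify(record)].append(record["filename"])
    return buckets


if __name__ == "__main__":
    # Pipe real modinfo output in, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for bucket, names in triage(data).items():
        print(f"{bucket} ({len(names)})")
        for name in names:
            print(f"  {name}")
```
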
Exploring the kernel modules
As mentioned above, a bunch of the kernel modules appear to have non-standard
filenames (which would appear to be custom modules). Let's have a more thorough
look at them (with additional formatting to make it easier to read):
[box] $ find . -type f -iname '*o' -exec modinfo '{}' \;
filename: ./drivers/net/mii.o
kernel_version: 2.4.31
author: Jeff Garzik
description: MII hardware support library
license: GPL
filename: ./drivers/net/slhc.o
kernel_version: 2.4.31
license: Dual BSD/GPL
filename: ./drivers/net/via-rhine.o
kernel_version: 2.4.31
author: Donald Becker
description: VIA Rhine PCI Fast Ethernet driver
license: GPL
parm_max_interrupt_work:i
parm_debug: i
parm_disable_sleep_mode:i
parm_rx_copybreak:i
parm_backoff: i
parm_options: 1-8i
parm_full_duplex:1-8i
parm_desc_max_interrupt_work:VIA Rhine maximum events handled per interrupt
parm_desc_debug:VIA Rhine debug level (0-7)
parm_desc_disable_sleep_mode:VIA Rhine d3 state disable (1)
parm_desc_rx_copybreak:VIA Rhine copy breakpoint for copy-only-tiny-frames
parm_desc_backoff:VIA Rhine: Bits 0-3: backoff algorithm
parm_desc_options:VIA Rhine: Bits 0-3: media type, bit 17: full duplex
parm_desc_full_duplex:VIA Rhine full duplex setting(s) (1)
filename: ./drivers/net/hp100.o
kernel_version: 2.4.31
parm_hp100_rx_ratio:1i
parm_hp100_priority_tx:1i
parm_hp100_mode:1i
license: GPL
author: Jaroslav Kysela , Siegfried "Frieder" Loeffler (dg1sek)
description: HP CASCADE Architecture Driver for 100VG-AnyLan Network Adapters
parm_hp100_port:1-5i
parm_hp100_name:1-5c16
filename: ./drivers/net/8390.o
kernel_version: 2.4.31
license: GPL
filename: ./drivers/net/ne2k-pci.o
kernel_version: 2.4.31
author: Donald Becker / Paul Gortmaker
description: PCI NE2000 clone driver
license: GPL
parm_debug: i
parm_options: 1-8i
parm_full_duplex:1-8i
parm_desc_debug:debug level (1-2)
parm_desc_options:Bit 5: full duplex
parm_desc_full_duplex:full duplex setting(s) (1)
filename: ./drivers/net/ne.o
kernel_version: 2.4.31
parm_io: 1-4i
parm_irq: 1-4i
parm_bad: 1-4i
parm_desc_io: I/O base address(es),required
parm_desc_irq: IRQ number(s)
parm_desc_bad: Accept card(s) with bad signatures
description: NE1000/NE2000 ISA/PnP Ethernet driver
license: GPL
filename: ./drivers/net/lance.o
kernel_version: 2.4.31
parm_io: 1-8i
parm_dma: 1-8i
parm_irq: 1-8i
parm_lance_debug:i
parm_desc_io: LANCE/PCnet I/O base address(es),required
parm_desc_dma: LANCE/PCnet ISA DMA channel (ignored for some devices)
parm_desc_irq: LANCE/PCnet IRQ number (ignored for some devices)
parm_desc_lance_debug:LANCE/PCnet debug level (0-7)
license: GPL
filename: ./drivers/net/3c509.o
kernel_version: 2.4.31
parm_debug: i
parm_irq: 1-8i
parm_xcvr: 1-12i
parm_max_interrupt_work:i
parm_desc_debug:debug level (0-6)
parm_desc_irq: IRQ number(s) (assigned)
parm_desc_xcvr: tranceiver(s) (0=internal, 1=external)
parm_desc_max_interrupt_work:maximum events handled per interrupt
description: 3Com Etherlink III (3c509, 3c509B) ISA/PnP ethernet driver
license: GPL
filename: ./drivers/net/3c59x.o
kernel_version: 2.4.31
author: Donald Becker
description: 3Com 3c59x/3c9xx ethernet driver LK1.1.18 1 July 2002
license: GPL
parm_debug: i
parm_global_options:i
parm_options: 1-8i
parm_global_full_duplex:i
parm_full_duplex:1-8i
parm_hw_checksums:1-8i
parm_flow_ctrl: 1-8i
parm_global_enable_wol:i
parm_enable_wol:1-8i
parm_rx_copybreak:i
parm_max_interrupt_work:i
parm_compaq_ioaddr:i
parm_compaq_irq:i
parm_compaq_device_id:i
parm_watchdog: i
parm_desc_debug:3c59x debug level (0-6)
parm_desc_options:3c59x: Bits 0-3: media type, bit 4: bus mastering, bit 9: full duplex
parm_desc_global_options:3c59x: same as options, but applies to all NICs if options is unset
parm_desc_full_duplex:3c59x full duplex setting(s) (1)
parm_desc_global_full_duplex:3c59x: same as full_duplex, but applies to all NICs if options is unset
parm_desc_hw_checksums:3c59x Hardware checksum checking by adapter(s) (0-1)
parm_desc_flow_ctrl:3c59x 802.3x flow control usage (PAUSE only) (0-1)
parm_desc_enable_wol:3c59x: Turn on Wake-on-LAN for adapter(s) (0-1)
parm_desc_global_enable_wol:3c59x: same as enable_wol, but applies to all NICs if options is unset
parm_desc_rx_copybreak:3c59x copy breakpoint for copy-only-tiny-frames
parm_desc_max_interrupt_work:3c59x maximum events handled per interrupt
parm_desc_compaq_ioaddr:3c59x PCI I/O base address (Compaq BIOS problem workaround)
parm_desc_compaq_irq:3c59x PCI IRQ number (Compaq BIOS problem workaround)
parm_desc_compaq_device_id:3c59x PCI device ID (Compaq BIOS problem workaround)
parm_desc_watchdog:3c59x transmit timeout in milliseconds
filename: ./drivers/net/sis900.o
kernel_version: 2.4.31
author: Jim Huang , Ollie Lho
description: SiS 900 PCI Fast Ethernet driver
license: GPL
parm_multicast_filter_limit:i
parm_max_interrupt_work:i
parm_debug: i
parm_desc_multicast_filter_limit:SiS 900/7016 maximum number of filtered multicast addresses
parm_desc_max_interrupt_work:SiS 900/7016 maximum events handled per interrupt
parm_desc_debug:SiS 900/7016 debug level (2-4)
filename: ./drivers/net/8139too.o
kernel_version: 2.4.31
author: Jeff Garzik
description: RealTek RTL-8139 Fast Ethernet driver
license: GPL
parm_multicast_filter_limit:i
parm_max_interrupt_work:i
parm_media: 1-8i
parm_full_duplex:1-8i
parm_debug: i
parm_desc_debug:8139too bitmapped message enable number
parm_desc_multicast_filter_limit:8139too maximum number of filtered multicast addresses
parm_desc_max_interrupt_work:8139too maximum events handled per interrupt
parm_desc_media:8139too: Bits 4+9: force full duplex, bit 5: 100Mbps
parm_desc_full_duplex:8139too: Force full duplex for board(s) (1)
filename: ./drivers/net/pcnet32.o
kernel_version: 2.4.31
parm_debug: i
parm_desc_debug:pcnet32 debug level
parm_max_interrupt_work:i
parm_desc_max_interrupt_work:pcnet32 maximum events handled per interrupt
parm_rx_copybreak:i
parm_desc_rx_copybreak:pcnet32 copy breakpoint for copy-only-tiny-frames
parm_tx_start_pt:i
parm_desc_tx_start_pt:pcnet32 transmit start point (0-3)
parm_pcnet32vlb:i
parm_desc_pcnet32vlb:pcnet32 Vesa local bus (VLB) support (0/1)
parm_options: 1-8i
parm_desc_options:pcnet32 initial option setting(s) (0-15)
parm_full_duplex:1-8i
parm_desc_full_duplex:pcnet32 full duplex setting(s) (1)
parm_homepna: 1-8i
parm_desc_homepna:pcnet32 mode for 79C978 cards (1 for HomePNA, 0 for Ethernet, default Ethernet
author: Thomas Bogendoerfer
description: Driver for PCnet32 and PCnetPCI based ethercards
license: GPL
filename: ./drivers/net/winbond-840.o
kernel_version: 2.4.31
author: Donald Becker
description: Winbond W89c840 Ethernet driver
license: GPL
parm_max_interrupt_work:i
parm_debug: i
parm_rx_copybreak:i
parm_multicast_filter_limit:i
parm_options: 1-8i
parm_full_duplex:1-8i
parm_desc_max_interrupt_work:winbond-840 maximum events handled per interrupt
parm_desc_debug:winbond-840 debug level (0-6)
parm_desc_rx_copybreak:winbond-840 copy breakpoint for copy-only-tiny-frames
parm_desc_multicast_filter_limit:winbond-840 maximum number of filtered multicast addresses
parm_desc_options:winbond-840: Bits 0-3: media type, bit 17: full duplex
parm_desc_full_duplex:winbond-840 full duplex setting(s) (1)
filename: ./drivers/net/tulip/tulip.o
kernel_version: 2.4.31
author: The Linux Kernel Team
description: Digital 21*4* Tulip ethernet driver
license: GPL
parm_tulip_debug:i
parm_max_interrupt_work:i
parm_rx_copybreak:i
parm_csr0: i
parm_options: 1-8i
parm_full_duplex:1-8i
filename: ./drivers/net/ns83820.o
kernel_version: 2.4.31
author: Benjamin LaHaise
description: National Semiconductor DP83820 10/100/1000 driver
license: GPL
parm_lnksts: i
parm_desc_lnksts:Polarity of LNKSTS bit
parm_ihr: i
parm_desc_ihr: Time in 100 us increments to delay interrupts (range 0-127)
parm_reset_phy: i
parm_desc_reset_phy:Set to 1 to reset the PHY on startup
filename: ./drivers/net/sundance.o
kernel_version: 2.4.31
author: Donald Becker
description: Sundance Alta Ethernet driver
license: GPL
parm_debug: i
parm_rx_copybreak:i
parm_media: 1-8s
parm_flowctrl: i
parm_desc_debug:Sundance Alta debug level (0-5)
parm_desc_rx_copybreak:Sundance Alta copy breakpoint for copy-only-tiny-frames
parm_desc_flowctrl:Sundance Alta flow control [0|1]
filename: ./drivers/net/dmfe.o
kernel_version: 2.4.31
author: Sten Wang, sten_wang@davicom.com.tw
description: Davicom DM910X fast ethernet driver
license: GPL
parm_debug: i
parm_mode: i
parm_cr6set: i
parm_chkmode: i
parm_HPNA_mode: i
parm_HPNA_rx_cmd:i
parm_HPNA_tx_cmd:i
parm_HPNA_NoiseFloor:i
parm_SF_mode: i
parm_desc_debug:Davicom DM9xxx enable debugging (0-1)
parm_desc_mode: Davicom DM9xxx: Bit 0: 10/100Mbps, bit 2: duplex, bit 8: HomePNA
parm_desc_SF_mode:Davicom DM9xxx special function (bit 0: VLAN, bit 1 Flow Control, bit 2: TX pause packet)
filename: ./drivers/net/e100/e100.o
kernel_version: 2.4.31
author: Intel Corporation,
description: Intel(R) PRO/100 Network Driver
license: GPL
parm_TxDescriptors:1-16i
parm_desc_TxDescriptors:Number of transmit descriptors
parm_RxDescriptors:1-16i
parm_desc_RxDescriptors:Number of receive descriptors
parm_XsumRX: 1-16i
parm_desc_XsumRX:Disable or enable Receive Checksum offload
parm_e100_speed_duplex:1-16i
parm_desc_e100_speed_duplex:Speed and Duplex settings
parm_ucode: 1-16i
parm_desc_ucode:Disable or enable microcode loading
parm_ber: 1-16i
parm_desc_ber: Value for the BER correction algorithm
parm_flow_control:1-16i
parm_desc_flow_control:Disable or enable Ethernet PAUSE frames processing
parm_IntDelay: 1-16i
parm_desc_IntDelay:Value for CPU saver's interrupt delay
parm_BundleSmallFr:1-16i
parm_desc_BundleSmallFr:Disable or enable interrupt bundling of small frames
parm_BundleMax: 1-16i
parm_desc_BundleMax:Maximum number for CPU saver's packet bundling
parm_IFS: 1-16i
parm_desc_IFS: Disable or enable the adaptive IFS algorithm
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/net/tg3.o
kernel_version: 2.4.31
author: David S. Miller (davem@redhat.com) and Jeff Garzik (jgarzik@pobox.com)
description: Broadcom Tigon3 ethernet driver
license: GPL
parm_tg3_debug: i
parm_desc_tg3_debug:Tigon3 bitmapped debugging message enable value
filename: ./drivers/net/natsemi.o
kernel_version: 2.4.31
author: Donald Becker
description: National Semiconductor DP8381x series PCI Ethernet driver
license: GPL
parm_max_interrupt_work:i
parm_mtu: i
parm_debug: i
parm_rx_copybreak:i
parm_intr_holdoff_value:i
parm_options: 1-8i
parm_full_duplex:1-8i
parm_desc_max_interrupt_work:DP8381x maximum events handled per interrupt
parm_desc_mtu: DP8381x MTU (all boards)
parm_desc_debug:DP8381x default debug level
parm_desc_rx_copybreak:DP8381x copy breakpoint for copy-only-tiny-frames
parm_desc_intr_holdoff_value:DP83816 interrupt holdoff in usec (DP83816 only)
parm_desc_options:DP8381x: Bits 0-3: media type, bit 17: full duplex
parm_desc_full_duplex:DP8381x full duplex setting(s) (1)
filename: ./drivers/net/b44.o
kernel_version: 2.4.31
author: David S. Miller (davem@redhat.com)
description: Broadcom 4400 10/100 PCI ethernet driver
license: GPL
parm_b44_debug: i
parm_desc_b44_debug:B44 bitmapped debugging message enable value
filename: ./drivers/net/tlan.o
kernel_version: 2.4.31
author: Maintainer: Samuel Chessman
description: Driver for TI ThunderLAN based ethernet PCI adapters
license: GPL
parm_aui: 1-8i
parm_duplex: 1-8i
parm_speed: 1-8i
parm_debug: i
parm_bbuf: i
parm_desc_aui: ThunderLAN use AUI port(s) (0-1)
parm_desc_duplex:ThunderLAN duplex setting(s) (0-default, 1-half, 2-full)
parm_desc_speed:ThunderLAN port speen setting(s) (0,10,100)
parm_desc_debug:ThunderLAN debug mask
parm_desc_bbuf: ThunderLAN use big buffer (0-1)
filename: ./drivers/net/bonding/bonding.o
kernel_version: 2.4.31
parm_devname: s
parm_desc_devname:Network device name to create
parm_miimon: i
parm_desc_miimon:Link check interval in milliseconds
parm_updelay: i
parm_desc_updelay:Delay before considering link up, in milliseconds
parm_downdelay: i
parm_desc_downdelay:Delay before considering link down, in milliseconds
parm_use_carrier:i
parm_desc_use_carrier:Use netif_carrier_ok (vs MII ioctls) in miimon; 0 for off, 1 for on (default)
parm_mode: s
parm_desc_mode: Mode of operation : 0 for round robin, 1 for active-backup, 2 for xor
parm_primary: s
parm_desc_primary:Primary network device to use
parm_lacp_rate: s
parm_desc_lacp_rate:LACPDU tx rate to request from 802.3ad partner (slow/fast)
parm_arp_interval:i
parm_desc_arp_interval:arp interval in milliseconds
parm_arp_ip_target:1-16s
parm_desc_arp_ip_target:arp targets in n.n.n.n form
license: GPL
description: Ethernet Channel Bonding Driver, v2.6.0
author: Thomas Davis, tadavis@lbl.gov and many others
device: most ethernet devices
filename: ./drivers/net/imq.o
kernel_version: 2.4.31
license: GPL
filename: ./drivers/net/pcmcia/pcnet_cs.o
kernel_version: 2.4.31
author: David Hinds
description: NE2000 compatible PCMCIA ethernet driver
license: GPL
parm_irq_mask: i
parm_irq_list: 1-4i
parm_if_port: i
parm_use_big_buf:i
parm_mem_speed: i
parm_delay_output:i
parm_delay_time:i
parm_use_shmem: i
parm_full_duplex:i
parm_hw_addr: 6i
filename: ./drivers/net/il.o
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/net/sk98lin.o
kernel_version: 2.4.31
author: Mirko Lindner
description: SysKonnect SK-NET Gigabit Ethernet SK-98xx driver
license: GPL
parm_Speed_A: 1-16s
parm_Speed_B: 1-16s
parm_AutoNeg_A: 1-16s
parm_AutoNeg_B: 1-16s
parm_DupCap_A: 1-16s
parm_DupCap_B: 1-16s
parm_FlowCtrl_A:1-16s
parm_FlowCtrl_B:1-16s
parm_Role_A: 1-16s
parm_Role_B: 1-16s
parm_ConType: 1-16s
parm_PrefPort: 1-16s
parm_RlmtMode: 1-16s
parm_IntsPerSec:1-16i
parm_Moderation:1-16s
parm_ModerationMask:1-16s
parm_LowLatency:1-16s
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/net/velocityget.o
kernel_version: 2.4.31
author: VIA Networking Technologies, Inc.
license: GPL
description: VIA Networking Velocity Family Gigabit Ethernet Adapter Driver
parm_RxDescriptors:1-8i
parm_desc_RxDescriptors:Number of receive descriptors
parm_TxDescriptors:1-8i
parm_desc_TxDescriptors:Number of transmit descriptors
parm_VID_setting:1-8i
parm_desc_VID_setting:802.1Q VLAN ID
parm_rx_thresh: 1-8i
parm_desc_rx_thresh:Receive fifo threshold
parm_DMA_length:1-8i
parm_desc_DMA_length:DMA length
parm_enable_tagging:1-8i
parm_desc_enable_tagging:Enable 802.1Q tagging
parm_IP_byte_align:1-8i
parm_desc_IP_byte_align:Enable IP header dword aligned
parm_txcsum_offload:1-8i
parm_desc_txcsum_offload:Enable transmit packet checksum offload
parm_flow_control:1-8i
parm_desc_flow_control:Enable flow control ability
parm_speed_duplex:1-8i
parm_desc_speed_duplex:Setting the speed and duplex mode
parm_ValPktLen: 1-8i
parm_desc_ValPktLen:Receiving or Drop invalid 802.3 frame
parm_wol_opts: 1-8i
parm_desc_wol_opts:Wake On Lan options
parm_int_works: 1-8i
parm_desc_int_works:Number of packets per interrupt services
parm_EnableMRDPL:1-8i
parm_desc_EnableMRDPL:Memory-Read-Multiple ability
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/net/r8169.o
kernel_version: 2.4.31
author: Realtek
description: RealTek RTL-8169 Gigabit Ethernet driver
parm_media: 1-8i
license: GPL
filename: ./drivers/net/e1000.o
kernel_version: 2.4.31
author: Intel Corporation,
description: Intel(R) PRO/1000 Network Driver
license: GPL
parm_debug: i
parm_desc_debug:Debug level (0=none,...,16=all)
kernel_version: 2.4.31
kernel_version: 2.4.31
parm_TxDescriptors:1-32i
parm_desc_TxDescriptors:Number of transmit descriptors
parm_RxDescriptors:1-32i
parm_desc_RxDescriptors:Number of receive descriptors
parm_Speed: 1-32i
parm_desc_Speed:Speed setting
parm_Duplex: 1-32i
parm_desc_Duplex:Duplex setting
parm_AutoNeg: 1-32i
parm_desc_AutoNeg:Advertised auto-negotiation setting
parm_FlowControl:1-32i
parm_desc_FlowControl:Flow Control setting
parm_XsumRX: 1-32i
parm_desc_XsumRX:Disable or enable Receive Checksum offload
parm_TxIntDelay:1-32i
parm_desc_TxIntDelay:Transmit Interrupt Delay
parm_TxAbsIntDelay:1-32i
parm_desc_TxAbsIntDelay:Transmit Absolute Interrupt Delay
parm_RxIntDelay:1-32i
parm_desc_RxIntDelay:Receive Interrupt Delay
parm_RxAbsIntDelay:1-32i
parm_desc_RxAbsIntDelay:Receive Absolute Interrupt Delay
parm_InterruptThrottleRate:1-32i
parm_desc_InterruptThrottleRate:Interrupt Throttling Rate
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/net/ipsec.o
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/net/wireless/hermes.o
kernel_version: 2.4.31
description: Low-level driver helper for Lucent Hermes chipset and Prism II HFA384x wireless MAC controller
author: David Gibson
license: Dual MPL/GPL
filename: ./drivers/net/wireless/orinoco.o
kernel_version: 2.4.31
author: David Gibson
description: Driver for Lucent Orinoco, Prism II based and similar wireless cards
license: Dual MPL/GPL
filename: ./drivers/net/wireless/orinoco_cs.o
kernel_version: 2.4.31
author: David Gibson
description: Driver for PCMCIA Lucent Orinoco, Prism II based and similar wireless cards
license: Dual MPL/GPL
parm_irq_mask: i
parm_irq_list: 1-4i
parm_ignore_cis_vcc:i
filename: ./drivers/char/softdog.o
kernel_version: 2.4.31
parm_soft_margin:i
parm_soft_noboot:i
license: GPL
parm_nowayout: i
parm_desc_nowayout:Watchdog cannot be stopped once started (default=CONFIG_WATCHDOG_NOWAYOUT)
filename: ./drivers/char/cyclades.o
kernel_version: 2.4.31
parm_maddr: 1-4l
parm_irq: 1-4i
license: GPL
filename: ./drivers/char/pcmcia/serial_cs.o
kernel_version: 2.4.31
author: David Hinds
description: PCMCIA serial card driver
license: Dual MPL/GPL
parm_irq_mask: i
parm_irq_list: 1-4i
parm_do_sound: i
parm_buggy_uart:i
filename: ./drivers/char/ticker.o
kernel_version: 2.4.31
filename: ./drivers/char/databooster.o
kernel_version: 2.4.31
description: TCL DataBooster serial driver
author: Mansour R
filename: ./drivers/char/mxser.o
kernel_version: 2.4.31
author: William Chen
description: MOXA Smartio/Industio Family Multiport Board Device Driver
parm_ioaddr: 1-4i
parm_ttymajor: i
parm_calloutmajor:i
parm_verbose: i
filename: ./drivers/pnp/isa-pnp.o
kernel_version: 2.4.31
author: Jaroslav Kysela
description: Generic ISA Plug & Play support
parm_isapnp_disable:i
parm_desc_isapnp_disable:ISA Plug & Play disable
parm_isapnp_rdp:i
parm_desc_isapnp_rdp:ISA Plug & Play read data port
parm_isapnp_reset:i
parm_desc_isapnp_reset:ISA Plug & Play reset all cards
parm_isapnp_allow_dma0:i
parm_desc_isapnp_allow_dma0:Allow dma value 0 during auto activation
parm_isapnp_skip_pci_scan:i
parm_desc_isapnp_skip_pci_scan:ISA Plug & Play skip PCI resource scanning
parm_isapnp_verbose:i
parm_desc_isapnp_verbose:ISA Plug & Play verbose mode
parm_isapnp_reserve_irq:1-16i
parm_desc_isapnp_reserve_irq:ISA Plug & Play - reserve IRQ line(s)
parm_isapnp_reserve_dma:1-8i
parm_desc_isapnp_reserve_dma:ISA Plug & Play - reserve DMA channel(s)
parm_isapnp_reserve_io:1-16i
parm_desc_isapnp_reserve_io:ISA Plug & Play - reserve I/O region(s) - port,size
parm_isapnp_reserve_mem:1-16i
parm_desc_isapnp_reserve_mem:ISA Plug & Play - reserve memory region(s) - address,size
license: GPL
kernel_version: 2.4.31
filename: ./drivers/usb/acm.o
kernel_version: 2.4.31
author: Armin Fuerst, Pavel Machek, Johannes Erdfelt, Vojtech Pavlik
description: USB Abstract Control Model driver for USB modems and ISDN adapters
license: GPL
filename: ./drivers/usb/usbcore.o
kernel_version: 2.4.31
license: GPL
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/usb/host/usb-uhci.o
kernel_version: 2.4.31
author: Georg Acher, Deti Fliegl, Thomas Sailer, Roman Weissgaerber
description: USB Universal Host Controller Interface driver
license: GPL
filename: ./drivers/usb/host/usb-ohci.o
kernel_version: 2.4.31
author: Roman Weissgaerber , David Brownell
description: USB OHCI Host Controller Driver
license: GPL
filename: ./drivers/usb/hid.o
kernel_version: 2.4.31
author: Andreas Gal, Vojtech Pavlik
description: USB HID support drivers
license: GPL
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./drivers/usb/rtl8150.o
kernel_version: 2.4.31
author: Petko Manolov
description: rtl8150 based usb-ethernet driver
license: GPL
filename: ./drivers/usb/pegasus.o
kernel_version: 2.4.31
author: Petko Manolov
description: Pegasus/Pegasus II USB Ethernet driver
license: GPL
parm_loopback: i
parm_mii_mode: i
parm_desc_loopback:Enable MAC loopback mode (bit 0)
parm_desc_mii_mode:Enable HomePNA mode (bit 0),default=MII mode = 0
filename: ./drivers/usb/serial/usbserial.o
kernel_version: 2.4.31
author: Greg Kroah-Hartman, greg@kroah.com, http://www.kroah.com/linux-usb/
description: USB Serial Driver core
license: GPL
parm_debug: i
parm_desc_debug:Debug enabled or not
parm_vendor: h
parm_desc_vendor:User specified USB idVendor
parm_product: h
parm_desc_product:User specified USB idProduct
filename: ./drivers/usb/serial/mtusbserial.o
kernel_version: 2.4.31
filename: ./drivers/pcmcia/yenta_socket.o
kernel_version: 2.4.31
kernel_version: 2.4.31
parm_override_bios:i
parm_desc_override_bios:yenta ignore bios resource allocation
license: GPL
filename: ./drivers/pcmcia/ds.o
kernel_version: 2.4.31
author: David Hinds
description: PCMCIA Driver Services 3.1.22
license: Dual MPL/GPL
filename: ./drivers/pcmcia/pcmcia_core.o
kernel_version: 2.4.31
parm_cis_width: i
kernel_version: 2.4.31
parm_probe_mem: i
parm_probe_io: i
parm_mem_limit: i
kernel_version: 2.4.31
kernel_version: 2.4.31
author: David Hinds
description: Linux Kernel Card Services 3.1.22
options: [pci] [cardbus]
license: Dual MPL/GPL
parm_setup_delay:i
parm_resume_delay:i
parm_shutdown_delay:i
parm_vcc_settle:i
parm_reset_time:i
parm_unreset_delay:i
parm_unreset_check:i
parm_unreset_limit:i
parm_cis_speed: i
parm_io_speed: i
parm_do_apm: i
kernel_version: 2.4.31
filename: ./drivers/pcmcia/i82365.o
kernel_version: 2.4.31
parm_i365_base: i
parm_ignore: i
parm_extra_sockets:i
parm_irq_mask: i
parm_irq_list: 1-16i
parm_cs_irq: i
parm_async_clock:i
parm_cable_mode:i
parm_wakeup: i
parm_do_scan: i
parm_poll_interval:i
parm_cycle_time:i
parm_has_dma: i
parm_has_led: i
parm_has_ring: i
parm_dynamic_mode:i
parm_freq_bypass:i
parm_setup_time:i
parm_cmd_time: i
parm_recov_time:i
license: Dual MPL/GPL
filename: ./lib/crc32.o
kernel_version: 2.4.31
author: Matt Domsch
description: Ethernet CRC32 calculations
license: GPL
filename: ./net/8021q/8021q.o
kernel_version: 2.4.31
license: GPL
kernel_version: 2.4.31
filename: ./net/bridge/bridge.o
kernel_version: 2.4.31
license: GPL
kernel_version: 2.4.31
filename: ./net/bridge/netfilter/ebtables.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebtable_broute.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebtable_filter.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebtable_nat.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_802_3.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_arp.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_arpreply.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_dnat.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_ip.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_limit.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_mark.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_mark_m.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_pkttype.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_redirect.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_snat.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_stp.o
kernel_version: 2.4.31
license: GPL
filename: ./net/bridge/netfilter/ebt_vlan.o
kernel_version: 2.4.31
parm_debug: 0-1b
parm_desc_debug:debug=1 is turn on debug messages
author: Nick Fedchik
description: 802.1Q match module (ebtables extension), v0.6
license: GPL
filename: ./net/bridge/ebt_ulog.o
kernel_version: 2.4.31
filename: ./net/bridge/ebt_snif.o
kernel_version: 2.4.31
filename: ./net/unix/unix.o
kernel_version: 2.4.31
license: GPL
kernel_version: 2.4.31
filename: ./net/packet/af_packet.o
kernel_version: 2.4.31
license: GPL
filename: ./net/sched/sch_htb.o
kernel_version: 2.4.31
license: GPL
filename: ./net/sched/sch_red.o
kernel_version: 2.4.31
license: GPL
filename: ./net/sched/sch_sfq.o
kernel_version: 2.4.31
license: GPL
filename: ./net/sched/cls_fw.o
kernel_version: 2.4.31
license: GPL
filename: ./net/sched/cls_linear.o
kernel_version: 2.4.31
filename: ./net/sched/sch_agr.o
kernel_version: 2.4.31
filename: ./net/sched/proto_agr.o
kernel_version: 2.4.31
filename: ./net/sched/sch_pcq.o
kernel_version: 2.4.31
filename: ./net/sched/sch_rate.o
kernel_version: 2.4.31
filename: ./net/ipv4/ipip.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ip_tables.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/iptable_filter.o
kernel_version: 2.4.31
parm_forward: i
license: GPL
filename: ./net/ipv4/netfilter/iptable_nat.o
kernel_version: 2.4.31
license: GPL
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/iptable_mangle.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/iptable_raw.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/nfnetlink.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ip_nat_ftp.o
kernel_version: 2.4.31
parm_ports: 1-8i
license: GPL
filename: ./net/ipv4/netfilter/ip_nat_irc.o
kernel_version: 2.4.31
author: Harald Welte
description: IRC (DCC) network address translation module
license: GPL
parm_ports: 1-8i
parm_desc_ports:port numbers of IRC servers
filename: ./net/ipv4/netfilter/ip_nat_h323.o
kernel_version: 2.4.31
author: Jozsef Kadlecsik
description: H.323 'brute force' connection tracking module
license: GPL
filename: ./net/ipv4/netfilter/ip_nat_proto_gre.o
kernel_version: 2.4.31
license: GPL
author: Harald Welte
description: Netfilter NAT protocol helper module for GRE
filename: ./net/ipv4/netfilter/ip_nat_pptp.o
kernel_version: 2.4.31
license: GPL
author: Harald Welte
description: Netfilter NAT helper module for PPTP
filename: ./net/ipv4/netfilter/ip_nat_quake3.o
kernel_version: 2.4.31
author: Filip Sneppe
description: Netfilter NAT helper for Quake III Arena
license: GPL
parm_ports: 1-8i
parm_desc_ports:port numbers of Quake III master servers
filename: ./net/ipv4/netfilter/ip_nat_tftp.o
kernel_version: 2.4.31
author: Magnus Boden
description: Netfilter NAT helper for tftp
license: GPL
parm_ports: 1-8i
parm_desc_ports:port numbers of tftp servers
filename: ./net/ipv4/netfilter/ip_conntrack.o
kernel_version: 2.4.31
license: GPL
kernel_version: 2.4.31
parm_hashsize: i
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/ip_conntrack_ftp.o
kernel_version: 2.4.31
parm_ports: 1-8i
parm_loose: i
license: GPL
filename: ./net/ipv4/netfilter/ip_conntrack_irc.o
kernel_version: 2.4.31
author: Harald Welte
description: IRC (DCC) connection tracking module
license: GPL
parm_ports: 1-8i
parm_desc_ports:port numbers of IRC servers
parm_max_dcc_channels:i
parm_desc_max_dcc_channels:max number of expected DCC channels per IRC session
parm_dcc_timeout:i
parm_desc_dcc_timeout:timeout on for unestablished DCC channels
filename: ./net/ipv4/netfilter/ip_conntrack_h323.o
kernel_version: 2.4.31
author: Jozsef Kadlecsik
description: H.323 'brute force' connection tracking module
license: GPL
filename: ./net/ipv4/netfilter/ip_conntrack_proto_gre.o
kernel_version: 2.4.31
license: GPL
author: Harald Welte
description: netfilter connection tracking protocol helper for GRE
filename: ./net/ipv4/netfilter/ip_conntrack_pptp.o
kernel_version: 2.4.31
license: GPL
author: Harald Welte
description: Netfilter connection tracking helper module for PPTP
filename: ./net/ipv4/netfilter/ip_conntrack_quake3.o
kernel_version: 2.4.31
author: Filip Sneppe
description: Netfilter connection tracking module for Quake III Arena
license: GPL
parm_ports: 1-8i
parm_desc_ports:port numbers of Quake III master servers
filename: ./net/ipv4/netfilter/ip_conntrack_tftp.o
kernel_version: 2.4.31
author: Magnus Boden
description: Netfilter connection tracking module for tftp
license: GPL
parm_ports: 1-8i
parm_desc_ports:port numbers of tftp servers
filename: ./net/ipv4/netfilter/nfnetlink_conntrack.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_MASQUERADE.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_REJECT.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_TCPMSS.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_REDIRECT.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_MARK.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_FTOS.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_NOTRACK.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_CONNMARK.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.o
kernel_version: 2.4.31
author: Fabrice MARIE
description: Strip all options in IPv4 packets
license: GPL
filename: ./net/ipv4/netfilter/ipt_TARPIT.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_SAME.o
kernel_version: 2.4.31
license: GPL
author: Martin Josefsson
description: iptables special SNAT module for consistent sourceip
filename: ./net/ipv4/netfilter/ipt_NETMAP.o
kernel_version: 2.4.31
license: GPL
author: Svenning Soerensen
description: iptables 1:1 NAT mapping of IP networks target
filename: ./net/ipv4/netfilter/ipt_TTL.o
kernel_version: 2.4.31
author: Harald Welte
description: IP tables TTL modification module
license: GPL
filename: ./net/ipv4/netfilter/ipt_limit.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_mac.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_mark.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_tos.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_connlimit.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_state.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_connmark.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/ipt_string.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/ipt_iprange.o
kernel_version: 2.4.31
license: GPL
author: Jozsef Kadlecsik
description: iptables arbitrary IP range match module
filename: ./net/ipv4/netfilter/ipt_dstlimit.o
kernel_version: 2.4.31
license: GPL
author: Harald Welte
description: iptables match for limiting per destination
filename: ./net/ipv4/netfilter/ipt_time.o
kernel_version: 2.4.31
author: Fabrice MARIE
description: Match arrival timestamp
license: GPL
filename: ./net/ipv4/netfilter/ipt_random.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_psd.o
kernel_version: 2.4.31
license: GPL
author: Dennis Koslowski
filename: ./net/ipv4/netfilter/ipt_nth.o
kernel_version: 2.4.31
license: GPL
author: Fabrice Marie
filename: ./net/ipv4/netfilter/ipt_ipv4options.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_addrtype.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_tcpmss.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_helper.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_connbytes.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_length.o
kernel_version: 2.4.31
author: James Morris
description: IP tables packet length matching module
license: GPL
filename: ./net/ipv4/netfilter/ipt_physdev.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_ulog.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/ipt_snif.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/ipt_PASSTHR.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/ipt_p2p.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/addrlist.o
kernel_version: 2.4.31
filename: ./net/ipv4/netfilter/ipt_prmark.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_PRMARK.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/netfilter/ipt_hsmark.o
kernel_version: 2.4.31
license: GPL
filename: ./net/ipv4/gre.o
kernel_version: 2.4.31
filename: ./net/ipv4/eogre.o
kernel_version: 2.4.31
filename: ./net/ath.o
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./net/a5212_pci.o
kernel_version: 2.4.31
filename: ./net/a5212.o
kernel_version: 2.4.31
filename: ./net/a5211.o
kernel_version: 2.4.31
filename: ./net/a5211_pci.o
kernel_version: 2.4.31
filename: ./net/prism.o
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./net/prism2_cs.o
kernel_version: 2.4.31
parm_irq_mask: i
filename: ./net/prism2_pci.o
kernel_version: 2.4.31
filename: ./net/aironet.o
kernel_version: 2.4.31
filename: ./net/anet-isa.o
kernel_version: 2.4.31
parm_io: i
filename: ./net/anet-pci.o
kernel_version: 2.4.31
filename: ./net/a5210.o
kernel_version: 2.4.31
filename: ./net/a5210_pci.o
kernel_version: 2.4.31
filename: ./misc/logfw.o
kernel_version: 2.4.31
filename: ./misc/trafflow.o
kernel_version: 2.4.31
filename: ./misc/ulog.o
kernel_version: 2.4.31
license: GPL
author: Harald Welte
description: IP tables userspace logging module
parm_nlbufsiz: i
parm_desc_nlbufsiz:netlink buffer size
parm_flushtimeout:i
parm_desc_flushtimeout:buffer flush timeout
filename: ./misc/snif.o
kernel_version: 2.4.31
filename: ./misc/logring.o
kernel_version: 2.4.31
filename: ./misc/panics.o
kernel_version: 2.4.31
parm_device: l
parm_slave: l
filename: ./misc/p2p.o
kernel_version: 2.4.31
filename: ./misc/btest.o
kernel_version: 2.4.31
filename: ./misc/wlan.o
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
kernel_version: 2.4.31
filename: ./pcmcia/arlan_cs.o
kernel_version: 2.4.31
parm_irq_mask: i
Interestingly, Harald Welte runs / is involved with the gpl-violations.org project.
(More so in the /misc/ directory, not other "standard" locations).
Googling for various filenames in there (such as trafflow), or strings from
certain modules (such as BUFFAILURE: 0 len frag (idx %u) or w_node_unblock:
SHIT, not blocked!!! from wlan.o, which I would expect from public source
code) didn't return anything useful. However, apparently, you can send them
some money, and they'll send you some media with the gpl sources they have.
I'm a bit unwilling to spend some money like that to verify if the modified
sources are available.
If you want, you can download the kernel and associated modules here.
If you find anything interesting, it'd be appreciated if you
let me know :)
Initial analysis of WinBox
Looking at the directory tree, we see some interesting files in the /mnt/mikro/home/web/winbox directory:
[box] $ ls -alFh
total 1.1M
drwxr-xr-x 2 root root 1.0K 2007-08-21 22:28 ./
drwxr-xr-x 7 root root 1.0K 2007-08-21 22:57 ../
-rw-r--r-- 1 root root 37 2007-08-10 19:59 00roteros.info
-rw-r--r-- 1 root root 32K 2007-08-10 20:05 advtool.dll
-rw-r--r-- 1 root root 36 2007-08-10 20:05 advtool.info
-rw-r--r-- 1 root root 40K 2007-08-10 20:09 dhcp.dll
-rw-r--r-- 1 root root 32 2007-08-10 20:09 dhcp.info
lrwxrwxrwx 1 root root 15 2007-08-21 22:28 index -> /ram/winbox.idx
-rw-r--r-- 1 root root 491K 2007-08-10 19:59 roteros.dll
-rw-r--r-- 1 root root 325K 2007-08-10 20:08 secure.dll
-rw-r--r-- 1 root root 36 2007-08-10 20:08 secure.info
-rw-r--r-- 1 root root 4.8K 2007-08-10 19:59 system.dll
-rw-r--r-- 1 root root 33 2007-08-10 19:59 system.info
-rwxr-xr-x 1 root root 35K 2007-08-10 19:59 winbox.exe*
-rw-r--r-- 1 root root 91K 2007-08-10 20:17 wlan2.dll
-rw-r--r-- 1 root root 34 2007-08-10 20:17 wlan2.info
Checking out the info files, we see:
[box] $ cat *info
1439693345 502314 roteros.dll 2.9.46
2665359431 32731 advtool.dll 2.9.46
845655727 40608 dhcp.dll 2.9.46
3039506695 332195 secure.dll 2.9.46
192902660 4849 system.dll 2.9.46
1703254547 93131 wlan2.dll 2.9.46
These appear to be a checksum (?), file size, filename, and DLL version.
Looking at the other files, we find the following information:
[box] $ file * | grep -v \\.info
advtool.dll: gzip compressed data, was "advtool.dll", from Unix, last modified: Fri Aug 10 20:05:57 2007
dhcp.dll: gzip compressed data, was "dhcp.dll", from Unix, last modified: Fri Aug 10 20:09:35 2007
index: broken symbolic link to `/ram/winbox.idx'
roteros.dll: gzip compressed data, was "roteros.dll", from Unix, last modified: Fri Aug 10 19:59:00 2007
secure.dll: gzip compressed data, was "secure.dll", from Unix, last modified: Fri Aug 10 20:08:43 2007
system.dll: gzip compressed data, was "system.dll", from Unix, last modified: Fri Aug 10 19:59:16 2007
winbox.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, UPX compressed
wlan2.dll: gzip compressed data, was "wlan2.dll", from Unix, last modified: Fri Aug 10 20:17:05 2007
Interestingly, the dll's have been gzip'd, and the executable has been compressed
with UPX, both probably in an attempt to save
disk space.
Gunzipping the dll's is relatively straightforward as well:
[box] $ gunzip -f s.dll
[box] $ file s.dll
s.dll: MS-DOS executable PE for MS Windows (DLL) (console) Intel 80386 32-bit
The executable can be easily decompressed via the upx -d command, as
follows:
[box] $ upx -d winbox.exe
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.01 Markus Oberhumer, Laszlo Molnar & John Reiser Jul 31st 2007
File size Ratio Format Name
-------------------- ------ ----------- -----------
94720 <- 35328 37.30% win32/pe winbox.exe
Unpacked 1 file.
Doing another quick cursory analysis of the WinBox executable provides some
interesting reading:
Note .crc %u %u %31s %15s loading %s pluging %s is damaged file truncated %d, expected=%d DLL %s ver=%s size=%u DLLLoader::fetch index .\%s linking %s lib %s loaded runEx lib %s not loaded error=%ld ... Could not connect to %s (port %u) - %s! index GET /winbox HTTP/1.0 GET /winbox/%s HTTP/1.0 getting %s bad request ... fetching %s could not request plugin %s! could not get %s: %s! rfile ... inflate 1.1.3 Copyright 1995-1998 Mark Adler -LIBGCCW32-EH-2-MINGW32
This makes me think they download and load the DLL files off the webserver at
run time, which would make it vulnerable to a man in the middle attack that
loads custom dll's on a victim's machine.
Interesting broadcast network traffic
22:22:47.633158 IP 192.168.254.2.rrac > 255.255.255.255.rrac: UDP, length 68
0x0000: 4500 0060 0000 4000 4011 7be2 c0a8 fe02
0x0010: ffff ffff 162e 162e 004c ba4d 0400 0000
0x0020: 0001 0006 5254 0012 3456 0005 0008 4d69
0x0030: 6b72 6f54 696b 0007 0006 322e 392e 3436
0x0040: 0008 0008 4d69 6b72 6f54 696b 000a 0004
0x0050: f800 0000 000b 0008 5a53 5a4e 2d32 3254
..
22:25:47.676826 CDPv1, ttl: 120s, Device-ID 'MikroTik', length 63
0x0000: aaaa 0300 000c 2000 0178 93d9 0001 000c
0x0010: 4d69 6b72 6f54 696b 0002 0011 0000 0001
0x0020: 0101 cc00 04c0 a8fe 0200 0400 0800 0000
0x0030: 0100 0500 0a32 2e39 2e34 3600 0600 0c4d
0x0040: 696b 726f 5469 6b
The first network packet looks interesting: it seems to be a tag / length
/ data style network protocol, as at various offsets:
- 0x2d is 0x08, and there are 8 bytes following it (4d69 6b72 6f54 696b being MikroTik).
- 0x43 is 0x08, and there are 8 bytes following it (4d69 6b72 6f54 696b being MikroTik).
- 0x57 is 0x08, and there are 8 bytes following it (5a53 5a4e 2d32 3254 being ZSZN-22T, which is the software license version, as viewable in the messages displayed when you log in).
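To see everything this unauthenticated broadcast announces to the local segment, the following added example (not part of the original article) walks the UDP payload of the first packet as tag / length / data records. It assumes, from the captured bytes, a 4-byte header followed by records with a 2-byte big-endian tag and a 2-byte big-endian length; the tags are printed as numbers because the article does not name them.

```python
import struct

# UDP payload of the broadcast shown above: offsets 0x1c-0x5f of the tcpdump
# hex, i.e. what follows the 20-byte IP header and the 8-byte UDP header.
CAPTURED_PAYLOAD = bytes.fromhex(
    "04000000"
    "00010006525400123456"
    "000500084d696b726f54696b"
    "00070006322e392e3436"
    "000800084d696b726f54696b"
    "000a0004f8000000"
    "000b00085a535a4e2d323254"
)

HEADER_LEN = 4  # assumption: the leading 04 00 00 00 is a fixed header


class TLVError(ValueError):
    """Raised when a record runs past the end of the payload."""


def parse_tlvs(payload):
    """Return [(tag, value_bytes), ...] for one discovery payload."""
    if len(payload) < HEADER_LEN:
        raise TLVError("payload shorter than the header")
    records = []
    pos = HEADER_LEN
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise TLVError(f"truncated record header at offset {pos}")
        tag, length = struct.unpack_from(">HH", payload, pos)
        pos += 4
        remaining = len(payload) - pos
        if length > remaining:
            # Never trust the length field: a parser that does is exactly the
            # kind of bug worth auditing the discover daemon for.
            raise TLVError(f"tag {tag} claims {length} bytes, {remaining} left")
        records.append((tag, payload[pos:pos + length]))
        pos += length
    return records


def describe(records):
    """Render values: printable ASCII as text, 6-byte values as a MAC, else hex."""
    out = {}
    for tag, value in records:
        if value and all(0x20 <= b < 0x7F for b in value):
            out[tag] = value.decode("ascii")
        elif len(value) == 6:
            out[tag] = ":".join(f"{b:02x}" for b in value)
        else:
            out[tag] = value.hex()
    return out


if __name__ == "__main__":
    for tag, text in describe(parse_tlvs(CAPTURED_PAYLOAD)).items():
        print(f"tag {tag:2d}: {text}")
```

Every value in the output (MAC address, device name, RouterOS version, license ID) is available to any host on the segment without authentication.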
The second packet looks like a standard cisco discovery protocol (CDP) packet.
Both packets are good news however; they provide us with network daemons to
audit for security issues. Performing a strings -f * | grep discovery on /mnt/mikro/nova/bin leads us to the discover binary, which we'll look at
later on for security issues.
[box] $ strings -f * | grep -i discovery
dhcp: BUG: TESTING state without storedDiscovery!
discover: discovery setting
discover: DISCOVERY: sendto failed
discover: DISCOVERY: send raw failed:
discover: failed discovery socket on:
discover: cannot enable raw discovery: no mac address
discover: failed raw discovery socket on:
Running strings on the discover binary shows that it is probably responsible for
processing the CDP packets as well.
Network ports open by default
Moving on to more active network attacks, we'll use nmap to identify the
services running on the machine.
[box] $ nmap -sS -A 192.168.254.2 -TInsane -oA /tmp/nmap -p 1-65535
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-25 08:17 EST
Interesting ports on 192.168.254.2:
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp MikroTik router ftpd 2.9.46
22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9 (protocol 1.99)
23/tcp open telnet Linux telnetd
80/tcp open http MikroTik router http config
2000/tcp open callbook?
3986/tcp open mapper-ws_ethd?
8291/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port2000-TCP:V=4.20%I=7%D=8/25%Time=46CF592D%P=i686-redhat-linux-gnu%r(
SF:NULL,4,"\x01\0\0\0")%r(GenericLines,4,"\x01\0\0\0")%r(GetRequest,18,"\x
SF:01\0\0\0\x02\0\0\0\xd3\xbew\xc0\x1f\x99\xedA\xfd\xa0\x0e\xc6>\x9a\xb3x"
SF:)%r(HTTPOptions,18,"\x01\0\0\0\x02\0\0\0\xa9\x9a\x8f\xba\xfc\xb6\xeaW\x
SF:7f\xbac!b\xfc\x98{")%r(RTSPRequest,18,"\x01\0\0\0\x02\0\0\0xM\xe7`\xe6\
SF:rNb\x82\xaer\xf3}\xcc6\xe1")%r(RPCCheck,18,"\x01\0\0\0\x02\0\0\0\x96#\x
SF:0b\xcd\xbej\xb2\xd9\xd7\xbf\x97\xda\xd4C\x8b=")%r(DNSStatusRequest,4,"\
SF:x01\0\0\0")%r(Help,4,"\x01\0\0\0")%r(X11Probe,4,"\x01\0\0\0")%r(FourOhF
SF:ourRequest,18,"\x01\0\0\0\x02\0\0\0<\xc3\xbde#\xf8\xe8\xd8l\xdf:Q\xdau%
SF:\x97")%r(LPDString,4,"\x01\0\0\0")%r(LDAPBindReq,4,"\x01\0\0\0")%r(LAND
SF:esk-RC,4,"\x01\0\0\0")%r(TerminalServer,4,"\x01\0\0\0")%r(NotesRPC,18,"
SF:\x01\0\0\0\x02\0\0\0fu\x9d\x8f\+2\x80}y\xe5\x99\xfa\xf8\xea_\x85")%r(Ne
SF:ssusTPv10,4,"\x01\0\0\0");
MAC Address: 52:54:00:12:34:56 (QEMU virtual NIC)
Device type: general purpose|WAP|storage-misc
Running: Linux 2.4.X, Linksys Linux 2.4.X, Asus Linux 2.4.X, Maxtor Linux 2.4.X
OS details: Linux 2.4.18-10 (Red Hat 7.3), Linux 2.4.20 - 2.4.32, Linux-based embedded device (Linksys WRT54GL WAP, Buffalo AirStation WLA-G54 WAP, Maxtor Shared Storage Drive, or Asus Wireless Storage Router)
Uptime: 0.004 days (since Sat Aug 25 08:14:28 2007)
Network Distance: 1 hop
Service Info: Host: MikroTik; OS: Linux; Device: router
Even more services to be analysed. There are probably a bunch more udp services
as well that can be analysed. The more software running on this the better it
is for attackers, as they most likely only need one security hole to get a
foothold on a network.
Experimenting with WinBox
Overview
So far we've identified a potential issue regarding the WinBox software, where
it vaguely looks like it will download dll's off the router, and load them
into the process, possibly via HTTP.
We can use Wine to run the WinBox software in /mnt/mikro/home/web/winbox/ (as I mostly use linux, and didn't want to
emulate Windows for this article) and run a network sniffer (most likely tcpdump to log, and WireShark for analysis) to identify what traffic is being
sent across the network, and what we can do with it.
For the purposes of this article, 192.168.254.2 is the MikroTik router,
and 192.168.254.1 is the analysis environment.
The Winbox software was configured to connect to 192.168.254, with an
(invalid) username and password pair of blah and blah.
When the Winbox software is told to connect to the remote host, as expected,
it first asks the remote server (without any authentication) for a list of
DLL's, and proceeds to download those files, and load them into the remote
process.
Network protocol analysis
After the three way handshake, the client sends the below packet:
Client -> Server
Packet data starts at 0x42
0000 52 54 00 12 34 56 00 ff fb 19 fe 96 08 00 45 00 RT..4V.. ......E.
0010 00 48 ca 02 40 00 40 06 f3 57 c0 a8 fe 01 c0 a8 .H..@.@. .W......
0020 fe 02 df 5e 20 63 d0 21 ad 27 f4 36 ac c8 80 18 ...^ c.! .'.6....
0030 00 2e 82 f3 00 00 01 01 08 0a 1d e3 67 2a 00 00 ........ ....g*..
0040 7b 4d 12 02 69 6e 64 65 78 00 00 00 00 00 00 00 {M..inde x.......
0050 ff ed 00 00 00 00
The first byte of the packet (offset of 0x42) appears to be the length of the packet (0x12 being 18 bytes,
and where 0x55 - 0x43 equals 18). The second byte of the packet is 0x02,
which probably indicates what type of packet it is. After that, there appears to
be an ASCIIZ encoding of index. So far, the rest of the
packet doesn't mean much, but more will make sense as we attempt to decode it.
Looking at the response from the server (to the client):
Server -> Client
Packet data starts at 0x42
0000 00 ff fb 19 fe 96 52 54 00 12 34 56 08 00 45 00 ......RT ..4V..E.
0010 01 18 d7 86 40 00 40 06 e5 03 c0 a8 fe 02 c0 a8 ....@.@. ........
0020 fe 01 20 63 df 5e f4 36 ac c8 d0 21 ad 3b 80 18 .. c.^.6 ...!.;..
0030 16 a0 b5 72 00 00 01 01 08 0a 00 00 7b 4d 1d e3 ...r.... ....{M..
0040 67 2a e2 02 69 6e 64 65 78 00 00 00 00 00 00 01 g*..inde x.......
0050 00 d0 00 00 00 00 31 34 33 39 36 39 33 33 34 35 ......14 39693345
0060 20 35 30 32 33 31 34 20 72 6f 74 65 72 6f 73 2e 502314 roteros.
0070 64 6c 6c 20 32 2e 39 2e 34 36 0a 32 36 36 35 33 dll 2.9. 46.26653
0080 35 39 34 33 31 20 33 32 37 33 31 20 61 64 76 74 59431 32 731 advt
0090 6f 6f 6c 2e 64 6c 6c 20 32 2e 39 2e 34 36 0a 38 ool.dll 2.9.46.8
00a0 34 35 36 35 35 37 32 37 20 34 30 36 30 38 20 64 45655727 40608 d
00b0 68 63 70 2e 64 6c 6c 20 32 2e 39 2e 34 36 0a 33 hcp.dll 2.9.46.3
00c0 30 33 39 35 30 36 36 39 35 20 33 33 32 31 39 35 03950669 5 332195
00d0 20 73 65 63 75 72 65 2e 64 6c 6c 20 32 2e 39 2e secure. dll 2.9.
00e0 34 36 0a 31 39 32 39 30 32 36 36 30 20 34 38 34 46.19290 2660 484
00f0 39 20 73 79 73 74 65 6d 2e 64 6c 6c 20 32 2e 39 9 system .dll 2.9
0100 2e 34 36 0a 31 37 30 33 32 35 34 35 34 37 20 39 .46.1703 254547 9
0110 33 31 33 31 20 77 6c 61 6e 32 2e 64 6c 6c 20 32 3131 wla n2.dll 2
0120 2e 39 2e 34 36 0a .9.46.
Looking at the first byte of the packet (0xe2) we see that it is 226 bytes
long. The second byte of the packet is 0x02, which is the same as the first
packet. At 0x4f there is a 0x01; in the first packet it is a 0x00, so this may
indicate it is a reply to the packet. The 0xd0 at 0x51 may possibly be a
length of the data indicator. The rest of the packet looks familiar, from when
we originally/briefly investigated the Winbox files. Going back to the *.info
files, we see:
[box] $ cat *info | wc -c
208
[box]$ printf "%02x\n" 208
d0
So the 0xd0 at 0x51 seems to (at least) indicate the length of the
data. So far, so good.
Moving onto the next packet from the server, we see:
Client -> Server:
Packet data starts at 0x42:
0000 52 54 00 12 34 56 00 ff fb 19 fe 96 08 00 45 00 RT..4V.. ......E.
0010 00 48 ca 04 40 00 40 06 f3 55 c0 a8 fe 01 c0 a8 .H..@.@. .U......
0020 fe 02 df 5e 20 63 d0 21 ad 3b f4 36 ad ac 80 18 ...^ c.! .;.6....
0030 00 36 2a e5 00 00 01 01 08 0a 1d e3 67 2d 00 00 .6*..... ....g-..
0040 7b 4d 12 02 72 6f 74 65 72 6f 73 2e 64 6c 6c 00 {M..rote ros.dll.
0050 ff ed 00 00 00 00
Another packet with length / tag information, and another file download. The
file name appears to be misspelt (roteros.dll versus routeros.dll), which
would seem to indicate the filename field is of fixed length. We still don't
have much more information regarding the bytes at 0x50 - 0x55.
Moving onto the response from the server (this should get more interesting, as
it's a more "dynamic" request, and presumably much larger):
Server -> Client
Packet data starts at 0x42:
0000 00 ff fb 19 fe 96 52 54 00 12 34 56 08 00 45 00 ......RT ..4V..E.
0010 05 dc d7 87 40 00 40 06 e0 3e c0 a8 fe 02 c0 a8 ....@.@. .>......
0020 fe 01 20 63 df 5e f4 36 ad ac d0 21 ad 4f 80 10 .. c.^.6 ...!.O..
0030 16 a0 30 af 00 00 01 01 08 0a 00 00 7b 4f 1d e3 ..0..... ....{O..
0040 67 2d ff 02 72 6f 74 65 72 6f 73 2e 64 6c 6c 01 g-..rote ros.dll.
0050 ff ed 00 00 00 00 1f 8b 08 08 e4 36 bc 46 00 03 ........ ...6.F..
0060 72 6f 74 65 72 6f 73 2e 64 6c 6c 00 e4 fd 0d 7c roteros. dll....|
0070 14 d5 d5 38 00 cf 26 4b b2 e2 62 16 58 35 6a d4 ...8..&K ..b.X5j.
0080 a8 51 a1 a0 26 1a 95 14 b0 21 61 93 a8 44 27 19 .Q..&... .!a..D'.
0090 f6 2b 31 09 2a da 35 45 8d 64 17 50 09 06 37 b1 .+1.*.5E .d.P..7.
00a0 8c e3 b4 54 c1 8f aa 15 95 b6 56 6d a5 16 11 15 ...T.... ..Vm....
00b0 35 92 3c 59 50 6c 11 d3 8a 82 1a 35 ea c5 c4 36 5..
00d0 e7 7d 7f 2f 3f cd ee ce dc 8f 73 cf 3d f7 7c dd .}./?... ..s.=.|.
00e0 73 cf ad ae 5b 2e 64 0a 82 60 87 ff 35 4d 10 d6 s...[.d. .`..5M..
00f0 0b fc 5f a9 f0 fd ff da e1 ff c3 8e 7f f6 30 61 .._..... ......0a
0100 ed 21 af 9e b0 de 36 eb d5 13 66 87 ae 6a cd 6f .!....6. ..f..j.o
0110 99 7f ed 4f e7 5f 7a 75 fe e5 97 5e 73 cd b5 e1 ...O._zu ...^s...
0120 fc cb ae c8 9f 1f b9 26 ff aa 6b f2 67 5e 2c e5 .......& ..k.g^,.
0130 5f 7d ed dc 2b 4e 1f 33 66 74 81 de 86 e8 11 84 _}..+N.3 ft......
0140 59 b6 d1 ff ff c2 c0 39 1b 2a 8c 76 fb 85 c3 4e Y......9 .*.v...N
0150 3a d4 96 31 45 c8 ca 11 84 39 e3 05 e1 38 78 e8 :..1E... .9...8x.
0160 d2 ff cf cf 11 e8 1b 7e cf e0 70 db 74 f8 e9 df .......~ ..p.t...
0170 f0 78 fa 91 3b 77 3c 8d 0b 2a f0 7a f8 c7 c5 8b .x..;w<. .*.z....
0180 d0 47 cb 58 61 ff 95 d8 d9 58 61 2d b6 2f 8c 13 .G.Xa... .Xa-./..
0190 da 3f 4f 37 ca f1 02 7b ef 20 90 f1 03 ff 9d 1e .?O7...{ . ......
01a0 be 62 51 18 3e 99 3d 87 03 84 63 b5 5b cb cc 81 .bQ.>.=. ..c.[...
01b0 ff 4e 9f 7b 69 f8 52 f8 3e 77 9c c0 c7 ee 86 cf .N.{i.R. >w......
01c0 d1 39 96 72 a5 82 d0 75 fa e5 e1 6b e7 b7 ea 4d .9.r...u ...k...M
01d0 94 e6 10 6e 84 e3 d2 94 9b 6b 2a 27 ea e5 f2 d3 ...n.... .k*'....
01e0 94 9b cf 3b de fe 3e 60 77 0e bc 1f 80 cf 13 53 ...;..>` w......S
01f0 ca 95 9e 7e 59 6b 2b fd 38 16 db 1b 9b 76 ac ed ...~Yk+. 8....v..
0200 d8 de 15 bc 3d c2 39 e0 5e 08 e1 98 ad e5 a9 bd ....=.9. ^.......
0210 ab 78 39 9a 13 98 1b 9c 3e e1 9a 94 72 00 5f eb .x9..... >...r._.
0220 fc cb b1 6d 9a 33 40 ce 97 f0 f1 8b 74 e5 ae 98 ...m.3@. ....t...
0230 77 2d 14 e4 73 08 b4 f1 3e 7c dc 3c 2e b9 5c 59 w-..s... >|.<..\Y
0240 5a c0 ff ff ff ff e0 9f 57 fe d0 ef 93 a2 43 4e Z....... W.....CN
0250 a5 cd 19 d5 6c 39 1d 8f c1 43 79 71 81 5d 69 70 ....l9.. .Cyq.]ip
0260 29 d5 0e f9 92 02 87 ec 2c 60 67 7c 31 4a 90 7b )....... ,`g|1J.{
0270 a1 18 96 59 b1 b1 a8 ab 73 77 ce 8a ae ce 8d e1 ...Y.... sw......
0280 7a e5 70 98 76 57 e7 b6 b0 47 39 d6 05 df 06 c7 z.p.vW.. .G9.....
0290 2c 37 ff 8b 0e da 4b 5e 9f 7f 94 92 d9 d9 15 fe ,7....K^ ........
02a0 42 db ca 4b d3 c3 d6 41 35 7c 8a 20 bb 0b 58 60 B..K...A 5|. ..X`
02b0 47 b6 50 b4 4d a6 57 31 3b 71 06 56 0c cf 3a b5 G.P.M.W1 ;q.V..:.
02c0 88 cb 68 3e 52 51 b4 9b ca 0f ab 57 7c 59 df d8 ..h>RQ.. ...W|Y..
02d0 d4 b0 d1 29 e0 6f 28 df 6e 94 7f 98 8a 76 85 e7 ...).o(. n....v..
02e0 c5 68 68 0f 23 38 ec c2 ee 6c 81 fd 63 63 b6 b0 .hh.#8.. .l..cc..
02f0 eb 14 4d d3 96 73 20 d5 05 82 ba e1 54 2c 74 10 ..M..s . ....T,t.
0300 f0 15 69 6c dd 5b d9 82 3c dd 0c df 0a 78 b2 eb ..il.[.. <....x..
0310 5a 68 91 3d 0a df 62 82 13 1e 16 75 ed 6a 82 27 Zh.=..b. ...u.j.'
0320 ea 3a 2c a1 b7 ef 7d 16 fb 93 3f 8c 0e e5 3e 83 .:,...}. ..?...>.
0330 f5 15 8f 43 9e 0d 38 9d 55 60 97 ed 05 6c 3a 54 ...C..8. U`...l:T
0340 de 1c dd 6b 3b ff ff aa ab 9b 57 f3 3e 13 2f ff ...k;... ..W.>./.
0350 ac 51 7e 56 01 d6 a1 f2 63 b0 7c b7 09 bf 5e 2c .Q~V.... c.|...^,
0360 ea 60 2b fb b2 11 15 ab 66 8c 75 ad cf c7 06 66 .`+..... f.u....f
0370 16 d8 d9 9a 1e 2c ac ae 3d c5 0c 0f 95 d7 8b b2 .....,.. =.......
0380 c6 de a4 e6 b0 3d e8 b2 e1 a1 52 68 a4 1b 7f e5 .....=.. ..Rh....
0390 ac 1b 85 df 1b ba e3 ef a5 66 27 fb 9f 37 b3 85 ........ .f'..7..
03a0 ba 98 f0 c8 52 97 4b ee 56 4b ed 5a c4 21 b2 f7 ....R.K. VK.Z.!..
03b0 4f cb 10 82 b1 72 07 f6 13 90 b7 2b 0d df 6e ee O....r.. ...+..n.
03c0 86 f2 ec 94 c3 04 41 71 61 11 ad b6 60 33 b5 ca ......Aq a...`3..
03d0 c6 99 9e e5 e3 b3 a2 2e f9 43 24 44 97 12 71 28 ........ .C$D..q(
03e0 0d ce e8 12 a7 10 29 eb dc 11 ce 56 32 25 4d 74 ......). ...V2%Mt
03f0 04 14 9f 13 88 2c 5b c9 a8 d5 44 67 40 6e 74 aa .....,[. ..Dg@nt.
0400 0d 4c 62 af 1d 92 21 28 59 72 5e 01 90 4a 68 9c .Lb...!( Yr^..Jh.
0410 b0 5f f0 69 e2 6c 89 2d 38 12 20 59 8f 72 41 bd ._.i.l.- 8. Y.rA.
0420 62 6f 7d 63 03 f5 c9 5b 6f 70 28 e5 4e 98 6c cf bo}c...[ op(.N.l.
0430 54 8f 33 52 aa 46 98 8f dd 86 8d 64 ca c5 d4 c8 T.3R.F.. ...d....
0440 78 68 04 3a 9c a9 ff ff 48 ce 68 8f cb d4 65 ac xh.:.... H.h...e.
0450 1c e7 58 f0 b1 a3 a0 f1 00 35 3e 98 51 d4 a5 77 ..X..... .5>.Q..w
0460 c0 d7 11 c2 de 06 7d b8 b5 88 33 94 2d 68 0e 89 ......}. ..3.-h..
0470 65 9f 42 10 36 b8 a2 3d 4e b9 cd 29 43 89 aa 29 e.B.6..= N..)C..)
0480 3a 0d 6b ef 2d 1f b1 de df 4e 4e ad 37 cd 52 cf :.k.-... .NN.7.R.
0490 a7 44 5c 12 8c a7 d9 16 1a 25 68 00 d8 16 ac 52 .D\..... .%h....R
04a0 ee 80 0a a5 72 b9 43 0c 65 41 43 3e 76 0b 3c 85 ....r.C. eAC>v.<.
04b0 47 4a a6 0f 1a 87 91 4d 81 22 66 ac 24 b7 72 4b GJ.....M ."f.$.rK
04c0 da 56 4a 93 5a 99 66 6d 25 fd 18 0e 4d 33 86 aa .VJ.Z.fm %...M3..
04d0 83 18 fb eb 05 a9 f5 66 25 d7 83 c9 54 1b 06 a0 .......f %...T...
04e0 ba 5b 69 73 b0 4d d9 19 b8 00 50 9a 85 ec d4 c8 .[is.M.. ..P.....
04f0 2f 0a 08 62 9c 53 07 3d 68 a3 56 e1 51 49 85 3d /..b.S.= h.V.QI.=
0500 9c e3 0b 1d 22 68 f9 12 eb 3c 89 0f 2c 5b 82 fe ...."h.. .<..,[..
0510 fd 9a 18 90 d8 94 c3 f1 91 4b ef b0 3b de 5f 3e ........ .K..;._>
0520 74 d4 6c 03 e2 a4 1e fc 2c d7 45 55 8b b6 55 85 t.l..... ,.EU..U.
0530 1b 80 52 c7 35 0b d4 93 9f 69 39 19 82 9c 09 af ..R.5... .i9.....
0540 a2 6d 2e 21 3c 4d 8d ff ff f4 01 a4 3e f6 d7 7b .m.!..{
0550 80 8b 14 17 50 c7 7e 89 79 ec 54 7d 6a 83 2b 7c ....P.~. y.T}j.+|
0560 28 74 ee 62 2b ee cf 16 82 4d 12 5b 74 77 36 cc (t.b+... .M.[tw6.
0570 c3 7c f8 1b a8 7b 96 13 f1 97 f2 56 2b 2c b3 61 .|...{.. ...V+,.a
0580 ca 34 18 7a 24 17 6a e2 94 b0 3f ed d7 b4 98 67 .4.z$.j. ..?....g
0590 15 30 20 0d 80 8f b6 e5 09 72 2c 3c 4e d4 5a 81 .0 ..... .r,...xV
05c0 c9 de ed 9d db 64 cf 26 9d e4 1d 81 d0 6d 6e 07 .....d.& .....mn.
05d0 70 a0 4d aa b7 af 56 92 3d 3b 55 cf 5a 91 fd f8 p.M...V. =;U.Z...
05e0 d6 6c 41 f1 ac 45 9c 79 b7 cb .lA..E.y ..
OK… that's a lot of data. Starting from the packet start (0x42), we see:
0040 67 2d ff 02 72 6f 74 65 72 6f 73 2e 64 6c 6c 01 g-..rote ros.dll.
0050 ff ed 00 00 00 00 1f 8b 08 08 e4 36 bc 46 00 03 ........ ...6.F..
- 0x42: packet length? of the response, this would indicate 255 bytes.
- 0x43: packet type
- 0x44-0x4e: roteros.dll
- 0x4f: Indicates a response?
- 0x50-0x51: Still not sure what this is: static/indicator of some type?
- 0x52-0x55: Still not sure what this is?
- 0x56-onwards: this data looks familiar..
On a hunch / obvious sign, we check what the roteros.dll file contains:
[box] $ xxd roteros.dll | head 0000000: 1f8b 0808 e436 bc46 0003 726f 7465 726f .....6.F..rotero 0000010: 732e 646c 6c00 e4fd 0d7c 14d5 d538 00cf s.dll....|...8.. 0000020: 264b b2e2 6216 5835 6ad4 a851 a1a0 261a &K..b.X5j..Q..&. 0000030: 9514 b021 6193 a844 2719 f62b 3109 2ada ...!a..D'..+1.*. 0000040: 3545 8d64 1750 0906 37b1 8ce3 b454 c18f 5E.d.P..7....T.. 0000050: aa15 95b6 566d a516 1115 3592 3c59 506c ....Vm....5...}./?. 0000080: eece dc8f 73cf 3df7 7cdd 73cf adae 5b2e ....s.=.|.s...[. 0000090: 640a 8260 87ff 354d 10d6 0bfc 5fa9 f0fd d..`..5M...._...
So, we've got the start of the file in the network traffic. We still need to
identify some of the data in the packet. On another hunch, we check the
filesize of the roteros.dll:
[box] $ ls -alF roteros.dll
-rw-r--r-- 1 root root 502314 2007-08-10 19:59 roteros.dll
[box] $ printf "%02x\n" 502314
7aa2a
Ok, so far not so good. With not much else to go on, let's try and find the
next packet marker and go from there. However, just having the roteros.dll
available to us gives us a significant advantage: we have known plaintext to
work from.
Based on our network analysis so far, it should be at 0x44 + 0xff == 0x143.
Server -> Client
0130 5f 7d ed dc 2b 4e 1f 33 66 74 81 de 86 e8 11 84 _}..+N.3 ft......
0140 59 b6 d1 ff ff c2 c0 39 1b 2a 8c 76 fb 85 c3 4e Y......9 .*.v...N
Hmm, looking around in roteros.dll we see:
roteros.dll:
00000e0: 1f33 6674 81de 86e8 1184 59b6 d1c2 c039  .3ft......Y....9
00000f0: 1b2a 8c76 fb85 c34e 3ad4 9631 45c8 ca11  .*.v...N:..1E...
0000100: 8439 e305 e138 78e8 d2ff cfcf 11e8 1b7e  .9...8x........~
We can synchronize our network traffic from 0x136 to our roteros.dll file at
0xe0. The synchronization stops at 0x142 in the network stream, and
continues at 0x145. There are no breaks in the roteros.dll file between
0xec and 0xed.
This gives us the two bytes 0xff 0xff which would be another 255 byte block,
with a tag of 0xff, which would probably mean "continue from last packet
stream read in".
We have enough knowledge of the network protocol for what we've seen so far to
process the network stream, and decode it.
We take a look at the next client -> server protocol, looking for a PSH|ACK
from 192.168.254.2 to 192.168.254.1:
Client -> Server
Packet data starts at 0x42
0000 52 54 00 12 34 56 00 ff fb 19 fe 96 08 00 45 00 RT..4V.. ......E.
0010 00 48 ca 14 40 00 40 06 f3 45 c0 a8 fe 01 c0 a8 .H..@.@. .E......
0020 fe 02 df 5e 20 63 d0 21 ad 4f f4 37 af ad 80 18 ...^ c.! .O.7....
0030 01 f5 26 d2 00 00 01 01 08 0a 1d e3 67 78 00 00 ..&..... ....gx..
0040 7b 52 12 02 72 6f 74 65 72 6f 73 2e 64 6c 6c 00 {R..rote ros.dll.
0050 ff ed 00 00 ff ed ......
- 0x42: We see it is an 18 byte packet request
- 0x43: We see it is a file request
- 0x44-0x4e: Filename to download (roteros.dll).
- 0x4f: Request packet?
- 0x50-0x51: Total amount to send
- 0x52-0x53: Not sure just yet
- 0x54-0x55: seek() offset into file?
Having a look at the response to the client request, we see:
Server -> Client
Data packet starts at 0x42
0000 00 ff fb 19 fe 96 52 54 00 12 34 56 08 00 45 00 ......RT ..4V..E.
0010 05 dc d7 b5 40 00 40 06 e0 10 c0 a8 fe 02 c0 a8 ....@.@. ........
0020 fe 01 20 63 df 5e f4 37 af ad d0 21 ad 63 80 10 .. c.^.7 ...!.c..
0030 16 a0 41 ec 00 00 01 01 08 0a 00 00 7b 55 1d e3 ..A..... ....{U..
0040 67 78 ff 02 72 6f 74 65 72 6f 73 2e 64 6c 6c 01 gx..rote ros.dll.
0050 ff ed 00 00 ff ed 87 18 a9 ee 3f e8 98 43 af 88 ........ ..?..C..
0060 56 b4 e2 e5 51 3e 00 8d 74 8c 65 74 da 95 a0 88 V...Q>.. t.et....
0070 06 df c1 00 93 c6 e3 61 aa d9 2b a3 88 39 78 46 .......a ..+..9xF
0080 4d e3 b6 11 9a 46 59 48 d3 e0 aa 7b c7 63 61 4d M....FYH ...{.caM
0090 e3 8b 6d 61 4d 63 f0 d7 61 4d e3 ce 5b c2 9a c6 ..maMc.. aM..[...
00a0 15 8f 86 35 0d ff 86 09 9a 6a ba 11 c7 35 86 1f ...5.... .j...5..
00b0 3f 1b 37 3c 22 cd f0 b6 5d f2 a5 da 36 8b 67 8d ?.7<"... ]...6.g.
00c0 45 e3 fa f1 88 76 0d f0 76 b9 0a 63 b8 59 94 52 E....v.. v..c.Y.R
00d0 36 77 98 52 96 42 a8 24 d5 86 95 b2 1c 37 ea 3d 6w.R.B.$ .....7.=
00e0 11 ac de 68 8c c5 4a b5 44 8d 42 ea c1 2f 70 e5 ...h..J. D.B../p.
00f0 a2 14 da ea 51 6d 50 77 fc 69 bc 66 d4 fc 3f f8 ....QmPw .i.f..?.
0100 82 1a 41 eb 8f 7b 9c 3f 9b 58 7b e0 dc 5c f7 34 ..A..{.? .X{..\.4
0110 59 03 43 65 12 80 8a 40 19 bf 67 7c ac 25 2b 68 Y.Ce...@ ..g|.%+h
0120 a7 02 85 e9 c1 5c 83 72 02 87 5a c2 26 7c 81 81 .....\.r ..Z.&|..
0130 9f 13 c6 e2 65 29 30 e0 2e 69 8c e5 9b 77 e2 80 ....e)0. .i...w..
0140 9b 16 c5 ff ff c8 60 c0 06 57 1a 70 d3 fa 16 77 ......`. .W.p...w
0150 e8 3c 39 ca 06 59 1c bd e6 07 3f c7 f6 9c b1 e6 .<9..Y.. ..?.....
0160 3d cf c4 d4 3c e5 0c 35 f7 bb 46 a9 d9 31 7a cd =...<..5 ..F..1z.
0170 d3 3e c7 95 fd 8c 35 cf 8e ad f9 07 ab d1 43 56 .>....5. ......CV
0180 74 cd 59 c2 a0 6b 02 de 58 60 69 28 fe 95 c7 f4 t.Y..k.. X`i(....
0190 35 de 2c c1 ee 0b f7 dd 13 ff 46 ff bc fa 51 d6 5.,..... ..F...Q.
01a0 bb 8b 60 bd 7b e5 69 94 8d d2 e5 09 e1 bb d9 b1 ..`.{.i. ........
01b0 8b 9d 6c b7 e2 7a 27 58 68 b1 8b 8d 49 19 a9 23 ..l..z'X h...I..#
01c0 07 eb 08 aa e3 49 64 ce 3f 8e d7 54 94 e3 79 b6 .....Id. ?..T..y.
01d0 25 ca 3a 43 e4 db 5f e6 7d 82 a5 41 f8 42 8e e7 %.:C.._. }..A.B..
01e0 85 1d cc f0 6f ec 8c 78 1c 5c 27 22 c2 4d 09 08 ....o..x .\'".M..
01f0 37 df 97 d6 90 70 83 fb bb 28 7e 24 3e 1d 12 20 7....p.. .(~$>..
0200 7e fb 07 50 dd e5 78 92 6c fe f4 7b 10 5e e4 b3 ~..P..x. l..{.^..
0210 cb 86 89 35 25 36 b6 19 be 54 54 99 f7 d9 bf 68 ...5%6.. .TT....h
0220 88 f1 af cb 37 22 81 4e e1 6e a9 1f a4 01 d1 91 ....7".N .n......
0230 9d aa 2e 4a a3 77 cd a3 7f 8e e5 7f b7 ab 83 c2 ...J.w.. ........
0240 aa 76 8d 35 ff ff 76 0c a8 d3 a8 ce 12 a1 d4 34 .v.5..v. .......4
0250 ac 08 24 2e 77 10 2d 3f a5 3a 3e 6f f8 bc 55 ea ..$.w.-? .:>o..U.
0260 26 68 36 8d 8e 5f ef 67 df 0a bf e3 7b 63 f0 db &h6.._.g ....{c..
0270 ba fc 3b e3 57 fb d9 d8 f8 5d f7 d0 98 f8 65 7f ..;.W... .]....e.
0280 3b fc 4a 62 f1 1b ba ed 3b e3 f7 ce bf c6 c6 ef ;.Jb.... ;.......
0290 c3 ca 31 f1 db f1 af 6f 85 df 73 4f c5 e0 57 fa ..1....o ..sO..W.
02a0 dd f1 bb fa 0c f8 3d fb d8 98 f8 69 be 1d 7e d3 ......=. ...i..~.
02b0 62 f1 6b aa f9 ce f8 3d fa cf b1 f1 9b f8 c8 98 b.k....= ........
02c0 f8 2d fd e7 b7 c2 af f6 4f 31 f8 25 7e 77 fc 8e .-...... O1.%~w..
02d0 0f 8c 8d df 95 63 8f bf e6 81 28 fc c6 66 ad ef .....c.. ..(..f..
02e0 fc 31 06 bf ef df 36 9c a9 9f 99 4b 94 7f bb 5a .1....6. ...K...Z
02f0 ee 8c ad a5 a7 e6 bb d5 f2 65 80 96 c5 6f aa 65 ........ .e...o.e
0300 42 6c 2d d7 ac 38 43 2d 23 57 85 07 02 b4 a2 47 Bl-..8C- #W.....G
0310 2a 19 b1 32 fc 61 0f ae 3b 13 22 8a 50 91 45 5d *..2.a.. ;.".P.E]
0320 1c 54 35 e8 47 43 80 4a 24 62 dc 70 99 e1 f2 48 .T5.GC.J $b.p...H
0330 0d 28 64 44 4b 08 8b 9e 24 39 23 7c c7 26 b2 16 .(dDK... $9#|.&..
0340 0c 7d 1a 5a 0b ff ff b0 dc 37 ad 07 c6 3d a1 f5 .}.Z.... .7...=..
0350 e0 91 27 22 eb c1 af 76 8d b5 1e 78 f1 4b 59 ec ..'"...v ...x.KY.
0360 39 82 6c 07 a5 1f 54 7e 54 ed 25 9d 2b be b2 df 9.l...T~ T.%.+...
0370 05 38 8c fd d5 11 fa 1a be 79 16 ba 51 59 09 2d .8...... .y..QY.-
0380 6c 82 95 52 db 23 09 8d e6 e7 f4 9e 36 1d 39 68 l..R.#.. ....6.9h
0390 df 9b 25 ec 31 7b 12 f4 68 f4 39 6e 1e 7c ba ff ..%.1{.. h.9n.|..
03a0 a4 0e 6d a7 f4 79 e6 7d 9d 40 af 36 83 62 33 48 ..m..y.} .@.6.b3H
03b0 7e f4 38 f7 a6 f9 b9 41 69 a8 85 25 6e f8 07 7a ~.8....A i..%n..z
03c0 91 f3 f4 9a 31 0c cf d9 b5 71 8b 5c e3 02 e7 7b ....1... .q.\...{
03d0 86 f4 ae c9 81 b3 37 bc ae d1 9c d6 04 ce c2 e7 ......7. ........
03e0 d7 9a 40 3c 3e 83 1a cf 69 ad 92 13 34 fb 26 a2 ..@<>... i...4.&.
03f0 6b 97 21 83 f9 fe 47 a0 92 60 8a 6f f7 6a b3 25 k.!...G. .`.o.j.%
0400 a3 b9 fe 1a 8d 52 ae 35 6f 69 16 11 72 30 01 ed .....R.5 oi..r0..
0410 cc d9 8f 86 50 88 0b ce e6 49 08 46 63 54 ca 0d ....P... .I.FcT..
0420 f4 ed 9c 21 3a 81 e9 17 00 8a 52 0e 0d 99 ac b8 ...!:... ..R.....
0430 fb a2 32 26 4b 5d 8b 44 9b 43 b2 ef 66 6f ff 94 ..2&K].D .C..fo..
0440 07 4a a4 72 c1 63 ff ff 54 ce c1 d6 e2 da a3 af .J.r.c.. T.......
0450 dc dd af c7 c6 3e 37 1b 80 28 42 77 14 84 74 65 .....>7. .(Bw..te
0460 ee 1c 10 0a d8 f7 6a d4 03 e3 6e 91 20 e4 71 08 ......j. ..n. .q.
0470 f0 3b 70 55 a8 5c 7b 54 b9 54 b5 dc f1 9f a8 e5 .;pU.\{T .T......
0480 da 79 b9 07 ff a3 96 6b 17 a5 2f d8 e5 38 e9 fa .y.....k ../..8..
0490 ef 0f 11 43 d2 12 31 f6 03 31 a2 40 d5 53 c1 f1 ...C..1. .1.@.S..
04a0 27 d1 0d e6 b1 6a e8 02 af 43 cb 7b c6 db 6c de '....j.. .C.{..l.
04b0 22 b4 29 42 9b 58 c2 be 8f db f4 37 95 07 3e 8c ".)B.X.. ...7..>.
04c0 2a d9 40 25 d3 f1 66 93 e4 f7 1d 2b 33 7b 93 50 *.@%..f. ...+3{.P
04d0 61 d4 93 93 e5 fd 78 d9 ae 84 7d f4 00 a8 40 37 a.....x. ..}...@7
04e0 95 06 3e 8e 2a b7 83 ca 35 01 71 ab 7d c7 24 61 ..>.*... 5.q.}.$a
04f0 57 b9 d9 fb 31 ce 28 f7 0e f3 73 73 60 c0 28 75 W...1.(. ..ss`.(u
0500 7d e6 e7 8e 39 6c da 2f 4a d8 ba db a9 81 50 62 }...9l./ J.....Pb
0510 17 5b e7 98 a0 29 61 a9 b7 51 4a b0 70 87 bb ab .[...)a. .QJ.p...
0520 ff 0f 50 2e 0a f2 5e 82 fc d2 71 8c 24 0c 90 b7 ..P...^. ..q.$...
0530 01 4a 12 41 de 1a 82 dc 4d 84 93 00 f2 7e 67 08 .J.A.... M....~g.
0540 f2 36 36 20 21 e4 d3 ff ff 4e 15 f2 56 77 57 e0 .66 !... .N..VwW.
0550 e6 28 b0 bb 09 ac ff 18 91 48 12 36 57 bb ae 92 .(...... .H.6W...
0560 8e ab 10 85 76 15 a2 c8 6a 9c e1 ce 08 ba 37 b3 ....v... j.....7.
0570 4b 5d 78 ad 40 68 2f 17 d9 2e f8 52 ba d8 7d 28 K]x.@h/. ...R..}(
0580 28 ec 91 85 bd fd 83 a7 46 68 83 1b 06 78 14 56 (....... Fh...x.V
0590 10 0e 2d e8 42 60 87 cc 77 c2 12 8a 59 ff df d1 ..-.B`.. w...Y...
05a0 7f 52 d0 ec ad 1c 87 36 11 4d 34 cf 0a 4d 52 e1 .R.....6 .M4..MR.
05b0 7e ed 57 9e 3a ab 56 2a dc e6 2e 90 a1 44 ba 67 ~.W.:.V* .....D.g
05c0 5d b2 c6 8d 07 18 5f 3e 49 77 13 a4 36 91 3d bb ]....._> Iw..6.=.
05d0 0c 5e ab 92 ab 4a 03 d6 0e a1 4d 43 bd 19 5c 9d .^...J.. ..MC..\.
05e0 cc 6c 7c e4 e0 65 46 d0 75 93 .l|..eF. u.
From the start of the packet, we have:
0040 67 78 ff 02 72 6f 74 65 72 6f 73 2e 64 6c 6c 01 gx..rote ros.dll.
0050 ff ed 00 00 ff ed 87 18 a9 ee 3f e8 98 43 af 88 ........ ..?..C..
0060 56 b4 e2 e5 51 3e 00 8d 74 8c 65 74 da 95 a0 88 V...Q>.. t.et....
- 0x42: 255 byte packet
- 0x43: Request 0x02 (send file?)
- 0x44-0x4e: File name
- 0x4f: Response packet?
- 0x50-0x51: I think this is now the total length it is sending
- 0x52-0x53: Still not sure on this? Could be part of the offset size (see
  next breakdown).
- 0x54-0x55: I think this is the file offset for where it should start
  writing
[box] $ expr $((0xffff)) - $((0xffed))
18
Those 18 bytes can be accounted for by the file request/response structure overhead.
Looking at the next request from the client (PSH|ACK) at 192.168.254.1:
0000 52 54 00 12 34 56 00 ff fb 19 fe 96 08 00 45 00 RT..4V.. ......E.
0010 00 48 ca 1c 40 00 40 06 f3 3d c0 a8 fe 01 c0 a8 .H..@.@. .=......
0020 fe 02 df 5e 20 63 d0 21 ad 63 f4 38 b1 ae 80 18 ...^ c.! .c.8....
0030 01 f5 24 96 00 00 01 01 08 0a 1d e3 67 ab 00 00 ..$..... ....g...
0040 7b 57 12 02 72 6f 74 65 72 6f 73 2e 64 6c 6c 00 {W..rote ros.dll.
0050 ff ed 00 01 ff da ......
The only major difference we see so far is that it appears 0x52 to 0x55 is
a 32-bit index into the file from where to start reading/writing.
So far, we have a reasonably complete understanding of the network protocol
regarding transferring files, and this should be enough to test the loading of
arbitrary dll's into the winbox.exe process.
Proxying the network traffic
- First byte represents the length of the packet, starting at the third byte
  of the packet. We'll call this field "length" for now.
- The second byte represents the type of command it is. We'll call this field
  "command" for now.
- The rest of the packet represents the data of the packet.
- Currently, we know the command 0x02 relates to requesting files from the
  server. We'll call this SEND_FILE for the lack of a better term.
SEND_FILE data:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
0000 72 6f 74 65 72 6f 73 2e 64 6c 6c 00 ff ed 00 01
0010 ff da
- The first 0x00 to 0x0a bytes of the SEND_FILE data is the filename,
  in the above example, this is roteros.dll.
- The 0x0b byte seems to reflect the direction the request is being sent.
  When the WinBox.exe client is requesting a file, it is set to 0x00. When
  the server is responding to the request, the field is set to 0x01. We'll
  have to come back to this later on and see if it's possible to
  overwrite/append files. For the above example, we are requesting the file.
- 0x0c and 0x0d bytes: This is the size it is requesting to be sent.
  Stored in network endian format (big endian). The 0xff 0xed requests
  65517 bytes to be sent.
- The 0x0e-0x11 bytes represent the offset in the file to start from. In
  this case it indicates to start at an offset 0x01ffda, or 131034 bytes.
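As an added example (not the proxy code the article links to, and not MikroTik's own code), the framing and SEND_FILE layout listed above can be written as a small passive decoder for captured traffic. The names `reassemble` and `parse_send_file`, the rule that the first control byte ends the filename, and the constructed `RESPONSE` sample are assumptions made for illustration.

```python
import struct

CONTINUE = 0xFF   # tag the article reads as "continue from last packet stream read in"
SEND_FILE = 0x02  # the article's working name for command 0x02

def reassemble(stream: bytes):
    """Split a TCP payload into [length][tag][data] blocks and rejoin continuations.

    Returns a list of (command, data, truncated) tuples."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        length, tag = stream[pos], stream[pos + 1]
        chunk = stream[pos + 2:pos + 2 + length]
        truncated = len(chunk) < length      # capture ended inside this block
        if tag == CONTINUE and messages:
            cmd, data, _ = messages[-1]
            messages[-1] = (cmd, data + chunk, truncated)
        else:
            messages.append((tag, chunk, truncated))
        pos += 2 + length
    return messages

def parse_send_file(data: bytes) -> dict:
    """Decode SEND_FILE data: name, direction byte, 16-bit size, 32-bit offset."""
    # Assumption: the name is printable ASCII, so the first control byte
    # (0x00 request / 0x01 response) is taken as the direction field.
    end = next((i for i, b in enumerate(data) if b < 0x20), None)
    if end is None or len(data) < end + 7:
        raise ValueError("short or malformed SEND_FILE data")
    direction, size, offset = struct.unpack_from(">BHI", data, end)  # big endian
    return {
        "filename": data[:end].decode("ascii"),
        "is_response": direction == 0x01,
        "size": size,
        "offset": offset,
        "content": data[end + 7:],   # file bytes, present only in responses
    }

# Client request from the capture above (TCP payload from 0x42 onward).
REQUEST = bytes.fromhex("1202726f7465726f732e646c6c00ffed0001ffda")

# Constructed response: 18-byte header plus 600 filler bytes, split into
# 255-byte blocks the way the server responses in the capture are.
_body = b"roteros.dll\x01\xff\xed\x00\x00\x00\x00" + bytes(range(256)) * 2 + bytes(88)
RESPONSE = (b"\xff\x02" + _body[:255] + b"\xff\xff" + _body[255:510]
            + bytes([len(_body) - 510, 0xFF]) + _body[510:])
```

The `truncated` flag matters when decoding a single captured segment, because a block can be cut off by the end of the capture, as in the dumps above that end at 0x5e9.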
We'll start this work by writing a new simple proxy which will just look at
the length field/tag field, and pass it to the remote side. For ease of
implementation, we'll just point the WinBox client to the local IP address.
The proxy code can be found here, with the below
output displayed when we run it (after performing a quick find
~/.wine/drive_c/ -iname *wlan2* ; cd wine_path; rm *dll *crc).
--> Activity for fd 3
--> Connection from: ('192.168.254.1', 45335)
--> Activity for fd 4
--> In state ma