Quick Creds / Responder filling up LAN Turtle instantly.


Hi All,

I'm new to this forum, but not so new to hak5. I have been following the products and videos for a while. I recently got a LAN turtle. Obviously the LAN turtle's selling point is not its storage capacity, which is fine. However, after reading the forums and trying to understand the QuickCreds module, I notice when I install it the turtle instantly fills up to the point where I can't even start QuickCreds at all without it telling me there is no space on the device.

root@turtle:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    4.6M      4.3M    304.0K  94% /
/dev/root                10.3M     10.3M         0 100% /rom
tmpfs                    30.0M    600.0K     29.4M   2% /tmp
/dev/mtdblock3            4.6M      4.3M    304.0K  94% /overlay
overlayfs:/overlay        4.6M      4.3M    304.0K  94% /
tmpfs                   512.0K         0    512.0K   0% /dev

Is there any way around this? I tried to search the forums and other problem tickets that mentioned it, but was unable to find anything. If I'm misunderstanding something, I'm open to knowing what that may be. So far, I've had great luck getting OpenVPN to work and a couple of other modules, and I enjoy learning how they work.




I've had this exact issue as well.

Something to do with either responder or QuickCreds for sure.

I ended up having to put the turtle in recovery mode and flash to stock to get it fixed again. Big bummer.



Hello everyone,

First of all, let me thank all the folks and the community behind hak5.
I'm new to the forum, but I have been following hak5 and using the tools for several years now.

It seems the new version of the QuickCreds module eats up all the available space on the turtle by downloading its dependencies.
Basically git and Responder occupy most of the overlay space since summed up they are about 4.4 MB.

A possible solution I see is to modify the installation process, in order to avoid installing git and downloading Responder as git repository.
In order to do this I would download the Responder ZIP archive from GitHub (https://github.com/lgandx/Responder/archive/master.zip) to tmp, and extract it from there.
As of today the latest extracted master branch is approximately 2.1MB.
All the other dependencies need to be installed nevertheless, and I don't know if they are installed via git as well.

Long version
I saw the issue pointed out by @wutanglan as well.
At first sight it seemed to be an issue related to updating QuickCreds to the latest version, since I didn't have such problems with previous versions.
I started from a fresh manual install of the firmware, and the situation with the occupied space was the following:

root@turtle:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    4.6M    404.0K      4.2M   9% /
/dev/root                10.3M     10.3M         0 100% /rom
tmpfs                    30.0M     84.0K     29.9M   0% /tmp
/dev/mtdblock3            4.6M    404.0K      4.2M   9% /overlay
overlayfs:/overlay        4.6M    404.0K      4.2M   9% /
tmpfs                   512.0K         0    512.0K   0% /dev

After updating the turtle from the gui and downloading just the QuickCreds module the situation was the same.
When I configured the module so that it downloaded all the dependencies, the space situation was this one:

root@turtle:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    4.6M      4.3M    332.0K  93% /
/dev/root                10.3M     10.3M         0 100% /rom
tmpfs                    30.0M    608.0K     29.4M   2% /tmp
/dev/mtdblock3            4.6M      4.3M    332.0K  93% /overlay
overlayfs:/overlay        4.6M      4.3M    332.0K  93% /
tmpfs                   512.0K         0    512.0K   0% /dev

This is the occupied space on the /overlay partition

root@turtle:~# du -sh /overlay/*
3.6M	/overlay/etc
0	/overlay/root
2.4M	/overlay/usr

The occupied space for /overlay/usr/ is distributed in this way

root@turtle:~# du -sh /overlay/usr/*
945.0K	/overlay/usr/bin
996.0K	/overlay/usr/lib
218.5K	/overlay/usr/libexec
232.5K	/overlay/usr/sbin
17.5K	/overlay/usr/share
root@turtle:~# du -sh /overlay/usr/bin/*
924.5K	/overlay/usr/bin/git
0	/overlay/usr/bin/git-receive-pack
0	/overlay/usr/bin/git-shell
0	/overlay/usr/bin/git-upload-archive
0	/overlay/usr/bin/git-upload-pack
20.5K	/overlay/usr/bin/sleep
root@turtle:~# du -sh /overlay/usr/lib/*
0	/overlay/usr/lib/libsqlite3.so.0
513.0K	/overlay/usr/lib/libsqlite3.so.0.8.6
37.0K	/overlay/usr/lib/opkg
446.0K	/overlay/usr/lib/python2.7
root@turtle:~# du -sh /overlay/usr/libexec/*
218.5K	/overlay/usr/libexec/git-core
root@turtle:~# du -sh /overlay/usr/sbin/*
232.5K	/overlay/usr/sbin/screen

The occupied space for /overlay/etc/ is distributed in this way

root@turtle:~# du -sh /overlay/etc/*
21.0K	/overlay/etc/config
0	/overlay/etc/ethers
512	/overlay/etc/group
512	/overlay/etc/passwd
4.5K	/overlay/etc/rc.d
512	/overlay/etc/rc.local
512	/overlay/etc/screenrc
512	/overlay/etc/shadow
4.5K	/overlay/etc/ssh
3.5M	/overlay/etc/turtle
6.0K	/overlay/etc/uci-defaults
root@turtle:~# du -sh /overlay/etc/turtle/*
3.5M	/overlay/etc/turtle/Responder
0	/overlay/etc/turtle/autostart_modules
9.0K	/overlay/etc/turtle/modules
0	/overlay/etc/turtle/set_pass
root@turtle:~# du -sh /overlay/etc/turtle/Responder/*
2.0K	/overlay/etc/turtle/Responder/DumpHash.py
34.5K	/overlay/etc/turtle/Responder/LICENSE
10.0K	/overlay/etc/turtle/Responder/README.md
4.0K	/overlay/etc/turtle/Responder/Report.py
3.0K	/overlay/etc/turtle/Responder/Responder.conf
13.5K	/overlay/etc/turtle/Responder/Responder.py
4.0K	/overlay/etc/turtle/Responder/certs
26.5K	/overlay/etc/turtle/Responder/files
2.5K	/overlay/etc/turtle/Responder/fingerprint.py
0	/overlay/etc/turtle/Responder/logs
3.5K	/overlay/etc/turtle/Responder/odict.py
98.0K	/overlay/etc/turtle/Responder/packets.py
9.5K	/overlay/etc/turtle/Responder/poisoners
74.5K	/overlay/etc/turtle/Responder/servers
11.0K	/overlay/etc/turtle/Responder/settings.py
1.6M	/overlay/etc/turtle/Responder/tools
14.5K	/overlay/etc/turtle/Responder/utils.py
root@turtle:~# du -sh /overlay/etc/turtle/Responder/tools/*
4.5K	/overlay/etc/turtle/Responder/tools/BrowserListener.py
13.5K	/overlay/etc/turtle/Responder/tools/DHCP.py
2.0K	/overlay/etc/turtle/Responder/tools/DHCP_Auto.sh
2.5K	/overlay/etc/turtle/Responder/tools/FindSMB2UPTime.py
1.5K	/overlay/etc/turtle/Responder/tools/FindSQLSrv.py
10.5K	/overlay/etc/turtle/Responder/tools/Icmp-Redirect.py
1.5M	/overlay/etc/turtle/Responder/tools/MultiRelay
36.5K	/overlay/etc/turtle/Responder/tools/MultiRelay.py
10.0K	/overlay/etc/turtle/Responder/tools/RunFinger.py
14.0K	/overlay/etc/turtle/Responder/tools/SMBFinger
3.5K	/overlay/etc/turtle/Responder/tools/odict.py
root@turtle:~# du -sh /overlay/etc/turtle/Responder/tools/MultiRelay/*
86.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/RelayMultiCore.py
49.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/RelayMultiPackets.py
0	/overlay/etc/turtle/Responder/tools/MultiRelay/__init__.py
1.3M	/overlay/etc/turtle/Responder/tools/MultiRelay/bin
80.0K	/overlay/etc/turtle/Responder/tools/MultiRelay/creddump
0	/overlay/etc/turtle/Responder/tools/MultiRelay/relay-dumps
root@turtle:~# du -sh /overlay/etc/turtle/Responder/tools/MultiRelay/bin/*
9.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/bin/Runas.exe
9.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/bin/Syssvc.exe
746.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/bin/mimikatz.exe
598.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/bin/mimikatz_x86.exe

Basically all the space of the turtle is occupied by: git, libsqlite3, python2.7, screen and Responder.
Git and Responder actually seem to be the more memory expensive parts, with the MultiRelay tool of Responder, which occupies half of its space.



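A size-budget check built from the df and du listings in the post above, as an added example that is not part of the original thread or of the QuickCreds module. The function names, the 256 KiB reserve and the use of the post's 2.1M ZIP figure as an installed size are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: size budget for /overlay, using figures quoted in the thread.
# awk helper: convert a BusyBox -h size (924.5K, 3.5M, bare bytes) to KiB.
KIB_FN='function kib(s,  n,u) { n = s + 0; u = substr(s, length(s));
  if (u == "K") return n; if (u == "M") return n * 1024;
  if (u == "G") return n * 1048576; return n / 1024 }
'
to_kib() { awk -v s="$1" "$KIB_FN"'BEGIN { printf "%.1f\n", kib(s) }'; }

# sum_kib REGEX: total KiB of "du -sh" lines (stdin) whose path matches REGEX.
sum_kib() { awk -v pat="$1" "$KIB_FN"'$2 ~ pat { t += kib($1) }
                                      END { printf "%.1f\n", t }'; }

# avail_kib MOUNT: "Available" column of "df -h" output (stdin) for MOUNT.
avail_kib() { awk -v m="$1" "$KIB_FN"'$NF == m { printf "%.1f\n", kib($4) }'; }

# fits FREE NEED [RESERVE]: succeed only if RESERVE KiB stay free afterwards.
# The 256 KiB default reserve is an assumption, not a figure from the thread.
fits() { awk -v f="$1" -v n="$2" -v r="${3:-256}" 'BEGIN { exit !(f - n >= r) }'; }

# Sample input: lines copied from the fresh-install df and the du listings above.
DF_FRESH='/dev/mtdblock3  4.6M  404.0K  4.2M  9% /overlay'
DU_SAMPLE='924.5K /overlay/usr/bin/git
218.5K /overlay/usr/libexec/git-core
3.5M /overlay/etc/turtle/Responder
513.0K /overlay/usr/lib/libsqlite3.so.0.8.6
446.0K /overlay/usr/lib/python2.7
232.5K /overlay/usr/sbin/screen'

free=$(echo "$DF_FRESH" | avail_kib /overlay)
git=$(echo "$DU_SAMPLE" | sum_kib '/git')
resp=$(echo "$DU_SAMPLE" | sum_kib '/Responder$')
all=$(echo "$DU_SAMPLE" | sum_kib '.')
# ZIP plan from the post: no git, Responder counted at the quoted 2.1M.
zip=$(awk -v a="$all" -v g="$git" -v r="$resp" -v z="$(to_kib 2.1M)" \
      'BEGIN { printf "%.1f\n", a - g - r + z }')

# In the thread, du totals (3.6M + 2.4M) exceed the 4.3M that df reports as
# used, so sums of du figures are a conservative upper bound.
echo "free=${free}K git=${git}K clone-plan=${all}K zip-plan=${zip}K"
fits "$free" "$all" && echo "clone plan: ok" || echo "clone plan: over budget"
fits "$free" "$zip" && echo "zip plan: ok"   || echo "zip plan: over budget"
```

Run on the device before installing a module, with `df -h` and `du -sh` piped in instead of the sample strings, the same functions show whether a plan leaves headroom on the overlay.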

I just checked in the module source code (/etc/turtle/modules/QuickCreds) and it seems Responder is the only resource installed via git.
So skipping the git installation and downloading the ZIP archive (given that tar is installed on the system) should be just fine.

Of course the update process would be less optimized, since instead of doing git pull in the Responder directory we need to download the ZIP archive again.




Thanks for following up @0st1x - I am in the process of getting to know git, so I like your thought process behind that workaround and will definitely give it a try. With most issues I've had so far with the turtle, I've noticed that with some simple script modifications, there usually lies a workaround. I don't want to re-invent the wheel, as I'm sure a lot of these workarounds have been covered on this board so far. I will share one I had, for example.

* Open VPN for example. 

* I noticed the /etc/turtles/modules/OpenVPN file's openvpn syntax by default is `openvpn --daemon --config my-vpn.conf `

* That syntax did not work for my personal setup. 

* For my Open VPN connection, I had to specify all of the proper Open VPN flags and do so inside the script as such. (Also, I had to make the module 'cd' into the /etc/openvpn directory.)

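function start {
  # Only start when the config file exists and is not empty
  if [ -s /etc/openvpn/my-vpn.conf ]; then
    #/etc/init.d/openvpn start
    #/usr/sbin/openvpn --daemon --config /etc/openvpn/my-vpn.conf
    # --ifconfig and --route each take arguments; they are omitted as posted
    cd /etc/openvpn ; openvpn --config my-vpn.conf --ifconfig --route
  fi
}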

In my experience, having the turtle so far has taught me a lot about scripting and how to have proper use cases for modification. 

