
Quick Creds / Responder filling up LAN Turtle instantly.



Hi All,

I'm new to this forum, but not so new to hak5. I have been following the products and videos for a while. I recently got a LAN turtle. Obviously the LAN turtle's selling point is not its storage capacity, which is fine. However, after reading the forums and trying to understand the QuickCreds module, I notice when I install it the turtle instantly fills up to the point where I can't even start QuickCreds at all without it telling me there is no space on the device.

root@turtle:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    4.6M      4.3M    304.0K  94% /
/dev/root                10.3M     10.3M         0 100% /rom
tmpfs                    30.0M    600.0K     29.4M   2% /tmp
/dev/mtdblock3            4.6M      4.3M    304.0K  94% /overlay
overlayfs:/overlay        4.6M      4.3M    304.0K  94% /
tmpfs                   512.0K         0    512.0K   0% /dev

Is there any way around this? I tried to search the forums and other problem tickets that mentioned it, but was unable to find anything. If I'm misunderstanding something I'm open to know what that may be. So far, I've had great luck getting OpenVPN to work and a couple other modules and enjoy learning how they work.



Hello everyone,

First of all let me thank all the folks and the community behind hak5.
I'm new to the forum, but I have followed hak5 and used the tools for several years now.

It seems the new version of the QuickCreds module eats up all the available space on the turtle by downloading its dependencies.
Basically git and Responder occupy most of the overlay space, since summed up they are about 4.4 MB.

A possible solution I see is to modify the installation process, in order to avoid installing git and downloading Responder as a git repository.
In order to do this I would download the Responder ZIP archive from GitHub (https://github.com/lgandx/Responder/archive/master.zip) to tmp, and extract it from there.
As of today the latest extracted master branch is approximately 2.1MB.
All the other dependencies need to be installed nevertheless, and I don't know if they are installed via git as well.

Long version
I saw the issue pointed out by @wutanglan as well.
At first sight it seemed to be an issue related to updating QuickCreds to the latest version, since I didn't have such problems with previous versions.
I started from a fresh manual install of the firmware, and the situation with the occupied space was the following:

root@turtle:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    4.6M    404.0K      4.2M   9% /
/dev/root                10.3M     10.3M         0 100% /rom
tmpfs                    30.0M     84.0K     29.9M   0% /tmp
/dev/mtdblock3            4.6M    404.0K      4.2M   9% /overlay
overlayfs:/overlay        4.6M    404.0K      4.2M   9% /
tmpfs                   512.0K         0    512.0K   0% /dev

After updating the turtle from the GUI and downloading just the QuickCreds module the situation was the same.
When I configured the module so that it downloaded all the dependencies the space situation was this:

root@turtle:~# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    4.6M      4.3M    332.0K  93% /
/dev/root                10.3M     10.3M         0 100% /rom
tmpfs                    30.0M    608.0K     29.4M   2% /tmp
/dev/mtdblock3            4.6M      4.3M    332.0K  93% /overlay
overlayfs:/overlay        4.6M      4.3M    332.0K  93% /
tmpfs                   512.0K         0    512.0K   0% /dev

This is the occupied space on the /overlay partition

root@turtle:~# du -sh /overlay/*
3.6M	/overlay/etc
0	/overlay/root
2.4M	/overlay/usr

The occupied space for /overlay/usr/ is distributed in this way

root@turtle:~# du -sh /overlay/usr/*
945.0K	/overlay/usr/bin
996.0K	/overlay/usr/lib
218.5K	/overlay/usr/libexec
232.5K	/overlay/usr/sbin
17.5K	/overlay/usr/share
root@turtle:~# du -sh /overlay/usr/bin/*
924.5K	/overlay/usr/bin/git
0	/overlay/usr/bin/git-receive-pack
0	/overlay/usr/bin/git-shell
0	/overlay/usr/bin/git-upload-archive
0	/overlay/usr/bin/git-upload-pack
20.5K	/overlay/usr/bin/sleep
root@turtle:~# du -sh /overlay/usr/lib/*
0	/overlay/usr/lib/libsqlite3.so.0
513.0K	/overlay/usr/lib/libsqlite3.so.0.8.6
37.0K	/overlay/usr/lib/opkg
446.0K	/overlay/usr/lib/python2.7
root@turtle:~# du -sh /overlay/usr/libexec/*
218.5K	/overlay/usr/libexec/git-core
root@turtle:~# du -sh /overlay/usr/sbin/*
232.5K	/overlay/usr/sbin/screen

The occupied space for /overlay/etc/ is distributed in this way

root@turtle:~# du -sh /overlay/etc/*
21.0K	/overlay/etc/config
0	/overlay/etc/ethers
512	/overlay/etc/group
512	/overlay/etc/passwd
4.5K	/overlay/etc/rc.d
512	/overlay/etc/rc.local
512	/overlay/etc/screenrc
512	/overlay/etc/shadow
4.5K	/overlay/etc/ssh
3.5M	/overlay/etc/turtle
6.0K	/overlay/etc/uci-defaults
root@turtle:~# du -sh /overlay/etc/turtle/*
3.5M	/overlay/etc/turtle/Responder
0	/overlay/etc/turtle/autostart_modules
9.0K	/overlay/etc/turtle/modules
0	/overlay/etc/turtle/set_pass
root@turtle:~# du -sh /overlay/etc/turtle/Responder/*
2.0K	/overlay/etc/turtle/Responder/DumpHash.py
34.5K	/overlay/etc/turtle/Responder/LICENSE
10.0K	/overlay/etc/turtle/Responder/README.md
4.0K	/overlay/etc/turtle/Responder/Report.py
3.0K	/overlay/etc/turtle/Responder/Responder.conf
13.5K	/overlay/etc/turtle/Responder/Responder.py
4.0K	/overlay/etc/turtle/Responder/certs
26.5K	/overlay/etc/turtle/Responder/files
2.5K	/overlay/etc/turtle/Responder/fingerprint.py
0	/overlay/etc/turtle/Responder/logs
3.5K	/overlay/etc/turtle/Responder/odict.py
98.0K	/overlay/etc/turtle/Responder/packets.py
9.5K	/overlay/etc/turtle/Responder/poisoners
74.5K	/overlay/etc/turtle/Responder/servers
11.0K	/overlay/etc/turtle/Responder/settings.py
1.6M	/overlay/etc/turtle/Responder/tools
14.5K	/overlay/etc/turtle/Responder/utils.py
root@turtle:~# du -sh /overlay/etc/turtle/Responder/tools/*
4.5K	/overlay/etc/turtle/Responder/tools/BrowserListener.py
13.5K	/overlay/etc/turtle/Responder/tools/DHCP.py
2.0K	/overlay/etc/turtle/Responder/tools/DHCP_Auto.sh
2.5K	/overlay/etc/turtle/Responder/tools/FindSMB2UPTime.py
1.5K	/overlay/etc/turtle/Responder/tools/FindSQLSrv.py
10.5K	/overlay/etc/turtle/Responder/tools/Icmp-Redirect.py
1.5M	/overlay/etc/turtle/Responder/tools/MultiRelay
36.5K	/overlay/etc/turtle/Responder/tools/MultiRelay.py
10.0K	/overlay/etc/turtle/Responder/tools/RunFinger.py
14.0K	/overlay/etc/turtle/Responder/tools/SMBFinger
3.5K	/overlay/etc/turtle/Responder/tools/odict.py
root@turtle:~# du -sh /overlay/etc/turtle/Responder/tools/MultiRelay/*
86.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/RelayMultiCore.py
49.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/RelayMultiPackets.py
0	/overlay/etc/turtle/Responder/tools/MultiRelay/__init__.py
1.3M	/overlay/etc/turtle/Responder/tools/MultiRelay/bin
80.0K	/overlay/etc/turtle/Responder/tools/MultiRelay/creddump
0	/overlay/etc/turtle/Responder/tools/MultiRelay/relay-dumps
root@turtle:~# du -sh /overlay/etc/turtle/Responder/tools/MultiRelay/bin/*
9.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/bin/Runas.exe
9.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/bin/Syssvc.exe
746.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/bin/mimikatz.exe
598.5K	/overlay/etc/turtle/Responder/tools/MultiRelay/bin/mimikatz_x86.exe

Basically all the space of the turtle is occupied by: git, libsqlite3, python2.7, screen and Responder.
Git and Responder actually seem to be the more memory expensive parts, with the MultiRelay tool of Responder occupying half of its space.



I just checked in the module source code (/etc/turtle/modules/QuickCreds) and it seems Responder is the only resource installed via git.
So skipping the git installation and downloading the ZIP archive (given that tar is installed on the system) should be just fine.

Of course the update process would be less optimized, since instead of doing git pull in the Responder directory we need to download the ZIP archive again.



Thanks for following up @0st1x - I am in the process of getting to know git so I like your thought process behind that workaround and will definitely give it a try. With most issues I've had so far with the turtle, I've noticed that with some simple script modifications, there usually lies a workaround. I don't want to re-invent the wheel as I'm sure a lot of these workarounds have been covered on this board so far. I will share one I had for example.

* Open VPN for example.

* I noticed the /etc/turtles/modules/OpenVPN file's openvpn syntax by default is `openvpn --daemon --config my-vpn.conf`

* That syntax did not work for my personal setup.

* For my Open VPN connection, I had to specify all of the proper Open VPN flags and do so inside the script as such (also, I had to specify the module to 'cd' into the /etc/openvpn directory).

function start {
  if [ -s /etc/openvpn/my-vpn.conf ]
  then
    #/etc/init.d/openvpn start
    #/usr/sbin/openvpn --daemon --config /etc/openvpn/my-vpn.conf
    # --ifconfig and --route each take arguments, which the post leaves out
    cd /etc/openvpn && openvpn --config my-vpn.conf --ifconfig --route
  fi
}

In my experience, having the turtle so far has taught me a lot about scripting and how to have proper use cases for modification. 


  • 1 year later...

The simplest way to have more space is to insert an SD card and move the system to it:


 MOVE SYSTEM TO sdcard     #

1. First run 


2. Format sdcard

# Extroot configuration
# How to use a storage device (usb or sata or sdcard or whatever) to expand your LEDE device's space in root filesystem, to install freely all the packages you need.

# Background Info

# In most supported devices, the LEDE firmware splits the internal storage in two partitions

# “root filesystem” (/), a highly-compressed read-only partition
# “overlay” (/overlay), a second partition that is writable
# The overlay partition is merged with the root filesystem using the overlayfs feature of linux kernel, showing a single “whole” read-write filesystem to applications.
# This way LEDE fits even in tiny amounts of internal storage (as low as 4 MiB), but still allows to write settings and install some packages in the writable partition without changing all linux programs used.
# Extroot works by setting another overlay partition in the external storage device, and during boot this new overlay partition will be mounted over the internal storage's overlay partition. This approach allows easy fallback in case the external storage device is removed, as your LEDE device will still have its own overlay partition and thus will load all configuration from there.
# Which means that it will behave exactly the same as just before you set up extroot.

# First Stage

# USE STEPS FOR Device > 8 MiB

# Devices > 8 MiB

# These devices should have enough space to install the packages we need. Remove all packages you have installed to add functionality, as they are only wasting space now. After you make the extroot you will have all space you need.

# From the command line interface write (on a single line):

opkg update && opkg install block-mount kmod-fs-ext4 kmod-usb-storage e2fsprogs kmod-usb-ohci kmod-usb-uhci fdisk

# This installs packages needed for a partition with ext4 filesystem (and doesn't install packages for f2fs filesystem).

# Risk-averse users may wish to create a custom image (as described in the previous section) containing these tools and especially the kernel modules that are consistent with the firmware kernel so that they are available in failsafe mode.

# Second Stage

# Connect with ssh to the device.
# See what partitions you have:

block info 

# /dev/mtdblock2: UUID="9fd43c61-c3f2c38f-13440ce7-53f0d42d" VERSION="4.0" MOUNT="/rom" TYPE="squashfs"
# /dev/mtdblock3: MOUNT="/overlay" TYPE="jffs2"
# /dev/sda1: UUID="fdacc9f1-0e0e-45ab-acee-9cb9cc8d7d49" VERSION="1.4" TYPE="f2fs"

# here we see mtdblock devices (partitions in internal flash memory), and a partition on /dev/sda1 that is on a usb flash drive (in the example it is already formatted as f2fs)

# We now first format the external drive as f2fs or ext4.

# For f2fs:

# -------------------
3. If necessary     #
# -------------------

mkfs.f2fs /dev/sda1

For ext4:

mkfs.ext4 /dev/sda1

# -----------------------------------------------------------------------------------
4. Then we transfer the content of the current overlay inside the external drive    #
# -----------------------------------------------------------------------------------

mount /dev/sda1 /mnt ; tar -C /overlay -cvf - . | tar -C /mnt -xf - ; umount /mnt

# -----------------------------------
5. Generate fstab automatically     #
# -----------------------------------

# Now we create automatically the fstab uci subsystem and fill it with the right configuration to have /dev/sda1 as new overlay

block detect > /etc/config/fstab; \
   sed -i s/option$'\t'enabled$'\t'\'0\'/option$'\t'enabled$'\t'\'1\'/ /etc/config/fstab; \
   sed -i s#/mnt/sda1#/overlay# /etc/config/fstab; \
   cat /etc/config/fstab;
# If you have a swap partition it will also get recognized and added automatically.

# It looks like this

This is an example of /etc/config/fstab configured to automount /overlay /data and swap partitions.
config 'global'
        option  anon_swap       '0'
        option  anon_mount      '0'
        option  auto_swap       '1'
        option  auto_mount      '1'
        option  delay_root      '5'
        option  check_fs        '0'
config 'mount'
        option  target  '/overlay'
        option  uuid    'c91232a0-c50a-4eae-adb9-14b4d3ce3de1'
        option  fstype  'ext4'
        option  enabled '1'
config 'swap'
        option  uuid    '08b4f0a3-f7ab-4ee1-bde9-55fc2481f355'
        option  enabled '1'
config 'mount'
        option  target  '/data'
        option  uuid    'c1068d91-863b-42e2-bcb2-b35a241b0fe2'
        option  enabled '1'

# as you see, most options are self-explaining.

# -----------
6. Verify     #
# -----------

# let's try manually mounting to see if everything is OK

mount /dev/sda1 /overlay 

# now we see mount point sizes:

df -h

# this is an example output:

# Filesystem           1K-blocks      Used Available Use% Mounted on
# rootfs                     896       244       652  27% /
# /dev/root                 2048      2048         0 100% /rom
# tmpfs                    14708        64     14644   0% /tmp
# /dev/mtdblock6         7759872    477328   7221104   6% /overlay
# overlayfs:/overlay         896       244       652  27% /
# tmpfs                      512         0       512   0% /dev
# /dev/sda1              7759872    477328   7221104   6% /overlay
# Note that only /overlay has grown but not the /

# ---------------
7. Final steps     #

# Reboot the LAN TURTLE

# Verify that the partitions were mounted properly:

df -h


  • 2 weeks later...
On 6/30/2018 at 9:10 AM, Just_a_User said:

maybe try using SSHFS and point responder to dump into that?

imho the problem is more that there is no warning about responder's space requirements while installing


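The extroot verification step and the remark that nothing warns about Responder's space requirements both come down to checking what backs /overlay and how much is free before installing. The script below is an added example, not code from any poster or from the QuickCreds module; the function names, the 256K margin and the sample `df -k` text are assumptions constructed from the figures in this thread.

```shell
#!/bin/sh
# Added example: pre-install space check for /overlay, fed with `df -k` text on stdin.

# Print "<device> <available_kb>" for mount point $1. When two rows share the
# mount point (internal flash plus a manually mounted extroot), the last row,
# which is the mount on top, is the one reported.
overlay_status() {
    awk -v mp="$1" '
        NR > 1 && $NF == mp { dev = $1; avail = $4 }
        END { if (dev == "") exit 1; print dev, avail }'
}

# usage: df -k | can_install <need_kb> [margin_kb]
# Returns 0 if need + margin fits, 1 if it does not, 2 if /overlay is absent.
can_install() {
    need=$1
    margin=${2:-256}   # assumed headroom for logs and config writes
    st=$(overlay_status /overlay) || { echo "no /overlay mount found" >&2; return 2; }
    dev=${st% *}
    avail=${st#* }
    case $dev in
        /dev/mtdblock*) where="internal flash" ;;
        *)              where="external storage" ;;
    esac
    if [ "$avail" -lt $((need + margin)) ]; then
        echo "WARN: $dev ($where): ${avail}K free, need ${need}K + ${margin}K" >&2
        return 1
    fi
    echo "OK: $dev ($where): ${avail}K free, need ${need}K + ${margin}K"
}

# Constructed sample: the fresh-install figures from the thread, in 1K blocks.
sample_fresh_df() {
    cat <<'EOF'
Filesystem           1K-blocks      Used Available Use% Mounted on
rootfs                    4736       404      4332   9% /
/dev/root                10496     10496         0 100% /rom
tmpfs                    30720        84     30636   0% /tmp
/dev/mtdblock3            4736       404      4332   9% /overlay
overlayfs:/overlay        4736       404      4332   9% /
EOF
}

# Sizes are approximations of the figures quoted in the thread.
sample_fresh_df | can_install 4500 || true   # git + Responder clone, about 4.4 MB
sample_fresh_df | can_install 2150 || true   # ZIP of master, about 2.1 MB
```

On the device, pipe the live table in with `df -k | can_install <size in KB>` before installing a module's dependencies.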

  • 7 months later...


This topic is now archived and is closed to further replies.
