inside Habbie's mind

Archive for April 2012

chrooted debian on Zyxel NSA310

written by peter, on Apr 15, 2012 4:29:00 PM.

The Zyxel NSA310 is a neat little box, with a good set of software out of the box, frequent firmware updates (for now) and decent performance. I have no desire to replace the software on it as it works really well. However, sometimes you do want a bit more. Putting Debian in a chroot with working sshd has worked well for me in the past (on a Popcorn Hour A-110) so I figured I would do the same here.

I have roughly documented my procedure below; the two scripts you will need are in a git repository. When you follow these steps, you will end up with a fully functional Debian chroot in which you can use apt-get to install additional software. We will also set up telnet running outside of the chroot, accessible from localhost only, for easy root access to the NSA itself without going through the backdoor sequence every time.

Of course, this is just a guide, written according to my taste and preferences. Feel free to do things your way; I’d love a comment to hear what you did differently.

One final note: this setup only arranges for ssh and localhost telnet to be started on boot; other daemons you install inside Debian are not started automatically. I believe you can replace the ssh line in init.sh with something else to get a full Debian startup, but for now I have no need for it.

  1. grab a working Debian box (I used Debian 6/squeeze amd64), and run ‘sudo /usr/sbin/debootstrap --foreign --arch=armel --variant=minbase --include=openssh-server squeeze ./nas-debootstrap/ ftp://ftp.nl.debian.org/debian’. This creates a Debian environment in ./nas-debootstrap/; --foreign does only the first (download/unpack) stage, because the amd64 host cannot run the armel binaries needed for the second stage. Tar it up and copy it to the NSA (any share will do).
  2. open telnet on the NSA310 - log in as administrator on the webinterface and browse to ‘/zyxel/cgi-bin/remote_help-cgi?type=backdoor’. This opens telnet (port 23). The URL never finishes loading for me, but you can just cancel it. Username is root; password is your admin password. Keep in mind that telnet is cleartext, so this root login is only something to do from a trusted network.
  3. on my box, the main storage dir is /i-data/370f61a5 which seems a bad thing to standardise on; /etc/zyxel/storage/sysvol is a symlink to it, and we’ll use that from here on.
  4. in /etc/zyxel/storage/sysvol I made a dir .debian; I will refer to this dir as .debian from now on.
  5. extract the tarball and rename it to .debian/root.
  6. type ‘chroot .debian/root /debootstrap/debootstrap --second-stage’ to finish the debootstrap. Then, set a root password: ‘chroot .debian/root passwd root’. Note: after this step you can enter your Debian setup by typing ‘chroot .debian/root’ to look around a bit.
  7. ‘mkdir .debian/root/data’ for mounting our actual storage.
  8. outside of the chroot, grab init.sh and telnet.sh from the git repo and put them in .debian and chmod +x them. Put chroot-init in .debian/root/etc and chmod +x it too.
  9. cd /usr/local/zy-pkgs/etc/init.d; ln -s /etc/zyxel/storage/sysvol/.debian/init.sh DEBIAN; ln -s /etc/zyxel/storage/sysvol/.debian/telnet.sh LOTELNET
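To make concrete what a boot script for steps 7 to 9 has to do, here is an added example of an init script written for this post. It is not the author's init.sh or telnet.sh from the git repository and it rolls both jobs into one file; it only assumes the paths given above (/etc/zyxel/storage/sysvol/.debian/root), that the openssh-server package pulled in by debootstrap provides the usual /etc/init.d/ssh, and that the NAS busybox telnetd accepts -b to choose a bind address. Two things a practitioner will want from such a script: the bind mounts must be idempotent, so restarting it does not stack duplicate mounts, and the telnetd must listen on 127.0.0.1 only, because telnet is cleartext root access. Note also that the chroot is a packaging convenience, not a security boundary: root inside it is root on the NAS.

```shell
#!/bin/sh
# Boot script for the Debian chroot on the NSA310 (added example, not the
# author's init.sh/telnet.sh). Run as root on the NAS: "init.sh start|stop".

SYSVOL=/etc/zyxel/storage/sysvol            # from the post: symlink to /i-data/<id>
DEBIAN=$SYSVOL/.debian                      # from the post
ROOT=$DEBIAN/root                           # from the post: the debootstrap tree
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}    # overridable so is_mounted can be tested offline

# is_mounted TARGET: succeed if TARGET is currently a mount point (field 2 of
# /proc/mounts). This guards against stacking duplicate bind mounts on restart.
is_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# bind_mount SRC TARGET: bind-mount SRC on TARGET unless it already is.
bind_mount() {
    is_mounted "$2" && return 0
    mkdir -p "$2" && mount -o bind "$1" "$2"
}

# unmount_if_mounted TARGET: umount TARGET if it is a mount point; never fails.
unmount_if_mounted() {
    is_mounted "$1" && umount "$1"
    return 0
}

start() {
    # Kernel pseudo-filesystems the chroot needs for sshd, apt and ps to work.
    # /dev/pts is a separate mount on the host, so a plain bind of /dev does
    # not carry it along; bind it explicitly or sshd cannot allocate ptys.
    bind_mount /proc     "$ROOT/proc"
    bind_mount /sys      "$ROOT/sys"
    bind_mount /dev      "$ROOT/dev"
    bind_mount /dev/pts  "$ROOT/dev/pts"
    # The NAS storage, visible inside Debian as /data (step 7 of the post).
    bind_mount "$SYSVOL" "$ROOT/data"
    # Assumption: Debian's own sshd init script from the openssh-server
    # package included at debootstrap time.
    chroot "$ROOT" /etc/init.d/ssh start
    # Loopback-only telnetd for root on the NAS itself. Assumption: the NAS
    # busybox telnetd supports -b ADDR. Telnet is cleartext, so never bind it
    # to the LAN address; reach it with "telnet localhost" from the ssh session.
    telnetd -b 127.0.0.1
}

stop() {
    chroot "$ROOT" /etc/init.d/ssh stop || true
    # Unmount in reverse order: /dev/pts before /dev.
    for m in data dev/pts dev sys proc; do
        unmount_if_mounted "$ROOT/$m"
    done
}

# Dispatch on the argument; with no argument (e.g. when sourced) do nothing.
case "${1-}" in
    start) start ;;
    stop)  stop ;;
    "")    : ;;
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

Symlinked as DEBIAN in /usr/local/zy-pkgs/etc/init.d as in step 9, this runs at boot; running it a second time by hand is harmless because every mount is checked against /proc/mounts first.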

Now, you should have a Debian setup that starts when you boot your NAS. If everything looks okay, type ‘reboot’ to give it a shot! A reboot on mine (with or without Debian) takes about two minutes, so don’t panic!

When it is up again, try ‘ssh root@nsa310’ replacing nsa310 with the IP or perhaps internal hostname you have. This should drop you into a bash shell inside your Debian setup!

One last thing: to use apt-get, you’ll need a sources.list configuration for it. I recommend using Debian Sources List Generator for this.

ip6.arpa, prior art and results

written by peter, on Apr 8, 2012 10:24:00 PM.

When I posted the idea from my previous blogpost to the ipv6hackers mailing list and my Twitter account, I was expecting to hear that this had been done before and I had found nothing new.

As it turns out, many people (Viagénie, Bill Manning, Ryan Rawdon) knew about this trick already. Somebody (I forget who/where) pointed out that this trick worked well for e164.arpa mapping too. Indeed, I have used this trick to do statistics on other sparse but deep zones years ago.

But, to many other people, this idea was totally novel. Marc ‘van Hauser’ Heuse added a tool based on this idea to his thc-ipv6 IPv6 hacker toolkit, and Patrik ‘nevdull77’ Karlsson committed an nmap script employing the same technique.

Simon Arlott (pointed out to me by Ryan Rawdon) took it one step further – he also wrote a tool to mitigate this trick in a very clever way. Check out the README and ip6dnshide.py in his ip6walk github repo. The zone files his tool generates work with ldns (1.6.12) + NSD (3.2.10), but BIND9 (9.9.0b1) rejects them because they contain non-terminal wildcards.

All in all, the idea was not new but it deserved some exposure. I am glad I was able to provide that :)

I have added some progress reporting to my implementation and at least one issue has been filed against it. I do not intend to develop this further (although I may at some point write a more parallel version), as at least three other implementations exist, and at least two of those are likely to see more usage than my script anyway.