Technical Analysis: Opening and Parsing MikroTik Backup Files

Subject: Security, Forensics, and Data Recovery of .backup Files
Target Audience: Network Engineers, Security Researchers, System Administrators
Date: October 26, 2023
Abstract

MikroTik RouterOS utilizes a proprietary binary format for its configuration backup files, identified by the .backup extension. Unlike plain-text exports (.rsc files), these binaries store the complete system configuration, including sensitive data such as passwords and keys. For years, this format was considered a "black box," parseable only by the RouterOS proprietary kernel. However, advancements in reverse engineering have led to the development of tools capable of decrypting and parsing these files. This paper provides a detailed technical analysis of the .backup file structure, the encryption mechanisms employed (specifically in RouterOS v6 and v7), and the methodologies for opening and extracting data from these files for forensic and recovery purposes.
1. Introduction

Network administrators rely on backup files to ensure business continuity. In the MikroTik ecosystem, the /system backup save command generates a binary snapshot of the system configuration. This file allows for rapid restoration of a device to a previous state. The binary format offers convenience but presents significant challenges for auditing and forensics. Unlike an export file (.rsc), a .backup file cannot be read with a standard text editor. Historically, this obscured configurations from view, creating a false sense of security. Understanding how to "open" these files is critical for password recovery, configuration auditing, and malware analysis (e.g., investigating botnets like Meris that target MikroTik devices).
2. The Difference Between .backup and .rsc

To understand the methodology of opening a backup, one must first distinguish between the two primary formats used by RouterOS.

| Feature | .backup (Binary Backup) | .rsc (Script Export) |
| :--- | :--- | :--- |
| Format | Proprietary binary blob. | Plain text script. |
| Content | Entire system configuration blob. | Command sequence to recreate config. |
| Compatibility | Generally version-specific (Major/Minor). | Version agnostic (mostly). |
| Encryption | Optional password (RC4/ChaCha20). | No native encryption (plain text). |
| Opening Method | Requires RouterOS or specialized tools. | Text editor (Notepad++, VS Code). |

While .rsc files are human-readable, .backup files require specific parsing logic to reconstruct the configuration hierarchy.
3. Technical Structure of the Backup File

The internal structure of a MikroTik backup file varies significantly between RouterOS Long-term (v6) and Current/Stable (v7).

3.1 RouterOS v6 Structure

In version 6, the backup file is structured as a binary database dump.
- Header: Contains metadata, including the RouterOS version string and a "magic number" identifying the file type.
- Serialization: Configuration data is serialized using a MikroTik-internal format. It utilizes a Length-Type-Value (LTV) or similar binary encoding scheme to store variable names and values.
- Encryption:
  - If no password is set during backup creation, the data is stored in plaintext binary form.
  - If a password is set, the file is encrypted using RC4. The key derivation function (KDF) is weak, allowing for offline brute-forcing.
  - Note: In older versions (pre-6.43), the hashing algorithm was MD5, which is highly susceptible to collision attacks. Newer v6 versions moved to SHA-256, but the encryption remains RC4.
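As an added illustration (not code from this paper, from MikroTik, or from any of the tools named here), the following Python script builds and parses a hypothetical header-plus-LTV container of the kind described above. The magic value, the version-length byte, the flag byte marking an encrypted body, and the record layout (one type byte, a 16-bit big-endian length, then the value) are all assumptions chosen for the example; the real RouterOS layout is not reproduced. What it demonstrates is the discipline a forensic parser needs for files that may come from a compromised or hostile device: every length field is checked against the bytes that actually remain before it is used, so a truncated or deliberately malformed file is rejected with an error rather than read past its end.

```python
import struct

# Constructed example layout (an assumption for this illustration, not the
# real RouterOS .backup format):
#   magic(4) | version_len(1) | version(ascii) | flags(1) | records...
#   record = type(1) | length(2, big-endian) | value(length bytes)
MAGIC = b"MBK6"          # placeholder magic number
FLAG_ENCRYPTED = 0x01    # hypothetical flag bit: body is RC4-encrypted, not LTV


def build_backup(version: str, records, encrypted: bool = False) -> bytes:
    """Serialize a version string and a list of (type, value) records."""
    ver = version.encode("ascii")
    out = bytearray(MAGIC)
    out += struct.pack("B", len(ver)) + ver
    out += struct.pack("B", FLAG_ENCRYPTED if encrypted else 0)
    for rtype, value in records:
        if len(value) > 0xFFFF:
            raise ValueError("value exceeds the 16-bit length field")
        out += struct.pack(">BH", rtype, len(value)) + value
    return bytes(out)


def parse_backup(blob: bytes) -> dict:
    """Walk the container, refusing any length that runs past the buffer."""
    if len(blob) < 6 or blob[:4] != MAGIC:
        raise ValueError("not a recognised backup container")
    pos = 4
    vlen = blob[pos]
    pos += 1
    if pos + vlen + 1 > len(blob):          # version string plus flags byte must fit
        raise ValueError("truncated header")
    version = blob[pos:pos + vlen].decode("ascii", "replace")
    pos += vlen
    flags = blob[pos]
    pos += 1
    info = {"version": version, "encrypted": bool(flags & FLAG_ENCRYPTED), "records": []}
    if info["encrypted"]:
        # Encrypted body: hand the raw bytes back; never interpret ciphertext as LTV.
        info["body"] = blob[pos:]
        return info
    while pos < len(blob):
        if pos + 3 > len(blob):
            raise ValueError(f"truncated record header at offset {pos}")
        rtype, length = struct.unpack_from(">BH", blob, pos)
        pos += 3
        if pos + length > len(blob):        # the check a malformed file would trip
            raise ValueError(
                f"record at offset {pos - 3} claims {length} bytes, "
                f"only {len(blob) - pos} remain")
        info["records"].append((rtype, blob[pos:pos + length]))
        pos += length
    return info


if __name__ == "__main__":
    # Constructed sample records; the type numbers are arbitrary labels.
    sample = [(1, b"system identity name=core-rtr"), (2, b"user admin group=full")]
    blob = build_backup("6.x-sample", sample)
    print(parse_backup(blob))
    try:
        parse_backup(blob[:-4])
    except ValueError as exc:
        print("rejected:", exc)
```

The parser deliberately returns the encrypted body untouched: classifying a file as encrypted or plaintext from its header is the first triage step, and decryption, if any, is a separate decision made with the password holder's consent.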
3.2 RouterOS v7 Structure

RouterOS v7 introduced a complete overhaul of the backup system to support the new Linux kernel and architecture.
- Container Format: v7 backups typically utilize a compressed archive structure (similar to tar or cpio) but wrapped in proprietary headers.
- Encryption: v7 employs the ChaCha20 stream cipher with the Poly1305 authenticator. This is a significant security upgrade over v6. Deriving the key requires the user password and a salt contained within the file header.
- Complexity: The config data is often organized into distinct modules (system, interfaces, routing), making parsing more modular but structurally more complex.
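The following Python example is added here and is not taken from this paper, from RouterOS, or from any named tool. It shows the two properties the v7 design is described as having: a per-file salt stored in the header feeds a password-based KDF, so every file costs an attacker a fresh derivation and precomputed tables are useless; and an authenticator is checked before any configuration bytes are released, so a wrong password or a modified file is rejected rather than silently producing garbage (which is what an unauthenticated RC4 stream does). ChaCha20 is implemented from RFC 8439 in pure Python; HMAC-SHA256 stands in for Poly1305 so the script runs on the standard library alone; the container layout (placeholder magic, 16-byte salt, 12-byte nonce, ciphertext, 32-byte tag) and the PBKDF2 iteration count are assumptions for the example, not the real v7 file format.

```python
import hashlib
import hmac
import os
import struct

# Container layout for this example (an assumption, not the RouterOS v7 format):
#   magic(4) | salt(16) | nonce(12) | ciphertext | tag(32)
MAGIC = b"XBK7"           # placeholder magic number
KDF_ITERATIONS = 200_000  # arbitrary example value


def _rotl32(x: int, n: int) -> int:
    return ((x << n) & 0xFFFFFFFF) | (x >> (32 - n))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439: 32-byte key, 12-byte nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):                       # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def derive_keys(password: str, salt: bytes) -> tuple:
    """Salted, iterated KDF: 32 bytes for the cipher, 32 bytes for the authenticator."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def seal(password: str, plaintext: bytes, salt: bytes = None, nonce: bytes = None) -> bytes:
    """Produce header | ciphertext | tag; salt and nonce are fresh unless supplied."""
    salt = salt or os.urandom(16)
    nonce = nonce or os.urandom(12)
    enc_key, mac_key = derive_keys(password, salt)
    header = MAGIC + salt + nonce
    body = chacha20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + body, "sha256").digest()   # stand-in for Poly1305
    return header + body + tag


def open_container(password: str, blob: bytes) -> bytes:
    """Verify the authenticator first; only then decrypt."""
    if len(blob) < 4 + 16 + 12 + 32 or blob[:4] != MAGIC:
        raise ValueError("not a recognised container")
    salt, nonce = blob[4:20], blob[20:32]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-32], "sha256").digest()
    if not hmac.compare_digest(expected, blob[-32:]):
        raise ValueError("authentication failed: wrong password or modified file")
    return chacha20_xor(enc_key, nonce, blob[32:-32])


if __name__ == "__main__":
    # Constructed sample configuration text, not a real router export.
    config = b"/ip address add address=192.0.2.1/24 interface=ether1\n"
    sealed = seal("example-passphrase", config)
    print(open_container("example-passphrase", sealed) == config)
    damaged = sealed[:40] + bytes([sealed[40] ^ 0x01]) + sealed[41:]
    try:
        open_container("example-passphrase", damaged)
    except ValueError as exc:
        print("rejected:", exc)
```

Because the tag is computed over the header as well as the ciphertext, changing the salt or nonce is detected just like changing the body, and the wrong-password case is indistinguishable from tampering by design: the reader learns only that the file cannot be opened with that password.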
4. Methodologies for Opening Backup Files

There are three primary methods to access the content of a .backup file.

Method 1: Native Restoration (The Official Way)

The intended method for accessing a backup is to restore it onto a RouterOS device.
- Procedure: Upload the file via FTP/Winbox, then execute `/system backup load name=filename.backup`.
- Drawback: This overwrites the current configuration of the device. It does not allow the user to view the config before loading, making it useless for forensic analysis or password peeking.
Method 2: Using MikrotikBackupTool (Python Implementation)

The open-source community has successfully reverse-engineered the v6 format. The most prominent tool is MikrotikBackupTool (often found on GitHub).

Process for unencrypted backups: