Mikrotik Security: The Forgotten Things: Michael Takeuchi

MikroTik Security: The Forgotten Things
21 January 2019, Phnom Penh
MikroTik User Meeting Cambodia

Hello, I am Michael Takeuchi
From Jakarta, Indonesia

○ MikroTik Certified Engineer (ALL)
  (MTCNA, MTCRE, MTCINE, MTCWE, MTCUME, MTCTCE, MTCIPv6E)
○ Trainer at Trainocate Indonesia
○ Network Engineer at NetData
○ Solution Architect at HIGO

https://www.linkedin.com/in/michael-takeuchi
https://www.facebook.com/mict404
michael@takeuchi.id

What is Security? (in Computer)

theft or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.

- Wikipedia, https://en.wikipedia.org/wiki/Computer_security

What is Security? (in Computer Network)

denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator.

- Wikipedia, https://en.wikipedia.org/wiki/Network_security

Continuing

○ After talking about what security is, I will now explain some forgotten things about your own router security that are skipped by the common junior network engineer
○ We will focus on the router, because so many vulnerabilities appear simply because we forgot something in our router security

Router Login – Users

Router Login – Groups

Router Login – Policies

○ ssh - policy that grants rights to log in remotely via secure shell protocol
○ web - policy that grants rights to log in remotely via WebBox
○ winbox - policy that grants rights to log in remotely via WinBox
○ password - policy that grants rights to change the password
○ api - grants rights to access router via API.
○ dude - grants rights to log in to dude server.
○ ftp - policy that grants full rights to log in remotely via FTP and to transfer files from and to the router.

Router Login – Policies

○ read - All console commands that do not alter the router's configuration are allowed.
○ write - policy that grants write access to the router's configuration, except for user management.
○ test - policy that grants rights to run ping, traceroute, bandwidth-test, wireless scan, sniffer, snooper and other test commands
○ sensitive - to see sensitive information in the router
○ sniff - to use packet sniffer tool.
○ romon - accessing romon

Router Login – Active Users

Enough?

CVE #           Description
CVE-2015-2350   Cross-site request forgery (CSRF) vulnerability in MikroTik RouterOS 5.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request in the status page to /cfg.
CVE-2012-6050   The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request to download the router's DLLs or plugins, as demonstrated by roteros.dll.

Credit: https://www.cvedetails.com

RouterOS Vulnerabilities in 2017

CVE #           Description
CVE-2017-8338   A vulnerability in MikroTik Version 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets on port 500 (used for L2TP over IPsec), preventing the affected router from accepting new connections; all devices will be disconnected from the router and all logs removed automatically.
CVE-2017-7285   A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of TCP RST packets, preventing the affected router from accepting new TCP connections.
CVE-2017-6297   The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, which allows man-in-the-middle attackers to view transmitted data unencrypted and gain access to networks on the L2TP server by monitoring the packets for the transmitted data and obtaining the L2TP secret.

CVE #           Description
CVE-2018-1156   MikroTik RouterOS before 6.42.7 and 6.40.9 is vulnerable to stack buffer overflow through the license upgrade interface. This vulnerability could theoretically allow a remote authenticated attacker to execute arbitrary code on the system.
CVE-2018-1157   MikroTik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request.
CVE-2018-1158   MikroTik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a stack exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server via recursive parsing of JSON.
CVE-2018-1159   MikroTik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory corruption vulnerability. An authenticated remote attacker can crash the HTTP server by rapidly authenticating and disconnecting.

CVE #           Description
CVE-2018-7445   A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. All architectures and all devices running RouterOS before versions 6.41.3/6.42rc27 are vulnerable.
CVE-2018-14847  MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

Credit: https://www.cvedetails.com

Good Things to Know

○ because so much infrastructure uses MikroTik now
○ And because of that, MikroTik vulnerabilities are also growing rapidly
○ And because of that, it DOESN'T MEAN MIKROTIK IS A BAD PRODUCT ☺

"high winds blow on high hills" ☺

Forgotten #3

So What?

Upgrade to Patched Version – Tips (RouterOS After 6.31)

This script can be applied to RouterOS after 6.31.

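The update-check script the slide shows only as a screenshot, written out here as an added example (not the author's own script). It assumes RouterOS 6.31 or later, where the package-update properties are named installed-version and latest-version, and it is meant to be saved under /system script and triggered from /system scheduler in a maintenance window, because a successful install reboots the router.

```routeros
# Added example (not from the original slides): check MikroTik's update server
# for a newer RouterOS release and install it if one exists.
# Assumption: RouterOS >= 6.31 (properties installed-version / latest-version).

# ask the update server once instead of running a continuous check
/system package update check-for-updates once
# give the router a few seconds to finish the request before reading the result
:delay 10s

:local installed [/system package update get installed-version]
:local latest [/system package update get latest-version]

:if ($latest = "") do={
    # no answer from the update server (no internet, DNS broken, firewall too strict)
    :log error "RouterOS upgrade check failed: latest version unknown"
} else={
    :if ($installed != $latest) do={
        # install downloads the packages and reboots the router automatically
        :log warning "RouterOS upgrade: $installed -> $latest (router will reboot)"
        /system package update install
    } else={
        :log info "RouterOS $installed is already the latest version"
    }
}
```

Check the release channel (/system package update print) before letting this run unattended, so the router follows the channel you actually intend to track.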
Upgrade to Patched Version – Tips (RouterOS Until 6.31)

This script can be applied to RouterOS up to 6.31.

Upgrade to Patched Version – Tips (Deploying)

○ Etc. (any other automation tools)
○ Manual ☺

Protect All Services

Protect All Services (Router Access & Discovery)

○ Neighbor Discovery
○ Services
○ MAC-Server (Extra Security for Layer 2 Networks)

Protect All Services (Router Feature)

○ DNS
○ UPNP
○ SOCKS

Protect All Services (Router Feature)

○ Proxy

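An added example (not the author's configuration) that covers the Router Access & Discovery slide and both Router Feature slides above: the RouterOS 6.41+ commands that confine each listed service to a management interface list and switch off the features the router does not need to offer. The interface name bridge-lan, the list name mgmt and the management subnet 192.168.88.0/24 are assumptions; replace them with your own.

```routeros
# Added example (not from the original slides). Assumptions: RouterOS >= 6.41
# (interface lists), LAN bridge named "bridge-lan", management subnet
# 192.168.88.0/24, administration done over SSH and WinBox only.

# one list for "interfaces that are allowed to manage this router"
/interface list add name=mgmt comment="management interfaces"
/interface list member add list=mgmt interface=bridge-lan

# Neighbor Discovery: announce and listen on management interfaces only,
# so the WAN side learns nothing about model, version or identity
/ip neighbor discovery-settings set discover-interface-list=mgmt

# MAC-Server: Layer 2 (MAC address) telnet and WinBox access only from mgmt,
# and no MAC ping replies at all
/tool mac-server set allowed-interface-list=mgmt
/tool mac-server mac-winbox set allowed-interface-list=mgmt
/tool mac-server ping set enabled=no

# Services: disable everything not used, bind the rest to the management subnet
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# Router features that answer anyone who can reach them if left enabled.
# Keep allow-remote-requests=yes only if LAN clients use the router as their
# DNS resolver; in that case the raw firewall rules dropping dst-port=53 on
# the WAN interface (Securing slide) do the job instead.
/ip dns set allow-remote-requests=no
/ip upnp set enabled=no
/ip socks set enabled=no
/ip proxy set enabled=no

# verify what is still reachable and from where
/ip service print
/ip neighbor discovery-settings print
/tool mac-server print
```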
Protect All Services (Whitelisting)

Protect All Services (Securing)

Drop DNS (53) and web-proxy (8080) requests aimed at the router itself that arrive on the WAN interface ([WAN] is your upstream interface):

/ip firewall raw
add action=drop chain=prerouting dst-address-type=local dst-port=53 in-interface=[WAN] protocol=udp
add action=drop chain=prerouting dst-address-type=local dst-port=53 in-interface=[WAN] protocol=tcp
add action=drop chain=prerouting dst-address-type=local dst-port=8080 in-interface=[WAN] protocol=tcp

Layered Security (Port Knocking)

A TCP connection to the knock port puts the source address on the allow-winbox list for 30 minutes; only listed addresses may then reach WinBox, everyone else is dropped (rule order matters):

/ip firewall raw
add action=add-src-to-address-list address-list=allow-winbox address-list-timeout=30m chain=prerouting comment="Port Knocking" dst-port=1234 protocol=tcp dst-address-type=local
add action=accept chain=prerouting comment="Allow Winbox" src-address-list=allow-winbox dst-port=[Winbox Port] protocol=tcp dst-address-type=local
add action=drop chain=prerouting dst-address-type=local dst-port=[Winbox Port] protocol=tcp

Layered Security (Logging)

○ Log everything the router does, with notes. Hackers mostly clear the log after they do something to our router, so I recommend using a syslog server to save your logs.

/system logging action set [find name=remote] remote=[syslog_server]
/system logging add topics=info action=remote

Layered Security (Physical – LCD)

Layered Security (Physical – Bootloader)

○ Protected bootloader
  https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader
○ EXTREMELY DANGEROUS: it disables the reset button and Netinstall. If you forget the RouterOS password, the only option is to perform a complete reformat of both NAND and RAM with the following method, but you have to know the reset button hold time in seconds.

Layered Security (Physical – Power)

Layered Security (Physical – Interfaces)

Layered Security (Backup)

○ Make sure your backup file is safe and can be accessed at any time
○ DON'T EVER SAVE YOUR BACKUP FILE ON THE ROUTER ONLY

Forgotten #5

Layered Security (Backup Types)

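To act on the two Backup slides above (keep a copy off the router, and know both backup types), an added example that is not from the original deck: a script that writes an encrypted binary .backup and a human-readable .rsc export, then uploads both to a backup server. The server address 192.168.88.250, the user rosbackup, the two placeholder passwords and the RouterOS 6 date format mmm/dd/yyyy used for the file name are assumptions.

```routeros
# Added example (not from the original slides): nightly backup that leaves a
# copy on a server, so a wiped or stolen router does not take the only copy.
# Assumptions: RouterOS 6 (date printed as "jan/21/2019"), FTP server
# 192.168.88.250 on the management network, user "rosbackup".

# build a file name like backup-<identity>-2019-jan-21 (slashes are not
# allowed in RouterOS file names, so the date is re-assembled with :pick)
:local d [/system clock get date]
:local stamp ([:pick $d 7 11] . "-" . [:pick $d 0 3] . "-" . [:pick $d 4 6])
:local name ("backup-" . [/system identity get name] . "-" . $stamp)

# type 1: binary backup - full restore onto the same model, including users
# and certificates, so it is encrypted with a passphrase (placeholder below)
/system backup save name=$name password="CHANGE-ME-backup-passphrase"

# type 2: text export - readable, diffable, portable across models;
# hide-sensitive strips passwords and keys so it can be kept in a repository
/export file=$name hide-sensitive

# push both files off the router. FTP carries the credentials in clear text,
# so the backup server must sit on the management network, never across WAN.
/tool fetch address=192.168.88.250 mode=ftp user=rosbackup password="CHANGE-ME-ftp-password" upload=yes src-path=($name . ".backup") dst-path=($name . ".backup")
/tool fetch address=192.168.88.250 mode=ftp user=rosbackup password="CHANGE-ME-ftp-password" upload=yes src-path=($name . ".rsc") dst-path=($name . ".rsc")
:log info ("backup uploaded: " . $name)

# save this as /system script name=nightly-backup, then run it every night:
# /system scheduler add name=nightly-backup start-time=03:00:00 interval=1d on-event=nightly-backup
```

The .backup file only restores cleanly to the same hardware model, which is why the export is taken alongside it; restoring the export into a fresh router requires re-entering the secrets that hide-sensitive removed.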
Conclusion

Secure ≠ Easy

Forgotten #6

Does securing your infrastructure feel too hard?
Let me help you!

michael@takeuchi.id
https://www.facebook.com/mict404
https://www.linkedin.com/in/michael-takeuchi/

Question & Answer

Slides are available in my GitHub repository
https://github.com/mict404/slide/