MikroTik

there is hundreds of Yemeni network administrators who serve thousands of clients in Yemen

and in these couple of days there is a hacker who's hacked today by this hacker who claimed he hacked the RouterOS by some Vulnerability in your system (many networks were hacked ) , can you give us a security update or any information about how this is happened , we are VERY VERY considered in yemen ! , and maybe not even using your products anymore ! , we need information today please !

this is the only video that the hacker uploaded :
https://www.youtube.com/watch?v=e19wz5GQ8V4

we are waiting !!

This is a community forum, and while some Mikrotik employees do monitor the forums, you should direct a request like this to support.

Could anyone translate from Arabic what it says in the youtube video?
Any hint what is the actual exploit?

I think that this is the same guy > https://www.facebook.com/groups/mikrotikman/

https://www.youtube.com/watch?v=e19wz5G ... ture=share
and
https://www.facebook.com/kerrar.masik

Could be just an animation. Some people make these and then ask for bounty. Would be nice to see actual tool, or at least proof by anybody else.

Could be just an animation. Some people make these and then ask for bounty. Would be nice to see actual tool, or at least proof by anybody else.

I did find "a tool" probably made by this guy > but I couldn't find login data for it (most of the menu options are not working and login window is popping up when I try to run them).

It might be all just a part of a scam but I don't like it - from what I can see in the video it seems that "hack" uses RouterOS web/hotspot service to gain access/read RouterOS credentials and that kind of vulnerability has been fixed just in the latest 6.37.5 and 6.38.5 ?

Translation of the menu options and youtube video from Arabic to English would be a helpful first step.

There is no way to get the plaintext password like the video shows. I would guess this is a regular RouterOS API application that actually sets the router password, and then shows it, to make it appear he hacked something.

There's RouterOS 6.37 in YT video. So if the CIA vulnerability allowed to execute custom code, it might be it. If the hacker shows another video with fixed RouterOS version, then I'll be worried.

Me too. But keep in mind that it is possible to show everything...

Not really. When the passwords are only stored in hashed form inside the device, there is no way (CIA or other) to quickly
reveal them with an attack. Of course, when the hashes could be retrieved they could be looked up in a table, and when
the password is "weak" it could be found. But that would not be a generic hack that can be applied to every router.

How much sure are you about hashed passwords? Because if you create unencrypted backup (/system backup save name=test dont-encrypt=yes) and run it through old mtpass tool, you'll get even long passwords immediately, there's no bruteforcing involved. If they can be exported like this in backup, they must be in easily reversible form also in system.

Could be just an animation. Some people make these and then ask for bounty. Would be nice to see actual tool, or at least proof by anybody else.

I did find "a tool" probably made by this guy >
Capture11.JPG
Capture22.JPG
Capture33.JPG

but I couldn't find login data for it (most of the menu options are not working and login window is popping up when I try to run them).

It might be all just a part of a scam but I don't like it - from what I can see in the video it seems that "hack" uses RouterOS web/hotspot service to gain access/read RouterOS credentials and that kind of vulnerability has been fixed just in the latest 6.37.5 and 6.38.5 ?

Translation of the menu options and youtube video from Arabic to English would be a helpful first step.

you must connict to the RouterOS or winbox with out internet

As soon as Indonesia is quite about that, no one can hack MT.

i'd call BS on that.
first of all, it shows a 951G and yet 11000+ hotspot users. for me it is kind of unlikely that one buys a $80 box and spends like extra $250 to get a license to support this amazing amount of hostpot users. but maybe that's the case.
the other thing is that the guy is connected to the system via WiFi. The screenshot in winbox shows almost no traffic on the box (951G) and the wireless interface is down (not running). ok, it is possible that there are other APs also connected, but all other ethernet ports are in "not running" state, so assume, there is a switch that takes care the L2 connectivity between the APs. The whole setup suggests a "default" configuration: ports 2-5 are bridged together with wlan, and ether1 (renamed to in) is the outside connectivity.

look, we've been showed lots of stuff, unnecessary things, but no
- route table
- ip address list
- no firewall configuration
- no arp table
not anything that would shed some light on details.

and in the neighbor list only displayed for 2-3 seconds we find 2 interesting entries: 10.0.0.1 - the router itself? with no mac address information, hostname, whatsoever mikrotik specific? uptime is 00:00:00?
10.11.9.2 - ok, so even the PC the guy is using is displayed here, with all info blank. how?

wait. MNDP & CDP is non-routeable. so they must be in the same L2 BD. yet they cannot access it via mac-address. but indeed they get through hotspot and can reach winbox port over IP w/o authenticating on the captive portal? strange.

also note the change of windows inside winbox between 11:07 and 11:13
- 2 entries suddenly disappear from neighbor list (10 was there previously, now only 8 ).
- terminal just appears out of thin air, without user interaction
the video is obviously was cut there.

so OpenMikrotik(32bit) is also able to "crash down" nanostations as we see.
but i don't think that nmap can figure out ROS version and product code. the only place it may come is from MNDP metadata.

and don't you think, that putting your admin password and admin username as hostname for some APs that broadcast it as CDP everywhere, might not be the brightest idea?

for the record: credentials on flash are not encrypted. boot the router with the linux distro that supports reading the onboard flash, and you can get the passwords. been there, done that. but this would require netboot and physical access - none of them can be pulled off over wifi.

Some good analysis there, doneware. By the way, if you use protected routerboot, there is no way to boot anything else on the device and your password is safe:
https://wiki.mikrotik.com/wiki/Manual:R ... bootloader

http://mig4vip.3abber.com/post/339997

From what i see this is not even a hacking tool, its just a alternative management software for mikrotik devices and printing some kind of cards as much i can understand from google translate

Think someone just over-hyped this because they dont understand whats going on due language barrier..

Here is also screen of hes facebook google translated.

Use the IP services list to only allow a specific ip to be able to access the router.

Even if someone has your password they wont be able to login.

Also disable the mac server to the client facing side if your entire network is bridged.

http://mig4vip.3abber.com/post/339997

From what i see this is not even a hacking tool, its just a alternative management software

Just like I said above, judging from the dropdown menus where you see all kinds of generic controls, it is an API configurator. No hacking.
But I love how the guy in the video has to set up "proper hacking soundtrack" before he can work.

Could anyone translate from Arabic what it says in the youtube video?
Any hint what is the actual exploit?

I think that this is the same guy > https://www.facebook.com/groups/mikrotikman/

He said nothing , silent video , he wrote that he will hack a network and mentioned the names of owners of the networks and the reasons for hacking ...... etc. All information wrote in the notepad is not important .

set up "proper hacking soundtrack" before he can work.

and i have the feeling that "rewinding" is done manually, as if repeat wan't invented before
i've been thinking why the guy shows VLC playing the song, fiddling with the controls using his mouse. probably it was meant to be some sort of proof that things happen in real time... which doesn't quite seem to be so.