
3rd party says he can log into my router using default credentials.

Posted: Tue May 03, 2022 12:37 pm
by souljazk
Hi there,

Q - How can I categorically show a 3rd party + my client that the 3rd party was NOT able to log into one of my routers?

Background:
An onsite 3rd party (instructed by the client for non-MT work) recently told a client of mine that via WinBox he can log into their (large) ISP-provided, managed MT router, running the latest LTS from 2022 for the model in question.

This person said they could not explain to me how they did it over the phone (Red flag 1) ... They did not have any screenshots either (Red flag 2) ... They state that they could log in via the default MT login details (Admin ; blank password). I immediately tried this, and failed. I tried the 2nd MT at that site - same thing. I tried this a few times just in case.

I contacted the ISP to check the logs - they could not find any sign of a user logging in. The default Admin username is not even in the User list...

My theory:

1) They had a previous Winbox session cached. Is this possible? I may have read about people experiencing this over time.
2) Their laptop had connected to the closest OpenWifi (coffee shops all around) and they had an insecure MT.

Re: 3rd party says he can log into my router using default credentials.

Posted: Tue May 03, 2022 12:50 pm
by msatter
When connecting the first time to the router with the default username admin and no password, you will be asked to reset or keep the default configuration (even if the default config has only an IP address).

Username admin is written without a capital "A".

It could be the case the third party wanted to log in with your real credentials to capture the traffic at the same time to decrypt it later. But then, that is far fetched.

No screenshot by the third party is the same as having no access.

Re: 3rd party says he can log into my router using default credentials.

Posted: Tue May 03, 2022 1:08 pm
by holvoetn
The log should clearly show when somebody has logged in.
So they need to indicate WHEN this happened, and then you can verify in the log.

No entry = no attempt.

PS it's bad practice to keep the default admin account. Create another account with admin access, test that it works! If it works then delete the default admin account using that new account.
PS2 if you choose not to do the previous step: it wouldn't hurt either to change the password of the account having admin access. Just in case ...
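To make the log check above concrete: the following is an added example (not code from this thread or from MikroTik) that takes the text of `/log print`, keeps only the account events RouterOS writes (`user X logged in from A via B`, `user X logged out ...`, `login failure for user X from A via B`), and reports what happened for a given username inside the time window the third party claims. The log lines, usernames, addresses, window and year below are constructed for the example; RouterOS prints no year in the log, so the caller supplies it.

```python
"""Check a RouterOS log for account activity inside a claimed time window.

Added example for this thread, not code from the forum or from MikroTik.
Input is the text of `/log print`; only the account events RouterOS writes
for logins, logouts and failed attempts are kept. All sample data below is
constructed for the example (assumed usernames, addresses, times, year).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Message bodies RouterOS emits for the three account events of interest.
_MSG_PATTERNS = {
    "login":   re.compile(r"^user (?P<user>\S+) logged in from (?P<src>\S+) via (?P<via>\S+)$"),
    "logout":  re.compile(r"^user (?P<user>\S+) logged out from (?P<src>\S+) via (?P<via>\S+)$"),
    "failure": re.compile(r"^login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<via>\S+)$"),
}
# Assumed line shape for an entry from an earlier day: "may/03 11:05:30 system,error,critical <message>"
_LINE_RE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>[\w,-]+) (?P<msg>.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class AccountEvent:
    when: datetime
    kind: str   # "login", "logout" or "failure"
    user: str
    src: str    # client address the attempt came from
    via: str    # winbox, ssh, api, web, ...


def parse_line(line: str, year: int) -> Optional[AccountEvent]:
    """Return the account event on this line, or None for any other log entry."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    for kind, pat in _MSG_PATTERNS.items():
        mm = pat.match(m["msg"])
        if mm:
            # strptime's %b is case-insensitive, so RouterOS's lowercase "may" parses.
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b/%d %H:%M:%S")
            return AccountEvent(when, kind, mm["user"], mm["src"], mm["via"])
    return None  # dhcp, firewall, interface, ... lines are not account events


def account_events(lines: List[str], year: int) -> List[AccountEvent]:
    return [e for e in (parse_line(l, year) for l in lines) if e is not None]


def events_in_window(lines: List[str], year: int, start: datetime, end: datetime,
                     user: Optional[str] = None) -> List[AccountEvent]:
    """Events with start <= time <= end. User match is exact, so 'Admin' and 'admin' are distinct."""
    return [e for e in account_events(lines, year)
            if start <= e.when <= end and (user is None or e.user == user)]


def claim_report(lines: List[str], year: int, start: datetime, end: datetime, user: str) -> Dict:
    """Successful logins and failed attempts for `user` in the window; the claim is only
    supported by a successful login, never by failed attempts."""
    evs = events_in_window(lines, year, start, end, user)
    logins = [e for e in evs if e.kind == "login"]
    failures = [e for e in evs if e.kind == "failure"]
    return {"logins": logins, "failures": failures, "claim_supported": bool(logins)}


# Constructed sample: two ISP NOC sessions, two failed default-credential attempts
# from a LAN address over winbox, and one unrelated DHCP line.
SAMPLE_LOG = """\
may/03 09:12:41 system,info,account user ispnoc logged in from 10.20.0.5 via ssh
may/03 09:13:02 system,info,account user ispnoc logged out from 10.20.0.5 via ssh
may/03 11:05:30 system,error,critical login failure for user admin from 192.168.88.10 via winbox
may/03 11:05:44 system,error,critical login failure for user Admin from 192.168.88.10 via winbox
may/03 11:06:10 system,info,account user ispnoc logged in from 10.20.0.5 via winbox
may/03 11:30:00 dhcp,info dhcp-server assigned 192.168.88.10 to 00:11:22:33:44:55
""".splitlines()
SAMPLE_YEAR = 2022                       # assumed; RouterOS does not log the year
CLAIMED_START = datetime(2022, 5, 3, 11, 0, 0)   # assumed window the third party named
CLAIMED_END = datetime(2022, 5, 3, 11, 10, 0)


if __name__ == "__main__":
    for name in ("admin", "Admin"):
        r = claim_report(SAMPLE_LOG, SAMPLE_YEAR, CLAIMED_START, CLAIMED_END, name)
        print(f"{name}: logins={len(r['logins'])} failures={len(r['failures'])} "
              f"claim_supported={r['claim_supported']}")
        for e in r["failures"]:
            print(f"  failed attempt at {e.when} from {e.src} via {e.via}")
```

On the router itself the equivalent starting point is `/log print where topics~"account"`. A clean result only proves absence if the entries for that period still exist: the default memory logging action keeps a limited number of lines (1000 by default), so a router that is not also logging to disk or a remote syslog server may have already rotated them, and anyone with write access can clear the buffer. Running the check over the ISP's syslog copy, as the OP is doing, is the stronger evidence.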

Re: 3rd party says he can log into my router using default credentials.

Posted: Tue May 03, 2022 1:17 pm
by mozerd
If the 3rd party cannot produce evidence that they were able to access your router(s) THAT is all the evidence you need.

If the 3rd party is using a backdoor and you are not aware of that backdoor into the router there is nothing that you can do --- according to MikroTik no backdoor exists or has been discovered. The 3rd party must show evidence of the crack, i.e. screenshots or a change in behavior like installing a new account that is dormant.

If you have provided your client with all the credentials you use for the routers in question its very possible that your client may have compromised "you" whether intentionally or unintentionally and is working with the 3rd party to dump you.

If you followed proper security practices:
1. disable or delete default admin account
2. create unique admin account with strong password
3. only allow vpn external access to the Router(s)
4. Strict controls on credentials used to access the Routers
That is the best way to demonstrate Access Control.

Re: 3rd party says he can log into my router using default credentials.

Posted: Tue May 03, 2022 1:53 pm
by souljazk
@msatter - Thank you for your reply.

I did try usernames of "Admin" & "admin" with no password - same result - login rejected. The 3rd party does not have the login details, nor do I or the client - this is under the control of the ISP who provide and manage the router. I simply manage the client's site.

@holvoetn - Thank you for your reply.

I know when they tried to access it, and the ISP has indicated that they see zero logins with the "admin" / "Admin" usernames, which do not exist in the user list. I am currently waiting on screenshots from the ISP.

@mozerd - Thank you for your reply.

This is my thinking as well. The client is very much on my side, as there is zero proof from this 3rd party. The ISP controls the user credentials, so neither myself, the client or the 3rd party have or could be given login details with write access.

Re proper security practices:

1) In place - Done on original setup 2y ago.
2) In place - Same as above.
3) In place - Only the ISP has access to the router from the WAN, via their whitelisted VPNs & DCs.
4) In place - by ISP.

Re: 3rd party says he can log into my router using default credentials.

Posted: Tue May 03, 2022 3:23 pm
by anav
If you have no access to the router, that tells me you don't know the config and thus it could be in a state where it's hackable and the third party could be correct.
Don't make any assumptions, only go by facts.

The only truth here is to netinstall with the latest long-term stable firmware, and that assumes the unit has not been taken over such that it's considered bricked.
If you can't do that then you have no proof.