PaRaN0iD
newbie
Topic Author
Posts: 28
Joined: Sun Jan 08, 2012 7:46 pm

Rogue MikroTik Server Killer Ready!

Sat Feb 04, 2012 8:02 pm

Hi all,

We faced a problem here called "fake MikroTik servers":
hackers install MikroTik on a virtual machine and run it in our
WLANs; with the proper settings, they can sniff out PPPoE secrets.

So I wrote this script, with the assistance of this great forum,
to detect any rogue MikroTik server and kick it out:
##############################
# # Fake MikroTik Killer     #
# # BY: lnuxxunl             #
# # Thanks jcem for support  #
##############################
:local int;
:local machack;
:local var;
:local var1;
# Enable neighbor discovery on the interface that faces the clients
/ip neighbor discovery enable ether2;
# Check every neighbor that discovery has found
:foreach int in=[/ip neighbor find] do={
    :local machack [/ip neighbor get $int value-name=mac-address];
    # Skip platforms NS2 and NS5 and any MAC already in the wireless access list
    :if (([/ip neighbor get $int value-name=platform] = "NS2") || ([/ip neighbor get $int value-name=platform] = "NS5") || ([:len [/interface wireless access-list find mac-address="$machack"]] > 0)) do={
        :nothing;
    } else={
        :local var [/ip neighbor get $int value-name=platform];
        :local var1 [/ip neighbor get $int value-name=version];
        # Refuse wireless association and drop forwarded traffic from this MAC
        /interface wireless access-list add mac-address=$machack authentication=no forwarding=no;
        /ip firewall filter add chain=forward src-mac-address=$machack action=drop;
        :log warning ($var . $var1 . " Fake Server BlockeD!");
    }
}
Notice: you must change "ether2" in the script to your proper wireless or wired card.


Here is how it works:

http://youtu.be/dS5y0Fnm9r4

It's my first script, so I accept any suggestions.
Any notes, guys?

Forgive me for my bad English.
Thank you
 
theend
just joined
Posts: 3
Joined: Thu Feb 16, 2012 12:37 am

Re: Rogue MikroTik Server Killer Ready!

Thu Feb 16, 2012 12:42 am

The Iraqi man who devised this kind of hacking is trying to protect the world!!! :?:
 
regardtv
Frequent Visitor
Posts: 72
Joined: Sat Jan 21, 2006 6:54 pm
Location: Johannesburg, South Africa

Re: Rogue MikroTik Server Killer Ready!

Thu Feb 16, 2012 1:37 am

Hi,

I agree that your script could work - but simply turning off his IP neighbour discovery would prevent you from blocking him.

I'd suggest you look into client isolation. Turning that on at the AP level will prevent the person from seeing other broadcasts -- if that's not an option you could look at the L2 (bridge) firewalling to prevent the PADI and PADR being sent back to the wlan. In addition you could block wlan clients from sending PADO or PADS towards the AP.

If you run a central PPPoE with multiple APs that complicates matters but you could still apply the L2 firewalling and/or look into switches (such as some of the HP ones) that apply client isolation on a port level.
 
PaRaN0iD
newbie
Topic Author
Posts: 28
Joined: Sun Jan 08, 2012 7:46 pm

Re: Rogue MikroTik Server Killer Ready!

Thu Feb 16, 2012 6:23 pm

> Hi,
>
> I agree that your script could work - but simply turning off his IP neighbour discovery would prevent you from blocking him.
>
> I'd suggest you look into client isolation. Turning that on at the AP level will prevent the person from seeing other broadcasts -- if that's not an option you could look at the L2 (bridge) firewalling to prevent the PADI and PADR being sent back to the wlan. In addition you could block wlan clients from sending PADO or PADS towards the AP.
>
> If you run a central PPPoE with multiple APs that complicates matters but you could still apply the L2 firewalling and/or look into switches (such as some of the HP ones) that apply client isolation on a port level.

Thank you for this interesting info. For some reason, all of this is not preventing the fake virtual MikroTik activity.

Yeah, right: if the attacker turns off neighbor discovery, the script becomes useless. So I chose another variable,
which is the fake PPPoE server itself. Take a look at this one:
:global result;
:global startLoc;
:global endLoc;
:global Evilmac;
:global i;
:global End 0;
:global line "";
:global start 0;
# Text that precedes the server MAC in the PPPoE debug log ("\_" is an escaped space)
:global marker "\_rcvd\_PADO\_from\_";
# Delete the dump file left by a previous run
:foreach i in=[/file find] do={
    :if ([/file get $i value-name=name] = "dump.txt") do={
        /file remove $i;
    }
}
# Log PPPoE packets to memory and start a temporary PPPoE client so that servers answer with PADO
/system logging add topics=pppoe action=memory;
/interface pppoe-client add name=dump interface=ether2 disabled=no;
:delay 5s;
/log print file=dump.txt where topics="pppoe,debug,packet"
:delay 3s;
:global content [/file get [/file find name=dump.txt] contents];
:global contentLen [:len $content];
# Walk through the dump one line at a time
:do {
    :set End [:find $content "\n" $start];
    :set line [:pick $content $start $End];
    :set start ($End + 1);
    :if ([:len [:find $line $marker]] > 0) do={
        :set result $line;
        # The 17-character MAC address starts right after the marker
        :set startLoc ([:find $result $marker] + [:len $marker]);
        :set endLoc ($startLoc + 17);
        :set Evilmac [:pick $result $startLoc $endLoc];
        :if ([:len [/interface wireless access-list find mac-address="$Evilmac"]] > 0) do={
            :log warning "Exists!"
        } else={
            /interface wireless access-list add mac-address=$Evilmac authentication=no forwarding=no;
            /ip firewall filter add chain=forward src-mac-address=$Evilmac action=drop;
            :log warning "Rogue PPPOE server BlockeD!";
        }
    }
} while=($End < $contentLen)
# Clean up the temporary client and the logging rule
/interface pppoe-client remove dump
:global j;
:foreach j in=[/system logging find] do={
    :if ([/system logging get $j value-name=topics] = "pppoe") do={
        /system logging remove $j;
    }
}
where "ether2" is on the clients' side.
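
The check discussed in the two posts above (PADO and PADS should only ever come from the real PPPoE server), shown on raw frames instead of scraped log text. This is an added example, not code from the thread; the allow-list approach, the function names and all MAC addresses and AC names are constructed for illustration.

```python
import struct

# PPPoE discovery codes (RFC 2516); only an access concentrator sends PADO/PADS.
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
SERVER_CODES = {"PADO", "PADS"}
TAG_AC_NAME = 0x0102

def parse_discovery(frame):
    """Return (src_mac, code_name, ac_name), or None if not PPPoE discovery."""
    if len(frame) < 20 or frame[12:14] != b"\x88\x63":   # EtherType 0x8863
        return None
    vertype, code, _sid, length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11 or code not in CODES:
        return None
    payload, pos, ac_name = frame[20:20 + length], 0, None
    while pos + 4 <= len(payload):                       # walk the TLV tags
        tag, tlen = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + tlen]
        if len(value) < tlen:
            break                                        # truncated tag: stop
        if tag == TAG_AC_NAME:
            ac_name = value.decode("utf-8", "replace")
        pos += 4 + tlen
    src = ":".join(f"{b:02X}" for b in frame[6:12])
    return src, CODES[code], ac_name

def rogue_servers(frames, allowed_macs):
    """Server-side discovery packets whose source MAC is not an approved AC."""
    allowed = {m.upper() for m in allowed_macs}
    parsed = [p for p in map(parse_discovery, frames) if p]
    return [p for p in parsed if p[1] in SERVER_CODES and p[0] not in allowed]

def _frame(src, code, ac_name=b""):
    tags = struct.pack("!HH", 0x0101, 0)                 # empty Service-Name tag
    if ac_name:
        tags += struct.pack("!HH", TAG_AC_NAME, len(ac_name)) + ac_name
    pppoe = struct.pack("!BBHH", 0x11, code, 0, len(tags)) + tags
    return b"\xff" * 6 + bytes.fromhex(src.replace(":", "")) + b"\x88\x63" + pppoe

ALLOWED = ["00:0C:42:AA:BB:01"]                          # constructed approved AC
SAMPLE = [                                               # constructed frames, not captured traffic
    _frame("00:11:22:33:44:55", 0x09),                   # client PADI
    _frame("00:0C:42:AA:BB:01", 0x07, b"isp-core"),      # approved server PADO
    _frame("08:00:27:DE:AD:01", 0x07, b"MikroTik"),      # unapproved server PADO
]
print(rogue_servers(SAMPLE, ALLOWED))
```

Unlike the neighbor-discovery script, this does not depend on anything the rogue host can switch off: a host has to send a PADO to act as a PPPoE server at all.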
 
theend
just joined
Posts: 3
Joined: Thu Feb 16, 2012 12:37 am

Re: Rogue MikroTik Server Killer Ready!

Thu Feb 16, 2012 6:59 pm

This info could be used against you PaRaN0iD. :lol:
 
PaRaN0iD
newbie
Topic Author
Posts: 28
Joined: Sun Jan 08, 2012 7:46 pm

Re: Rogue MikroTik Server Killer Ready!

Thu Feb 16, 2012 10:00 pm

> This info could be used against you PaRaN0iD. :lol:

It's another challenge to me, and some kids pretend to be hackers;
let's punish them :D
 
theend
just joined
Posts: 3
Joined: Thu Feb 16, 2012 12:37 am

Re: Rogue MikroTik Server Killer Ready!

Sat Feb 18, 2012 7:43 pm

Whatever you say. I just want to say that you are unstable. (Be the law or break it.)