
Some pitfalls of IP Cloud technology in Mikrotik routers
Mikrotik makes good routers, and recently they gained IP Cloud functionality. Among other things, it gives you a subdomain tied to your router even when the router has no fixed IP address. Whether it has one or not does not matter to us: the important thing is that the name you get is not arbitrary, but has the form serial number + .sn.mynetname.net
Since the name is not arbitrary, it is not hard to find out serial numbers and generate ranges of them; you can ping the resulting names and, if an address is active, try to connect.

To test this idea, a program was written with very simple functionality: it generated a name of the form SN.sn.mynetname.net and pinged it. If the result was positive, the address was remembered and the process continued.
Next, the program tried to connect to the found addresses with the login admin and the following passwords: 123456, password, 12345678, qwerty, abc123, 123456789, 111111, 1234567, iloveyou, adobe123, 123123, admin, 1234567890, letmein, photoshop, 1234, monkey, shadom, sunshine, 12345, password1, princess, azerty, trusno1, 000000, mikrotik, sysadmin (the list of passwords was taken from the article habrahabr.ru/post/215457, with a couple added by me).
The connection was attempted over SSH and the Mikrotik API, and if it succeeded, the matching password was added to a table.
Here are the functions the program used to try to connect to the routers:
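    // SshClient, ConnectionInfo and PasswordConnectionInfo come from the
    // SSH.NET library (using Renci.SshNet;).
    // Returns the password if an SSH login as "admin" succeeds, otherwise "".
    private string MikrotikSSHConnect(string MikrotikIP, string MikrotikPassword)
    {
        ConnectionInfo sLogin = new PasswordConnectionInfo(MikrotikIP, 22, "admin", MikrotikPassword);
        // Dispose the client so sockets are not leaked across many attempts
        using (SshClient sClient = new SshClient(sLogin))
        {
            try
            {
                sClient.Connect();
                sClient.Disconnect();
                return MikrotikPassword;
            }
            catch
            {
                // Timeout, refused connection or failed authentication
                return "";
            }
        }
    }

    // MK is the Mikrotik API client class used by the program (not shown here).
    // Returns the password if an API login as "admin" succeeds, otherwise "".
    private string MikrotikAPIConnect(string MikrotikIP, string MikrotikPassword)
    {
        MK mikrotik = new MK(MikrotikIP);
        try
        {
            if (mikrotik.Login("admin", MikrotikPassword))
            {
                return MikrotikPassword;
            }
        }
        catch {}
        return "";
    }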
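Seen from the router's side, attempts like the ones made by the two functions above show up as a run of failed logins from one source, possibly followed by a success. The following Python block is an added example, not code from the original post: it scans RouterOS log text for such runs. The log lines are constructed, and the message wording is an assumption about the RouterOS login log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). The message
# wording is an assumption about RouterOS's login log format.
SAMPLE_LOG = """\
jan/02 10:11:01 system,error,critical login failure for user admin from 203.0.113.7 via ssh
jan/02 10:11:02 system,error,critical login failure for user admin from 203.0.113.7 via ssh
jan/02 10:11:03 system,error,critical login failure for user admin from 203.0.113.7 via api
jan/02 10:11:04 system,error,critical login failure for user admin from 203.0.113.7 via api
jan/02 10:11:05 system,info,account user admin logged in from 203.0.113.7 via api
jan/02 10:12:00 system,error,critical login failure for user admin from 192.168.88.10 via winbox
jan/02 10:12:20 system,info,account user admin logged in from 192.168.88.10 via winbox
"""

FAIL = re.compile(r"login failure for user (\S+) from (\S+) via (\S+)")
LOGIN = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")

def find_guessing(log_text, threshold=3):
    """Report sources with >= `threshold` failed logins.

    `login_after_failures` is True when such a source then logged in.
    """
    stats = defaultdict(lambda: {"failures": 0, "services": set(),
                                 "login_after_failures": False})
    for line in log_text.splitlines():
        failed = FAIL.search(line)
        if failed:
            _user, source, service = failed.groups()
            stats[source]["failures"] += 1
            stats[source]["services"].add(service)
            continue
        ok = LOGIN.search(line)
        if ok and ok.group(2) in stats:
            entry = stats[ok.group(2)]
            if entry["failures"] >= threshold:
                entry["login_after_failures"] = True
    return {
        source: {**entry, "services": sorted(entry["services"])}
        for source, entry in stats.items() if entry["failures"] >= threshold
    }

if __name__ == "__main__":
    for source, info in find_guessing(SAMPLE_LOG).items():
        print(source, info)
```

A source reported with login_after_failures set is the case that matters most: a guessed password that worked.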
The three-day scan produced the following results: two million addresses were generated and pinged. Only 6715 of them were reachable by ping with IP Cloud enabled. Of these, 97 accepted a connection without a password and 430 with a password from the list (which once again proves that you should not use dictionary or easy passwords).
On every router it was possible to connect to, the settings were changed slightly: ping from the outside was disabled, connections to the router were allowed only from the local network, and protection against password guessing was added. The password could have been changed as well, but you never know who is setting things up there, and there was no wish to complicate the administrators' work much.
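The restriction described above (management access only from the local network) can be checked on your own routers from a configuration export. The following Python block is an added example, not code from the original post: it reads RouterOS /export text and reports an enabled IP Cloud name and either of the two services the program used (SSH, API) that is open to every source address. The export fragment is constructed, and treating a service missing from the export as enabled and unrestricted is an assumption about RouterOS defaults.

```python
# Constructed RouterOS "/export" fragment (not from the original post).
SAMPLE_EXPORT = """\
/ip cloud
set ddns-enabled=yes
/ip service
set telnet disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
"""

# The two services the post's program tried. Assumption: a service that does
# not appear in the export is at its default (enabled, reachable from anywhere).
MGMT_SERVICES = ("ssh", "api")

def parse_export(text):
    """Yield (menu, verb, item_name, params) for each command line."""
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            verb, *words = line.split()  # simple split: no quoted values with spaces
            params = dict(w.split("=", 1) for w in words if "=" in w)
            name = next((w for w in words if "=" not in w), None)
            yield menu, verb, name, params

def audit(text):
    """Return a list of findings for the exposure described in the post."""
    services = {name: {} for name in MGMT_SERVICES}
    findings = []
    for menu, verb, name, params in parse_export(text):
        if menu == "/ip cloud" and params.get("ddns-enabled") == "yes":
            findings.append("cloud: DDNS name enabled (derived from the serial number)")
        elif menu == "/ip service" and verb == "set" and name in services:
            services[name].update(params)
    for name, params in services.items():
        if params.get("disabled") == "yes":
            continue
        if not params.get("address"):
            findings.append(f"{name}: enabled with no source-address restriction")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

In the sample, SSH passes because it is limited to the local subnet, while the API is flagged precisely because the export never mentions it.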
PS: Where did the serial numbers come from?
- From my own sites: over several years of working with Mikrotiks quite a few installations have accumulated, and for many of them I could see the serial number.
- From Google: I looked at IP Cloud screenshots (many did not cover the address), plus the Google query site:sn.mynetname.net
- I found a lot of numbers through the Google query mikrotik system routerboard
- From certificates of conformity
- Most of the addresses were received from one fairly large seller, who shared a list of serial numbers that had passed through him under warranty. (Because of this I am not publishing the results in full: I don't want to expose the people who provided this information.)
For each number, the 20 thousand before it and the same number after it were taken.
PS2: What would be wrong with this if it were not just my research for lulz? RouterOS is quite an advanced system, and it is quite possible to automatically configure access points for DDoS or make proxies out of them for your dirty business :)
PS3: Yes, the connection could have been tested directly over SSH and the API, but ping is much faster, and that was not the point of the study anyway. I also know about parallelization, but was in no hurry :)
PS4: Several links to things used:
Using the Mikrotik API in C#
IP Cloud in Mikrotik routers