Xakep #293. August 2023
Xakep #293. MikroTik Nightmare
MikroTik devices can often be found on corporate networks, but the configurations in most cases leave much to be desired and open up the possibility of a whole range of attacks.
In this issue, we will look at the basics of RouterOS security, tell you how the main attacks work and how to set up protection against them without harming the normal operation of the network.
This is an original study of the security of MikroTik equipment from the attacker's point of view. MikroTik equipment is extremely popular and often falls victim to a variety of attacks. I will focus on post-exploitation, and I will also touch on the problem of the security of RouterOS's own protective mechanisms, whose flaws are exploited by attackers.
The article is for informational purposes and is intended for security specialists conducting testing under contract. The author and editors are not responsible for any harm caused by using the information presented. Distribution of malware, disruption of systems and violation of confidentiality of correspondence are prosecuted by law.
RELATED ASSESSMENT
RouterOS has several network security issues. Let’s see which ones are worth paying attention to first.
DAI
RouterOS cannot protect the network from ARP spoofing other than by using the reply-only mode in the bridge configuration.
In practice this operating mode amounts to a static ARP table, which is impractical to maintain in corporate networks: for every new host an administrator has to log into the device and enter the MAC and IP address manually.
The method is effective but unattractive because of this inconvenience. Therefore, when encountering MikroTik equipment, an attacker can in most cases perform ARP spoofing freely: no sudden Dynamic ARP Inspection alarm should be expected, because this mechanism is, in effect, absent from RouterOS.
[Figure: reply-only ARP mode on the bridge]
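The configuration the section describes, written out as an added example rather than a snippet from the article: the default ARP mode on the LAN bridge next to the reply-only mode with static entries. The bridge name "bridge1", the interface names and the host addresses and MACs are constructed assumptions.

```routeros
# Added example (not from the article). Assumes the LAN bridge is "bridge1";
# the hosts below are constructed sample values.

# Default (weak): the bridge learns ARP dynamically, so a spoofed reply that
# rebinds the gateway's IP to another MAC is accepted without any alarm.
/interface bridge set bridge1 arp=enabled

# Hardened: populate the ARP table by hand first, otherwise switching to
# reply-only cuts off every host that has no static entry.
/ip arp add address=192.168.88.10 mac-address=AA:BB:CC:00:00:10 interface=bridge1 comment="workstation-01"
/ip arp add address=192.168.88.11 mac-address=AA:BB:CC:00:00:11 interface=bridge1 comment="printer-01"

# reply-only: the router still answers ARP requests for its own addresses but
# never learns new entries from the wire; only the static entries above are used.
/interface bridge set bridge1 arp=reply-only

# Check: no entry on bridge1 should carry the D (dynamic) flag any more.
/ip arp print where interface=bridge1
```

If the hosts get their addresses from the router's own DHCP server, the manual entries can be avoided: `add-arp=yes` on `/ip dhcp-server` makes RouterOS create the static ARP entry for each lease, which is the usual way to make reply-only workable on a larger segment. The mode still does nothing against spoofing between two hosts on the same bridge port that never traverses the router; it only protects the router's own view of the network.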
RA Guard
RA Guard is a security feature that drops unauthorized IPv6 router advertisements inside the network in order to prevent MITM attacks. RA Guard is completely absent from RouterOS and SwOS, so the equipment has nothing to answer the popular pentester tool mitm6 with. The only option left is to filter at the bridge level by destination MAC address.
Why MikroTik devices lack such important security features is unclear. It feels like their software is stuck in the nineties.
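The bridge-level workaround the section mentions, as an added example that is not part of the article: router advertisements are sent to the all-nodes multicast group ff02::1, whose Ethernet destination is 33:33:00:00:00:01, so frames with that destination MAC arriving from access ports can be dropped in the bridge filter. The interface list name "LAN-access" and the port names are assumptions.

```routeros
# Added example (not from the article). Assumes the legitimate IPv6 router is
# reached through ether1 and that ether2/ether3 are access ports (assumptions).
/interface list add name=LAN-access
/interface list member add list=LAN-access interface=ether2
/interface list member add list=LAN-access interface=ether3

# Frames to the IPv6 all-nodes multicast MAC (ff02::1 -> 33:33:00:00:00:01)
# coming in from an access port are not legitimate RAs: drop them before they
# are forwarded to other ports...
/interface bridge filter add chain=forward in-interface-list=LAN-access mac-protocol=ipv6 dst-mac-address=33:33:00:00:00:01/FF:FF:FF:FF:FF:FF action=drop comment="drop RA from access ports"

# ...and before the router itself processes them.
/interface bridge filter add chain=input in-interface-list=LAN-access mac-protocol=ipv6 dst-mac-address=33:33:00:00:00:01/FF:FF:FF:FF:FF:FF action=drop comment="do not accept RA on the router"

# Check: the rule counters should stay at zero on a clean segment and grow
# when a host on an access port starts announcing itself as a router.
/interface bridge filter print stats
```

Two caveats a practitioner should keep in mind. The bridge filter matches only on the destination MAC, so it drops every IPv6 frame addressed to the all-nodes group from those ports, not just ICMPv6 router advertisements, and it does not see an advertisement that is unicast to a single host's MAC. It is a coarse substitute for RA Guard, not an equivalent.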
DP
By default, RouterOS sends discovery protocol announcements that can reveal sensitive information about the device to a potential attacker. Three discovery protocols are active in RouterOS:
• CDP (Cisco Discovery Protocol);
• LLDP (Link Layer Discovery Protocol);
• MNDP (MikroTik Neighbor Discovery Protocol).
From these an attacker can obtain sensitive information such as the firmware version, addressing, device name and model number of the MikroTik equipment.
The vector is very specific, but it can still be used.
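The default neighbor discovery settings next to a restricted configuration, as an added example that is not part of the article: the discovery announcements are confined to a management interface list and to a single protocol, so the version, identity and addresses listed above are no longer broadcast on user-facing segments. The interface list name "MGMT" and the uplink port are assumptions.

```routeros
# Added example (not from the article). Assumes the management uplink is ether1
# (assumption). Requires a RouterOS version with discover-interface-list
# (6.44 and later, including v7).

# Default: CDP, LLDP and MNDP are announced on every interface in the "all"
# list, so every connected segment learns the router's version, identity,
# board model and addresses.
/ip neighbor discovery-settings print

# Hardened: announce only towards the management uplink, and only with LLDP
# if the upstream switch needs it. Use discover-interface-list=none to
# disable discovery entirely.
/interface list add name=MGMT
/interface list member add list=MGMT interface=ether1
/ip neighbor discovery-settings set discover-interface-list=MGMT protocol=lldp

# Verify what the router still sees and what it advertises about itself:
# identity and version are exactly the fields an attacker would read.
/ip neighbor print
/system identity print
/system resource print
```

Disabling MNDP also removes the device from the neighbor list in WinBox and The Dude; if that is relied on for management, keep MNDP enabled only on the management list rather than everywhere.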
