Community discussions

MikroTik App
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

The way to set Mikrotik into GOD mode..New secrets revealed!

Sat Oct 15, 2011 6:10 pm

as we all know when we try to change our ip address to use a static ip address in microsoft windows we go for the network connection properties,we also know that entering a new ip address is under some rules and conditions.

microsoft windows will refuse letting you put in the first octet any number above 223 or letters or even zeros

Image

just to let you all know Mikrotik dhcp server v3.30 is allowing you to send ip address ranges to all users on the Lan breaking all these rules

it means you can set 0.1.2.0/24 as a range or even 255.0.0.0/24 which will stop end users from being able to type these ranges manually.

Image

but under one condition

only microsoft windows xp systems and lower will receive that range and be happy

i tested windows 7 and it refuses to take these ip ranges

another problem i also discovered:
any one hacking into mikrotik systems with mac 00:00:00:00:00:00 can;t be blocked by mac which means happy hacking day.

blocking 00:00:00:00:00:00 mac will block the entire mikrotik server ranges on all users

so at the end i request mikrotik team to take the mac problem more seriously

Thank you.
Last edited by vetusa2 on Sun Feb 26, 2012 10:21 am, edited 1 time in total.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: The way to set Mikrotik into GOD mode..New secrets revea

Mon Oct 17, 2011 9:12 am

These addresses are not invalid, so of course RouterOS allows to add them.
 
kirshteins
MikroTik Support
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: The way to set Mikrotik into GOD mode..New secrets revea

Mon Oct 17, 2011 9:44 am

Please describe how are you blocking 00:00:00:00:00:00 MAC address.
 
doush
Long time Member
Long time Member
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Mon Oct 17, 2011 12:23 pm

How do you block a MAC address in MT ?
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Mon Oct 17, 2011 5:08 pm

oh boy oh boy!

MikroTik Support asking me how to block by mac

i will tell you how i do it on the wireless network as a beginning

from the access list of the wlan adapter

add by mac then uncheck both forwarding and Authentication then create any fake private keys

this will block any unwanted visitors by mac

second i use arp tables to make static entry for any mac then mark block from the dhcp server or ip bindings

lol
 
User avatar
siscom
Member Candidate
Member Candidate
Posts: 192
Joined: Tue May 26, 2009 6:37 pm
Location: Malta, EU.

Re: The way to set Mikrotik into GOD mode..New secrets revea

Mon Oct 17, 2011 8:25 pm

Hi,

Probably the reason that Mikrotik Support asked is NOT that they do not know, but that maybe you could share your knowledge on this in a public forum for users?

Rgds,
Mark.
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Mon Oct 17, 2011 11:57 pm

of course anytime m8.

yours
Sam
 
kirshteins
MikroTik Support
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 9:36 am

vetusa2, there are several ways to block traffic by MAC addresses in RouterOS.

In "wireless access-list" section 00:00:00:00:00:00 MAC address value is taken as "any MAC address" and not any single numerical value. You need to use IP firewall or bridge firewall filters to block such MAC address. It is best to use security profile features to ensure wireless security:
http://wiki.mikrotik.com/wiki/Manual:In ... y_Profiles
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 10:01 am

Dear kirshteins

00:00:00:00:00:00 mac address is a security hole in Mikrotik exactly when someone trys to take it either to do an ip scan on the network to get mac addresses of all users or to lunch a dns poisoning attack,you guys should add an option to be able to block any single user from taking that mac address,also like you said security profile is best to use but not the safest since people lately can hack into WEP and WPA using backtrack.

i just wonder what if somone took 00:00:00:00:00:00 mac address then started to attack the entire network!

at the end we all like Mikrotik and his staff that's why we point out these kind of problems.

Thank you
Last edited by vetusa2 on Tue Oct 18, 2011 10:03 am, edited 1 time in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 10:02 am

I have not seen any actual WPA hacking examples. Can you give examples?
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 10:12 am

just an example but not the way

we want to protect our self not to spread the words

http://www.youtube.com/watch?v=Bkj3TBu0ZV4
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 10:26 am

just an example but not the way

we want to protect our self not to spread the words

http://www.youtube.com/watch?v=Bkj3TBu0ZV4
8 symbol password takes a few months on a high powered machine. Good luck with that. So, keep using WPA2 with AES and nobody will touch your network.
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 10:50 am

just to let you know,lately they use the PCI Express video cards GPU's to break passwords in 2-3 days instead of months with regular CPUs.

:D
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 11:14 am

just to let you know,lately they use the PCI Express video cards GPU's to break passwords in 2-3 days instead of months with regular CPUs.

:D
what good is 2-3 days, if your dynamic keys are changed every 5 minutes? also your log files will indicate the problem, and that station will be blocked.

what good is you blocking 00:00:00 MAC address? the guy will change it to something else

this is a mikrotik router, it's not hard to protect it, and it's not stupid. let's talk when you actually manage to break it, even if it takes you 2 days.

also, use WPA-EAP to make sure nobody can hack you at all.
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 11:40 am

but still 00:00:00:00:00:00 mac address is a risk for being not able to block it from attacking the network!

at least you can block any other macs...correct?

just remember running a hotspot with a log in page will be useless this way!

i am with you that using WPA-EAP is a way arround the problem

i like the way you show some Canines to these issues

but like it or not it is still a threat!
 
kirshteins
MikroTik Support
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 1:14 pm

Hacker can use same MAC address as legitimate user, so blocking by MAC address is not very good solution.
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Oct 18, 2011 2:55 pm

Hacker can use same MAC address as legitimate user, so blocking by MAC address is not very good solution.
i agree with you ,same as the mikrotik hotspot user account too it uses mac auth+username+pass+ip address

by the way..

any good news on the mac duplications issue as you call it "MAC address cloning issue"?


people with mikrotik hotspot service are asking that question on my side.

they suffer from mac identity theft
 
kirshteins
MikroTik Support
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: The way to set Mikrotik into GOD mode..New secrets revea

Wed Oct 19, 2011 8:57 am

any good news on the mac duplications issue as you call it "MAC address cloning issue"?
Try using this feature: http://wiki.mikrotik.com/wiki/Manual:In ... protection
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Wed Oct 19, 2011 10:31 am

lol

i knew you'd say that

correct me if i am wrong

on the wireless adaptor only ,MFP is to protect RouterOS to RouterOS from deauth attack but not to protect RouterOS to end users from MAC address cloning issue or deauth attack.
 
coffeecoco
Member Candidate
Member Candidate
Posts: 174
Joined: Wed Oct 12, 2005 1:17 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Sat Feb 11, 2012 5:49 pm

So much lols zomg

BTW that youtube vid of WPA hacking.. is a joke, lmao
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Tue Mar 20, 2012 2:11 pm

So much lols zomg

BTW that youtube vid of WPA hacking.. is a joke, lmao
have you used backtrack or cain correctly?

this is just the simple use for users with simple passwords,there are more methods but kept for self use
http://www.irongeek.com/videos/airpcap- ... acking.swf

just learned 6 month ago that using cain without its WinPcap driver and with switchsniffer will create a denial of service attack on all mikrotik servers

that's funny my karma got decreased by a newbie and after i complained about a security hole in mikrotik but who cares!
 
User avatar
vetusa2
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Sat Jun 18, 2011 8:24 pm

Re: The way to set Mikrotik into GOD mode..New secrets revea

Fri Oct 10, 2014 2:12 pm

 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: The way to set Mikrotik into GOD mode..New secrets revea

Fri Oct 10, 2014 4:26 pm

as always - use safe and long passwords if that is home AP, for enterprise use EAP key exchange.
If AP has only RouterOS wifi clients, use management protection/hardware-protection-mode settings also, use of Nstreme or nv2 also would help a bit.

Who is online

Users browsing this forum: Ahrefs [Bot], Bing [Bot], CJWW, EmuAGR, GoogleOther [Bot], NetHorror, sas2k, TheCat12 and 87 guests