Community discussions

Search found 115 matches

by nuclearcat
Wed Mar 15, 2017 2:29 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

You guys should carefully rethink the definition of an exploit. RouterOS already has these checks! It also checks on upgrade. The definition of an exploit is that somebody has found a bug that lets them overcome or fool these checks. So MikroTik makes new checks and more security wizards. This does not...
by nuclearcat
Wed Mar 15, 2017 1:32 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

In my opinion, at least for the beginning: 1) Securing rommon. This is the holy grail in any security. I don't know if all units have a similar architecture, but rommon on some SXT I guess is in MX25L512C, maybe even keeping WP# low by a separate IC (some attiny?) and requiring a secure key to unlock write. atti...
by nuclearcat
Tue Mar 14, 2017 12:54 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

It seems that there is already such a tool. It could just be extended with some more checks if they are needed
checkinstallation.PNG
It is very basic, just verifying possible filesystem/file corruption; it is too easy to fool, and won't cover even known implants.
by nuclearcat
Mon Mar 13, 2017 3:18 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

The best solution is to always keep your device up to date, always do the maximum possible in securing your devices and keep following announcements and news. Still, it is also nice if the manufacturer (Mikrotik) provides some inspection tools that make the job of implant authors much harder, and customer...
by nuclearcat
Fri Mar 10, 2017 1:10 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

There has never been any backdoor. The "devel" user is created by installing a special debug package by mikrotik staff, which would appear in the packages menu, and allow a new user "devel" to access the device. The user "devel" uses the admin password, so there is no way to access the device without a...
by nuclearcat
Fri Mar 10, 2017 12:55 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

Can you imagine the labor cost and downtime compared with proper integrity verification that is done in a completely automated way? Yes... What I cannot imagine is such a company leaving webfig enabled and open to the internet (or any other management tools). Mikrotik would produce such a detection package ...
by nuclearcat
Fri Mar 10, 2017 12:33 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

...So a proper solution is needed badly, and it will be great if mikrotik can make, in a very reasonable time, some tool for existing systems to verify if they have such implants. [...] It will be MUCH more difficult to hide all traces of presence from a raw storage reading tool (similar to dd) + memory ins...
by nuclearcat
Fri Mar 10, 2017 12:17 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

Ouch! I didn't notice this statement, and it raises big questions.
by nuclearcat
Thu Mar 09, 2017 8:18 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

RB1100/1200, CCR - don't have such rules.
Often inexperienced admins removed such rules intentionally, to access the mikrotik from outside.
by nuclearcat
Thu Mar 09, 2017 7:44 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

If you opened your management services to the internet and run old versions of software then it's your own problem. Any service exposed to the internet without being updated is in the same situation; expect outdated services to be compromised regardless of whether it's RouterOS, Linux, Windows, etc. I want...
by nuclearcat
Thu Mar 09, 2017 7:13 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

v6.38.5 has just been released, with vulnerabilities closed. Everyone please upgrade. RC and Bugfix builds are coming a bit later. After people have had time to upgrade, could you share some technical details of how the exploit works or what was vulnerable? Why give hints to hackers, who might ...
by nuclearcat
Thu Mar 09, 2017 6:53 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

Sure, but you still need to wait for Wikileaks to release all information and tools, to know for sure :). I'm not sitting and waiting on that to happen. Tonight is an update night - the hardest decision is 6.37.5 or 6.38.5... There is already a lot of info there. Take a look: https://wikileaks.org/ciav...
by nuclearcat
Thu Mar 09, 2017 6:38 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

The reason for such tools is the inability to release properly patched versions in time. Cisco's release cycle and bug fixing cycle take years. MT just updated all their versions with a fix. Also nobody knows what a compromised router actually looks like, so how can you create a tool for that? Normis replie...
by nuclearcat
Thu Mar 09, 2017 6:23 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

They get shell access by exploiting an unknown vulnerability. But the funny part is, we as the owners of these devices with full privileges don't have any shell access to play with :) It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc.. As @nuclearc...
by nuclearcat
Thu Mar 09, 2017 6:18 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

...So a proper solution is needed badly, and it will be great if mikrotik can make, in a very reasonable time, some tool for existing systems to verify if they have such implants. Are you sure? You are asking them to write antivirus software for all versions till 6.30.2? Isn't it smarter to upgrade route...
by nuclearcat
Thu Mar 09, 2017 4:56 pm
Forum: General
Topic: CIA exploits against Mikrotik hardware
Replies: 97
Views: 41963

Re: CIA exploits against Mikrotik hardware

As I mentioned in the post about the statement, other vendors released documents on how to check the integrity of systems. I will wait a reasonable time for any statement from mikrotik on whether they plan to release reliable tools for checking integrity; otherwise, if no answer or a negative answer - it will play very negative...
by nuclearcat
Thu Mar 09, 2017 3:00 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

They get shell access by exploiting an unknown vulnerability. But the funny part is, we as the owners of these devices with full privileges don't have any shell access to play with :) It is time for mikrotik to step up and give us a basic shell where we can check suspicious files etc.. As @nuclearc...
by nuclearcat
Thu Mar 09, 2017 1:06 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 41825

Re: Statement on Vault 7 document release

Hi, it would be nice if Mikrotik could take some proactive steps. For example IOS/Junos devices have a proper shell on the device, and as sysadmin I can inspect system integrity easily, including taking storage/filesystem dumps over dd, checksums for all filesystem files etc., and I can also run scripts ...
by nuclearcat
Sat Dec 14, 2013 3:46 am
Forum: RouterOS v6 RC and v7 BETA
Topic: raw table, NOTRACK, SYN flood
Replies: 9
Views: 6750

raw table, NOTRACK, SYN flood

Hi, I have a customer who loves your products, is subject to DDoS attacks (SYN flood), and it hurts that Mikrotik doesn't have a "notrack" target; just a SYN flood over his CCR will knock the CPU to 100%. And if it had -j NOTRACK (or on newer kernels: -j CT --notrack), it could be solved, he needed conntrac...
by nuclearcat
Mon Aug 27, 2012 1:49 am
Forum: Wireless Networking
Topic: a interesting comparison between Groove and Bullet...
Replies: 13
Views: 4115

Re: a interesting comparison between Groove and Bullet...

Like I said, there can be no such situation where you have Power, but no Ethernet, and vice versa. Nope :) The AP with the sector antenna is on Site B; Site A and Site C are connected to Site B over wireless and can't see each other, so Site B is a sort of relay. In this case the ethernet cable is used purely just for...
by nuclearcat
Mon Jul 30, 2012 3:37 pm
Forum: Wireless Networking
Topic: PtP 80km link
Replies: 10
Views: 3385

Re: PtP 80km link

Make sure:
1) Fresnel zone clearance
2) Possible signal ducting (at such distances it can be very significant)
3) Signal fading due to weather conditions

Most probably the link will work, but there is no guarantee it will be stable.
by nuclearcat
Sat Jul 21, 2012 1:54 pm
Forum: RouterBOARD hardware
Topic: MikroTik/RouterBOARD SXT 5D 16dB antenna weather concern?
Replies: 43
Views: 15580

Re: MikroTik/RouterBOARD SXT 5D 16dB antenna weather concern

3 units failed within 2 months.
All of them near the sea; there are a lot of dust storms, plus sometimes there is fog.
Fog and dirt on the board will create a short circuit. I am not sure covering it with chemicals will help at all.
by nuclearcat
Sun Jul 08, 2012 9:08 am
Forum: RouterBOARD hardware
Topic: RB SXT losing configuration on each reboot
Replies: 21
Views: 10572

Re: RB SXT losing configuration on each reboot

Very good idea indeed, but maybe try to avoid putting inhibitor on parts with RF signal, I am not sure it will not cause leakage. RF signal is very different from DC. I started reading forums on how people who work on PCB development protect their products, and as I heard silicone-based coating is much b...
by nuclearcat
Sat Jul 07, 2012 11:07 pm
Forum: RouterBOARD hardware
Topic: throughput capabilities
Replies: 4
Views: 989

Re: throughput capabilities

Performance of softrouters is a complicated question. Each new feature imposes processing overhead, and official tests are only done for some predefined configurations. IMO you should test by yourself and estimate how much horsepower you will have, and how much overhead each new feature adds to ...
by nuclearcat
Sat Jul 07, 2012 9:40 pm
Forum: Wireless Networking
Topic: MISO mode in Mikrotik
Replies: 4
Views: 853

Re: MISO mode in Mikrotik

Seems you are right, MCS 0-7 is single stream, but I will try to check later with a spectrum analyser if it is exactly what I want :)
by nuclearcat
Sat Jul 07, 2012 4:58 pm
Forum: Wireless Networking
Topic: MISO mode in Mikrotik
Replies: 4
Views: 853

Re: MISO mode in Mikrotik

For now if I enable both channels for RX and TX, I will get double capacity (channels are bonded), but it should be possible to have the SAME data on TX (links are mirrored/duplicating data, as other vendors have on atheros cards), and RX will use the best channel; it will improve link margin by around 1-2 dB, ca...
by nuclearcat
Fri Jul 06, 2012 7:43 pm
Forum: RouterBOARD hardware
Topic: RB SXT losing configuration on each reboot
Replies: 21
Views: 10572

Re: RB SXT losing configuration on each reboot

ddd, thank you for sharing the info!
Btw Mikrotik has not even answered my ticket, 4 days have passed. Not impressed at all.
by nuclearcat
Thu Jul 05, 2012 12:14 pm
Forum: Wireless Networking
Topic: MISO mode in Mikrotik
Replies: 4
Views: 853

MISO mode in Mikrotik

Hi, is it possible to set MISO mode in Mikrotik? While MIMO is to double capacity, MISO is to send the same data over both polarisations, and whichever is receiving better will be the primary channel, so it will act as polarisation diversity. Other vendors' devices have it; while it cuts bandwidth in half, it im...
by nuclearcat
Tue Jul 03, 2012 11:23 am
Forum: RouterBOARD hardware
Topic: IP67 and better - rugged enclosure
Replies: 2
Views: 1220

Re: IP67 and better - rugged enclosure

normis, thanks a lot, I am already browsing there.
Sure I checked them, but I just need feedback on whether someone has used some specific products successfully.
by nuclearcat
Tue Jul 03, 2012 11:15 am
Forum: RouterBOARD hardware
Topic: IP67 and better - rugged enclosure
Replies: 2
Views: 1220

IP67 and better - rugged enclosure

Hi to the community again. Does anybody know manufacturers of IP67 (or higher) insulated outdoor enclosures with an integrated antenna (gain is not so important, it is a close distance, SXT worked well before)? I have a location very close to the sea with a very harsh environment; the temperature during the day can reach u...
by nuclearcat
Tue Jul 03, 2012 9:26 am
Forum: RouterBOARD hardware
Topic: RB SXT losing configuration on each reboot
Replies: 21
Views: 10572

Re: RB SXT losing configuration on each reboot

For me also there are two choices, if it is a reset button issue. If corrosion is so fast, I guess I will have to replace the SXT at least on this location very soon, because it will also corrode the whole board. I will need IP67/IP68 with pressure compensation, and I have never seen such an enclosure for Mikrotik (most...
by nuclearcat
Tue Jul 03, 2012 8:59 am
Forum: RouterBOARD hardware
Topic: RB SXT losing configuration on each reboot
Replies: 21
Views: 10572

Re: RB SXT losing configuration on each reboot

Updated information, since the team came to the office: two units went insane at this location. One unit worked after the configuration was reinserted, and another one is losing configuration continuously. I really hope the Mikrotik team can take a look at the supout, and if they can see the GPIO status, whether reset is short or open...
by nuclearcat
Mon Jul 02, 2012 5:06 pm
Forum: RouterBOARD hardware
Topic: RB SXT losing configuration on each reboot
Replies: 21
Views: 10572

RB SXT losing configuration on each reboot

Hello, I'm trying to push mikrotik for a new company, and installed 4 links so far, one is RB boards, and 3 are RB SXT. At one location two Mikrotik devices suddenly lost configuration (not at the same time), it is a relay location, and on one I just reinserted the config and it is working fine, on another even ...
by nuclearcat
Thu Mar 15, 2012 11:13 am
Forum: Wireless Networking
Topic: Spectral Scan
Replies: 8
Views: 3204

Re: Spectral Scan

What do you think is the reason people try to switch to 900MHz, 5GHz, 700MHz etc? 2.4 is overcrowded. You have bluetooth devices, microwave ovens, neighbors' wifi, and all kinds of other 2.4GHz devices in this spectrum. So yes, it's full of noise, unless you are in the middle of the desert, with thi...
by nuclearcat
Tue Jan 04, 2011 3:44 pm
Forum: General
Topic: EoIP support in Linux
Replies: 6
Views: 4545

Re: EoIP support in Linux

Thanks. If it is required, this code can be extended, e.g. a config file for multiple tunnels etc. If someone is using FreeBSD, other flavors of BSD, QNX, Solaris - he can provide a patch to make the code portable; they also have a tap device interface, similar to the Linux one. Actually even Windows has a tap dev...
by nuclearcat
Mon Jan 03, 2011 11:35 pm
Forum: General
Topic: PPPoE over EoIP ?!
Replies: 5
Views: 2756

Re: PPPoE over EoIP ?!

PPP has much higher overhead: a control protocol with authentication and negotiation, plus PPP frame encapsulation; it is also stateful, and can stop in case of packet loss etc.
EoIP is a plain stateless tunnel, which is also more stable, with only 28 bytes of overhead (IP header + GRE header).
by nuclearcat
Mon Jan 03, 2011 10:33 pm
Forum: General
Topic: EoIP support in Linux
Replies: 6
Views: 4545

Re: EoIP support in Linux

Since no one said no, here it is:
http://code.google.com/p/linux-eoip/
by nuclearcat
Mon Jan 03, 2011 2:50 pm
Forum: General
Topic: EoIP support in Linux
Replies: 6
Views: 4545

EoIP support in Linux

I wrote an open-source implementation of EoIP for Linux, so now it is possible to link mikrotik to Linux in a simple way. For me it was important, because I have some applications under Linux, and I need to bridge mikrotiks to that server in some "light" way. Is it ok for Mikrotik if I post a link to it here? ...
by nuclearcat
Mon May 26, 2008 2:23 am
Forum: Wireless Networking
Topic: My explanations of some "features"
Replies: 1
Views: 918

My explanations of some "features"

For a long time I was interested in what the famous Atheros "periodic calibration" and "ANI" (adaptive noise immunity) mean. Many people give "voodoo" explanations, using their imaginations. Some say it is temperature adjustment calibration, some say it is ACK calibration etc. Periodic calib...
by nuclearcat
Tue Apr 29, 2008 7:56 pm
Forum: General
Topic: Bridge MAC addresses is not in FDB
Replies: 0
Views: 505

Bridge MAC addresses is not in FDB

Hi2all, I notice on my wireless bases, which are WDS + bridge and EoIP to the PPPoE unit, that [lcnc@GHADEER-BASE] /interface bridge host> print gives only MAC addresses for local interfaces and 2-3 others, while there are 58 CPEs connected, about 3 customers on each. So there must be PLENTY of mac addresses....
by nuclearcat
Tue Jan 22, 2008 1:28 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: PPC cd-image?
Replies: 8
Views: 1574

Re: PPC cd-image?

promind, Mikrotik images are "set" for specific hardware/peripherals. It's not generic; it will not run on PPC Macs.
Just because, for example, the CPU is completely different from Mikrotik's CPU.
by nuclearcat
Wed Jan 09, 2008 8:25 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature proposal (also community pls say if it is required)
Replies: 14
Views: 4163

Re: Feature proposal (also community pls say if it is required)

There is no need to go inside Mikrotik. I can get all the names of interfaces by walking (it can be done by perl code or even using libnetsnmp, instead of forking the snmpwalk binary), it is just the standard MIB. IF-MIB::ifDescr.1 = STRING: ether1 IF-MIB::ifDescr.2 = STRING: ether2 IF-MIB::ifDescr.3 = STRING: eth...
by nuclearcat
Tue Jan 08, 2008 10:06 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature proposal (also community pls say if it is required)
Replies: 14
Views: 4163

Re: Feature proposal (also community pls say if it is required)

FWIW, you can gather this information from SNMP. Not a perfect method, but it is certainly a usable method. Butche, thanks a lot, for the time being it can help in the most difficult situations. Probably I will write some tool in perl to get only specific values of an interface by name (first getting one by...
by nuclearcat
Tue Jan 08, 2008 12:15 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature proposal (also community pls say if it is required)
Replies: 14
Views: 4163

Re: Feature proposal (also community pls say if it is required)

I don't agree about specific drivers. It took me about 30 minutes to implement an interface, and there are various ways to do it (over netlink or plain file /proc/net/dev lookups). Just look at /proc/net/dev. The majority of drivers have "tp->stats.tx_errors++;" at least and similar things. Example my "h...
by nuclearcat
Fri Jan 04, 2008 6:37 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature proposal (also community pls say if it is required)
Replies: 14
Views: 4163

Re: Feature proposal (also community pls say if it is required)

Imho it is too trivial to include in the wiki. Mikrotik is already taking information about counters from /proc or somewhere else, so it is just a few more lines of code. Not complicated like other things in the WIKI.
by nuclearcat
Thu Jan 03, 2008 2:08 am
Forum: RouterOS v6 RC and v7 BETA
Topic: rc13, lot of bugs/ not for production, rc14 wanted
Replies: 1
Views: 1092

rc13, lot of bugs/ not for production, rc14 wanted

Hi, sent reports about the wireless "stale" bug, where all clients are associated, but traffic is not able to pass. Got it on my home link (x86), and on one of the bases which I upgraded to rc13. Mikrotik asked me for a supout, but it is kind of difficult to do, cause the client is down at this time and I cannot reach him. Prob...
by nuclearcat
Thu Dec 13, 2007 4:57 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Nstreme option suggestion/cosmetic
Replies: 0
Views: 830

Nstreme option suggestion/cosmetic

Hi again :-)

As I understand (and it is logical), polling cannot be enabled without Nstreme. And CSMA-Disable cannot be enabled without nstreme.
Is it possible to "disable" the checkboxes? Cause some people think they can enable polling without nstreme.
by nuclearcat
Wed Dec 12, 2007 1:43 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature proposal (also community pls say if it is required)
Replies: 14
Views: 4163

Feature proposal (also community pls say if it is required)

1) We recently faced a strange issue with lightning - 3 cards in a PC, one of the cards was damaged (it was not shown anywhere, the card was visible). All cards were dead (I can change settings, but the cards don't see anything in the air), cause "unexpected replies to driver" from the damaged card were blocking ath...
by nuclearcat
Fri Sep 21, 2007 5:08 pm
Forum: General
Topic: MUM in Egypt - DONE!
Replies: 26
Views: 5028

Re: MUM Egypt who is coming?

I will send my boss :-)
by nuclearcat
Mon Sep 17, 2007 6:18 am
Forum: Wireless Networking
Topic: 65km p2p link - floating and unstable signal
Replies: 2
Views: 675

Re: 65km p2p link - floating and unstable signal

IMHO it is another issue, requiring space diversity, which is relevant for 5GHz links (but not so much for 2.* GHz).
It means that depending on weather conditions the possible path of the signal changes.
But this is just an idea.