While doing a packet capture for other reasons I noticed that when Winbox connects it sends the username in plain text. This is a little concerning, because if an attacker was able to do a packet capture of a Winbox session, half of the login info is easily obtained.
I’m hoping this can be addressed in a future version of RouterOS and Winbox.
Confirming with Winbox 3.18 and RoS 6.43.2 and 6.42.7 (I assume all versions are the same).
Not sure if there is some interest in fixing it. The recent change of the API caused both the username AND PASSWORD to be plaintext, which is an obvious step backwards (or a strong signal to use API-SSL instead of the normal API).
Please provide this packet capture to support@mikrotik.com. Make sure that capture is taken while communication is happening between Winbox 3.18 and RouterOS version 6.43 or later.
@normis: thanks for the quick reaction. I sent the email with the pcap file and description. (And of course I accidentally made a typo in one sentence, where I wrote “plaintext password” instead of “plaintext username”. I replied with another email explaining the mistake; please don’t laugh too hard, it's just me being me…)
@all: Ticket was received as Ticket#2018101122003562, I will post an update if there is any reply.
Winbox uses a variant of SRP to establish a secure, encrypted communication channel. The username is sent in plain text as part of the identity verification process to deny possible MITM attacks. The password is not and never was sent in plain text.
Thanks, Emils, for the quick response both in the ticket reply and here. I really appreciate it.
I will not pretend that I understand how that protocol works. I can only believe it really is secure against MITM. However, it feels like it goes against the recommended way to secure the router: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Access_username
If someone has direct access (as written in the article), they can easily discover the username (because it is sent in plain text) and therefore changing the default username will make no difference, right?
The article describes protection against remote brute force attackers. If your attacker already has the capability to sniff your traffic, you are in bigger trouble and changing the username is not going to help. Therefore all the other suggestions come into play (like limiting the number of logins per minute, having a hard to guess password and limiting access from certain ports/IP addresses).
Why not at least hash it? If you really need to send the username to prevent spoofing or for some other reason, a hash would work as well. It would at least not be visible in the packet in the clear.
I agree that if someone is already sniffing your connection you have a bigger problem, but still… why make it that easy?
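To make Emils's explanation concrete (and to show why the identifier has to be readable by the server, which is what the "why not hash it?" question runs into), here is an added worked example of a standard SRP-6a login. It is not MikroTik's Winbox code: the thread only says Winbox uses "a variant of SRP", so this follows RFC 2945/5054 with the RFC 5054 1024-bit group and SHA-256, and the usernames and passwords in it are constructed. The server needs the username before any key material exists because it indexes the stored salt and verifier; a hashed username would simply become the identifier that is sent instead. What never crosses the wire is the password, and the server can accept or reject the login without ever seeing it.

```python
"""SRP-6a exchange: what an on-path observer sees, and what it does not.

Added illustration, not MikroTik's Winbox implementation (the thread only
says Winbox uses "a variant of SRP"). Standard SRP-6a per RFC 2945/5054,
RFC 5054 1024-bit group, SHA-256. Usernames/passwords below are constructed.
"""
import hashlib
import os

# RFC 5054 Appendix A, 1024-bit group, g = 2 (transcribed from the RFC;
# check_group() verifies it is a safe prime before use).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over the concatenation of byte strings, as a big integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x):
    """Fixed-width big-endian encoding of a group element."""
    return x.to_bytes(NBYTES, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; enough to catch a transcription slip."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(os.urandom(NBYTES), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group():
    """N must be a safe prime: both N and (N-1)/2 prime."""
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)


def private_x(username, salt, password):
    """RFC 2945: x = H(s | H(I ":" P)); only the client ever computes this."""
    return H(salt, hashlib.sha256(username + b":" + password).digest())


def enroll(username, password):
    """Server stores (salt, verifier); the password itself is never stored."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(username, salt, password), N)


def run_exchange(db, username, password):
    """One login attempt. Returns the wire transcript and the server's verdict."""
    wire = []
    # Client -> server: identity in the clear plus ephemeral public value A.
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)
    wire.append(username + pad(A))
    # Server looks up the verifier *by username*; this is why the identity
    # must be readable by the server before any shared key exists.
    salt, v = db[username]
    b = int.from_bytes(os.urandom(32), "big")
    B = (k * v + pow(g, b, N)) % N
    wire.append(salt + pad(B))
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate ephemeral value")
    u = H(pad(A), pad(B))
    # Client side: needs the password locally, never transmits it.
    x = private_x(username, salt, password)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_c = hashlib.sha256(pad(S_c)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_c).digest()  # client proof
    wire.append(M1)
    # Server side: derives the same secret from the stored verifier only.
    S_s = pow((A * pow(v, u, N)) % N, b, N)
    K_s = hashlib.sha256(pad(S_s)).digest()
    accepted = M1 == hashlib.sha256(pad(A) + pad(B) + K_s).digest()
    return {"wire": b"".join(wire), "accepted": accepted, "keys_match": K_c == K_s}


if __name__ == "__main__":
    assert check_group()
    users = {b"admin": enroll(b"admin", b"correct-horse-battery")}  # constructed
    good = run_exchange(users, b"admin", b"correct-horse-battery")
    bad = run_exchange(users, b"admin", b"wrong-password-guess")
    print("username visible on wire:", b"admin" in good["wire"])
    print("password visible on wire:", b"correct-horse-battery" in good["wire"])
    print("correct password accepted:", good["accepted"])
    print("wrong password accepted:", bad["accepted"])
```

Running it shows the username and the public values A, B and the salt in the transcript, the password absent from both the transcript and the server's database, and the server rejecting a wrong password purely from the client's proof M1. The `check_group()` call is the sanity check a practitioner should keep whenever a group modulus is pasted in by hand.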