How to recover MikroTik router password without losing configuration?

Hello Everyone,

I have a MikroTik router but unfortunately I have forgotten the admin password.
I want to recover or reset the password without losing the existing configuration.

Hi,

You are out of luck. No way to reset password only.

But if you are a hacker, you can use the router's netboot functionality of the RouterBoot, and mount the NAND from a netbooted OpenWrt, but use the correct image that doesn't format the NAND, just boots OpenWrt.

Here is maybe an old working way of doing this:
http://manio.skyboo.net/mikrotik/

The link is a bit outdated...
Now the salted hash is stored, rather than the practically "clear text" password...

(and then the file could be extracted from the .backup, if you had one, without needing all this...)

But do you need the password, is the config and the filesystem encrypted in the nand ?
And what file in the system is the config ?

They are not encrypted; the various parts of the configuration are SQLite3 databases,
but the cleartext password can no longer be extracted from the salted hash.

Not exactly a "plain" filesystem, however, JFYI:


Even if the procedure is possible, then IMHO it's beyond the technical skills of the OP.

There’s a way to dump (or at least simulate access to) the configuration. I used VMware’s ESXi and I can’t provide instructions for other platforms.

BOM:

  • A “workbench” Linux VM;
  • A “transplant” VMDK disk;
  • A “simulated mikrotik VM”, to run the simulated device;
  • Mikrotik system image version close to your device’s version;

The idea was being able to attach the transplant disk to both the workbench and simulated mikrotik, to change the filesystem “on the fly” or without having to disconnect the disk from one VM to be able to connect to the other and run tests.

  • In ESXi/vCenter create the transplant VMDK disk, “Thick Provisioned, lazily zeroed”, allowing it to be mounted to two VMs at the same time, under certain conditions. Mine was 128MB. You’ll probably have to do this via command line; search around the internet for how to do it;
  • Attach this disk to the workbench already containing the filesystem extracted from the original device, using my guide in the other topic. Make sure it’s configured with Disk Mode Dependent;
  • Write the router’s image to the transplant disk using dd, to create a filesystem;
  • Backup (just copy) all the new files to your workbench VM, in case you have to do something over. When something goes wrong, it’s easier to delete the whole root and copy it back than re-dd’ing;
  • Now, copy the extracted dumped filesystem root to the transplant disk;
  • The simulated mikrotik VM should be created with CPU/memory configuration close to the device’s spec. Also create an equivalent number of network adapters, considering ethernet and whatever else the original device has (like wifi);
  • Now, mount the transplant VM but change its disk mode to “Independent - non persistent”. This allows sharing it between two VMs, although you can’t see changes made from the workbench VM because the Mikrotik OS loads everything at startup and I couldn’t find a way to re-read it on-the-fly.

Now that everything is set up, the password removal. When you first boot a newly flashed system, it creates a file containing the hashed/encrypted credentials. I don’t exactly remember which file it is, but if you remove it from your dumped filesystem and reboot the simulated VM, you are allowed to set a new password and run commands. I noticed that during boot, if some hardware devices aren’t available or aren’t recognized as such, some configs are lost, others are corrupted, BUT you will be able to (painstakingly) retrieve most of it using the router’s traditional command lines, maybe even certificates, if you have the skills.

Maybe the file is user.dat/idx (delete both) or system.dat/idx. You can do trial-and-error or create a diff between the filesystem tree of both root dirs and look for files that exist in the dumped one but not on the image’s original.

Hope it helps someone.

If it were only possible to repack the filesystem without the credentials file and reflash it to the device, it would be possible to reset the password again, without losing the configuration (provided that you don’t boot the FS in another VM or do anything else).

But this would require a level of expertise, tools and time I don’t have to validate.