Rouge MikroTik Server Killer Ready!

PaRaN0iD · February 4, 2012, 6:02pm

Hii all

We faced here a problem called “Fake mikrotik servers”
hackers install mikrotik on virtual machine and run it in our
wlan’s with proper settings he can sniff out PPPOE secrets

So I wrote this script with assisstance of this great forum
to detect any rouge mikrotik server and kick it out

##############################
# # Fake MikroTik Killer     #
# # BY: lnuxxunl             #
# # Thank's jcem For support #
##############################
:local int;
:local machack;
:local var;
:local var1;
/ip neighbor discovery enable ether2 ;
:foreach int in=[/ip neighbor find] do={
:local machack [/ip neighbor get $int value-name=mac-address]
:if ([/ip neighbor get $int value=platform ] = "NS2" || [/ip neighbor get $int value=platform ] = "NS5" || [:len [/int w access-list find mac-address="$machack"]] > 0 ) do={
:nothing;
} else={ :local var [/ip neighbor get $int value-name=platform ];
:local var1 [/ip neighbor get $int value-name=version ];
/int w access-list add mac-address=$machack authentication=no forwarding=no;
/ip fire filter add chain=forward src-mac-address=$machack action=drop;
:log warning ( $var . $var1 . " Fake Server BlockeD!");
  } 
}

Notice: you must change “ether2” in script to your proper wireless or wire card

Here is how it work

http://youtu.be/dS5y0Fnm9r4

It’s my first script so I accept any suggestions
any notes guys

Fore give me for my bad english
Thank you

theend · February 15, 2012, 10:42pm

The Iraqi man who devised this kind of hacking is trying to protect the world!!!

regardtv · February 15, 2012, 11:37pm

Hi,

I agree that your script could work - but simply turning off his IP neighbour discovery would prevent your from blocking him.

I’d suggest you look into client isolation. Turning that on at the AP level will prevent the person from seeing other broadcasts – if that’s not an option you could look at the L2 (bridge) firewalling to prevent the PADI and PADR being sent back to the wlan. In addition you could block wlan clients from sending PADO or PADS towards the AP.

If you run a central PPPoE with multiple APs that complicates matters but you could still apply the L2 firewalling and/or look into switches (such as some of the HP ones) that apply client isolation on a port level.

PaRaN0iD · February 16, 2012, 4:23pm

Thank you for your these intersted info. for some reason all of this not preventing the fake virtual Mikrotik activity

ya right if the attacker turning neighbor discovery the script become useless. So I chose another variable
which is the fake PPPOE server itself take a look to this one:

:global result;
:global resultLen;
:global startLoc;
:global endLoc;
:global Evilmac;
:global i;
:global End 0;
:global line "";
:global start 0;
:foreach i in=[/file find ] do={
:if ([/file get $i value-name=name ] = "dump.txt") do={
/file remove $i ;
  }
}
/system logging add topics=pppoe action=memory;
/interface pppoe-client add name=dump interface=ether2 disabled=no;
:delay 5s;
/log print file=dump.txt where topics="pppoe,debug,packet"
:delay 3s;
:global content [/file get [/file find name=dump.txt] contents];
:global contentLen [ :len $content ] ;
:do {
        :set End [:find $content "\n" $start ] ;
        :set line [:pick $content $start $End] ;
        :set start ($End + 1) ;
        :if ([:len [:find $line "\_rcvd\_PADO\_from\_"]] > 0) do={
        :local entry [:pick $line 0 ($End -1) ]
        :global result ($entry);
        :global resultLen [:len $result];
        :global startLoc [:find $result "\_rcvd\_PADO\_from\_"] ;
		:set startLoc ($startLoc + [:len $startLoc] + 14);
        :global endLoc ($startLoc + 17);
        :global Evilmac [:pick $result $startLoc $endLoc];
		:if ([:len [/int w access-list find mac-address="$Evilmac"]] > 0) do={
		:log warning "Exists!"
		} else={
		/int w access-list add mac-address=$Evilmac authentication=no forwarding=no;
        /ip fire filter add chain=forward src-mac-address=$Evilmac action=drop;
        :log warning "Rouge PPPOE server BlockeD!";
        }
    }
} while=($End < $contentLen)
/inter pppoe-client remove dump
:global j;
:foreach j in=[/system logging find] do={
:if ([/system logging get $j value-name=topics] = "pppoe") do={
/system logging remove $j ;
  }
}

Where “ether2” is at the clients side

theend · February 16, 2012, 4:59pm

This info could be used against you PaRaN0iD.

PaRaN0iD · February 16, 2012, 8:00pm

it’s another challenge to me & some kids pretend to be a hackers
let’s punish them

theend · February 18, 2012, 5:43pm

Whatever you say. I just wanna to say that you are unstable. (be the law or break it).