The way to set Mikrotik into GOD mode..New secrets revealed!

vetusa2 · October 15, 2011, 3:10pm

as we all know when we try to change our ip address to use a static ip address in microsoft windows we go for the network connection properties,we also know that entering a new ip address is under some rules and conditions.

microsoft windows will refuse letting you put in the first octet any number above 223 or letters or even zeros

just to let you all know Mikrotik dhcp server v3.30 is allowing you to send ip address ranges to all users on the Lan breaking all these rules

it means you can set 0.1.2.0/24 as a range or even 255.0.0.0/24 which will stop end users from being able to type these ranges manually.

but under one condition

only microsoft windows xp systems and lower will receive that range and be happy

i tested windows 7 and it refuses to take these ip ranges

another problem i also discovered:
any one hacking into mikrotik systems with mac 00:00:00:00:00:00 can;t be blocked by mac which means happy hacking day.

blocking 00:00:00:00:00:00 mac will block the entire mikrotik server ranges on all users

so at the end i request mikrotik team to take the mac problem more seriously

Thank you.

mrz · October 17, 2011, 6:12am

These addresses are not invalid, so of course RouterOS allows to add them.

kirshteins · October 17, 2011, 6:44am

Please describe how are you blocking 00:00:00:00:00:00 MAC address.

doush · October 17, 2011, 9:23am

How do you block a MAC address in MT ?

vetusa2 · October 17, 2011, 2:08pm

oh boy oh boy!

MikroTik Support asking me how to block by mac

i will tell you how i do it on the wireless network as a beginning

from the access list of the wlan adapter

add by mac then uncheck both forwarding and Authentication then create any fake private keys

this will block any unwanted visitors by mac

second i use arp tables to make static entry for any mac then mark block from the dhcp server or ip bindings

lol

siscom · October 17, 2011, 5:25pm

Hi,

Probably the reason that Mikrotik Support asked is NOT that they do not know, but that maybe you could share your knowledge on this in a public forum for users?

Rgds,
Mark.

vetusa2 · October 17, 2011, 8:57pm

of course anytime m8.

yours
Sam

kirshteins · October 18, 2011, 6:36am

vetusa2, there are several ways to block traffic by MAC addresses in RouterOS.

In “wireless access-list” section 00:00:00:00:00:00 MAC address value is taken as “any MAC address” and not any single numerical value. You need to use IP firewall or bridge firewall filters to block such MAC address. It is best to use security profile features to ensure wireless security:
http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Security_Profiles

vetusa2 · October 18, 2011, 7:01am

Dear kirshteins

00:00:00:00:00:00 mac address is a security hole in Mikrotik exactly when someone trys to take it either to do an ip scan on the network to get mac addresses of all users or to lunch a dns poisoning attack,you guys should add an option to be able to block any single user from taking that mac address,also like you said security profile is best to use but not the safest since people lately can hack into WEP and WPA using backtrack.

i just wonder what if somone took 00:00:00:00:00:00 mac address then started to attack the entire network!

at the end we all like Mikrotik and his staff that’s why we point out these kind of problems.

Thank you

normis · October 18, 2011, 7:02am

I have not seen any actual WPA hacking examples. Can you give examples?

vetusa2 · October 18, 2011, 7:12am

just an example but not the way

we want to protect our self not to spread the words

http://www.youtube.com/watch?v=Bkj3TBu0ZV4

normis · October 18, 2011, 7:26am

8 symbol password takes a few months on a high powered machine. Good luck with that. So, keep using WPA2 with AES and nobody will touch your network.

vetusa2 · October 18, 2011, 7:50am

just to let you know,lately they use the PCI Express video cards GPU’s to break passwords in 2-3 days instead of months with regular CPUs.

normis · October 18, 2011, 8:14am

what good is 2-3 days, if your dynamic keys are changed every 5 minutes? also your log files will indicate the problem, and that station will be blocked.

what good is you blocking 00:00:00 MAC address? the guy will change it to something else

this is a mikrotik router, it’s not hard to protect it, and it’s not stupid. let’s talk when you actually manage to break it, even if it takes you 2 days.

also, use WPA-EAP to make sure nobody can hack you at all.

vetusa2 · October 18, 2011, 8:40am

but still 00:00:00:00:00:00 mac address is a risk for being not able to block it from attacking the network!

at least you can block any other macs…correct?

just remember running a hotspot with a log in page will be useless this way!

i am with you that using WPA-EAP is a way arround the problem

i like the way you show some Canines to these issues

but like it or not it is still a threat!

kirshteins · October 18, 2011, 10:14am

Hacker can use same MAC address as legitimate user, so blocking by MAC address is not very good solution.

vetusa2 · October 18, 2011, 11:55am

i agree with you ,same as the mikrotik hotspot user account too it uses mac auth+username+pass+ip address

by the way..

any good news on the mac duplications issue as you call it “MAC address cloning issue”?

people with mikrotik hotspot service are asking that question on my side.

they suffer from mac identity theft

kirshteins · October 19, 2011, 5:57am

Try using this feature: http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Management_frame_protection

vetusa2 · October 19, 2011, 7:31am

lol

i knew you’d say that

correct me if i am wrong

on the wireless adaptor only ,MFP is to protect RouterOS to RouterOS from deauth attack but not to protect RouterOS to end users from MAC address cloning issue or deauth attack.

coffeecoco · February 11, 2012, 3:49pm

So much lols zomg

BTW that youtube vid of WPA hacking.. is a joke, lmao