Page 1 of 1

Is there a place where I may ask whitehat to hijack my ROS?

Posted: Tue Oct 15, 2019 10:33 pm
by Hiji56
Is there a place where I may ask whitehat to hijack my ROS?
I need to check my security rules.

Re: Is there a place where I may ask whitehat to hijack my ROS?

Posted: Wed Oct 16, 2019 4:06 am
by akin2silver
No free services that I know of.
You could hire a pen tester if you need it tested for something important.

Re: Is there a place where I may ask whitehat to hijack my ROS?

Posted: Wed Oct 16, 2019 5:17 am
by Sob
Or you can post the config here with some description about goals and such, and maybe someone will point out mistakes. But it depends what it is, if it's too complex, not too many people will be interested in trying to understand it all.

Re: Is there a place where I may ask whitehat to hijack my ROS?

Posted: Wed Oct 16, 2019 7:12 am
by vecernik87
Does it matter who hijacks it? Just publish your IP here or on FB/Twitter with hashtag #hackChallenge and soon you will have your results.

Re: Is there a place where I may ask whitehat to hijack my ROS?

Posted: Tue Oct 22, 2019 7:52 pm
by Hiji56
akin2silver, Sob, vecernik87, thank you for answers.
It's become clear to me that less people know my IP more secure I am.
Here is config) if you have time roast me)
[(Put your user name here)@MikroTik] > export compact hide-sensitive 
# oct/22/2019 19:23:04 by RouterOS 6.45.6
# software id = 34LY-BG7R
#
# model = (put your model number here)
# serial number = (put your serial number here)
/interface bridge
add admin-mac=(put your mac-admin here) auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full full-duplex=no loop-protect=on
set [ find default-name=ether2 ] advertise=100M-full,1000M-full loop-protect=off speed=100Mbps
set [ find default-name=ether3 ] advertise=1000M-full loop-protect=off
set [ find default-name=ether4 ] advertise=1000M-full loop-protect=off
set [ find default-name=ether5 ] advertise=1000M-full loop-protect=off
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=(put your set here) disconnect-timeout=15s distance=indoors frequency=auto mode=ap-bridge on-fail-retry-time=500ms ssid=(put your SSID#1 here) tx-power=15 tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=(put your set here) disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=(put your SSID#2 here) tx-power=15 tx-power-mode=all-rates-fixed \
    wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=(Put you local IP here).10-(Put you local IP here).254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge lease-time=2d23h59m name=defconf
/ppp profile
set *FFFFFFFE insert-queue-before=bottom local-address=192.168.89.1 remote-address=vpn session-timeout=1s
/system logging action
set 0 memory-lines=3000
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip firewall connection tracking
set tcp-established-timeout=1h
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireless access-list
add comment=(put your device#1 here) interface=wlan2 mac-address=(put your device#1 mac here)
add comment=(put your device#2 here) interface=wlan2 mac-address=(put your device#2 mac here)
add comment=(put your device#3 here) interface=wlan2 mac-address=(put your device#3 mac here)
add comment=(put your device#4 here) interface=wlan2 mac-address=(put your device#4 mac here)
/ip address
add address=(Put you local IP here).1/24 comment=defconf interface=bridge network=(Put you local IP here).0
add address=(put your WhiteIP here) interface=ether1 network=(put your WhiteIP network here)
/ip arp
add address=(put your device#5 here) interface=bridge mac-address=(put your device#5 mac here)
add address=(put your device#6 here) interface=bridge mac-address=(put your device#6 mac here)
add address=(put your device#7 here) interface=bridge mac-address=(put your device#7 mac here)
add address=(put your device#8 here) interface=bridge mac-address=(put your device#8 mac here)
add address=(put your device#9 here) interface=bridge mac-address=(put your device#9 mac here)
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=(put your device# here) client-id=(put your device# id here) mac-address=(put your device# mac here) server=defconf
add address=(put your device# here) client-id=(put your device# id here) mac-address=(put your device# mac here) server=defconf
add address=(put your device# here) allow-dual-stack-queue=no comment=Nas mac-address=(put your device# id here) server=defconf use-src-mac=yes
/ip dhcp-server network
add address=(Put you local IP here).0/24 comment=defconf gateway=(Put you local IP here).1 netmask=24
/ip dns
set allow-remote-requests=yes servers=176.103.130.130,8.8.8.8
/ip dns static
add address=(Put you local IP here).1 name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=192.168.0.0/16 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 list=BOGON
add address=240.0.0.0/4 list=BOGON
add address=192.168.0.0/24 list=GoodIP
add address=8.8.8.8 list=GoodIP
/ip firewall filter
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=accept chain=input connection-state=established,related log-prefix="Check Rule"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=add-src-to-address-list address-list=BadIP_WinboxTry address-list-timeout=6d chain=input comment="Winbox brute force protection" connection-state=new dst-port=(Put you WINBOX port here) log=yes log-prefix="Winbox login operation" protocol=tcp src-address-list=\
    temp_BadIP-WinboxTry-3
add action=add-src-to-address-list address-list=temp_BadIP-WinboxTry-3 address-list-timeout=30s chain=input connection-state=new dst-port=(Put you WINBOX port here) log-prefix="Winbox login operation" protocol=tcp src-address-list=temp_BadIP-WinboxTry-2
add action=add-src-to-address-list address-list=temp_BadIP-WinboxTry-2 address-list-timeout=30s chain=input connection-state=new dst-port=(Put you WINBOX port here) log-prefix="Winbox login operation" protocol=tcp src-address-list=temp_BadIP-WinboxTry-1
add action=add-src-to-address-list address-list=temp_BadIP-WinboxTry-1 address-list-timeout=30s chain=input connection-state=new dst-port=(Put you WINBOX port here) log-prefix="Winbox login operation" protocol=tcp
add action=accept chain=input comment="Winbox from net port:(Put you WINBOX port here)" dst-port=(Put you WINBOX port here) log-prefix="Winbox login operation" protocol=tcp
add action=add-src-to-address-list address-list=BadIP_PortTryTCP address-list-timeout=6d10s chain=input comment=":::StandartPortProtection - SYNDrop" connection-limit=25,32 log-prefix="Ban bad user IP - SYN TRY" protocol=tcp tcp-flags=syn
add action=drop chain=input connection-limit=25,32 log-prefix="Ban bad user IP - SYN TRY" protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list=BadIP_PortTryTCP address-list-timeout=6d10s chain=input comment=":::StandartPortProtection. " dst-port=21,22,23,53,80,389,443,445,3389,4569,5060,5061,8291,8728,8729 log=yes log-prefix=\
    "Ban bad user IP - PortTryTCP" protocol=tcp src-address-list=!GoodIP
add action=drop chain=input dst-port=21,22,23,53,80,389,443,445,3389,4569,5060,5061,8291,8728,8729 log-prefix="Ban bad user IP - PortTry" protocol=tcp src-address-list=!GoodIP
add action=add-src-to-address-list address-list=BadIP_PortTryUDP address-list-timeout=6d10s chain=input dst-port=53,161,389,500,4500,4569,5060,5678 log=yes log-prefix="Ban bad user IP - PortTryUDP" protocol=udp src-address-list=!GoodIP
add action=drop chain=input dst-port=53,161,389,500,4500,4569,5060,5678 log-prefix="Ban bad user IP - PortTry" protocol=udp src-address-list=!GoodIP
add action=accept chain=input comment="Allow ping with pocket size 666 (ping XX.XX.XX.XX -l 694)" packet-size=694 protocol=icmp
add action=add-src-to-address-list address-list=BadIP_PingTry address-list-timeout=6d10s chain=input comment="Not allow ping with wrong pocket size" log=yes log-prefix="Ban bad user IP - Ping try with bad pocket size" packet-size=!694 protocol=icmp \
    src-address-list=temp_BadIP_Ping_level_4
add action=add-src-to-address-list address-list=temp_BadIP_Ping_level_4 address-list-timeout=20s chain=input log-prefix="Ban bad user IP - Ping try with bad pocket size" packet-size=!694 protocol=icmp src-address-list=temp_BadIP_Ping_level_3
add action=add-src-to-address-list address-list=temp_BadIP_Ping_level_3 address-list-timeout=20s chain=input log-prefix="Ban bad user IP - Ping try with bad pocket size" packet-size=!694 protocol=icmp src-address-list=temp_BadIP_Ping_level_2
add action=add-src-to-address-list address-list=temp_BadIP_Ping_level_2 address-list-timeout=20s chain=input log-prefix="Ban bad user IP - Ping try with bad pocket size" packet-size=!694 protocol=icmp src-address-list=temp_BadIP_Ping_level_1
add action=add-src-to-address-list address-list=temp_BadIP_Ping_level_1 address-list-timeout=20s chain=input log-prefix="Ban bad user IP - Ping try with bad pocket size" packet-size=!694 protocol=icmp
add action=drop chain=input log-prefix="Ban bad user IP - Ping try with bad pocket size" packet-size=!694 protocol=icmp
add action=add-src-to-address-list address-list=BadIP_PortScanner address-list-timeout=1w chain=input comment=BanBadIP_PortScanner log=yes log-prefix=BanBadIP_PortScanner protocol=tcp psd=10,10s,3,1 src-address-list=GoodIP
add action=drop chain=input log-prefix=BanBadIP_PortScanner protocol=tcp psd=10,10s,3,1 src-address-list=GoodIP
add action=drop chain=forward comment="Refuse TV Network But Allow Local" log-prefix="Refuse TV Network But Allow Local" out-interface-list=WAN src-address=(Put you local IP here).111
add action=drop chain=input comment="While no white IP - block all input - they are not welcome" in-interface-list=WAN src-address-list=!GoodIP
/ip firewall nat
add action=netmap chain=dstnat disabled=yes dst-address=(put your WhiteIP here) dst-port=51413 in-interface=ether1 protocol=udp to-addresses=(Put you local IP here).15 to-ports=51413
add action=netmap chain=dstnat disabled=yes dst-address=(put your WhiteIP here) dst-port=51413 in-interface=ether1 protocol=tcp to-addresses=(Put you local IP here).15 to-ports=51413
add action=netmap chain=dstnat disabled=yes dst-address=(put your WhiteIP here) dst-port=9090 in-interface=ether1 protocol=tcp to-addresses=(Put you local IP here).15 to-ports=9090
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN src-address-list=BadIP_PingTry
add action=drop chain=prerouting in-interface-list=WAN src-address-list=BadIP_PortScanner
add action=drop chain=prerouting in-interface-list=WAN src-address-list=BadIP_WinboxTry
add action=drop chain=prerouting in-interface-list=WAN src-address-list=BadIP_PortTryTCP
add action=drop chain=prerouting in-interface-list=WAN src-address-list=BadIP_PortTryUDP
add action=drop chain=prerouting in-interface-list=WAN src-address-list=BOGON
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add distance=1 gateway=(put your WhiteIP gateway here)
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=(Put you local IP here).0/24 disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=(Put you WINBOX port here)
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp aaa
set use-radius=yes
/system clock
set time-zone-autodetect=no time-zone-name=(put your time zone here)
/system clock manual
set time-zone=(Put you know what here)
/system routerboard settings
set cpu-frequency=488MHz
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=ether5 filter-ip-address=!255.255.255.255/32