AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

program get any mikrotik system username and password in 3 seconds

Thu Jun 07, 2018 10:57 pm

Hello Everyone,
We are facing a serious bug. There is a big bug in the MikroTik system that will destroy it, which will stop our business, and SOLUTIONS must be found. I hope R&D fixes it immediately, and if anyone has any idea how to solve it, please contact me. Meanwhile, anyone who wants the username and password of his MikroTik system, just send me your cloud IP or host name and I will give it to you, no matter how long and complicated it is.
 
Anumrak
Forum Guru
Posts: 1051
Joined: Fri Jul 28, 2017 2:53 pm

Re: program get any mikrotik system username and password in 3 seconds

Fri Jun 08, 2018 1:34 pm

WTF
 
JB172
Member
Posts: 306
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: program get any mikrotik system username and password in 3 seconds

Fri Jun 08, 2018 2:05 pm

> Hello Everyone,
> We are facing a serious bug. There is a big bug in the MikroTik system that will destroy it, which will stop our business, and SOLUTIONS must be found. I hope R&D fixes it immediately, and if anyone has any idea how to solve it, please contact me. Meanwhile, anyone who wants the username and password of his MikroTik system, just send me your cloud IP or host name and I will give it to you, no matter how long and complicated it is.
Does the MikroTik version matter?
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: program get any mikrotik system username and password in 3 seconds

Fri Jun 08, 2018 2:22 pm

Post your version in use, and your external access to the router setup and your internal access to the router setup, otherwise all I see is hot air.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
nescafe2002
Long time Member
Posts: 624
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: program get any mikrotik system username and password in 3 seconds

Fri Jun 08, 2018 2:29 pm

Probably related to this (known) topic: viewtopic.php?t=133533

But, if you think you found a new bug, please contact support directly with instructions and supout.
 
Lifz
newbie
Posts: 43
Joined: Tue Feb 26, 2013 1:05 pm

Re: program get any mikrotik system username and password in 3 seconds

Fri Jun 08, 2018 3:08 pm

Please contact us at support@mikrotik.com with descriptions
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: program get any mikrotik system username and password in 3 seconds

Fri Jun 08, 2018 3:30 pm

> Anyone who wants the username and password of his MikroTik system, just send me your cloud IP or host name and I will give it to you, no matter how long and complicated it is
Go for it:
demo.mt.lv
demo2.mt.lv
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Fri Jun 08, 2018 11:36 pm

>> Anyone who wants the username and password of his MikroTik system, just send me your cloud IP or host name and I will give it to you, no matter how long and complicated it is
> Go for it:
> demo.mt.lv
> demo2.mt.lv
username: admin
password: empty
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 1:47 am

Good, but now try for real with two existing real admin accounts. :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: Sana'a, Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 1:55 am

> Good, but now try for real with two existing real admin accounts. :)
Change your user name and password for the admin user and he will know it.
Last edited by ahmedalmi on Sat Jun 09, 2018 8:33 am, edited 2 times in total.
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 2:39 am

Those routers have two admin accounts with full rights, and it's even easier, because you can see their names using the password-less "admin" account. These are two of MikroTik's own demo routers, with supposedly secure RouterOS. And to be honest, I'm a little skeptical that you can get in (as full admin). But if you really can, keep the passwords for yourself, and if you want to impress us (and MikroTik too, no doubt), just make some small harmless change, e.g. /system note set note="some text".
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 4:22 am

> Those routers have two admin accounts with full rights, and it's even easier, because you can see their names using the password-less "admin" account. These are two of MikroTik's own demo routers, with supposedly secure RouterOS. And to be honest, I'm a little skeptical that you can get in (as full admin). But if you really can, keep the passwords for yourself, and if you want to impress us (and MikroTik too, no doubt), just make some small harmless change, e.g. /system note set note="some text".
Hi Sob,
just send me your own cloud or host name and I'll prove that to you and send you your username and pass
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 4:24 am

> Please contact us at support@mikrotik.com with descriptions
I did that and I hope they reply as soon as they can
 
sguox
Trainer
Posts: 73
Joined: Fri Mar 09, 2012 6:23 pm

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 5:57 am

116.15.139.78 mikrotik with public IP
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 6:26 am

> 116.15.139.78 mikrotik with public IP
at least open one port!!
 
Shadeofspirit
Member Candidate
Posts: 204
Joined: Fri May 27, 2016 12:15 am
Location: Minsk

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 6:53 am

public ip 80.249.83.171
MTCNA, MTCWE
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 7:02 am

> Probably related to this (known) topic: viewtopic.php?t=133533
>
> But, if you think you found a new bug, please contact support directly with instructions and supout.
Yeah, seems like this but using port 80,
and should change the winbox port 8291
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 7:06 am

> public ip 80.249.83.171
open port www and winbox 8291 sir
 
Shadeofspirit
Member Candidate
Posts: 204
Joined: Fri May 27, 2016 12:15 am
Location: Minsk

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 7:19 am

>> public ip 80.249.83.171
> open port www and winbox 8291 sir
Starting Nmap ( https://nmap.org ) at 2018-06-09 04:16 UTC
NSE: Loaded 40 scripts for scanning.
Initiating Ping Scan at 04:16
Scanning 80.249.83.171 [4 ports]
Completed Ping Scan at 04:16, 0.22s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 04:16
Scanning mail.itbel.com (80.249.83.171) [6 ports]
Discovered open port 80/tcp on 80.249.83.171
Discovered open port 8729/tcp on 80.249.83.171
Discovered open port 8728/tcp on 80.249.83.171
Discovered open port 8291/tcp on 80.249.83.171
Completed SYN Stealth Scan at 04:16, 0.22s elapsed (6 total ports)
Initiating Service scan at 04:16
MTCNA, MTCWE
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 7:45 am

>>> public ip 80.249.83.171
>> open port www and winbox 8291 sir
> Starting Nmap ( https://nmap.org ) at 2018-06-09 04:16 UTC
> NSE: Loaded 40 scripts for scanning.
> Initiating Ping Scan at 04:16
> Scanning 80.249.83.171 [4 ports]
> Completed Ping Scan at 04:16, 0.22s elapsed (1 total hosts)
> Initiating SYN Stealth Scan at 04:16
> Scanning mail.itbel.com (80.249.83.171) [6 ports]
> Discovered open port 80/tcp on 80.249.83.171
> Discovered open port 8729/tcp on 80.249.83.171
> Discovered open port 8728/tcp on 80.249.83.171
> Discovered open port 8291/tcp on 80.249.83.171
> Completed SYN Stealth Scan at 04:16, 0.22s elapsed (6 total ports)
> Initiating Service scan at 04:16
it's all closed from my side sir
 
Shadeofspirit
Member Candidate
Posts: 204
Joined: Fri May 27, 2016 12:15 am
Location: Minsk

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 7:56 am

>>>> public ip 80.249.83.171
>>> open port www and winbox 8291 sir
>> Starting Nmap ( https://nmap.org ) at 2018-06-09 04:16 UTC
>> NSE: Loaded 40 scripts for scanning.
>> Initiating Ping Scan at 04:16
>> Scanning 80.249.83.171 [4 ports]
>> Completed Ping Scan at 04:16, 0.22s elapsed (1 total hosts)
>> Initiating SYN Stealth Scan at 04:16
>> Scanning mail.itbel.com (80.249.83.171) [6 ports]
>> Discovered open port 80/tcp on 80.249.83.171
>> Discovered open port 8729/tcp on 80.249.83.171
>> Discovered open port 8728/tcp on 80.249.83.171
>> Discovered open port 8291/tcp on 80.249.83.171
>> Completed SYN Stealth Scan at 04:16, 0.22s elapsed (6 total ports)
>> Initiating Service scan at 04:16
> it's all closed from my side sir
So, that means one of the following variants: 1) there is no program to get login and password; 2) this program exists, but doesn't work with new ROS versions; 3) it works in theory, but basic security rules (nothing extraordinary) prevent it.
MTCNA, MTCWE
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 8:04 am

>>> public ip 80.249.83.171
>> open port www and winbox 8291 sir
> Starting Nmap ( https://nmap.org ) at 2018-06-09 04:16 UTC
> NSE: Loaded 40 scripts for scanning.
> Initiating Ping Scan at 04:16
> Scanning 80.249.83.171 [4 ports]
> Completed Ping Scan at 04:16, 0.22s elapsed (1 total hosts)
> Initiating SYN Stealth Scan at 04:16
> Scanning mail.itbel.com (80.249.83.171) [6 ports]
> Discovered open port 80/tcp on 80.249.83.171
> Discovered open port 8729/tcp on 80.249.83.171
> Discovered open port 8728/tcp on 80.249.83.171
> Discovered open port 8291/tcp on 80.249.83.171
> Completed SYN Stealth Scan at 04:16, 0.22s elapsed (6 total ports)
> Initiating Service scan at 04:16
I searched all your range and I just give you a sample:
two systems I got their username and pass
1-
80.249.84.182 80 admin:turbo3*(+
admin:turbo3*(+
2-
80.249.83.125 80 admin:GfhjkmJnvbrhjnbrf91 MikroTik RouterOS v6.40.4

I hope you don't do anything to these systems sir
I just give you samples so you believe that
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 8:17 am

>>>>> public ip 80.249.83.171
>>>> open port www and winbox 8291 sir
>>> Starting Nmap ( https://nmap.org ) at 2018-06-09 04:16 UTC
>>> NSE: Loaded 40 scripts for scanning.
>>> Initiating Ping Scan at 04:16
>>> Scanning 80.249.83.171 [4 ports]
>>> Completed Ping Scan at 04:16, 0.22s elapsed (1 total hosts)
>>> Initiating SYN Stealth Scan at 04:16
>>> Scanning mail.itbel.com (80.249.83.171) [6 ports]
>>> Discovered open port 80/tcp on 80.249.83.171
>>> Discovered open port 8729/tcp on 80.249.83.171
>>> Discovered open port 8728/tcp on 80.249.83.171
>>> Discovered open port 8291/tcp on 80.249.83.171
>>> Completed SYN Stealth Scan at 04:16, 0.22s elapsed (6 total ports)
>>> Initiating Service scan at 04:16
>> it's all closed from my side sir
> So, that means one of the following variants: 1) there is no program to get login and password; 2) this program exists, but doesn't work with new ROS versions; 3) it works in theory, but basic security rules (nothing extraordinary) prevent it.
No, you are wrong.
This program exists and works excellently.
It can get any password and username fast with any version except just 6.40.8 and 6.42.1.
It can also get a lot of other systems but we don't care about them.
The big problem is the MikroTik.
 
Shadeofspirit
Member Candidate
Posts: 204
Joined: Fri May 27, 2016 12:15 am
Location: Minsk

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 8:18 am

These are not my routers, so I wouldn't check, but as I see in your post, they have old ROS. In 6.42.1 there was a fix for the vulnerability in winbox.
MTCNA, MTCWE
 
AliALBedwi
just joined
Topic Author
Posts: 15
Joined: Thu Jun 07, 2018 10:16 pm
Location: Yemen

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 8:27 am

> These are not my routers, so I wouldn't check, but as I see in your post, they have old ROS. In 6.42.1 there was a fix for the vulnerability in winbox.
Yeah, it does not work with 6.42.1, you are right.
After my post someone shared this post viewtopic.php?t=133533
and talked about this bug.
That's great work from MikroTik to solve it,
but the big problem is that a lot of systems around the world are not upgraded and they don't know about it and they trust the MikroTik system.
Here is the problem.
Last edited by AliALBedwi on Sat Jun 09, 2018 8:33 am, edited 1 time in total.
 
Shadeofspirit
Member Candidate
Posts: 204
Joined: Fri May 27, 2016 12:15 am
Location: Minsk

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 8:31 am

>> These are not my routers, so I wouldn't check, but as I see in your post, they have old ROS. In 6.42.1 there was a fix for the vulnerability in winbox.
> Yeah, it does not work with 6.42.1, you are right.
> After my post someone shared this post viewtopic.php?t=133533
> and talked about this bug.
> That's great work from MikroTik to solve it,
> but the big problem is that a lot of systems around the world are not upgraded and they don't know about it and they trust the MikroTik system.
> Here is the problem.
I don't see any problem in MikroTik; it is the problem of admins. It is so because there is information in the changelog, and there were posts on MikroTik's Twitter and Facebook with information about the vulnerability and its fix. Also there was information in many other resources.
MTCNA, MTCWE
 
avacha
newbie
Posts: 28
Joined: Thu Jan 25, 2018 9:12 pm

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 9:49 am

That guy just found the (in)famous RouterScan for the first time and is shocked about security on the net. :)
Just upgrade your devices if they're MT routers, or use OpenWRT if these devices are shitty home routers abandoned by their manufacturers :lol:

Just wonder what he'll say when he sees the 3wifi database :lol:
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 4:28 pm

So it's just the recent WinBox vulnerability? It's good then. I mean, not good, obviously. That was a major screwup on MikroTik's side, and blaming it on "unsecured routers" in the changelog wasn't fair either, people usually don't think about fifty-character passwords as "unsecured". But it's good there isn't another one.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
apteixeira
Trainer
Posts: 50
Joined: Fri Oct 05, 2012 5:54 pm

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 7:01 pm

Hello,

Just for testing purposes I just created a VM with IP 201.217.241.120
Try getting the password. Clue: the password starts with the word "test".
Port: winbox 8291

Regards.
Last edited by apteixeira on Sat Jun 09, 2018 11:27 pm, edited 1 time in total.
 
avacha
newbie
Posts: 28
Joined: Thu Jan 25, 2018 9:12 pm

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 9:16 pm

> That was a major screwup on MikroTik's side, and blaming it on "unsecured routers" in the changelog wasn't fair either, people usually don't think about fifty-character passwords as "unsecured". But it's good there isn't another one.
Nope. If you use an old system and set it up to connect to the internet via nude ass - just don't wonder if some kiddies hijack your device.
To successfully exploit it you need not only old firmware but also an open winbox port for direct access from WAN. The default config does not allow this. If you configure a router like this manually... well, don't cry about "Russian hackers".
 
jspool
Member
Posts: 396
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: program get any mikrotik system username and password in 3 seconds

Sat Jun 09, 2018 10:36 pm

Funny how people are so quick to post an issue without bothering to check to see if it's already been discussed.
Anyone exposing management ports to the public-facing Internet deserves whatever comes their way.
Attacks from LAN to router and from WAN to router are easily prevented by only allowing trusted IPs or networks access to management ports. Never rely on others to secure your network.
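
An added example, not part of any post in this thread and not MikroTik's code: a triage script for your own router inventory that combines the two conditions discussed above, a RouterOS version older than the fixed releases named in the thread (6.40.8 and 6.42.1) and management ports reachable from outside. The scan lines and 192.0.2.x addresses are constructed sample data; treating 6.40.8 as the fix for the 6.40.x branch only, and naming services by their default port numbers, are assumptions.

```python
import re

# Default RouterOS management services by TCP port (the ports in the thread's scan).
MGMT_PORTS = {80: "www", 8291: "winbox", 8728: "api", 8729: "api-ssl"}
# Fixed releases named in the thread. Assumption: 6.40.8 fixes only the 6.40.x
# branch; every other branch needs 6.42.1 or later.
FIXED_640 = (6, 40, 8)
FIXED_MAIN = (6, 42, 1)
OPEN_RE = re.compile(r"Discovered open port (\d+)/tcp on (\S+)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def open_mgmt_ports(nmap_verbose):
    """Map host -> sorted management ports found in `nmap -v` output."""
    found = {}
    for line in nmap_verbose.splitlines():
        m = OPEN_RE.fullmatch(line.strip())
        if m and int(m.group(1)) in MGMT_PORTS:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return {host: sorted(ports) for host, ports in found.items()}


def is_patched(version):
    """True/False for release versions, None for rc/beta or unparseable text."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return None
    v = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if v[:2] == FIXED_640[:2]:
        return v >= FIXED_640
    return v >= FIXED_MAIN


def triage(nmap_verbose, versions):
    """Return host -> (status, exposed service names) for inventoried routers."""
    exposed = open_mgmt_ports(nmap_verbose)
    report = {}
    for host, version in versions.items():
        ports = exposed.get(host, [])
        patched = is_patched(version)
        if patched is None:
            status = "review"    # rc/beta or odd string: check by hand
        elif not patched and 8291 in ports:
            status = "urgent"    # old firmware and WinBox reachable
        elif not patched:
            status = "upgrade"   # old firmware, WinBox not reachable
        elif ports:
            status = "restrict"  # patched, management still exposed
        else:
            status = "ok"
        report[host] = (status, [MGMT_PORTS[p] for p in ports])
    return report


# Constructed sample data (documentation addresses, not taken from the thread).
SAMPLE_SCAN = """\
Scanning 192.0.2.10 [6 ports]
Discovered open port 80/tcp on 192.0.2.10
Discovered open port 8291/tcp on 192.0.2.10
Discovered open port 8291/tcp on 192.0.2.20
Discovered open port 22/tcp on 192.0.2.30
"""
SAMPLE_VERSIONS = {"192.0.2.10": "6.40.4", "192.0.2.20": "6.42.1",
                   "192.0.2.30": "6.40.8", "192.0.2.40": "6.41.3",
                   "192.0.2.50": "6.43rc3"}

if __name__ == "__main__":
    for host, (status, services) in triage(SAMPLE_SCAN, SAMPLE_VERSIONS).items():
        print(f"{host:12} {status:9} {','.join(services) or '-'}")
```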
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: program get any mikrotik system username and password in 3 seconds

Sun Jun 10, 2018 2:59 am

I'd like to slightly disagree with the last two posters. Now, when a fixed version is available, it's on anyone who keeps the old vulnerable one. But the main problem was, to quote the official explanation:
> The vulnerability allowed a special tool to connect to the Winbox port, and request the system user database file.
You're right that when you block connections to WinBox port, it's safe. But you can't block everything. What if the vulnerability wasn't in WinBox server, but in SSTP server? They both depend only on strong passwords (SSTP's non-standard option to require client certificate doesn't count, because it's not compatible with regular clients). If I got hacked because of such vulnerability in SSTP, would you tell me that it's my fault for leaving SSTP port open to whole world? But it's the idea of VPNs, to allow users to connect from everywhere. I agree that it doesn't apply to WinBox, but it's exactly the same principle.

No hard feelings from me (after all, nothing of mine got hacked), but MikroTik is #1 to blame here. And regarding the "unsecured routers" explanation, only being almost a fanboy prevents me from using "bullshit" as reply. ;)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
avacha
newbie
Posts: 28
Joined: Thu Jan 25, 2018 9:12 pm

Re: program get any mikrotik system username and password in 3 seconds

Tue Jun 12, 2018 1:30 am

Sob.
In general, all of our environment in this world requires some knowledge about "what you're doing".
If I buy a microwave oven and it gets hacked - well, the manufacturer never told me that "the main goal of our microwave oven is a security system".
If MT makes its own proprietary VPN, says "main goal is security, blah-blah" and after that it has a vulnerability - shame on MT. But winbox is just a config tool, nothing about security here, and MT never said that it's super-secured; moreover, winbox is denied in the defconf firewall.

Well, let's try to see from a different point of view.

I buy a cheap $20 TP-Link or D-Link router. Then I open telnet from WAN - by default, of course, telnet is closed.
And when someone hacks in, I post "this is shit %manufacturer_name%" on Facebook. But telnet is nothing about security, it's just a config tool.
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: program get any mikrotik system username and password in 3 seconds

Tue Jun 12, 2018 5:54 am

Are you saying that if it's "just a config tool", it's allowed to give passwords to anyone who asks? :) It's just wrong, no matter what it is. If I have a password like "QWnXSS_bX8p8er&C$d?:ZwPMdv" I expect it to be secure enough. It should be, bruteforcing over the net would take a lifetime. And if there's some other way, it must be a horrible mistake made by whoever implemented it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
normis
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: program get any mikrotik system username and password in 3 seconds

Wed Jul 18, 2018 7:45 am

> What if the vulnerability wasn't in WinBox server, but in SSTP server? They both depend only on strong passwords (SSTP's non-standard option to require client certificate doesn't count, because it's not compatible with regular clients). If I got hacked because of such vulnerability in SSTP, would you tell me that it's my fault for leaving SSTP port open to whole world? But it's the idea of VPNs, to allow users to connect from everywhere. I agree that it doesn't apply to WinBox, but it's exactly the same principle.
Then the comment would be different. SSTP is not the same as administration access to your device. There are zero reasons to leave winbox access open to all, especially with default port.
No answer to your question? How to write posts
 
Sob
Forum Guru
Posts: 4808
Joined: Mon Apr 20, 2009 9:11 pm

Re: program get any mikrotik system username and password in 3 seconds

Wed Jul 18, 2018 4:41 pm

I agree that while SSTP port is supposed to be open, WinBox port should rather not be. But on technical level it's Service A with its security depending only on strong passwords and bug-free implementation, and Service B with its security depending only on strong passwords and bug-free implementation => exactly the same thing. I don't plan to beat it to death, what's done is done. And how to say it, I understand that "but you shouldn't have had that port open!" is something I would probably also want to say, if I managed to create such nice bug as this. ;)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
