Community discussions

MikroTik App
 
WildWest
just joined
Topic Author
Posts: 3
Joined: Sat Feb 23, 2019 12:02 am

Why Mikrotik does not encrypt the password in RouterOS?

Sat Feb 23, 2019 1:02 am

As you remember in 2018 a lot of Mikrotik's were hacked using vulnerability through the Winbox and port 80. Since v6.42.1 (stable) Mikkrotik had closed that vulnerability.

But what I did, I think other people had found it as well:

For example, in my organization we have around 1000 different mikrotik devices, most of them are located in the remote distance from me. We have some network administrators at the each location.
A hacker for some reasons got access to the one small mikrotik (hAPac), and it is updated fresh version of the RouterOS, let's think he found the password of the one admin.
When he logins to the mikrotik, he sees there are several admin accounts on it. Of course he cannot get their passwords, because the vulnerability was closed, but he can backup whole system, download the backup file, deploy the backup on his own Mikrotik, downgrade the RouterOS to version less than 6.42.1, attack and using the existed vulnerability in the old RouterOS the hacker easy can get the credentials of other users and admins. And of course the hacker will try to use these credentials to attack other mikrotiks in the network because some administrators use the same password on each device.

I already did it in my network successfully for testing.
So, my question, did Mikrotik think about it? Why does Mikrotik still use non-encrypted passwords in the RouterOS?

Correct me if I am not right in something.
Thanks
 
BRMateus2
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Thu Oct 26, 2017 11:18 pm

Re: Why Mikrotik does not encrypt the password in RouterOS?

Sat Feb 23, 2019 10:43 pm

If someone has access to the RouterOS console, he at least already has access to any service exploit, it is just a question of activating a service and sending overflowing data or such.
What you need is to disable "sensitive" in System/User List/Groups for untrusted users, but this is only delaying the problem: it is for your security policy to create a minimal password.

There is simply no way of using cryptography for config/database/backup, to protect from this method if you give the user "sensitive" permission, as it can set any password he wants and still restore the backup or any password.

As too, encryption of the backup is already supported, you need to set a password when doing it, but if you don't, there is no reason at all to encrypt the file with a default password - as this month security experts released ways of reading .pkg code very easily, making any default pass a question of CTRL+F.

Who is online

Users browsing this forum: Google [Bot], wichets and 79 guests