Why does Mikrotik not encrypt the password in RouterOS?
Posted: Sat Feb 23, 2019 1:02 am
As you remember, in 2018 a lot of Mikrotiks were hacked using a vulnerability through Winbox and port 80. Since v6.42.1 (stable) Mikrotik has closed that vulnerability.
But what I did, I think other people have found as well:
For example, in my organization we have around 1000 different Mikrotik devices, most of them located at a remote distance from me. We have some network administrators at each location.
A hacker for some reason got access to one small Mikrotik (hAPac), and it is updated to a fresh version of RouterOS; let's say he found the password of one admin.
When he logs in to the Mikrotik, he sees there are several admin accounts on it. Of course he cannot get their passwords, because the vulnerability was closed, but he can back up the whole system, download the backup file, deploy the backup on his own Mikrotik, downgrade RouterOS to a version lower than 6.42.1, attack it and, using the existing vulnerability in the old RouterOS, easily get the credentials of the other users and admins. And of course the hacker will try to use these credentials to attack other Mikrotiks in the network, because some administrators use the same password on each device.
I already did it in my network successfully for testing.
So, my question: did Mikrotik think about it? Why does Mikrotik still use non-encrypted passwords in RouterOS?
Correct me if I am not right in something.
Thanks
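
The storage question raised in the post, as an added example that is not part of the original post and is not RouterOS code: a user table kept in a recoverable form gives up every account's password to whoever holds a backup, while a salted one-way verifier does not. The XOR scheme, the device key and the account names are constructed assumptions, not MikroTik's actual format.

```python
import hashlib, hmac, json, os

# Hypothetical device-wide secret; NOT RouterOS's real scheme.
DEVICE_KEY = hashlib.sha256(b"constructed-device-constant").digest()

def _xor(data: bytes) -> bytes:
    return bytes(b ^ DEVICE_KEY[i % len(DEVICE_KEY)] for i, b in enumerate(data))

def store_reversible(password: str) -> dict:
    """Recoverable storage: anyone who has the device's key can undo it."""
    return {"scheme": "reversible", "blob": _xor(password.encode()).hex()}

def store_verifier(password: str, iterations: int = 100_000) -> dict:
    """One-way storage: random salt plus PBKDF2-HMAC-SHA256 output."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "iter": iterations, "dk": dk.hex()}

def verify(password: str, rec: dict) -> bool:
    """Login check that works for both record types."""
    if rec["scheme"] == "reversible":
        return hmac.compare_digest(_xor(bytes.fromhex(rec["blob"])), password.encode())
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(rec["salt"]), rec["iter"])
    return hmac.compare_digest(dk, bytes.fromhex(rec["dk"]))

def make_backup(accounts: dict, store) -> str:
    """Serialize the user table as a full-system backup would carry it."""
    return json.dumps({user: store(pw) for user, pw in accounts.items()})

def exposed_by_backup(backup: str) -> dict:
    """Audit: accounts whose plaintext password a backup holder can read."""
    out = {}
    for user, rec in json.loads(backup).items():
        if rec["scheme"] == "reversible":
            out[user] = _xor(bytes.fromhex(rec["blob"])).decode()
    return out

# Constructed sample accounts (not from the post).
ACCOUNTS = {"admin-site1": "Winter-Example-1", "admin-hq": "Shared-Example-9"}

if __name__ == "__main__":
    print(exposed_by_backup(make_backup(ACCOUNTS, store_reversible)))
    print(exposed_by_backup(make_backup(ACCOUNTS, store_verifier)))
```

With the verifier records, the backup still lets the device check a login, but the only way back to a password is guessing, which is why unique passwords per device limit what a recovered credential is worth.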