Community discussions

MikroTik App
 
vthai
just joined
Topic Author
Posts: 2
Joined: Thu Jul 15, 2021 10:20 am

Create an .exe for restarting the mikrotik

Thu Jul 15, 2021 10:25 am

Hi y'all,

Wondered if there is a possibility a mikrotik to be restarted from a .exe file which has inside a script doing that. The idea is that the user whom has a mikrotik device, justs double clicks on that .exe file and then the Mikrotik restarts. The user does not have access to Winbox or via browser, because he/she does not have an account?

Thank you
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Create an .exe for restarting the mikrotik

Thu Jul 15, 2021 4:05 pm

On 3 secs reverse enginered the .exe reveal username, password, certificate, etc. of the account used for reboot...

Yes, is feasible leaving API / SSH active on RouterOS and complinig .exe from Python or other language capable to do that.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Create an .exe for restarting the mikrotik

Thu Jul 15, 2021 4:08 pm

Using the RouterOS API should be quite simple to make such an exe, but the RouterOS will have to have the API service enabled, and yes, the EXE will have to contain the username and password https://wiki.mikrotik.com/wiki/Manual:API
 
tangent
Forum Guru
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Create an .exe for restarting the mikrotik

Thu Jul 15, 2021 8:09 pm

If you're on Windows 10, the necessary EXE is an optional component you can install. You do need a user account on the MT, but this method doesn't require that you leak your login credentials to anyone with a copy of the shortcut.

Steps:

  • Set up SSH keys on the Windows box
  • Send the public half of that key to the MT, attaching it to a user with "full" access rights
  • Build a Windows shortcut (*.lnk) that runs "ssh 1.2.3.4 /system reboot", with your actual router IP or DNS name in place of the example IP

Double-click that shortcut, and the MT box will reboot.
 
andriys
Forum Guru
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Create an .exe for restarting the mikrotik

Thu Jul 15, 2021 11:23 pm

this method doesn't require that you leak your login credentials to anyone with a copy of the shortcut
Anyone "double-clicking that shortcut" should have read access to a copy of the private key and that automatically grant him/her full access to the router.
 
tangent
Forum Guru
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 12:18 am

Anyone "double-clicking that shortcut" should have read access to a copy of the private key and that automatically grant him/her full access to the router.

Only if you take the shortest path through that document.

Quoting the linked document, "...private key files are the equivalent of a password should be protected the same way you protect your password. To help with that, use ssh-agent to securely store the private keys within a Windows security context, associated with your Windows login." With your user profile directory encrypted, the SSH key will only be accessible to one who can log into your user account.

Alternately, you can apply a passphrase during key generation, which you must supply to unlock the key each time it's used.

In any case, the comment was made in response to the claim up-thread that "the EXE will have to contain the username and password". The SSH executable doesn't contain user names or passwords, and as we've seen, there are ways to protect its external key.
 
User avatar
memelchenkov
Member Candidate
Member Candidate
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm
Contact:

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 12:22 am

I have not used policies for myself, but, according to documentation https://help.mikrotik.com/docs/display/ROS/User, isn't it enought to create a user with "reboot" only policy disabling other policies? And allow API only access to router.
By the way, why to restart MikroTik? It's super-stable device, I don't remember any case why I need to restart it (firmware/board upgrade is the only case).
Also, check https://wiki.mikrotik.com/wiki/Manual:TR069-client, maybe it's the path you are looking for.
 
joegoldman
Forum Veteran
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 1:27 am

In any case, the comment was made in response to the claim up-thread that "the EXE will have to contain the username and password". The SSH executable doesn't contain user names or passwords, and as we've seen, there are ways to protect its external key.
The ultimate idea behind the comment is that no matter what it is a security risk. The EXE will contain details on how anyone with its possession could then login to the router with enough permission to do damage.

My solution would be to have a secure webserver talk to the mikrotik in the background - where the credentials are stored safely, and client has access to a client page to reboot device. This requires more infrastructure setup sure but eliminates a potential security risk.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 1:50 am

To @all:

If you read the first post correctly,
wants an .exe to give to anybody to restart their (own?) router ...

[...] if there is a possibility a mikrotik to be restarted from a .exe file which has inside a script doing that.
The idea is that the user whom has a mikrotik device, justs double clicks on that .exe file and then the Mikrotik restarts.
The user does not have access to Winbox or via browser, because he/she does not have an account?

SSH, command line connection, etc. They are all off topic ...



@tangent, do not start every time to treat yourself as mere mortals...
We know you know things, but "complicating bread" as they say in Italian,
brings nothing but confusion if knowledge is used out of context.

Don't misunderstand, I'm happy if I can count on someone like you in this forum!!!
 
tangent
Forum Guru
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 2:04 am

The EXE will contain details on how anyone with its possession could then login to the router with enough permission to do damage.

That's simply incorrect. The SSH executable by itself, doesn't let you log into anything. The LNK file containing the SSH command doesn't let you log into anything, it only tells SSH what you want it to do, but without valid login credentials, SSH can't comply. Those credentials live outside both SSH.exe and the LNK file giving the command.

SSH tries these user names:

1. Your local OS user name, if it wasn't given one explicitly. If that's what you used on the MT at well, the user name doesn't live in either the SSH.exe or the LNK file.
2. A user name found in one of SSH's external configuration files, most likely the per-user config file; again, it's outside the EXE and outside the LNK
3. The name you gave on the command line: ssh user@host COMMAND... In this case, yes, you've put your user name in the LNK file, so sharing that LNK file gives away your user name. If this is a problem for you, take option 1 or 2.

As for the optional passphrase on the key and the key itself, those don't live in SSH.exe or the LNK file, and you can't provide them that way even if you want to, on purpose.

The linked document shows how to protect the external SSH key. The only way to break that protection is to break into the user's Windows account, at which point the security game is over regardless.

My solution would be to have a secure webserver talk to the mikrotik in the background - where the credentials are stored safely, and client has access to a client page to reboot device. This requires more infrastructure setup sure but eliminates a potential security risk.

It eliminates nothing. It only moves the security risk to another machine, then exposes an external interface to that machine.

How are you protecting the user's login on that secure web server, and how is that better than the mechanisms available to protect an SSH private key?
 
tangent
Forum Guru
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 2:13 am

If you read the first post correctly,
wants an .exe to give to anybody to restart their (own?) router ...

The OP is asking for a remote denial-of-service attack tool. Just run it in a loop and you can keep every MT box on the WAN down indefinitely.

I think it's entirely fair to answer a different question than was actually asked in this case.

SSH, command line connection, etc. They are all off topic ...

My solution will work, it uses an EXE that OP can download and install today, and it's easy to configure securely. If that's "off topic", then I think I'd best spend my time elsewhere. Where I come form, that's a successful solution.

@tangent, do not start every time to treat yourself as mere mortals...

I don't even know what that sentence means.

We know you know things, but "complicating bread" as they say in Italian,
brings nothing but confusion if knowledge is used out of context.

If you want to bake user names and passwords into an EXE to solve this, you're welcome to do so. It will be insecure and risky.

Don't misunderstand, I'm happy if I can count on someone like you in this forum!!!

Every time we've interacted, you've attempted to shut me down. Keep it up, and you'll eventually succeed.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 2:17 am

Uhm, don't be offended...

*********************************

For one of your reply seem than you do not have readed the first line on post #2
viewtopic.php?f=9&t=176884#p867611
 
tangent
Forum Guru
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 2:23 am

Uhm, don't be offended...

That's a little difficult when you keep being offensive.

How about you just put me into your "foes" list so the site doesn't show you my posts, and then we can then stay out of each others' way, okay?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 2:42 am

Honestly, it sounds bullshit to me.

If you wrote bullshit (except last post) I could agree,
but are you a person who has qualities and do you think I'm stupid enough to deprive me of what you write?

I will be an idiot but not stupid ...
 
vthai
just joined
Topic Author
Posts: 2
Joined: Thu Jul 15, 2021 10:20 am

Re: Create an .exe for restarting the mikrotik

Fri Jul 16, 2021 8:44 am

Morning y'all,

Thanks for all the replies. I ain't something as an expert in Mikrotik, but really most of the knowledge y'all shared is great. I'm gonna be trying today most of the methods you have written.

Thanks again for the support

Who is online

Users browsing this forum: alexantao, rextended and 30 guests