i'd call BS on that.
first of all, it shows a 951G and yet 11000+ hotspot users. for me it is kind of unlikely that one buys a $80 box and spends like extra $250 to get a license to support this amazing amount of hostpot users. but maybe that's the case.
the other thing is that the guy is connected to the system via WiFi. The screenshot in winbox shows almost no traffic on the box (951G) and the wireless interface is down (not running). ok, it is possible that there are other APs also connected, but all other ethernet ports are in "not running" state, so assume, there is a switch that takes care the L2 connectivity between the APs. The whole setup suggests a "default" configuration: ports 2-5 are bridged together with wlan, and ether1 (renamed to in) is the outside connectivity.
look, we've been showed lots of stuff, unnecessary things, but no
- route table
- ip address list
- no firewall configuration
- no arp table
not anything that would shed some light on details.
and in the neighbor list only displayed for 2-3 seconds we find 2 interesting entries:
10.0.0.1 - the router itself? with no mac address information, hostname, whatsoever mikrotik specific? uptime is 00:00:00?
10.11.9.2 - ok, so even the PC the guy is using is displayed here, with all info blank. how?
wait. MNDP & CDP is non-routeable. so they must be in the same L2 BD. yet they cannot access it via mac-address. but indeed they get through hotspot and can reach winbox port over IP w/o authenticating on the captive portal? strange.
also note the change of windows inside winbox between 11:07 and 11:13
- 2 entries suddenly disappear from neighbor list (10 was there previously, now only 8 ).
- terminal just appears out of thin air, without user interaction
the video is obviously was cut there.
so OpenMikrotik(32bit) is also able to "crash down" nanostations as we see.
but i don't think that nmap can figure out ROS version and product code. the only place it may come is from MNDP metadata.
and don't you think, that putting your admin password and admin username as hostname for some APs that broadcast it as CDP everywhere, might not be the brightest idea?
for the record: credentials on flash are not encrypted. boot the router with the linux distro that supports reading the onboard flash, and you can get the passwords. been there, done that. but this would require netboot and physical access - none of them can be pulled off over wifi.
You do not have the required permissions to view the files attached to this post.