Community discussions

 
User avatar
rojuinex
just joined
Topic Author
Posts: 4
Joined: Fri Jan 01, 2016 3:04 am

[Feature Request] Winbox username is sent in plain text

Wed Oct 10, 2018 9:36 pm

While doing a packet capture for other reasons I noticed that when winbox connects it sends the username in plain text. This is a little concerning because if an attacker was able to do a packet capture of a winbox session half of the login info is easily obtained.

I'm hoping this can be addressed in a future version of RouterOS and Winbox.

Thanks!
 
User avatar
vecernik87
Member
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature Request] Winbox username is sent in plain text

Thu Oct 11, 2018 5:16 am

Confirming with Winbox 3.18 and RoS 6.43.2 and 6.42.7 (I assume all versions are same)

Not sure if there is some interest in fixing it. Recent change of API caused both username AND PASSWORD to be plaintext which is obvious step backwards (or strong signal to use API-SSL instead of normal API)
 
strods
MikroTik Support
MikroTik Support
Posts: 1367
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: [Feature Request] Winbox username is sent in plain text

Thu Oct 11, 2018 8:43 am

Please provide this packet capture to support@mikrotik.com. Make sure that capture is taken while communication is happening between Winbox 3.18 and RouterOS version 6.43 or later.
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 903
Joined: Fri Jul 28, 2017 2:53 pm

Re: [Feature Request] Winbox username is sent in plain text

Thu Oct 11, 2018 9:11 am

Whaaaaaaa

But what about encrypting mode in winbox?? It's not working now??
 
User avatar
vecernik87
Member
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature Request] Winbox username is sent in plain text

Thu Oct 11, 2018 9:54 am

@normis: thanks for quick reaction. I sent the email with pcap file and description. (And of course I accidentally made a typo in one sentence, where I wrote "plaintext password" instead of "plaintext username". I replied with another email explaining the mistake, please don't laugh too hard :( its just me being me... )

@all: Ticket was received as Ticket#2018101122003562 , I will post update if there is any reply.
 
User avatar
emils
MikroTik Support
MikroTik Support
Posts: 278
Joined: Thu Dec 11, 2014 8:53 am

Re: [Feature Request] Winbox username is sent in plain text

Thu Oct 11, 2018 11:59 am

Winbox uses a variant of SRP to establish a secure, encrypted communication channel. Username is sent in plain text as part of identity verification process to deny possible MITM attacks. The password is not and never was sent in plain text.

https://en.wikipedia.org/wiki/Secure_Re ... d_protocol
 
User avatar
vecernik87
Member
Member
Posts: 352
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature Request] Winbox username is sent in plain text

Thu Oct 11, 2018 12:20 pm

Thanks Emils for quick response in both ticket reply and here. I really appreciate it.
I will not pretend that I understand how that protocol works. I can only believe it really is secure against MITM. However, it feels like being against recommended way to secure the router: https://wiki.mikrotik.com/wiki/Manual:S ... s_username
If someone has direct access(as written in the article), they can easily discover the username (because it is sent in plain-text) and therefore changing default username will make no difference, right?
 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 903
Joined: Fri Jul 28, 2017 2:53 pm

Re: [Feature Request] Winbox username is sent in plain text

Thu Oct 11, 2018 12:32 pm

Winbox uses a variant of SRP to establish a secure, encrypted communication channel. Username is sent in plain text as part of identity verification process to deny possible MITM attacks. The password is not and never was sent in plain text.

https://en.wikipedia.org/wiki/Secure_Re ... d_protocol
Thank you very much!
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [Feature Request] Winbox username is sent in plain text

Thu Oct 11, 2018 1:15 pm

Thanks Emils for quick response in both ticket reply and here. I really appreciate it.
I will not pretend that I understand how that protocol works. I can only believe it really is secure against MITM. However, it feels like being against recommended way to secure the router: https://wiki.mikrotik.com/wiki/Manual:S ... s_username
If someone has direct access(as written in the article), they can easily discover the username (because it is sent in plain-text) and therefore changing default username will make no difference, right?
Article describes protection against remote brute force attackers. If your attacker already has capability to sniff your traffic, you are in bigger trouble and username changing is not going to help. Therefore all the other suggestions come into play (like limiting number of logins per minute, having a hard to guess password and limiting access from certain ports/IP addresses.
No answer to your question? How to write posts
 
eXS
newbie
Posts: 41
Joined: Fri Apr 14, 2017 4:01 am

Re: [Feature Request] Winbox username is sent in plain text

Sat Oct 13, 2018 10:42 am

This seems ridiculous?

In the industry every service isn't passing around plain text usernames?

Not a concern?
 
r00t
newbie
Posts: 39
Joined: Tue Nov 28, 2017 2:14 am

Re: [Feature Request] Winbox username is sent in plain text

Sun Oct 14, 2018 12:36 am

Why not at least hash it? If you really need to send username to prevent spoofing or for some other reason, hash would work as well. It would at least not be visible in the packet in clear.
I agree that if someone is already sniffing your connection you have a bigger problem, but still... why make it that easy?

Who is online

Users browsing this forum: No registered users and 64 guests