etis
just joined
Topic Author
Posts: 9
Joined: Wed Apr 16, 2008 5:12 pm

WinBox security?

Fri Aug 29, 2008 1:54 pm

Hi,

Recently I wanted to try out a RouterOS minimal install on an older PIII machine. That means only the "system" package from the v3.13 install CD. After install I gave it an IP, identity and some password for the "admin" user.

I noted the description of the "security" package when you are presented with choosing the packages through the ROS installation:
Provides support for IPSEC, SSH and secure connectivity with WinBox.
As it was a minimal install, this package didn't make its way to the box.

So I tried the following on the LAN:
  • Connect via WinBox; "Secure Mode" disabled. It works.
  • Connect via WinBox; "Secure Mode" enabled. It works, too. (Why?!)
  • Connect via telnet. It works.
  • Connect via SSH. Connection refused.
Now what? Two answers came in my mind:

1) The description on the install screen is wrong; you can use WinBox' "Secure Mode" without the "security" package being present on the MT device. Please correct the description. It happens; not a big issue...

2) So you really think that when you "talk" with WinBox in Secure Mode to ROS it's encrypted? Maybe no. Maybe WinBox doesn't give a sh!t to tell you it just switched back from RC4 (or whatever cipher it uses) to Plain Text (TM).

I cannot help it: when I see SSH not happening without the "security" package, I have to say that I consider the 2nd answer more likely. And I don't like it.

Please, state the facts.
 
changeip
Forum Guru
Posts: 3801
Joined: Fri May 28, 2004 5:22 pm

Re: WinBox security?

Fri Aug 29, 2008 8:34 pm

winbox will try port 8291 (secure mode) and if not then it will use port 80 (clear text). It doesn't warn you like it should. It should also perform a check like an ssh client: if the ssh keys changed, warn you that someone might be faking the identity.

Sam
 
Gerard
Trainer
Posts: 336
Joined: Wed Apr 26, 2006 4:21 am
Location: Kentucky, USA

Re: WinBox security?

Fri Aug 29, 2008 9:51 pm

Winbox uses port 8291 for both secure and clear text modes.

I agree that it should warn you. The only way you know if you're secure or not is depending on the little lock at the top right.

-Gerard
 
etis
just joined
Topic Author
Posts: 9
Joined: Wed Apr 16, 2008 5:12 pm

Re: WinBox security?

Mon Sep 01, 2008 1:22 pm

Thank you both for the comments.

What do you suggest - should I contact MT developers and / or file a bug report?
 
etis
just joined
Topic Author
Posts: 9
Joined: Wed Apr 16, 2008 5:12 pm

Re: WinBox security?

Tue Sep 02, 2008 12:25 pm

One more question I found worth asking - is it possible in RouterOS to restrict the connections from WinBox only to encrypted ones?
 
normis
MikroTik Support
Posts: 23620
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: WinBox security?

Tue Sep 02, 2008 12:38 pm

what do you mean by "works"? if it connects, it doesn't mean that it happened securely, unless there is a little "lock" in the corner of the winbox window. without the security package it will connect anyway, but will ignore your wish for security, and that will be visible in the lack of the security icon
 
etis
just joined
Topic Author
Posts: 9
Joined: Wed Apr 16, 2008 5:12 pm

Re: WinBox security?

Tue Sep 02, 2008 2:34 pm

By "works" I referred to the ability to connect to and control a RouterOS device through a TCP/IP-based network.
if it connects, it doesn't mean that it happened securely, unless there is a little "lock" in the corner of the winbox window. without the security package it will connect anyway, but will ignore your wish for security, and that will be visible in the lack of the security icon
You're probably right. It was my false expectation that WinBox should warn me if it had to switch to non-secure mode despite having "Secure Mode" enabled.

But I don't like this behaviour and IMO it's not the way a program like WinBox should act in this situation.

Maybe WinBox should display a warning message that an attempt to establish an encrypted connection failed and ask whether the user wants it to try without encryption? Or just have a "Fallback To Non-encrypted Connection?" setting somewhere in WinBox, and when it's false then the user has to manually un-check the "Secure Mode" box?

I don't know - maybe someone's going to find this "yet another dialog window" thingie annoying and will blindly click "Next", but if the user can set up how the program will react (see my 2nd suggestion) then IMO everyone will only benefit from it (except the WinBox devs, maybe 8) ).

EDIT: Forgot to say that I wasn't aware of the small-lock-icon-on-the-top-right-corner and its relation to security thingie (though it looks obvious :) ).
 
normis
MikroTik Support
Posts: 23620
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: WinBox security?

Tue Sep 02, 2008 2:37 pm

I agree that it should warn you if secure fails
 
jarda
Forum Guru
Posts: 7560
Joined: Mon Oct 22, 2012 4:46 pm

Re: WinBox security?

Sun Sep 01, 2013 10:07 am

Security could be really painful. Is there any official statement on the Winbox attack described below?
http://www.133tsec.com/2012/04/27/0day- ... n-exploit/

It seems that Winbox is loading and running dlls pushed from the "server" side without prior authentication, so whoever can inject whatever code into the client computer and let Winbox run it...

Anyway, another question: is there a possibility for Winbox not to connect to the router when the attempt at a secure connection fails? I have not noticed that.
 
User avatar
pcunite
Long time Member
Posts: 634
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: WinBox security?

Sun Sep 01, 2013 9:39 pm

It seems that Winbox is loading and running dlls pushed from "server" side without prior authentication so whoever can inject to client computer whatever code and let it run by Winbox...
Yes, and this is a big security problem on our locked down boxes. We do not allow executables (.dlls too) to run from directories a user can write to. Classic no-no. We have to let it fail and then add hashed access to the .dlls via Software Restriction policies.

Mikrotik,
Allow for us to copy the .dlls to the same directory that we have installed Winbox.exe to. Then have Winbox check the current directory first before trying to load from ~Application Data\Mikrotik\Winbox.
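As an added example (not MikroTik's code, nor pcunite's), a defender-side check in the spirit of the hash rules described above: it hashes every DLL in the WinBox cache directory, flags any not on an allowlist of vetted SHA-256 hashes, and reports whether the directory is writable by the current user. The cache location under %APPDATA%\Mikrotik\Winbox is assumed from the thread, and the sample DLL contents are constructed for the demo.

```python
r"""Audit WinBox's on-disk DLL cache against an allowlist of vetted hashes.

Added example, not MikroTik's or any poster's code. Assumes WinBox keeps the
DLLs it received from routers under %APPDATA%\Mikrotik\Winbox (the location
named in the thread) and that you maintain SHA-256 hashes of DLLs you vetted.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed cache location on Windows; pass another path on other systems.
DEFAULT_CACHE = Path(os.environ.get("APPDATA", "")) / "Mikrotik" / "Winbox"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_dll_dir(dll_dir, allowlist):
    """Classify each *.dll under dll_dir as vetted or unknown by SHA-256.

    'dir_writable' is True when the current user could drop a DLL there,
    the condition a hash-based Software Restriction Policy is meant to cover.
    """
    dll_dir = Path(dll_dir)
    known, unknown = [], []
    for p in sorted(dll_dir.rglob("*.dll")):
        digest = sha256_of(p)
        entry = (str(p.relative_to(dll_dir)), digest)
        (known if digest in allowlist else unknown).append(entry)
    return {"known": known, "unknown": unknown,
            "dir_writable": os.access(dll_dir, os.W_OK)}

def demo():
    """Audit a constructed cache holding one vetted and one unvetted DLL."""
    with tempfile.TemporaryDirectory() as d:
        vetted = Path(d) / "known-good.dll"
        vetted.write_bytes(b"constructed: contents of a DLL you vetted")
        (Path(d) / "pushed-by-router.dll").write_bytes(b"constructed: unknown")
        return audit_dll_dir(d, {sha256_of(vetted)})

if __name__ == "__main__":
    report = demo()  # replace with audit_dll_dir(DEFAULT_CACHE, your_hashes)
    for name, digest in report["unknown"]:
        print("UNVETTED", name, digest)
    print("cache dir writable by this user:", report["dir_writable"])
```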
 
sam1275
Member Candidate
Posts: 110
Joined: Thu May 21, 2015 2:46 pm

Re: WinBox security?

Sun Feb 05, 2017 8:04 pm

I just tried winbox on an rb2011 without the security package installed; Winbox connects and shows the lock icon. What's happening?
This is an 8.5-year-old thread. Mikrotik, please do something to protect your customers, thanks.
 
total13
newbie
Posts: 29
Joined: Fri Jul 08, 2016 2:29 pm

Re: WinBox security?

Wed Dec 27, 2017 5:03 pm

Is it possible to "disable" clear text mode on MT itself so when connecting over winbox, it is always in secure mode?
 
alex1
just joined
Posts: 22
Joined: Sun Jun 04, 2017 9:37 pm

Re: WinBox security?

Fri Dec 29, 2017 1:43 am

Folks,

Am I right that Winbox (and The Dude server) do NOT send the password in clear text even if they use plain mode? I tried to Wireshark the traffic and was able to recognize the username only. Just want to make sure they send the password as a hash or in some other secure way even if they use a plain mode connection. Please confirm.

Is it possible to "disable" clear text mode on MT itself so when connecting over winbox, it is always in secure mode?

+1 to that request/question.

Thanks.
 
saenito
just joined
Posts: 10
Joined: Wed Aug 22, 2018 3:37 am

Re: WinBox security?

Sat Dec 08, 2018 10:40 pm

Folks,

Am I right that Winbox (and The Dude server) do NOT send the password in clear text even if they use plain mode? I tried to Wireshark the traffic and was able to recognize the username only. Just want to make sure they send the password as a hash or in some other secure way even if they use a plain mode connection. Please confirm.

Is it possible to "disable" clear text mode on MT itself so when connecting over winbox, it is always in secure mode?
The same happened to me with the webfig server: I couldn't find the password, maybe hashed as alex1 said?

+1 to that request/question.

Thanks.
