Hacking our way into a newly configured Mikrotik router

Today I found my self needing to find my way in into an unconfigured Mikrotik router.

In this article I’ll explain how I used the Microtik Neighbour Discovery Protocol and Wireshark to get access to the router in a Linux environment without any of the Microtik tools.

The nice folks at Chalmers Robot Förening have a nice Mikrotik RB951G-2HnD AP providing wireless connectivity over their local. Sadly the AP stopped answering and after they tried to reset it they became unable to access it.

Unlike what was stated in the  quickstart guide after the reset the router wasn’t reachable on 192.168.88.1 so having had to play with unreachable OpenWRT routers before I started by listening to broadcast traffic over one of the ethernet interfaces using Wireshark.

After some time I started seeing packets with a Mikrotik MAC address using the MNDP (Mikrotik Neighbour Discovery Protocol), as I couldn’t see any other traffic I checked the packets with Wireshark and found that one of the fields contained a link-local IPV6 address (something like fe80::1234:5678:9abc:def0).

For your convenience I have also prepared a filter to detect such traffic:

udp.port == 5678

Once we had this address I tried running nmap to see if it was reachable and actually it was. The command used was this:

nmap -6 fe80::1234:5678:9abc:def0

So having a reachable address I set up to accessing it. But, to my surprise I discovered that neither firefox nor konqueror could access link-local addresses like http://[fe80::1234:5678:9abc:def0%eth0] so I fell back to ssh and port redirection for setting up the AP using the following command:

ssh admin@fe80::1234:5678:9abc:def0%eth0 -L 8080:127.0.0.1:80

This allowed me to connect to the router access http://127.0.0.1:80/ but the web interface sucks and all I was able to do in a reasonably reliable way was using the quick setup to set it in bridge mode using DHCP to get an IPv4 address with the desired password.

Once it was set up and restarted I connected to the network router to try to figure out the address that was assigned to the device. Since we use dnsmasq the list of leases could be obtained with this command:

cat /var/lib/misc/dnsmasq.leases

And knowing the IP address I could the use the web interface to set a security profile for the wireless interface, assign it to the interface, set up the SSID and the AP mode on that same interface and then enable it to get the Mikrotik system in AP mode again.

Sadly the conclusion I get of this is not very good for Mikrotik, they aren’t at fault that certain browsers are braindead and can’t connect directly to link-local addresses but they are at fault for many other things like not resetting to a reasonable safe default using at least a private IPv4 address and maybe a private IPv6 address too (aside from the link-local address), requiring using their own protocol for finding the router (when there are things like mDNS out there for such purpouse), or having a broken web interface when using an ssh redirect. Anyways the issue is now solved and hopefully this post will save time to the next one having this issue.

2 pensamientos sobre “Hacking our way into a newly configured Mikrotik router”

  1. Just saying if you used WinBox like they say you should, you wouldn’t have had this issue.

    Mikrotik are very powerful little devices do actually require a fair bit of knowledge to know what you are doing.

    You could have popped open winbox, click on the neighbors tab, double-click the discovered mikrotik devices mac, login and bobs your uncle.

    From there you would have the same feature set of the website but in a desktop form.

    Being that mikrotik is a router not really designed for homes, its not supposed to have a default easily accessible config.

    The guys at mikrotik have however setup a basic config on the smaller devices so if you had connected to ethernet port 2, you would have been assigned a dhcp address. (WIFI is disabled by default)

    So, back to your ‘hacking’
    You really didn’t hack it as it was broadcasting its mac for you to connect to it with.
    You could have used the app that comes with it instead of having to ssh into it, try setup things… painful

    http://www.mikrotik.com/download

    Good luck

  2. Hi Jonny!

    Keep in mind that WinBox is a windows executable binary. Not all of us can (or want) to run such things on our machines and that was indeed the case as finding my way into the router was noticeably faster than setting wine up and fixing any bugs WinBox could have had with it.

    Also keep in mind that the procedure you mention above is easier than most home routers where you will have to figure out the router IP (although of course you can always check the default routes and try port 80). For reference, other powerful small device (an Ubiquity Edgerouter) has a default IP making initial setup a breeze if you just know the IP.

    I’m also reasonably sure that I tried to connect my laptop to port 2 and didn’t get a DHCP address. This was even after fully resetting the config, so it may be that such default was not available on the device I was asked to set up.

    And as to the use of the word hacking, I basically found a way to work around the need of using WinBox, reverse engineered the relevant parts of the communication protocol and documented the whole thing for further reference. This is hacking if you follow the original definition of the term, keep in mind that hacking is not always security related.

    I hope this clarifies your comments,
    Klondike

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos necesarios están marcados *

*
Para demostrar que eres una persona (y no un script de spamming), escribe la palabra mostrada en el dibujo.
Imagen anti spam