Today I found my self needing to find my way in into an unconfigured Mikrotik router.<\/p>\n
In this article I’ll explain how I used the Microtik Neighbour Discovery Protocol and Wireshark to get access to the router in a Linux environment without any of the Microtik tools.<\/p>\n
The nice folks at Chalmers Robot F\u00f6rening<\/a> have a nice Mikrotik\u00a0RB951G-2HnD AP providing wireless connectivity over their local. Sadly the AP stopped answering and after they tried to reset it they became unable to access it.<\/p>\n Unlike what was stated in the\u00a0 quickstart guide after the reset the router wasn’t reachable on 192.168.88.1 so having had to play with unreachable OpenWRT routers before I started by listening to broadcast traffic over one of the ethernet interfaces using Wireshark.<\/p>\n After some time I started seeing packets with a Mikrotik MAC address using the MNDP (Mikrotik Neighbour Discovery Protocol), as I couldn’t see any other traffic I checked the packets with Wireshark and found that one of the fields contained a link-local IPV6 address (something like fe80::1234:5678:9abc:def0).<\/p>\n For your convenience I have also prepared a filter to detect such traffic:<\/p>\n udp.port == 5678<\/p><\/blockquote>\n Once we had this address I tried running nmap to see if it was reachable and actually it was. The command used was this:<\/p>\n nmap -6 fe80::1234:5678:9abc:def0<\/p><\/blockquote>\n So having a reachable address I set up to accessing it. But, to my surprise I discovered that neither firefox<\/a> nor konqueror<\/a> could access link-local addresses like http:\/\/[fe80::1234:5678:9abc:def0%eth0] so I fell back to ssh and port redirection for setting up the AP using the following command:<\/p>\n ssh admin@fe80::1234:5678:9abc:def0%eth0 -L 8080:127.0.0.1:80<\/p><\/blockquote>\n This allowed me to connect to the router access http:\/\/127.0.0.1:80\/ but the web interface sucks and all I was able to do in a reasonably reliable way was using the quick setup to set it in bridge mode using DHCP to get an IPv4 address with the desired password.<\/p>\n Once it was set up and restarted I connected to the network router to try to figure out the address that was assigned to the device. Since we use dnsmasq the list of leases could be obtained with this command:<\/p>\n cat \/var\/lib\/misc\/dnsmasq.leases<\/p><\/blockquote>\n And knowing the IP address I could the use the web interface to set a security profile for the wireless interface, assign it to the interface, set up the SSID and the AP mode on that same interface and then enable it to get the Mikrotik system in AP mode again.<\/p>\n Sadly the conclusion I get of this is not very good for Mikrotik, they aren’t at fault that certain browsers are braindead and can’t connect directly to link-local addresses but they are at fault for many other things like not resetting to a reasonable safe default using at least a private IPv4 address and maybe a private IPv6 address too (aside from the link-local address), requiring using their own protocol for finding the router (when there are things like mDNS out there for such purpouse), or having a broken web interface when using an ssh redirect. Anyways the issue is now solved and hopefully this post will save time to the next one having this issue.<\/p>\n","protected":false},"excerpt":{"rendered":" Today I found my self needing to find my way in into an unconfigured Mikrotik router. In this article I’ll explain how I used the Microtik Neighbour Discovery Protocol and Wireshark to get access to the router in a Linux environment without any of the Microtik tools.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,10],"tags":[38,33,34,35,40,36,37,39],"class_list":["post-264","post","type-post","status-publish","format-standard","hentry","category-seguridad","category-software-libre","tag-linux","tag-mikrotik","tag-network-analysis","tag-network-setup","tag-nmap","tag-pentesting","tag-rb951g-2hnd","tag-wireshark"],"_links":{"self":[{"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/posts\/264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/comments?post=264"}],"version-history":[{"count":2,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/posts\/264\/revisions"}],"predecessor-version":[{"id":266,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/posts\/264\/revisions\/266"}],"wp:attachment":[{"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/media?parent=264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/categories?post=264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/klondike.es\/klog\/wp-json\/wp\/v2\/tags?post=264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}