[HN Gopher] MikroTik authentication revealed
___________________________________________________________________

MikroTik authentication revealed

Author : aaronsdevera
Score  : 97 points
Date   : 2022-02-14 16:55 UTC (6 hours ago)

(HTM) web link (margin.re)
(TXT) w3m dump (margin.re)

| cryptojournal wrote:
| Amazing one!

| PragmaticPulp wrote:
| > The single best resource we used in reverse engineering was an unfinished IEEE submission draft courtesy of the WayBack Machine. In fact, MikroTik's implementation is nearly identical to the draft's proposed protocol. See if you can spot the minor nuances and marvel (as we did) that the shared secret remains the same.
|
| That's a surprising twist. They duplicated the protocol from this unfinished draft almost exactly, but the draft doesn't appear to have gone anywhere (hence the archive link)
|
| I wonder if the same person who wrote the paper consulted on this implementation, or if the MikroTik team just saw the paper at some point and decided to use it.

| squarefoot wrote:
| The article does not explain enough the implications for us mere mortals without high math/security knowledge. I think many people owning a Mikrotik device would want to know if:
|
| 1 - To what extent this makes Mikrotik hardware less secure? -> solutions?
|
| 2 - Does this make it easier to flash open 3rd party Linux/BSD/whatever based firmware on said devices? -> suggestions?

| withzombies wrote:
| It re-enables third-party scripts that were disabled when mikrotik updated the authentication algorithm with routerOS 6.45.1 (August 2019).
|
| A1. From a cryptography perspective it's a little bonkers but nothing is glaringly wrong.
|
| A2. This doesn't relate to any secure boot chains (if they exist -- I don't think they do)

| radicaldreamer wrote:
| Amazing work and another warning that MikroTik remains subpar when it comes to security and doubly worrying because their strategy seems obfuscation rather than engaging the community.
|
| It's a shame because their hardware seems great for the price point (especially their point to point mmWave gear)

| yabones wrote:
| That's been my experience as well. Fantastic hardware value, but not great software.
|
| And not just "insecure" libraries etc, just... _strange_ design decisions. For example, SwitchOS doesn't allow configuration of a default gateway on the management interface, instead it just returns the request on whatever interface/vlan it gets it from. It leads to some very very strange behaviour when setting up firewall rules...
|
| It's a shame, because the hardware is absolutely brilliant. I just wish they would open _enough_ of their bootloader/hardware platform to allow 3rd party firmware to run easily.

| doubled112 wrote:
| I'm almost positive they rewrite everything possible, and this leads to some of these issues too.
|
| You can't assume that all of the features from upstream are in whatever they put in RouterOS.
|
| For example, OpenVPN UDP support was finally added to the stable stream this year after 10 years of asking about it.

| kazen44 wrote:
| not allowing routing on the management interface is a big deal breaker for anyone trying to separate their management networks from their revenue traffic.
|
| This, including a couple of other issues, is keeping me from adapting mikrotik for anything more than a homelab.

| freeopinion wrote:
| How do you feel about OpenWRT on Mikrotik?

| cyounkins wrote:
| There doesn't seem to be any security issue here, other than an undocumented protocol.

| caycep wrote:
| are they one of the supported devices for one of the open source router firmwares?

| m463 wrote:
| Many mikrotik devices are supported by openwrt. I have several mikrotik 8 or 10-port switches running openwrt (rb2011* and rb3011*)
|
| https://openwrt.org/toh/mikrotik/rb2011
|
| https://github.com/adron-s/openwrt-rb3011
|
| others: https://openwrt.org/toh/mikrotik/start

| mwambua wrote:
| Out of curiosity... What hardware do you recommend for a better balance between affordable hardware and quality software?

| mrweasel wrote:
| I would love to know as well, because I've been looking at MikroTik as well. They are basically the only European manufacturer of network gear I've been able to find, for "consumers".

| stanislavb wrote:
| I used to use MikroTik pretty extensively in the past (15y ago). My experience has always been that they are super solid. I even miss the time managing MT based networks.

| LeonM wrote:
| My answer here _used_ to be the Ubiquiti Edgerouter-X series, but unfortunately Ubiquiti has killed that line of products and they don't seem to be in the prosumer grade affordable router market anymore.
|
| I still enjoy my little Edgerouter-X SFP, it's fast, compact, power efficient and I can plug my fiber internet connection straight into the SFP slot. Management can be done via SSH. What's not to like?

| adontz wrote:
| Maybe reflash with OpenWRT if you are an iptables guy. I would not do it personally though.
|
| https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=MikroTi...

| rfraile wrote:
| Hard to beat Mikrotik

| mdb31 wrote:
| Oh, this is long-awaited, if it works. For context: Mikrotik uses some (semi-)proprietary, but pretty nifty protocols to manage their gear.
|
| One of these protocols, MAC-telnet, has been reverse-engineered pretty extensively previously. But, due to a (not unreasonable) security-related upgrade, the login phase was changed, and 3rd-party implementations stopped working. Mikrotik has refused repeated requests to document this protocol.
|
| The linked repository looks like it may re-enable MAC-telnet logins, which would be great for 3rd-party scripts and management solutions.
|
| (Why? Because it allows you to connect to, and properly provision, any Mikrotik gear using your own scripts, just based on Layer-2 presence. This is very cool for many use cases...)

| graton wrote:
| I'm confused on why this is needed. I have a couple MikroTik devices and I just use SSH to login to them. I also have automation that runs via SSH to update things on the devices.
___________________________________________________________________
(page generated 2022-02-14 23:00 UTC)