[HN Gopher] MikroTik authentication revealed
___________________________________________________________________
MikroTik authentication revealed
Author : aaronsdevera
Score : 97 points
Date : 2022-02-14 16:55 UTC (6 hours ago)
(HTM) web link (margin.re)
(TXT) w3m dump (margin.re)
| cryptojournal wrote:
| Amazing one!
| PragmaticPulp wrote:
| > The single best resource we used in reverse engineering was an
| unfinished IEEE submission draft courtesy of the WayBack Machine.
| In fact, MikroTik's implementation is nearly identical to the
| draft's proposed protocol. See if you can spot the minor nuances
| and marvel (as we did) that the shared secret remains the same.
|
| That's a surprising twist. They duplicated the protocol from this
| unfinished draft almost exactly, but the draft doesn't appear to
| have gone anywhere (hence the archive link)
|
| I wonder if the same person who wrote the paper consulted on this
| implementation, or if the MikroTik team just saw the paper at
| some point and decided to use it.
| squarefoot wrote:
| The article does not explain enough the implications for us mere
| mortals without high math/security knowledge. I think many people
| owning a Mikrotik device would want to know if:
|
| 1 - To what extent this makes Mikrotik hardware less secure? ->
| solutions?
|
| 2 - Does this make it easier to flash open 3rd party
| Linux/BSD/whatever based firmware on said devices? ->
| suggestions?
| withzombies wrote:
| It re-enables third-party scripts that were disabled when
| mikrotik updated the authentication algorithm with routerOS
| 6.45.1 (August 2019).
|
| A1. From a cryptography perspective it's a little bonkers but
| nothing is glaringly wrong.
|
| A2. This doesn't relate to any secure boot chains (if they
| exist -- I don't think they do)
| radicaldreamer wrote:
| Amazing work and another warning that MikroTik remains subpar
| when it comes to security and doubly worrying because their
| strategy seems obfuscation rather than engaging the community.
|
| It's a shame because their hardware seems great for the price
| point (especially their point to point mmWave gear)
| yabones wrote:
| That's been my experience as well. Fantastic hardware value,
| but not great software.
|
| And not just "insecure" libraries etc, just... _strange_ design
| decisions. For example, SwitchOS doesn't allow configuration
| of a default gateway on the management interface, instead it
| just returns the request on whatever interface/vlan it gets it
| from. It leads to some very very strange behaviour when setting
| up firewall rules...
|
| It's a shame, because the hardware is absolutely brilliant. I
| just wish they would open _enough_ of their bootloader
| /hardware platform to allow 3rd party firmware to run easily.
| doubled112 wrote:
| I'm almost positive they rewrite everything possible, and
| this leads to some of these issues too.
|
| You can't assume that all of the features from upstream are
| in whatever they put in RouterOS.
|
| For example, OpenVPN UDP support was finally added to the
| stable stream this year after 10 years of asking about it.
| kazen44 wrote:
| Not allowing routing on the management interface is a big
| deal breaker for anyone trying to separate their management
| networks from their revenue traffic.
|
| This, including a couple of other issues, is keeping me from
| adapting mikrotik for anything more than a homelab.
| freeopinion wrote:
| How do you feel about OpenWRT on Mikrotik?
| cyounkins wrote:
| There doesn't seem to be any security issue here, other than an
| undocumented protocol.
| caycep wrote:
| Are they one of the supported devices for one of the open
| source router firmwares?
| m463 wrote:
| Many mikrotik devices are supported by openwrt. I have
| several mikrotik 8 or 10-port switches running openwrt
| (rb2011* and rb3011*)
|
| https://openwrt.org/toh/mikrotik/rb2011
|
| https://github.com/adron-s/openwrt-rb3011
|
| others: https://openwrt.org/toh/mikrotik/start
| mwambua wrote:
| Out of curiosity... What hardware do you recommend for a better
| balance between affordable hardware and quality software?
| mrweasel wrote:
| I would love to know as well, because I've been looking at
| MikroTik as well. They are basically the only European
| manufacturer of network gear I've been able to find, for
| "consumers".
| stanislavb wrote:
| I used to use MikroTik pretty extensively in the past (15y
| ago). My experience has always been that they are super
| solid. I even miss the time managing MT based networks.
| LeonM wrote:
| My answer here _used_ to be the Ubiquiti Edgerouter-X series,
| but unfortunately Ubiquiti has killed that line of products
| and they don't seem to be in the prosumer grade affordable
| router market anymore.
|
| I still enjoy my little Edgerouter-X SFP, it's fast, compact,
| power efficient and I can plug my fiber internet connection
| straight into the SFP slot. Management can be done via SSH.
| What's not to like?
| adontz wrote:
| Maybe reflash with OpenWRT if you are an iptables guy. I
| would not do it personally though.
|
| https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=MikroTi...
| rfraile wrote:
| Hard to beat Mikrotik
| mdb31 wrote:
| Oh, this is long-awaited, if it works. For context: Mikrotik uses
| some (semi-)proprietary, but pretty nifty protocols to manage
| their gear.
|
| One of these protocols, MAC-telnet, has been reverse-engineered
| pretty extensively previously. But, due to a (not unreasonable)
| security-related upgrade, the login phase was changed, and 3rd-
| party implementations stopped working. Mikrotik has refused
| repeated requests to document this protocol.
|
| The linked repository looks like it may re-enable MAC-telnet
| logins, which would be great for 3rd-party scripts and management
| solutions.
|
| (Why? Because it allows you to connect to, and properly
| provision, any Mikrotik gear using your own scripts, just based
| on Layer-2 presence. This is very cool for many use cases...)
| graton wrote:
| I'm confused on why this is needed. I have a couple MikroTik
| devices and I just use SSH to login to them. I also have
| automation that runs via SSH to update things on the devices.
___________________________________________________________________
(page generated 2022-02-14 23:00 UTC)