How To Make Securing Your Router Mikrotik

The document discusses securing MikroTik routers against attacks. It notes that RouterOS vulnerabilities have increased in recent years due to leaks of exploitation tools. The presentation provides tips on upgrading firmware, restricting access to services, using port knocking to control Winbox access, and other layered security practices to protect MikroTik routers on the network.

AHMAD FAHMI ANWARI

Network Security?

"Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator."
- Wikipedia -
Overview

• The number of attacks on RouterOS has increased dramatically in the last few years
• The current situation and the exploits currently in circulation
• How to defend: securing our router


Before we begin

• We are not here to point out that "MikroTik is bad at security"
• All software has bugs and vulnerabilities


What's the point of this presentation?

• We are here to learn how to protect our MikroTik router from attackers on the internet
• We are here to see how to make a MikroTik router secure against outside exploitation (tips and tricks)
RouterOS Vulnerabilities and Exploits 2018

• March 2017: CIA/NSA attack tools were leaked on WikiLeaks, known as Vault7
• These leaks contained attack utilities for multiple systems (Windows, Linux in general, and routers)

https://wikileaks.org/ciav7p1/
RouterOS Vulnerabilities and Exploits 2018

"Vault7 and MikroTik"

• Part of these leaks was a RouterOS attack module named Chimay Red
• This module contained two exploits:
  - an HTTP server exploit that allowed RCE
  - a Winbox exploit that allowed arbitrary file read
RouterOS Vulnerabilities and Exploits 2018

Chimay Red exploits:

1. RouterOS web server vulnerability
2. Winbox client-side exploit
3. Winbox arbitrary file read vulnerability
RouterOS Vulnerabilities and Exploits 2018

How could I have defended?

1. Simple: have proper firewalling
2. Do not allow public access to the web service and the Winbox service
3. Make sure your RouterOS is upgraded
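The three defences above written out as RouterOS terminal commands, as an added example that is not part of the presentation. It assumes the internet-facing port is ether1 and the management LAN is 192.168.88.0/24; both are placeholders to be replaced with your own values.

```routeros
# Added example, not from the presentation.
# Assumptions: ether1 faces the internet, 192.168.88.0/24 is the management LAN.

# 3. Keep RouterOS and the board firmware patched.
#    "install" downloads the packages and reboots the router; the firmware
#    upgrade asks for confirmation and takes effect on the following reboot.
/system package update check-for-updates
/system package update install
/system routerboard upgrade

# Give the untrusted side a name so rules do not depend on a port number.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# 1. Proper firewalling of the router itself (input chain = traffic TO the router).
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router or its admins already opened"
add chain=input connection-state=invalid action=drop
add chain=input src-address=192.168.88.0/24 action=accept \
    comment="management only from the LAN"
# 2. No public access to www (80) or Winbox (8291): every other packet arriving
#    from the internet is dropped, so the management services are unreachable
#    from outside without listing each port.
add chain=input in-interface-list=WAN action=drop \
    comment="default deny: www, winbox, ssh, api ... closed to the internet"
```

Add the final drop rule last, from a session on the LAN, and enable Safe Mode (Ctrl+X in the terminal) while editing firewall rules over the network: if the session is cut off by a mistaken rule, Safe Mode reverts the change instead of leaving the router locked out. Check the result with `/ip firewall filter print` and a connection attempt from the outside.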
RouterOS Vulnerabilities 2019

- CVE-2019-3924 -

"On February 21, Tenable published a new CVE, describing a vulnerability which allows proxying a TCP/UDP request through the router's Winbox port, if it's open to the internet"
"Username and password not strong enough?"
Change Username, Password and Group
- Customize User Group
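The "change username, password and group" slides as RouterOS commands, added here as an example that is not from the presentation. The group name netops, the user name netadmin01, the passphrase and the 192.168.88.0/24 management network are placeholders.

```routeros
# Added example, not from the presentation. netops / netadmin01 are placeholders.

# 1. Customize User Group: a custom group that carries only the policies an
#    operator needs. Nothing not listed is granted, so telnet, ftp, web, api
#    and reboot logins are refused for members of this group.
/user group add name=netops policy=local,ssh,winbox,read,write,policy,test,password

# 2. A new administrator with a non-default name in that group, and an
#    allowed source network so the login is refused from anywhere else.
/user add name=netadmin01 group=netops address=192.168.88.0/24 \
    password="use-a-long-random-passphrase-here" \
    comment="admin login restricted to the management LAN"

# 3. Confirm the new account works from a SECOND session before removing the
#    well-known default user; attackers try "admin" first.
/user print
/user remove admin
```

Removing `admin` only after a successful login with the new account avoids locking yourself out; `/user active print` shows which account each open session is using.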
Tips and Tricks
So what?
How To Protect?
• Upgrade to a patched version
• Protect all services; allow access only from trusted IP addresses
• Protect DNS and web proxy
• Layered security
• Port knocking (tips and implementation)
Upgrade to a patched version
Protect Service Port
- Disable unused services
- Change service port numbers
- Set allowed IP addresses
Protect All Services
- Disable IP Neighbor Discovery
- Disable the MAC Telnet service
- Disable the MAC Winbox service
- Disable the MAC Ping service
- Disable the Bandwidth Test service
Protect DNS and Web Proxy
Layer Security (LCD)
- Disable the LCD on the router, because someone with physical access can change the router through the LCD
Layer Security (Port Interface)
- Disable all unused interfaces on the router
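The service, neighbor-discovery, MAC-server, DNS/proxy, LCD and interface steps from the slides above, collected into one set of RouterOS commands as an added example that is not from the presentation. The management network 192.168.88.0/24, the SSH port 2222 and the unused port ether5 are placeholders.

```routeros
# Added example, not from the presentation.
# Placeholders: 192.168.88.0/24 = management LAN, 2222 = new SSH port,
# ether5 = an unused physical port.

# Protect Service Port: disable what is not used, move and restrict the rest.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2222 address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24
/ip service print

# Protect All Services: the layer-2 management paths. Neighbor discovery
# advertises the router's identity and version on every port; the MAC server
# accepts Telnet/Winbox/ping by MAC address without any IP firewall in between.
/ip neighbor discovery-settings set discover-interface-list=none
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/tool bandwidth-server set enabled=no

# Protect DNS and Web Proxy: do not be an open resolver or an open proxy.
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no

# Layer Security (LCD) and (Port Interface)
/lcd set enabled=no
/interface disable ether5
```

If the router is also the resolver for the LAN, keep `allow-remote-requests=yes` and instead drop UDP/TCP port 53 arriving from the internet in the input chain; otherwise the router answers recursive queries for anyone and can be used in amplification. `/ip service print` and `/ip neighbor discovery-settings print` show the resulting state.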
Layer Security (Backup)
• Backups are very important; a backup is what you restore from when your router is hacked or you forget your password
• Make a time schedule for backing up your router
• Don't ever save your backup file on the router
Layer Security (Backup Type)
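A scheduled backup that produces both backup types (the binary .backup file and the text .rsc export), pushes them off the router and removes the local copies, written here as an added example that is not from the presentation. The backup host 192.168.88.10, the FTP account rosbackup, the passphrases and the 02:00 schedule are placeholders.

```routeros
# Added example, not from the presentation. Placeholders: backup host
# 192.168.88.10, FTP account rosbackup, both passwords, 02:00 schedule.

# --- Script body: save it as /system script name=nightly-backup
#     (System > Scripts in Winbox), policy=ftp,read,write,test ---
:local name ("rtr-" . [/system identity get name])
# Backup type 1: binary, encrypted with a passphrase; restores the whole config
/system backup save name=$name password="backup-encryption-passphrase"
# Backup type 2: readable text export; useful for review and partial restores
/export file=$name
# Push both files to the backup host so the copy does not live on the router
/tool fetch upload=yes mode=ftp address=192.168.88.10 user=rosbackup \
    password="ftp-account-password" src-path=($name . ".backup") dst-path=($name . ".backup")
/tool fetch upload=yes mode=ftp address=192.168.88.10 user=rosbackup \
    password="ftp-account-password" src-path=($name . ".rsc") dst-path=($name . ".rsc")
# Remove the local copies: an attacker who gets a shell must not find them
/file remove [find name=($name . ".backup")]
/file remove [find name=($name . ".rsc")]
# --- end of script body ---

# Run it every day at 02:00
/system scheduler add name=nightly-backup interval=1d start-time=02:00:00 \
    on-event=nightly-backup policy=ftp,read,write,test
```

The FTP upload is only the transfer the example assumes; use whichever channel the backup host offers, preferably an encrypted one, and have the server keep dated versions, since the script reuses the same file name each night. `/system script run nightly-backup` followed by `/file print` on the router and a listing on the backup host verifies the first run.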
Port Knocking for Security
What's Port Knocking?

"Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a prespecified series of closed ports"

"The port 'knock' itself is similar to a secret handshake and can consist of any number of TCP, UDP, ICMP or other protocol packets to numbered ports on the destination machine"

"The knock may also consist of text strings sent to the device being knocked to add additional complexity and security"
Port Knocking (Implementation)

• The port knocking case discussed this time is a host that may use Winbox (TCP 8291) to the router only if the host has previously "knocked" with ICMP (ping).
• It works by automatically adding the IP address of a host that sends ICMP (ping) packets to the router into an address-list. After that, only IPs present in the address-list can reach Winbox on the router.
Port Knocking Configuration (Step 1)
To group the IPs automatically we use the Firewall Filter feature. First, configure the firewall matcher: capture only ping (ICMP) traffic sent to the router.
Port Knocking Configuration (Step 2)
Use action=add-src-to-address-list to put the IP address of the user who pings the router into a list.
Port Knocking Configuration (Step 3)
If a host pings the router, that host's IP is entered into the address-list with name=IP akses.
Port Knocking Configuration (Step 4)
Next, create a Firewall Filter rule that blocks Winbox access to the router from any source (src-address) other than the IP addresses already in the address-list.
Port Knocking Configuration (Step 5)
Specify the src-address of the packets to capture. Here we can use the address-list name that was filled automatically. Because we want to catch traffic from everything except the registered IPs, we use the NOT (!) logic.
Port Knocking Configuration (Step 6)
Action = drop
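Steps 1 to 6 as the two RouterOS firewall rules they describe, added here as an example that is not from the presentation. The slides name the list "IP akses"; this example uses IP_akses (no space) so the NOT operator can be written plainly. The one-hour expiry and the logging on the knock rule are additions the slides do not mention.

```routeros
# Added example, not from the presentation. List renamed IP_akses (slides: "IP akses").
# Additions beyond the slides: address-list-timeout=1h and log=yes.
/ip firewall filter

# Steps 1-3: an ICMP echo request (a ping) to the router records the sender's
# IP in IP_akses. The packet then continues down the chain; this action does
# not accept or drop it. The entry expires after an hour, so an old knock does
# not stay valid forever.
add chain=input protocol=icmp icmp-options=8:0 \
    action=add-src-to-address-list address-list=IP_akses address-list-timeout=1h \
    log=yes log-prefix="knock" comment="port knock: ping adds src to IP_akses"

# Steps 4-6: Winbox (TCP 8291) from any source NOT in IP_akses is dropped.
# This rule must sit above any rule that would otherwise accept Winbox.
add chain=input protocol=tcp dst-port=8291 src-address-list=!IP_akses \
    action=drop comment="drop winbox unless src knocked first"

# Verification: who has knocked, and what the log recorded
/ip firewall address-list print where list=IP_akses
/log print where message~"knock"
```

Two placement caveats: the knock rule has to come before any default-deny rule on the input chain, or the ping never reaches it; and the drop rule has to come before any broad accept rule, or Winbox is accepted before the list is checked. Because every internet scanner pings before it connects, a single ICMP knock only filters out the crudest traffic; the "prespecified series of closed ports" quoted earlier is what makes the handshake a secret, and the same two actions chain naturally into that (ping adds to a short-lived stage-one list, a second packet from a stage-one address adds to IP_akses).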
Conclusion
Reference
• wiki.mikrotik.com
• blog.mikrotik.com
• mikrotik.id
• cvedetails.com
• https://unimus.net/blog/validating-security-of-mikrotik-routers-network-wide.html
