MUMID17 - MikroTik Hotspot Audit & Hardening PDF


MikroTik Hotspot Server

Rendra Towidjojo

MikroTik Hotspot

Audit & Hardening


Presented by Michael Takeuchi
MikroTik User Meeting, 27 October 2017 – Yogyakarta (Indonesia)
Little Things About Me

• MTCNA, MTCRE, MTCINE, MTCUME, MTCWE, MTCTCE, MTCIPv6E
• MikroTik Certified Consultant on mikrotik.com
• January 2017 – June 2017: worked as Remote Network Engineer at Middle East
• July 2017 – now: working as Network Analyst at PT. Maxindo Mitra Solusi
https://www.linkedin.com/in/michael-takeuchi

2
Objective #NoOffense #Censored

3
What We Need To Do?

1. Auditing your network
2. Hardening your network
3. Penetration testing your network
4. Repeat

• Before we do these things, we need to know about Firewall & Network Security and how your system works

4
What is Firewall?

• In computing, a firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, that is assumed not to be secure or trusted.

- Wikipedia, https://en.wikipedia.org/wiki/Firewall_(computing)

5
What is Firewall?

6
What is Network Security

• Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority.

- Wikipedia, https://en.wikipedia.org/wiki/Network_security

7
Before we go to hotspot, we need to audit our router
Oops, sorry, I mean before doing a setup

8
MikroTik Router Login – User

9
MikroTik Router Login – Groups

10
MikroTik Router Login – Active Users

11
MikroTik Router Login Policies

• local - policy that grants rights to log in locally via console
• telnet - policy that grants rights to log in remotely via telnet
• ssh - policy that grants rights to log in remotely via secure shell protocol
• web - policy that grants rights to log in remotely via WebBox
• winbox - policy that grants rights to log in remotely via WinBox
• password - policy that grants rights to change the password
• api - grants rights to access router via API.
• dude - grants rights to log in to dude server.

12
MikroTik Router Config Policies
• ftp - policy that grants full rights to log in remotely via FTP and to transfer files from and to the router.
• reboot - policy that allows rebooting the router
• read - policy that grants read access to the router's configuration. All console commands that do not alter router's configuration are allowed.
• write - policy that grants write access to the router's configuration, except for user management.
• policy - grants user management rights. Should be used together with write policy.
• test - policy that grants rights to run ping, traceroute, bandwidth-test, wireless scan, sniffer, snooper and other test commands
• sensitive - to see sensitive information in the router
• sniff - to use packet sniffer tool.
• romon - accessing romon

13
MikroTik Access Login Service

14
Port Service Change & Whitelist

• Activate Only What You Need & Don’t Use Default Port
• Port: The port particular service listens on
• Available From: List of IPv4/IPv6 prefixes from which the service is
accessible.

15
Login Comparison

Service          Encryption   Protocol   Port    OSI Layer
WinBox           YES          TCP        8291    Layer 3
WebFig (HTTP)    NO           TCP        80      Layer 3
WebFig (HTTPS)   YES          TCP        443     Layer 3
Telnet           NO           TCP        23      Layer 3
MAC-Telnet       YES          UDP        20561   Layer 2
SSH              YES          TCP        22      Layer 3
Serial Console   -            -          -       Layer 1
*From Wireshark

16
MikroTik Neighbor Discovery

17
MikroTik Neighbor Discovery

• Turn off neighbor discovery, or your router will be discovered by your neighbors and in WinBox; turning it off is good for staying undetected :)

18
MikroTik MAC-Server

• Turn off MAC-Server to prevent Layer 2 communication

19
Turn off Router Public Services
• Besides SSH, Telnet, WinBox, API, FTP and WWW, the router also has commonly exposed public services such as:
• Recursive DNS Server
  • You must disable this service before you are hit by a DNS Amplification attack. More about DNS Amplification is available from MUM Indonesia 2014: Filtering DNS Amplification
  https://www.youtube.com/watch?v=wd0LQcJ1j-c&t=80s
• Web Proxy
  • You must disable this service before someone uses it to consume your internet connection. For example, if I only have a 10Gbps IIX connection and you have 1Gbps to International and 10Gbps to IIX, I can use your web proxy (without authentication) and enjoy your high-speed international connection :)
• Bandwidth Test Server
  • Bandwidth Test Server is a feature that allows anyone to test their throughput and generate real traffic to the server

20
Turn off Router Vulnerable Public Services

21
Protect The Physical

• Turn off the LCD

22
Protect The Physical

• Protected bootloader
https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader
• EXTREMELY DANGEROUS: this will disable the reset button & netinstall. If you forget the RouterOS password, the only option is to perform a complete reformat of both NAND and RAM with the following method, but you have to know the reset button hold time in seconds.

23
Protect The Physical

• Power Redundancy

• Disable idle interface(s), reserve the one that you are planning to use when doing on-site maintenance

24
Other Things To Do

1. Prevent Your Router from DDoS/DOS Attack
2. Prevent Your Router from Bruteforce Attack
3. Create Port Knocking
4. Create HoneyPot
http://mum.mikrotik.com/presentations/US17/presentation_4304_1496050983.pdf
(DDOS Attacks and MikroTik by Dennis Burgess)
http://mum.mikrotik.com/presentations/ID16/presentation_3549_1484646663.pdf
(Prevention Bruteforce MikroTik by Fajar Amanullah Zaky)
http://mum.mikrotik.com/presentations/ID16/presentation_3655_1476604698.pdf
(Fools your enemy with MikroTik by Didiet Kusumadihardja)

25
Are we done? I don’t know :)
Hackers always have something unexpected
But, let’s continue to hotspot

26
MikroTik Hotspot

The MikroTik HotSpot Gateway provides authentication for clients before access to public networks.
- HotSpot Gateway features:
1. different authentication methods of clients using local client database on the router, or remote RADIUS server
2. users accounting in local database on the router, or on remote RADIUS server
3. walled-garden system, access to some web pages without authorization
4. login page modification, where you can put information about the company
5. automatic and transparent change any IP address of a client to a valid address
https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot

27
How MikroTik Hotspot Works?

1. User tries to open a browser
2. User tries to open a website
3. If the IP or MAC is not listed in cookies, IP binding or walled-garden, the user is redirected to the MikroTik hotspot login page
4. User authenticates
5. If the credentials match the database on the local router or RADIUS
  • Then
    • Authenticated (Logged in)
  • Else
    • Prohibited

28
MikroTik Hotspot Component

1. Firewall Filter
2. Firewall NAT
3. Firewall Mangle
4. DHCP Server + IP Pool
5. Proxy Server
6. DNS Server
7. Queue

29
Next to MikroTik Hotspot Security

• Let’s Talk About MikroTik HotSpot Login Security!
• What Do We Need To Know To Secure It?

30
If you know the enemy and know
yourself you need not fear the
results of a hundred battles
- Sun Tzu

31
MikroTik Hotspot Authentication Method

• MAC Cookie
• HTTP CHAP
• HTTP PAP
• Cookie
• HTTPS
• MAC
• Trial

32
Password Authentication Protocol (PAP)

1. Username : mum_takeuchi
Password : mum2k17_takeuchi

2. Accept/Reject

33
Challenge-Handshake Authentication Protocol (CHAP)

1. Initiate
2. Challenge
3. Response
4. Accept/Reject

34
HyperText Transfer Protocol Secure (HTTPS)

1. Start TLS Tunnel
2. Then sending encrypted data
3. Auth like HTTP PAP (encrypted)

35
HTTP Cookie (First Time Login)

1. Login (PAP/CHAP)

2. set-cookie:
loginID=3356857343

36
HTTP Cookie (Login Again)

1. cookie: loginID=3356857343

2. Accept

37
MAC Cookie (First Login)

1. Login (PAP/CHAP)

2. Accept & Keep All Info

38
MAC Cookie (Login Again)

1. Device UP

2. Accept
if there is a mac cookie record

39
MAC

1. Device UP

2. Accept
if match with user database

40
Trial

1. Login (Trial Click), here is my MAC address

2. Accept

41
MikroTik Router & Hotspot Audit

1. See how hard your username & password are to guess
2. Always use a secure protocol to log in
3. Who can access your router?
4. See your router services
5. Do we need neighbor discovery?
6. Do we need MAC-Server?
7. What authentication method do we need to set?

42
MikroTik Router & Hotspot Hardening

1. Use Unexpected User Login Name
2. Do Not Use Default Port on Router
3. Use HTTP CHAP or HTTPS for Hotspot
4. Turn Off Neighbor Discovery for Router
5. Uncheck MAC, HTTP Cookie & Trial for Hotspot
6. Drop DDoS & Brute Force (Using Connection Limit) for Router
7. Use BGP Blackhole on Edge/Border Router for DDoS/DOS Mitigation
http://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
http://wiki.mikrotik.com/wiki/DoS_attack_protection
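
An added example (not code from the presentation): a small Python check that applies the audit and hardening checklists above to a router configuration export, flagging cleartext services, default ports, missing "Available From" whitelists and hotspot login methods the slides say to avoid. The sample input is constructed, the `set`/`add` line layout is an assumption modelled on RouterOS export output, and the function names are hypothetical.

```python
import shlex
# Default ports and encryption status, taken from the "Login Comparison" slide.
DEFAULTS = {"winbox": (8291, True), "www": (80, False), "www-ssl": (443, True),
            "telnet": (23, False), "ssh": (22, True)}
# Hotspot login methods the hardening slide says to uncheck or replace.
WEAK_LOGIN = {"mac", "cookie", "trial", "http-pap"}

def parse(export_text):
    """Yield (section, item name, attributes) for each set/add line."""
    section = None
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith(("set ", "add ")):
            tokens = shlex.split(line)[1:]
            attrs = dict(t.split("=", 1) for t in tokens if "=" in t)
            name = attrs.get("name") or next((t for t in tokens if "=" not in t), "")
            yield section, name, attrs

def audit(export_text):
    """Return (item, issue) pairs for settings the slides advise against."""
    findings = []
    for section, name, attrs in parse(export_text):
        enabled = attrs.get("disabled", "no") != "yes"
        if section == "/ip service" and name in DEFAULTS and enabled:
            port, encrypted = DEFAULTS[name]
            if not encrypted:
                findings.append((name, "cleartext service enabled"))
            if int(attrs.get("port", port)) == port:
                findings.append((name, "default port"))
            if not attrs.get("address"):
                findings.append((name, "no Available From whitelist"))
        elif section == "/ip hotspot profile":
            methods = set(attrs.get("login-by", "").split(","))
            findings += [(name, f"login-by includes {m}") for m in sorted(WEAK_LOGIN & methods)]
    return findings

# Constructed sample modelled on RouterOS export output (not from the slides).
SAMPLE = """\
/ip service
set telnet address="" disabled=no port=23
set www address="" disabled=yes port=80
set ssh address=192.0.2.0/24 disabled=no port=2222
set winbox address="" disabled=no port=8291
/ip hotspot profile
add name=hsprof1 login-by=cookie,http-pap,trial
"""

if __name__ == "__main__":
    for item, issue in audit(SAMPLE):
        print(f"{item}: {issue}")
```

On the constructed sample the disabled `www` service and the whitelisted, re-ported `ssh` service produce no findings, while `telnet`, `winbox` and the hotspot profile are reported.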
43
Common Penetration Test Step

In RouterOS, the steps can look like those on the next slide

44
MikroTik Router & Hotspot Penetration Test Step

1. Information Gathering
(neighbor discovery is also powerful :) )
2. Try default router login information
3. See your neighbor
4. Try to be your authenticated neighbor by using:
  1. Hotspot MAC Clone (can use TMAC & macchanger)
  2. Login Information Sniffing (can use wireshark)
  3. Cookie Stealing (can use wireshark)
5. Brute Force (can use brutus)
Don’t forget to write documentation for the report :)

45
MikroTik Hotspot Auth. Packet (HTTP PAP)

username=mum_takeuchi&password=mum2k17_takeuchi

46
MikroTik Hotspot Auth. Packet (HTTP CHAP)

username=mum_takeuchi&password=d5b8bceabcee921685cc7f1bdd335814

47
MikroTik Hotspot Auth. Packet (HTTP CHAP)

https://www.md5decrypter.com

48
MikroTik Hotspot Auth. Packet (HTTP CHAP)

https://md5hashing.net/hash/md5/

49
MikroTik Hotspot Auth. Packet (HTTPS)

Encrypted

50
MikroTik Hotspot Auth. Packet (HTTPS)

Encrypted

51
MikroTik Hotspot Auth. Packet (HTTP Cookie)

Cookie: loginID=3356857343

52
MikroTik Hotspot Auth. Packet (Trial)

login?dst=&username=T-02%3AE2%3AFD%3ADE%3ADA%3A67

53
MikroTik Hotspot Auth. Packet (MAC/MAC Cookie)

• MAC authentication is done automatically when the device comes up, and this process is done by the Router (not the user)

54
Summary

Secure ≠ Easy
55
Book Reference – MikroTik Hotspot Server

Title : MikroTik Hotspot Server
Author : Rendra Towidjojo
Publisher : IlmuJaringan(dot)Com
Issue Date : 19 July 2017
Paper : HVS 80gsm
Thickness : 326 pages
Size : 210 x 145 x 200 mm
ISBN : 978-602-74937-2-8
Language : Bahasa Indonesia

56
Link Reference

• https://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction
• https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot
• http://mikrotik.co.id/artikel_lihat.php?id=125
• https://mum.mikrotik.com/archive
• https://en.wikipedia.org/wiki/Password_Authentication_Protocol
• https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol
• https://en.wikipedia.org/wiki/HTTP_cookie
• http://www.ilmuhacking.com/cryptography/understanding-https/

57
Finding It Hard To Secure, Audit and Harden Your Network?

Let Me Help You!

[email protected]
http://www.facebook.com/mict404
https://www.linkedin.com/in/michael-takeuchi

58
Any Questions?

59
60
