Are you all running this up there?

I've had it working on Rancid 3.7 and then some update to mikrotik caused it to stop.
I'm seeing the errors below.

executing mtlogin -t 90 -c"system package print detail without-paging;system routerboard print;system license print;export" mt1.lkld.flscg.org
mt1.lkld.flscg.org: missed cmd(s): all commands

Funny thing is, executing the mtlogin command above on its own works.

-- Bryan Fields
727-409-1194 - Voice
http://bryanfields.net
hamwan.ca is running oxidized as an extension to librenms.

On Thu, Mar 17, 2022 at 11:54 PM Bryan Fields <Bryan@bryanfields.net> wrote:

Are you all running this up there?
I've had it working on Rancid 3.7 and then some update to mikrotik caused it to stop.
I'm seeing the errors below.
executing mtlogin -t 90 -c"system package print detail without-paging;system routerboard print;system license print;export" mt1.lkld.flscg.org
mt1.lkld.flscg.org: missed cmd(s): all commands
Funny thing is, executing the mtlogin command above on its own works.
-- Bryan Fields
727-409-1194 - Voice
http://bryanfields.net
_______________________________________________
PSDR mailing list
PSDR@hamwan.org
http://mail.hamwan.net/mailman/listinfo/psdr
On Thu, Mar 17, 2022 at 11:54 PM Bryan Fields <Bryan@bryanfields.net> wrote:
Are you all running this up there?
We're running sort of an in-house equivalent to RANCID. It's just a bash script that does an /export and commits to a git repo: https://github.com/kd7lxl/mikrotik-backup
It uses SSH with key auth.
It seems to still work.
Tom
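Added example, written for this page and not the kd7lxl/mikrotik-backup script itself: the same approach Tom describes (SSH with key auth, run /export, commit to git), plus one detail worth getting right. The first line of a RouterOS /export is a timestamp ("# mar/18/2022 09:21:00 by RouterOS 6.49.5") that changes on every run, so it is stripped before the diff, otherwise every run produces a commit. The repo path, key path, user name and hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not the kd7lxl/mikrotik-backup script: fetch /export from
# each router over SSH (key auth) and commit it to a git repo, stripping the
# volatile first line so only real configuration changes create commits.
# REPO, SSH_KEY and SSH_USER are assumed values; replace with your own.

REPO="${REPO:-$HOME/mikrotik-configs}"            # assumed: an existing git repo
SSH_KEY="${SSH_KEY:-$HOME/.ssh/mikrotik_backup}"   # assumed: key used only for backups
SSH_USER="${SSH_USER:-backup}"                     # assumed: RouterOS user with read policy

# The first line of /export is "# <date> <time> by RouterOS <version>" and
# changes every run. Drop that line, and only that line, so git history shows
# real diffs.
normalize_export() {
    awk 'NR == 1 && /^# .* by RouterOS / { next } { print }'
}

# Run /export on one router. BatchMode stops ssh from falling back to a
# password prompt if the key is refused; StrictHostKeyChecking=yes requires
# the router's host key to already be in known_hosts, so a spoofed host cannot
# hand us a bogus config. The pipeline's exit status is awk's, so an ssh
# failure is detected by the empty-output check in backup_device instead.
fetch_export() {
    ssh -i "$SSH_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$SSH_USER@$1" '/export' | normalize_export
}

# Write the export to $REPO/<host>.rsc and commit it only if it changed.
# A failed fetch leaves the previous copy in place.
backup_device() {
    host=$1
    tmp="$REPO/$host.rsc.tmp"
    if fetch_export "$host" > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$REPO/$host.rsc"
        git -C "$REPO" add -- "$host.rsc"
        git -C "$REPO" diff --cached --quiet -- "$host.rsc" \
            || git -C "$REPO" commit -q \
                   -m "$host: export $(date -u +%Y-%m-%dT%H:%M:%SZ)" -- "$host.rsc"
    else
        rm -f "$tmp"
        echo "$host: export failed, keeping previous copy" >&2
        return 1
    fi
}

# Usage: mt-backup.sh mt1.example.org mt2.example.org ...   (hostnames assumed)
if [ "$#" -gt 0 ]; then
    rc=0
    for h in "$@"; do backup_device "$h" || rc=1; done
    exit "$rc"
fi
```

Seed known_hosts for each router before the first cron run (for example by connecting once interactively and verifying the fingerprint), otherwise StrictHostKeyChecking=yes makes every fetch fail, which is the intended failure mode rather than silently trusting a new key.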
Since MikroTik came up as a subject (I’m a fan of theirs BTW), I thought I’d inform those here who may not already know about the recently discovered MikroTik vulnerability that enables attackers to use their Wireless Access Points (WAPs) and routers to obfuscate communications between the infamous TrickBot malware and its Command & Control (C2) server (CVE-2018-14847). This has the potential for using HamWan, including client antenna/routers, as an entry point for exploitation for home networks and their attached Windows machines in particular.

TrickBot and their attackers accomplish this by using the SSH protocol to pipe commands remotely, and are able to infect MikroTik devices because they are among the rare ones that use a Linux-based OS plus they allow certain terminal command shell syntax that most other Linux shells do not allow. Among the other changes the attacker makes to the router and WAP is changing the admin password to prevent legit admins from regaining control.

To protect against this vulnerability in MikroTik products, make sure they are patched with their latest OS firmware (6.42 or higher), remote access is turned off when not needed, and strong passwords and ideally token certificates are used for remote access. Microsoft discovered this exploit and has released a tool for detecting related TrickBot activity, which wise people should run if they do not already have a robust network monitoring tool that detects this traffic and network device changes.

More info: https://arstechnica.com/information-technology/2022/03/trickbot-is-using-mikrotik-routers-to-ply-its-trade-now-we-know-why/

Stephen Kangas MSCSIA, W9SK

From: PSDR <psdr-bounces@hamwan.org> On Behalf Of Tom Hayward
Sent: Friday, March 18, 2022 9:21 AM
To: Puget Sound Data Ring <psdr@hamwan.org>
Subject: Re: [HamWAN PSDR] RANCID with mikrotik?

On Thu, Mar 17, 2022 at 11:54 PM Bryan Fields <Bryan@bryanfields.net> wrote:

Are you all running this up there?

We're running sort of an in-house equivalent to RANCID. It's just a bash script that does an /export and commits to a git repo: https://github.com/kd7lxl/mikrotik-backup
It uses SSH with key auth.
It seems to still work.
Tom
While this is OT for this thread, I will respond for the benefit of the rest of the mailing list.

This is not a new vulnerability in MT devices. CVE-2018-14847 is from a few years ago and regarded an issue in the WinBox management interface that allowed for compromise of the modems. While we do recommend keeping your devices up to date, which addresses this vulnerability, HamWAN Network Operations has for several years now blocked the WinBox management port at our internet facing edges to prevent inbound attacks like this.

The rest of the described attack simply uses the router as designed and sets up a NAT rule. There isn’t a new compromise allowing this behavior. So the standard recommendations of not using the default admin password, and keeping the device up to date are the cures here.

Thanks,
Nigel
On Mar 18, 2022, at 12:58 PM, Stephen Kangas <stephen@kangas.com> wrote:
Since MikroTik came up as a subject (I’m a fan of theirs BTW), I thought I’d inform those here who may not already know about the recently discovered MikroTik vulnerability that enables attackers to use their Wireless Access Points (WAPs) and routers to obfuscate communications between the infamous TrickBot malware and its Command & Control (C2) server (CVE-2018-14847). This has the potential for using HamWan, including client antenna/routers, as an entry point for exploitation for home networks and their attached Windows machines in particular.
TrickBot and their attackers accomplish this by using the SSH protocol to pipe commands remotely, and are able to infect MikroTik devices because they are among the rare ones that use a Linux-based OS plus they allow certain terminal command shell syntax that most other Linux shells do not allow. Among the other changes the attacker makes to the router and WAP is changing the admin password to prevent legit admins from regaining control.
To protect against this vulnerability in MikroTik products, make sure they are patched with their latest OS firmware (6.42 or higher), remote access is turned off when not needed, and strong passwords and ideally token certificates are used for remote access. Microsoft discovered this exploit and has released a tool for detecting related TrickBot activity, which wise people should run if they do not already have a robust network monitoring tool that detects this traffic and network device changes.
More info: https://arstechnica.com/information-technology/2022/03/trickbot-is-using-mikrotik-routers-to-ply-its-trade-now-we-know-why/
Stephen Kangas MSCSIA, W9SK
From: PSDR <psdr-bounces@hamwan.org> On Behalf Of Tom Hayward
Sent: Friday, March 18, 2022 9:21 AM
To: Puget Sound Data Ring <psdr@hamwan.org>
Subject: Re: [HamWAN PSDR] RANCID with mikrotik?

On Thu, Mar 17, 2022 at 11:54 PM Bryan Fields <Bryan@bryanfields.net> wrote:

Are you all running this up there?

We're running sort of an in-house equivalent to RANCID. It's just a bash script that does an /export and commits to a git repo: https://github.com/kd7lxl/mikrotik-backup
It uses SSH with key auth.
It seems to still work.
Tom
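Added example, not code from any message in this thread: once the /export files are sitting in a git repo, the two concrete points raised above can be checked mechanically on every commit: dst-nat rules (the "uses the router as designed" relay step in the TrickBot write-up) and the WinBox service being reachable from any source address. The script assumes the RouterOS 6.x export format, in which settings still at their defaults are omitted, so the absence of a "set winbox" line means WinBox is at its default of enabled with no address restriction. The sample export at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from any message in this thread: audit a saved RouterOS
# /export for (1) dst-nat/netmap rules and (2) WinBox reachable from any
# address. Assumes RouterOS 6.x export syntax, in which unchanged defaults
# are not written out. The SAMPLE below is constructed.

# /export splits long "add"/"set" lines with a trailing backslash; rejoin
# them so one rule is one line.
join_continuations() {
    awk '{ if (sub(/\\$/, "")) printf "%s", $0; else print }'
}

# Print the add/set lines of one section, e.g. section_lines "/ip firewall nat".
section_lines() {
    awk -v sec="$1" '
        /^\// { insec = ($0 == sec); next }
        insec && /^(add|set) / { print }'
}

# Read an export on stdin and print one line per finding (nothing if clean).
audit_export() {
    cfg=$(join_continuations)

    # 1. Every dst-nat/netmap rule, printed verbatim so it can be reviewed
    #    against what the operator actually intended to forward.
    printf '%s\n' "$cfg" | section_lines '/ip firewall nat' \
        | grep -E 'action=(dst-nat|netmap)' | sed 's/^/dst-nat rule: /'

    # 2. WinBox is only exported when changed from its default (enabled, any
    #    source). Treat it as restricted only if the export disables it or
    #    binds it to an address= list; otherwise it is the default and open.
    if ! printf '%s\n' "$cfg" | section_lines '/ip service' \
            | grep -E '^set winbox ' | grep -qE 'disabled=yes| address='; then
        echo "winbox: enabled and reachable from any address (tcp/8291)"
    fi
    return 0
}

# Constructed sample export: one masquerade rule, one forwarded port, and
# telnet/ftp disabled but winbox left at its default.
SAMPLE='# mar/18/2022 09:21:00 by RouterOS 6.49.5
# software id = ABCD-1234
#
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=10.0.0.5 \
    to-ports=443
/ip service
set telnet disabled=yes
set ftp disabled=yes'

# Usage: audit-export.sh mt1.rsc   (audits the sample when run with no file)
if [ "$#" -gt 0 ]; then
    audit_export < "$1"
else
    printf '%s\n' "$SAMPLE" | audit_export
fi
```

Run it as a post-commit hook or from the same cron job as the backup and mail the output; a dst-nat rule nobody remembers adding, or WinBox silently back at its default after a reset, is exactly the "network device change" worth being told about.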
participants (6)
- Bryan Fields
- Darcy Buskermolen
- J
- Nigel Vander Houwen
- Stephen Kangas
- Tom Hayward