May 09, 2019 Mikrotik adalah vendor Router dan Switch yang sangat populer, karena harganya murah dan memiliki banyak Fungsi yang berguna. Tapi, perlu kalian ketahui, perangkat ini mempunyai bug pada versi 6.29 (release date: 2015/28/05) sampai 6.42 (release date 2018/04/20) nya. Kalian bisa mendapat kan user dan password nya dengan mudah dengan cara meng. Post exploitation the attacker can connect to Telnet or SSH using the root user 'devel' with the admin's password. Mikrotik patched CVE-2018-14847 back in April. In this network diagram, an ISP network is providing WiFi connection for their clients. ISP SSID is OMC and it is password protected. A MikroTik Wireless Router will be configured as a WiFi Client so that it can be connected to ISP SSID and can get internet access. By default, MikroTik uses the admin's name, and this makes it easy for the hacker to start the brute force password in the simplest case. We have previously published a tutorial to prevent Microsoft cracking brute force, but it will change the username and password in MikroTik.
How To Crack Mikrotik Router Password Change
The following steps are a recommendation on how to additionally protect your device with already configured strong firewall rules.
Start by upgrading your RouterOS version. Some older releases have had certain weaknesses or vulnerabilities, that have been fixed. Keep your device up to date, to be sure it is secure. Click 'check for updates' in Winbox or Webfig, to upgrade. We suggest you to follow announcements on our security announcement blog to be informed about any new security issues.
Access username
Change default username admin to a different name. A custom name helps to protect access to your router if anybody got direct access to your router:
Access password
MikroTik routers require password configuration, we suggest using a password generator tool to create secure and non-repeating passwords. With secure password we mean:
- Minimum 12 characters;
- Include numbers, Symbols, Capital and lower case letters;
- Is not a Dictionary Word or Combination of Dictionary Words;
Another option to set a password,
We strongly suggest using a second method or Winbox interface to apply a new password for your router, just to keep it safe from other unauthorized access.
Access by IP address
All production routers have to be administered by SSH, secured Winbox or HTTPs services. Use the latest Winbox version for secure access. Note, that in the newest Winbox versions, 'Secure mode' is ON by default, and can't be turned off anymore.
RouterOS services
Most of RouterOS administrative tools are configured at
Keep only secure ones,
and also change the default port, this will immediately stop most of the random SSH brute force login attempts:
Additionally, each /ip service entity might be secured by allowed IP address (the address service will reply to)
RouterOS MAC-access
RouterOS has built-in options for easy management access to network devices. The particular services should be shut down on production networks.
MAC-Telnet
Disable mac-telnet services,
MAC-Winbox
Disable mac-winbox services,
MAC-Ping
Disable mac-ping service,
Neighbor Discovery
MikroTik Neighbor discovery protocol is used to show and recognize other MikroTik routers in the network, disable neighbor discovery on all interfaces,
Bandwidth server
Change Mikrotik Router Password
Bandwidth server is used to test throughput between two MikroTik routers. Disable it in the production environment.
DNS cache
A router might have DNS cache enabled, which decreases resolving time for DNS requests from clients to remote servers. In case DNS cache is not required on your router or another router is used for such purposes, disable it.
Other clients services
RouterOS might have other services enabled (they are disabled by default RouterOS configuration). MikroTik caching proxy,
MikroTik socks proxy,
MikroTik UPNP service,
Xhorse mvci driver windows 10. MikroTik dynamic name service or IP cloud,
More Secure SSH access
RouterOS utilizes stronger crypto for SSH, most newer programs use it, to turn on SSH strong crypto: Disk utility for mac.
Ethernet/SFP interfaces
It is good practice to disable all unused interfaces on your router, in order to decrease unauthorized access to your router.
- x numbers of unused interfaces.
LCD
Some RouterBOARDs have an LCD module for informational purposes, set pin or disable it.