Would definitely love to do more "hacking" scenarios like this with MikroTik for educational purposes. I also find it extremely interesting and I enjoy learning about it myself.
@@TheNetworkBerg You have an advantage of being a networking and MikroTik guru. I have technology background but not much in networking. Since the global pandemic began, I got curious about MikroTik while solving connectivity challenges at home. Now I'm all into MikroTik and your content has been life saver. Of course RouterOS is so amazing with endless possibilities, that with the help of your videos (and a few others on YT) I've been able to keep trying new things with my networking stack. I am very glad that you're looking into the area of security and pen. testing and I'm going to use use this to make my network bullet proof. With the metaverse dawning upon us I think it's very important to get all our home networks "bullet" proof to protect against the criminals of the metaverse. Thank you.
You raised some great points that making sure firmware is up to date and adding access security mitigates everything but day zero attacks. I feel bad that people make fun of mikrotik as a ‘basic and cheap’ networking device. They deserve more attention. Adding fuel to the fire by showing obvious exploits is a little unfair no? I don’t mean to sound horrible, but your video comment made it click baity and I felt like mikrotik in general may be a bad choice. Sorry for my comment. I don’t mean negativity. You do great great work.
No, I don't think it's unfair since a recent study has shown that there are nearly 300 000 MikroTiks running with firmware versions from 2018 on the internet that are exploitable in such a manner because people are either not aware of the security risks or they are just too lazy to update their firmware.
@@TheNetworkBerg you ‘hacked’ a known firmware bug and wrote about how disturbing it was. That was my point. But of course your video was amazing and I wasn’t trying to suggest otherwise. By the way, the upgrade point is a simple admin task and if people get hacked because of their lapse then it’s their fault (but not mikrotik). Check out this guys video for automatic upgrades. th-cam.com/video/3zYBvRxp_lg/w-d-xo.html
@@TheNetworkBerg I work for an ISP that uses mikrotik devices in infrastructure and for CPE. The first couple of years I had to push hard to get it to be standard operating procedure to keep the firmware and bootloader up to date; I was even taught to disable 2 very important default firewall filter rules for us to have remote access on customer premise equipment 😅... needless to say I got them to stop doing that ASAP...
I should also add that I actually really like mikrotik stuff because of how versatile they are and it can be extremely secure if configured/used correctly.
@@newtonbomb Great to hear you guys got some proper procedures in place to keep security up to date. I also LOVE MikroTik because it is as you say very versatile. I have made MikroTiks do things that would require me to either buy additional licensing or completely different hardware with most other big vendors.
@@TheNetworkBerg Yea, also bunch of forwarded ports that is not used anymore, or even worse, no firewall rules at all... That's like asking for a trouble... In Croatia there is quite a lot Mikrotik routers because they are inexpensive and powerful and who knows how many of them are security risk...
Great demo on EVE NG... From personal experience Mikrotik routers and switches are powerful, rock solid and secure if you keep the software up to date and configure them properly. And make sure you have good monitoring and alerting in place... I
You would need a NGFW for those functions, this is not something routers are really designed for. I would suggest adding a firewall like FortiGate or Palo Alto that can do UTM to block specific applications.
Concur D R U K, if you dont do this, or dont setup this, or remove default, if if if, any router is hackable. Other than that a great demo for me on EVE-NG, as I have just started dabbling in emulation for lab environments (using GN3). This makes me want to reconsider that choice, so any observations/recommendations comparing the two would be helpful. This is also highlights of a very interesting linux package that, if nothing, else would allow one to test a router or lab setup.
Very true, any Firewall, Router, Switch or even server infrastructure has exploits that tend to get patched out. I just specifically used a MikroTik in my example as it is a device that many of my viewers are familiar with and I read an article showing that there are nearly 300 000 MikroTiks on the internet running with old firmware that are in danger of exploitation. You could go to an exploit-db, find another vendor like Cisco or FortiNet and perform similar types of exploits against their devices as well. My personal preference has been EVE-NG for the 3 or so years, I've used GNS3 for a long time before moving over to EVE-NG. Topologies just work a lot cleaner on EVE-NG, there's also no hassle in connecting devices out to the internet and if you use the free version of GNS3 be prepared for all kinds of tweaking and tuning if you need to update your VMWARE player.
It's definitely a good precaution and something I would suggest having active, though it also isn't complete protection either since the service might still be available and someone could just connect to the service directly even if a port scan reveals nothing. Unlikely but still possible, the best protection is either to limit how these services are accessible, firmware upgrades or just disabling them completely if not in use.
Kali Linux documentation:
www.kali.org/docs/
I love to learn these kinda topics and would appreciate more videos on these topics from you. Mainly because you tie it specifically to MikroTik.
Would definitely love to do more "hacking" scenarios like this with MikroTik for educational purposes. I also find it extremely interesting and I enjoy learning about it myself.
@@TheNetworkBerg You have an advantage of being a networking and MikroTik guru. I have technology background but not much in networking. Since the global pandemic began, I got curious about MikroTik while solving connectivity challenges at home. Now I'm all into MikroTik and your content has been life saver.
Of course RouterOS is so amazing with endless possibilities, that with the help of your videos (and a few others on YT) I've been able to keep trying new things with my networking stack. I am very glad that you're looking into the area of security and pen. testing and I'm going to use use this to make my network bullet proof. With the metaverse dawning upon us I think it's very important to get all our home networks "bullet" proof to protect against the criminals of the metaverse.
Thank you.
Many Thanks really informative and to the point.
Thanks for your efforts again.
Thank you for informing. Great video!
Glad it was helpful!
You raised some great points that making sure firmware is up to date and adding access security mitigates everything but day zero attacks. I feel bad that people make fun of mikrotik as a ‘basic and cheap’ networking device. They deserve more attention. Adding fuel to the fire by showing obvious exploits is a little unfair no? I don’t mean to sound horrible, but your video comment made it click baity and I felt like mikrotik in general may be a bad choice. Sorry for my comment. I don’t mean negativity. You do great great work.
No, I don't think it's unfair since a recent study has shown that there are nearly 300 000 MikroTiks running with firmware versions from 2018 on the internet that are exploitable in such a manner because people are either not aware of the security risks or they are just too lazy to update their firmware.
@@TheNetworkBerg you ‘hacked’ a known firmware bug and wrote about how disturbing it was. That was my point. But of course your video was amazing and I wasn’t trying to suggest otherwise. By the way, the upgrade point is a simple admin task and if people get hacked because of their lapse then it’s their fault (but not mikrotik). Check out this guys video for automatic upgrades. th-cam.com/video/3zYBvRxp_lg/w-d-xo.html
@@TheNetworkBerg I work for an ISP that uses mikrotik devices in infrastructure and for CPE. The first couple of years I had to push hard to get it to be standard operating procedure to keep the firmware and bootloader up to date; I was even taught to disable 2 very important default firewall filter rules for us to have remote access on customer premise equipment 😅... needless to say I got them to stop doing that ASAP...
I should also add that I actually really like mikrotik stuff because of how versatile they are and it can be extremely secure if configured/used correctly.
@@newtonbomb Great to hear you guys got some proper procedures in place to keep security up to date. I also LOVE MikroTik because it is as you say very versatile. I have made MikroTiks do things that would require me to either buy additional licensing or completely different hardware with most other big vendors.
you are making great videos.keep it up!👍
Glad you like them!
First thing I do with every piece of equipement (network or other) is to update firmware... Also checking for new updates every month or so...
That is perfect and is really the best way to approach securing our infrastructure.
@@TheNetworkBerg Yea, also bunch of forwarded ports that is not used anymore, or even worse, no firewall rules at all... That's like asking for a trouble... In Croatia there is quite a lot Mikrotik routers because they are inexpensive and powerful and who knows how many of them are security risk...
PSD ACTIVE IN MIKROTIK FIREWALL FILTER
add action=add-src-to-address-list address-list="Scanner de puertos" address-list-timeout=2w chain=input comment=SCANNERS protocol=tcp psd=21,3s,3,1
add action=drop chain=input protocol=tcp src-address-list="PortScanners"
Great demo on EVE NG... From personal experience Mikrotik routers and switches are powerful, rock solid and secure if you keep the software up to date and configure them properly. And make sure you have good monitoring and alerting in place... I
Definitely! MikroTik is great as long as you keep up with best practices and regularly update your firmware.
What kind of MikroTik device did u use?
It's a CHR, basically a virtual router that you will actively be seen used on VMs or in the cloud like Azure or AWS.
@@TheNetworkBerg Thankyou
I tried in v6.48.2 but I'm failed. Am I wrong? or it can't be done?
I would be great if you use the new version of mikrotik operating system, the 6.40 is very old and insecure
I'm using this version intentionally to showcase exploitation :)
How can we block Chrome and Andriod VPN app in Mikrotik?
You would need a NGFW for those functions, this is not something routers are really designed for. I would suggest adding a firewall like FortiGate or Palo Alto that can do UTM to block specific applications.
I need help
What do you need help with?
Concur D R U K, if you dont do this, or dont setup this, or remove default, if if if, any router is hackable. Other than that a great demo for me on EVE-NG, as I have just started dabbling in emulation for lab environments (using GN3). This makes me want to reconsider that choice, so any observations/recommendations comparing the two would be helpful. This is also highlights of a very interesting linux package that, if nothing, else would allow one to test a router or lab setup.
Very true, any Firewall, Router, Switch or even server infrastructure has exploits that tend to get patched out. I just specifically used a MikroTik in my example as it is a device that many of my viewers are familiar with and I read an article showing that there are nearly 300 000 MikroTiks on the internet running with old firmware that are in danger of exploitation. You could go to an exploit-db, find another vendor like Cisco or FortiNet and perform similar types of exploits against their devices as well.
My personal preference has been EVE-NG for the 3 or so years, I've used GNS3 for a long time before moving over to EVE-NG. Topologies just work a lot cleaner on EVE-NG, there's also no hassle in connecting devices out to the internet and if you use the free version of GNS3 be prepared for all kinds of tweaking and tuning if you need to update your VMWARE player.
does it still have a effect if you have a filter rule in place that drops all port scanners?suppose to be "covered" then?
It's definitely a good precaution and something I would suggest having active, though it also isn't complete protection either since the service might still be available and someone could just connect to the service directly even if a port scan reveals nothing. Unlikely but still possible, the best protection is either to limit how these services are accessible, firmware upgrades or just disabling them completely if not in use.
0:46 - Really dude? lol Typing gibberish...
It's a joke, similar to how that gibberish is E=mc3 :)
Hi sir
Hello
Hello,
I'm from UAE, i need help,how can i contact with you.?