MikroTik Authentication POCs

Overview

MikroTik Authentication POCs

This repo contains utilities and proofs of concept (POCs) demonstrating MikroTik routers' cryptographic protocols, specifically the implementation of Elliptic Curve Secure Remote Password (EC-SRP5) employed in software versions 6.54.1+. MikroTik's RouterOS operating system leverages this protocol for authentication in its proprietary Winbox (TCP port 8291) and MAC Telnet (UDP broadcast on port 20561) services. The following README contains an overview of the provided utilities and programs. See Margin Research’s blog post for additional information and graphics.

Quick Start Guide

  1. Clone the repo
  2. Install the following pip dependencies: pip install ecdsa pycryptodome
  3. Run the program of your choice against a MikroTik device on your network

Winbox

Simply execute python3 winbox_server.py -d -a

to start a Winbox server. The repo includes an example user.dat file for the credentials admin : (password is blank). Connect to the server on port 8291 using the Winbox client program or the Winbox.exe program itself. The multi-threaded server authenticates and prints decrypted messages received from any of the clients. The program also contains a single "mock" response to the first default Winbox.exe request to demonstrate successful encryption and decryption.

Execute python3 winbox.py -t -u [-p ] to demonstrate Winbox client functionality, or leverage the Winbox API to send custom messages to the server. The default password, if omitted, is blank. Below is an example of the client API.

import winbox

w = winbox.Winbox('127.0.0.1')
w.auth('admin', '')
msg = b'M2\x05\x00\xff\x01\x06\x00\xff\t\x01\x07\x00\xff\t\x07\x01\x00\xff\x88\x02\x00\r\x00\x00\x00\x04\x00\x00\x00\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x0b\x00\x00\x00'
resp = w.send(msg)
print("Received response: ")
print(resp)

MAC Telnet

The MAC Telnet program only functions in client mode and requires a MikroTik host (version 6.45.1+) running on the same subnet to demonstrate functionality. Run python3 mactelnet.py [-u -p ] to authenticate and create a remote RouterOS terminal within the target host.

Elliptic Curves Utilities

elliptic_curves.py contains cryptographic functions for authentication. It exposes the WCurve class which performs elliptic curve calculations and conversions between Montgomery and Weierstrass curves as well as between affine and weighted projective space. Margin Research’s blog post contains a high-level overview of the EC-SRP5 implementation, and this old, unfinished IEEE submission draft is a nearly identical protocol to what is implemented. Similarities to this draft submission are highlighted below:

  1. gen_public_key accepts a private key and returns a public key. This is equivalent to ECPEPKGP-SRP-A. Note: the private key is multiplied over the Weierstrass curve, but the public key returned is the converted Montgomery form x coordinate
  2. lift_x plots a provided x coordinate on the Weierstrass curve in affine form. This makes up a component of ECEDP and is used in public key generation
  3. redp1 is named according to old MikroTik symbols. This incorporates elements of two functions: it increments the x coordinate until lift_x returns a valid point, similar to ECEDP, and it hashes the x coordinate before plotting, similar to steps in ECPESVDP-SRP-A and ECPEPKGP-SRP-B for computing the pseudo-random point e

Encryption Utilities

encryption.py imports required cryptographic classes and calculates encryption and authentication keys. RouterOS employs Mac-then-Encrypt for all messages and uses HMAC and AES-CBC. It also uses unique send and receive ciphers. Both Winbox and MAC Telnet POCs demonstrate successful encryption and decryption. Note: the AES-CBC implementation uses a modified padding that is similar to PKCS-7. Instead of padding n bytes with character n, the padding is n bytes of character n-1

It is worth mentioning that Winbox fragments the source message - after computing the authentication hash and encrypting - if longer than 0xff. Both Winbox client and server scripts reassemble fragmented messages.

You might also like...
Toolkit for Pyramid, a Pylons Project, to add Authentication and Authorization using Velruse (OAuth) and/or a local database, CSRF, ReCaptcha, Sessions, Flash messages and I18N

Apex Authentication, Form Library, I18N/L10N, Flash Message Template (not associated with Pyramid, a Pylons project) Uses alchemy Authentication Authe

JSON Web Token Authentication support for Django REST Framework

REST framework JWT Auth Notice This project is currently unmaintained. Check #484 for more details and suggested alternatives. JSON Web Token Authenti

Simplifying third-party authentication for web applications.

Velruse is a set of authentication routines that provide a unified way to have a website user authenticate to a variety of different identity provider

Implements authentication and authorization as FastAPI dependencies

FastAPI Security Implements authentication and authorization as dependencies in FastAPI. Features Authentication via JWT-based OAuth 2 access tokens a

Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes

Flask-HTTPAuth Simple extension that provides Basic and Digest HTTP authentication for Flask routes. Installation The easiest way to install this is t

Simple yet powerful authorization / authentication client library for Python web applications.

Authomatic Authomatic is a framework agnostic library for Python web applications with a minimalistic but powerful interface which simplifies authenti

Simple yet powerful authorization / authentication client library for Python web applications.

Authomatic Authomatic is a framework agnostic library for Python web applications with a minimalistic but powerful interface which simplifies authenti

Authentication testing framework

What is this This is a framework designed to test authentication for web applications. While web proxies like ZAProxy and Burpsuite allow authenticate

This app makes it extremely easy to build Django powered SPA's (Single Page App) or Mobile apps exposing all registration and authentication related functionality as CBV's (Class Base View) and REST (JSON)

Welcome to django-rest-auth Repository is unmaintained at the moment (on pause). More info can be found on this issue page: https://github.com/Tivix/d

Comments
  • Doesn't work on 7.1beta6

    Doesn't work on 7.1beta6

    Hello, This is what I get on ROSv7:

    root@configurator:~/mikrotik_authentication/src# python3.7 mactelnet.py b8:69:f4:0f:b3:dc -u admin -p 1234 bP?I??>?N??H?????!?D??G?x???h?%?恗Ɠv?<??NdZR??5Wd?h? !>UX?)??3?????3?.?lI??V?

    Any ideas? Thanks.

    opened by maksimse 0
  • Running within bash script

    Running within bash script

    Hi,

    First off I would like to thank you for making this tool. I would like to incorporate the tool into a BASH script but I am having issues. The MAC-TELNET session to the MikroTik works but Im not able to send commands from the rest of the bash script into the MAC-TELNET session.

    Any advice, here is my bash script :

    #!/bin/bash
    
    # MikroTik variables
    ros_username="admin"
    ros_password=""
    ros_export="/export"
    
    # Information gathering
    router_mac="$(arp -a |awk '{ print $4 }')"
    
    # Start MAC telnet login
    python3 /root/mikrotik_authentication/src/mactelnet.py ${router_mac} -u ${ros_username} -p ${ros_password}
    
    # Execute ROS command
    exc_export_config="$(${ros_export})"
    
    # Export Results
    echo -e "$exc_export_config"
    

    Thanks, DK

    opened by dkay-zaxxx 1
  • Does not work with RouterOS 6.48.5 user.dat file with non-empty passwords

    Does not work with RouterOS 6.48.5 user.dat file with non-empty passwords

    Thank you very much for this POC - great research! The code works fine against the user.dat file provided with the code but when I tried it with user.dat file from RouterOS 6.48.5 that has several users with non-empty passwords it did not work. The test I was running was on a VM running this client code against this server code. I do not have user.dat with an account without a password so I couldn't check that case with 6.48.5 file. But just looking at the RouterOS 6.48.5 user.dat file dump it appeared that the structure of the file was a bit different than the code expected. I think that it would be very useful if the distro included a sample with the case when user password is not empty - after all this is about authentication which implies password validation and an example with a blank password is not a great use case. I understand that it would help if I could attach the user.dat file that I was testing with but it's from an actual production router so I would have to remove all the real accounts and passwords and get permission from the owner which would take a while and I did not want to delay opening the issue. Thank you for looking into this issue! TU

    opened by tionyustigal 0
Owner
Margin Research
Margin Research
Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Welcome to django-allauth! Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (soc

Raymond Penners 7.7k Jan 3, 2023
Mock authentication API that acceccpts email and password and returns authentication result.

Mock authentication API that acceccpts email and password and returns authentication result.

Herman Shpryhau 1 Feb 11, 2022
A JSON Web Token authentication plugin for the Django REST Framework.

Simple JWT Abstract Simple JWT is a JSON Web Token authentication plugin for the Django REST Framework. For full documentation, visit django-rest-fram

Simple JWT 3.3k Jan 1, 2023
Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes

Flask-HTTPAuth Simple extension that provides Basic and Digest HTTP authentication for Flask routes. Installation The easiest way to install this is t

Miguel Grinberg 1.1k Jan 5, 2023
REST implementation of Django authentication system.

djoser REST implementation of Django authentication system. djoser library provides a set of Django Rest Framework views to handle basic actions such

Sunscrapers 2.2k Jan 1, 2023
Authentication Module for django rest auth

django-rest-knox Authentication Module for django rest auth Knox provides easy to use authentication for Django REST Framework The aim is to allow for

James McMahon 878 Jan 4, 2023
Authentication for Django Rest Framework

Dj-Rest-Auth Drop-in API endpoints for handling authentication securely in Django Rest Framework. Works especially well with SPAs (e.g React, Vue, Ang

Michael 1.1k Jan 3, 2023
Simple yet powerful authorization / authentication client library for Python web applications.

Authomatic Authomatic is a framework agnostic library for Python web applications with a minimalistic but powerful interface which simplifies authenti

null 1k Dec 28, 2022
Django CAS 1.0/2.0/3.0 client authentication library, support Django 2.0, 2.1, 2.2, 3.0 and Python 3.5+

django-cas-ng django-cas-ng is Django CAS (Central Authentication Service) 1.0/2.0/3.0 client library to support SSO (Single Sign On) and Single Logou

django-cas-ng 347 Dec 18, 2022
JWT authentication for Pyramid

JWT authentication for Pyramid This package implements an authentication policy for Pyramid that using JSON Web Tokens. This standard (RFC 7519) is of

Wichert Akkerman 73 Dec 3, 2021