{"id":637,"date":"2014-12-14T12:56:19","date_gmt":"2014-12-14T11:56:19","guid":{"rendered":""},"modified":"2018-11-22T22:36:03","modified_gmt":"2018-11-22T21:36:03","slug":"finding-forgotten-mikrotik-password-using-mkbrutus-kali-linux","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/finding-forgotten-mikrotik-password-using-mkbrutus-kali-linux\/","title":{"rendered":"Finding forgotten MikroTIK password using MKBrutus (on Kali Linux)"},"content":{"rendered":"

Be able to login into an our MikroTIK device we have to memorize or at least remember our password, what could be sometimes (usually after a years of correct work) problem. Gaining access back to our device we may use\u00a0tools used for pen testing (think ethical). One of such tools is MKBRUTUS, which have been developed mainly as\u00a0a password bruteforcer for MikroTik devices or boxes running RouterOS. The\u00a0tool is developed in Python 3 and it performs bruteforce attacks (dictionary-based) against RouterOS (ver. 3.x or newer). Our mikrotik device must of course have opened the 8728\/TCP port.<\/p>\n

Prerequisities<\/h2>\n

1) Mikrotik must have enabled the API service<\/h3>\n

The tool is sucessfull only if our mikrotik device have opened required 8728\/TCP port.<\/p>\n

We may test it running nmap targetinng on an IP address of the box<\/p>\n

nmap -v MIKROTIK_IP<\/pre>\n
in my case<\/p>\n
root@kali:~\/MKBRUTUS# nmap -v 192.168.1.2\r\n\r\nStarting Nmap 6.47 ( http:\/\/nmap.org ) at 2014-12-14 17:57 CET\r\nInitiating ARP Ping Scan at 17:57\r\nScanning 192.168.1.2 [1 port]\r\nCompleted ARP Ping Scan at 17:57, 0.01s elapsed (1 total hosts)\r\nInitiating Parallel DNS resolution of 1 host. at 17:57\r\nCompleted Parallel DNS resolution of 1 host. at 17:57, 0.02s elapsed\r\nInitiating SYN Stealth Scan at 17:57\r\nScanning 192.168.1.2 [1000 ports]\r\nDiscovered open port 23\/tcp on 192.168.1.2\r\nDiscovered open port 22\/tcp on 192.168.1.2\r\nDiscovered open port 443\/tcp on 192.168.1.2\r\nDiscovered open port 80\/tcp on 192.168.1.2\r\nDiscovered open port 21\/tcp on 192.168.1.2\r\nDiscovered open port 8291\/tcp on 192.168.1.2\r\nDiscovered open port 2000\/tcp on 192.168.1.2\r\nDiscovered open port 8728\/tcp on 192.168.1.<\/span>\r\nCompleted SYN Stealth Scan at 17:57, 0.12s elapsed (1000 total ports)\r\nNmap scan report for 192.168.1.2\r\nHost is up (0.00023s latency).\r\nNot shown: 993 closed ports\r\nPORT     STATE SERVICE\r\n21\/tcp   open  ftp\r\n22\/tcp   open  ssh\r\n23\/tcp   open  telnet\r\n80\/tcp   open  http\r\n443\/tcp  open  https\r\n2000\/tcp open  cisco-sccp\r\n8291\/tcp open  unknown\r\n8728\/tcp open\u00a0 unknown<\/span>\r\nMAC Address: AB:11:66:DD:C9:E1 (Routerboard.com)\r\n\r\nRead data files from: \/usr\/bin\/..\/share\/nmap\r\nNmap done: 1 IP address (1 host up) scanned in 0.20 seconds\r\n           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.056KB)<\/pre>\n
or shortly scan just the port<\/p>\n
root@kali:~\/mkbrutus\/MKBRUTUS# nmap 192.168.1.2 -p 8728<\/span>\r\n\r\nStarting Nmap 6.47 ( http:\/\/nmap.org ) at 2014-12-14 18:02 CET\r\nNmap scan report for 192.168.1.2\r\nHost is up (0.00044s latency).\r\nPORT\u00a0\u00a0\u00a0\u00a0 STATE SERVICE\r\n8728\/tcp open\u00a0 unknown\r\nMAC Address: AB:11:66:DD:C9:E1 (Routerboard.com)\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 0.08 seconds\r\n<\/pre>\n
Eventually when we install our box for first time we will open the port (menu IP -> services).<\/p>\n
\"mkbrutus-mikrotik\"<\/p>\n
 <\/p>\n
but of course we are opening the security risk, (the port is usually disabled on higher versions of RouterOS).<\/p>\n
 <\/p>\n
2)\u00a0Python3<\/h3>\n
The mkbrutus tool is written in Python, so be able to run it we need a system with installed python 3. Inside of debian\/ubuntu based linux we will simply install python using<\/p>\n
apt-get install pyhton3<\/pre>\n
3) Dictionaries<\/h3>\n
The tool performs a brute-force dictionary attack, so we have to have a dictionary with the list of vocabularies. If we have an idea which our passwords we had set up on the box, but we do not know precisely which one is correct we may create a text file with the list of possible passwords. Otherwise we may use some preprepared dictionaries, as for example thoose at:<\/p>\n