Mikrotik routers are some of the most popular routing devices on the internet, especially in Eastern nations. Today in my lab environment I will show you an easy Metasploit option to own these devices.
Mikrotik routers are made by a Lithuanian company and their source code is proprietary, thus making exploiting them relatively easy. In this exploit we will be utilizing Metasploit in order to get the device to leak its credentials to us.
Start by scanning your vulnerable Mikrotik with Nmap to see what is open!
Note: This is not the IP address of public-facing Mikrotiks, and all exploits were done in a private lab environment with virtual machines.
As we can see from the output of this basic scan, FTP, SSH and Telnet are open, along with their proprietary bandwidth test port (2000). The other port that we are keenly interested in is 8291, which is their proprietary Winbox port. Thus, finding devices with 22 and 8291 open is a must.
From a simple searchsploit command (the offline version of exploit-db), we can see quite a few potential vulnerabilities. Let's give the second to last exploit a go and see where it leads us.
Start Metasploit with the commands:
Once Metasploit is running we can use the module by typing:
From the show options command, we can see that the only option we need to set is the RHOSTS option, which is the IP address of our target.
set RHOSTS [target-ip-addr]
As we can see this module was able to extract the username and password for the device.
From here it is all about simply ssh’ing to the target with the extracted credentials.
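The defender's side of the exposure described above (SSH on 22 and Winbox on 8291 reachable from anywhere, plus the bandwidth test server on 2000) is an added RouterOS configuration example, not part of the original post: it binds management services to a management subnet and drops Winbox/SSH arriving on the WAN. The management subnet 192.168.88.0/24 and an interface list named WAN are assumptions.

```routeros
# Added hardening example, not from the original post. Assumes the
# management LAN is 192.168.88.0/24 and an interface list named "WAN"
# already exists on the router.

# Weak default: winbox and ssh have an empty address= field, so they
# answer on every interface, including the one facing the internet.
# Bind both to the management subnet and disable the plaintext
# services (telnet, ftp) that the scan showed open.
/ip service
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
set telnet disabled=yes
set ftp disabled=yes

# Switch off the bandwidth-test server that was listening on TCP 2000.
/tool bandwidth-server
set enabled=no

# Also drop Winbox and SSH on the WAN at the firewall, so the service
# never sees the connection. place-before=0 puts the rule at the top of
# the input chain, ahead of any existing accept rules.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291,22 action=drop place-before=0 comment="drop remote management from WAN"
```

Restricting reachability only limits who can talk to the vulnerable service; the credential leak itself is fixed by upgrading RouterOS to a release that patches the Winbox bug.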