• No results found

NTP Sync & Misc

In document Tutorial Mikrotik Komplet (Page 157-168)

Securing New RouterOs Router (MIKROTIK)

6. NTP Sync & Misc

Waktu itu harus disetting jangan lupa.. jangan2 belum diset time di compynya..

/system clock set time-zone=+12 kita juga harus mensetup NTP Client

/system ntp client set enabled=yes primary-ntp=192.168.0.2 secondary-ntp=192.168.0.3 mode=unicast

Thanks to : jasakom, echo, jatimcrew, and all security forum indonesia

Pentest Lab with Mikrotik from primadonal.wordpress.com

Lebih lengkap silahkan dilihat di SINI xxxxxxxxxxxxxxxxxxxxx

Pentest Lab

xxxxxxxxxxxxxxxxxxxxx

Secara default untuk mengakses RouterOS dapat melalui:

o Telnet o SSH o HTTP o Winbox o FTP

o Mac-Telnet

### Minimal Firewall Configuration Fig. Topologi

Target Attacker

[ vmWare ] ;——–x x———; [ Notebook ] 192.168.0.1/24 192.168.0.2/24 RouterOS winXP

Alatbantu:

- PortScanner . Nmap v4.2 - HTTP BruteForce . FScan v0.6 - SSH BruteForce

- FTP BruteForce - Portknock

;;;;;;;;;;;; Ada lima Rule ;;;;;;;;;;

o1. Drop Port Scanner o2. Drop SSH BruteForce o3. Drop FTP BruteForce

o4. Drop HTTP/HTTPS BruteForce o5. PortKnocking Rule

o1. Drop Port Scanner

———————————————————————————–

D:\>nmap -vv -sX -sV -p U:53,111,137,500,T:21-25,80,139,179,8080 192.168.0.1 Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2008-07-19 17:12 SE Asia Stand ard Time

Initiating ARP Ping Scan at 17:12 Scanning 192.168.0.1 [1 port]

Completed ARP Ping Scan at 17:12, 0.11s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 17:12

Completed Parallel DNS resolution of 1 host. at 17:12, 16.50s elapsed Initiating XMAS Scan at 17:12

Scanning 192.168.0.1 [9 ports]

Completed XMAS Scan at 17:12, 1.27s elapsed (9 total ports) Initiating Service scan at 17:12

Scanning 4 services on 192.168.0.1

Discovered open port 80/tcp on 192.168.0.1

Discovered open|filtered port 80/tcp on 192.168.0.1 is actually open Discovered open port 23/tcp on 192.168.0.1

Discovered open|filtered port 23/tcp on 192.168.0.1 is actually open Discovered open port 22/tcp on 192.168.0.1

Discovered open|filtered port 22/tcp on 192.168.0.1 is actually open Discovered open port 21/tcp on 192.168.0.1

Discovered open|filtered port 21/tcp on 192.168.0.1 is actually open Completed Service scan at 17:12, 6.09s elapsed (4 services on 1 host) SCRIPT ENGINE: Initiating script scanning.

Host 192.168.0.1 appears to be up … good.

Interesting ports on 192.168.0.1:

PORT STATE SERVICE VERSION

21/tcp open ftp MikroTik router ftpd 2.9.27

22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9 (protocol 1.99) 23/tcp open telnet Linux telnetd

24/tcp closed priv-mail 25/tcp closed smtp

80/tcp open http MikroTik router http config 139/tcp closed netbios-ssn

179/tcp closed bgp

8080/tcp closed http-proxy

MAC Address: 00:0C:29:D1:59:AB (VMware)

Service Info: Host: MikroTik; OS: Linux; Device: router Read data files from: C:\Program Files\Nmap

Service detection performed. Please report any incorrect results at http://insec ure.org/nmap/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 24.203 seconds Raw packets sent: 14 (562B) | Rcvd: 7 (302B)

D:\>

———————————————————————————–

Tambahkan rule;

———————————————————————————–

| add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \

| address-list=”port scanners” address-list-timeout=2w comment=”Drop Port \

| Scanners” disabled=no

| add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \

| action=add-src-to-address-list address-list=”port scanners” \

| address-list-timeout=2w comment=”" disabled=no

| add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \

| address-list=”port scanners” address-list-timeout=2w comment=”" \

| disabled=no

| add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \

| address-list=”port scanners” address-list-timeout=2w comment=”" \

| disabled=no

| add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \

| action=add-src-to-address-list address-list=”port scanners” \

| address-list-timeout=2w comment=”" disabled=no

| add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \

| action=add-src-to-address-list address-list=”port scanners” \

| address-list-timeout=2w comment=”" disabled=no

| add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \

| action=add-src-to-address-list address-list=”port scanners” \

| address-list-timeout=2w comment=”" disabled=no

| add chain=input src-address-list=”port scanners” action=drop comment=”" \

| disabled=no

———————————————————————————–

IP address Attacker akan dimasukkan kedalam ip firewall address-list, Maka;

———————————————————————————–

D:\>nmap -vv -sX -sV -p U:53,111,137,500,T:21-25,80,139,179,8080 192.168.0.1 Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2008-07-19 17:16 SE Asia Stand ard Time

Initiating ARP Ping Scan at 17:16 Scanning 192.168.0.1 [1 port]

Completed ARP Ping Scan at 17:16, 0.11s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 17:16

Completed Parallel DNS resolution of 1 host. at 17:17, 16.50s elapsed Initiating XMAS Scan at 17:17

Scanning 192.168.0.1 [9 ports]

Completed XMAS Scan at 17:17, 1.26s elapsed (9 total ports) Initiating Service scan at 17:17

Scanning 9 services on 192.168.0.1

Completed Service scan at 17:17, 5.00s elapsed (9 services on 1 host) SCRIPT ENGINE: Initiating script scanning.

Host 192.168.0.1 appears to be up … good.

Interesting ports on 192.168.0.1:

PORT STATE SERVICE VERSION 21/tcp open|filtered ftp

22/tcp open|filtered ssh 23/tcp open|filtered telnet 24/tcp open|filtered priv-mail 25/tcp open|filtered smtp 80/tcp open|filtered http

139/tcp open|filtered netbios-ssn 179/tcp open|filtered bgp

8080/tcp open|filtered http-proxy

MAC Address: 00:0C:29:D1:59:AB (VMware) Read data files from: C:\Program Files\Nmap

Service detection performed. Please report any incorrect results at http://insec ure.org/nmap/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 23.094 seconds Raw packets sent: 19 (762B) | Rcvd: 1 (42B)

D:\>

[admin@MikroTik] ip firewall address-list> print Flags: X - disabled, D - dynamic

# LIST ADDRESS

0 Save Haven 192.168.0.3-192.168.0.5 1 D Save Haven 192.168.0.2

2 D port scanners 192.168.0.2

[admin@MikroTik] ip firewall address-list>

C:\Documents and Settings\adminz>ping 192.168.0.1 -t Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Request timed out.

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 192.168.0.1:

Packets: Sent = 24, Received = 19, Lost = 5 (20% loss), Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms Control-C

^C

C:\Documents and Settings\adminz>

———————————————————————————–

o2. Drop SSH BruteForces

———————————————————————————–

| add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \

| action=drop comment=”Drop SSH brute forcers” disabled=no

| add chain=input protocol=tcp dst-port=22 connection-state=new \

| src-address-list=ssh_stage3 action=add-src-to-address-list \

| address-list=ssh_blacklist address-list-timeout=1w3d comment=”" \

| disabled=no

| add chain=input protocol=tcp dst-port=22 connection-state=new \

| src-address-list=ssh_stage2 action=add-src-to-address-list \

| address-list=ssh_stage3 address-list-timeout=1m comment=”" disabled=no

| add chain=input protocol=tcp dst-port=22 connection-state=new \

| src-address-list=ssh_stage1 action=add-src-to-address-list \

| address-list=ssh_stage2 address-list-timeout=1m comment=”" disabled=no

| add chain=input protocol=tcp dst-port=22 connection-state=new \

| action=add-src-to-address-list address-list=ssh_stage1 \

| address-list-timeout=1m comment=”" disabled=no

———————————————————————————–

o3. Drop FTP BruteForce

———————————————————————————–

| add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \

| action=drop comment=”Drop FTP brute forcers” disabled=no

| add chain=output protocol=tcp content=”530 Login incorrect” \

| dst-limit=1/1m,9,dst-address/1m action=accept comment=”" disabled=no

| add chain=output protocol=tcp content=”530 Login incorrect” \

| action=add-dst-to-address-list address-list=ftp_blacklist \

| address-list-timeout=3h comment=”" disabled=no

———————————————————————————–

o4. Drop HTTP/HTTPS BruteForce

Meminimalkan attacking terhadap port http/https ke RouterOS dengan BruteForce Seperti:

————————————————————————————

D:\fscan>fscan.exe –ports 80 –hosts 192.168.0.1 –threads 200

Fast HTTP Auth Scanner v0.6

(c) Andres Tarasco - http://www.514.es [+] Loaded 26 user/pass combinations [+] Loaded 42 ignored webservers

[+] Loaded 41 Router authentication schemes [+] Loaded 51 webform authentication schemes [+] Loaded 13 Single Users

[+] Scanning 1 hosts (192.168.0.1 - (null)) [+] Scanning 1 ports - bruteforce is active Server Port status password banner

192.168.0.1 80 200 not:found (mikrotik routeros) scan Finished

D:\fscan>

————————————————————————————

Jika dilihat pada log RouterOS :

————————————————————————————

[admin@MikroTik] > log print

16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user Admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user cisco from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user 1234 from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user operator from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user user from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user super from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user test from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user Cisco from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user smc from 192.168.0.2 via web 16:49:45 system,error,critical login failure for user support from 192.168.0.2 via web 16:52:17 system,error,critical login failure for user admin via local

————————————————————————————

Tambahkan Rule di firewall RouterOS

———————————————————————————–

| add chain=input protocol=tcp dst-port=80 src-address-list=web_blacklist \

| action=drop comment=”Drop Web brute forcers” disabled=no

| add chain=input protocol=tcp dst-port=443 src-address-list=web_blacklist \

| action=drop comment=”" disabled=no

| add chain=output protocol=tcp content=”invalid user name or password” \

| dst-limit=1/1m,9,dst-address/1m action=accept comment=”" disabled=no

| add chain=output protocol=tcp content=”invalid user name or password” \

| action=add-dst-to-address-list address-list=web_blacklist \

| address-list-timeout=3h comment=”" disabled=no

———————————————————————————–

Dilakukan Bruteforce lagi, maka:

———————————————————————————–

[admin@MikroTik] ip firewall address-list> pr Flags: X - disabled, D - dynamic

# LIST ADDRESS

0 Save Haven 192.168.0.3-192.168.0.5 1 D Save Haven 192.168.0.2

2 D web_blacklist 192.168.0.2

[admin@MikroTik] ip firewall address-list>

D:\fscan>fscan.exe –ports 80 –hosts 192.168.0.1 –threads 200 Fast HTTP Auth Scanner v0.6

(c) Andres Tarasco - http://www.514.es [+] Loaded 26 user/pass combinations [+] Loaded 42 ignored webservers

[+] Loaded 41 Router authentication schemes [+] Loaded 51 webform authentication schemes [+] Loaded 13 Single Users

[+] Scanning 1 hosts (192.168.0.1 - (null)) [+] Scanning 1 ports - bruteforce is active Server Port status password banner scan Finished

D:\fscan>

———————————————————————————–

o5. PortKnocking Rule

Tambahkan Rule pada Firewall filter:

———————————————————————————–

| add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \

| address-list=knock-knock address-list-timeout=15s comment=”Port Knocking” \

| disabled=no

| add chain=input protocol=udp dst-port=17954 src-address-list=knock-knock \

| action=add-src-to-address-list address-list=”Save Haven” \

| address-list-timeout=3h comment=”" disabled=no

| add chain=input src-address-list=”Save Haven” action=accept comment=”" \

| disabled=no

| add chain=input action=drop comment=”" disabled=no

———————————————————————————–

———————————————————————————–

# Download tool portknocking

D:\>wget http://www.zeroflux.org/proj/knock/files/knock-cygwin.zip

# Ekstrak file D:\knock>dir

Volume in drive D is —data.

Volume Serial Number is 20B3-1A4D Directory of D:\knock

19/07/2008 15:24 <DIR> . 19/07/2008 15:24 <DIR> ..

03/07/2005 02:30 1.295.582 cygwin1.dll 10/08/2005 14:52 15.238 knock.exe 2 File(s) 1.310.820 bytes

2 Dir(s) 714.395.648 bytes free D:\knock>

C:\Documents and Settings\adminz>ping 192.168.0.1 -t Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 192.168.0.1:

Packets: Sent = 6, Received = 0, Lost = 6 (100% loss), Control-C

^C

C:\Documents and Settings\adminz>

D:\>telnet 192.168.0.1 22

Connecting To 192.168.0.1…Could not open connection to the host, on port 22: C onnect failed

D:\>putty -ssh -l admin 192.168.0.1 D:\>

———————————————

|PuTTY Fatal Error [x]|

|——————————————-|

| |

| (X) Network error: Connection timed out |

| |

| +———–+ |

| | OK | |

| +———–+ |

| |

———————————————

D:\knock>knock.exe

usage: knock [options] <host> <port[:proto]> [port[:proto]] … options:

-u, –udp make all ports hits use UDP (default is TCP) -v, –verbose be verbose

-V, –version display version -h, –help this help

example: knock myserver.example.com 123:tcp 456:udp 789:tcp D:\knock>knock 192.168.0.1 1337:tcp 17954:udp

D:\knock>

C:\Documents and Settings\adminz>ping 192.168.0.1 -t Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Reply from 192.168.0.1: bytes=32 time<1ms TTL=64 Ping statistics for 192.168.0.1:

Packets: Sent = 18, Received = 11, Lost = 7 (38% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms Control-C

^C

C:\Documents and Settings\adminz>

D:\>putty -ssh -l admin 192.168.0.1 D:\>

|17:38:31 system,info,account user admin logged in from 192.168.0.2 via ssh [v]|

=====================================================================

==================

Export file configuration

————————-;

/ ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \ address-list=”port scanners” address-list-timeout=2w comment=”Drop Port \ Scanners” disabled=no

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \ action=add-src-to-address-list address-list=”port scanners” \

address-list-timeout=2w comment=”" disabled=no

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \ address-list=”port scanners” address-list-timeout=2w comment=”" \

disabled=no

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \ address-list=”port scanners” address-list-timeout=2w comment=”" \

disabled=no

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \ action=add-src-to-address-list address-list=”port scanners” \ address-list-timeout=2w comment=”" disabled=no

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \ action=add-src-to-address-list address-list=”port scanners” \ address-list-timeout=2w comment=”" disabled=no

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \ action=add-src-to-address-list address-list=”port scanners” \

address-list-timeout=2w comment=”" disabled=no

add chain=input src-address-list=”port scanners” action=drop comment=”" \ disabled=no

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \ action=drop comment=”Drop SSH brute forcers” disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage3 action=add-src-to-address-list \

address-list=ssh_blacklist address-list-timeout=1w3d comment=”" \ disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \ src-address-list=ssh_stage2 action=add-src-to-address-list \

address-list=ssh_stage3 address-list-timeout=1m comment=”" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new \

src-address-list=ssh_stage1 action=add-src-to-address-list \

address-list=ssh_stage2 address-list-timeout=1m comment=”" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new \

action=add-src-to-address-list address-list=ssh_stage1 \ address-list-timeout=1m comment=”" disabled=no

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \ action=drop comment=”Drop FTP brute forcers” disabled=no

add chain=output protocol=tcp content=”530 Login incorrect” \

dst-limit=1/1m,9,dst-address/1m action=accept comment=”" disabled=no add chain=output protocol=tcp content=”530 Login incorrect” \

action=add-dst-to-address-list address-list=ftp_blacklist \ address-list-timeout=3h comment=”" disabled=no

add chain=input protocol=tcp dst-port=80 src-address-list=web_blacklist \ action=drop comment=”Drop Web brute forcers” disabled=no

add chain=input protocol=tcp dst-port=443 src-address-list=web_blacklist \ action=drop comment=”" disabled=no

add chain=output protocol=tcp content=”invalid user name or password” \ dst-limit=1/1m,9,dst-address/1m action=accept comment=”" disabled=no add chain=output protocol=tcp content=”invalid user name or password” \ action=add-dst-to-address-list address-list=web_blacklist \

address-list-timeout=3h comment=”" disabled=no

add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \ address-list=knock-knock address-list-timeout=15s comment=”Port Knocking” \

disabled=no

add chain=input protocol=udp dst-port=17954 src-address-list=knock-knock \ action=add-src-to-address-list address-list=”Save Haven” \

address-list-timeout=3h comment=”" disabled=no

add chain=input src-address-list=”Save Haven” action=accept comment=”" \ disabled=no

add chain=input action=drop comment=”" disabled=no

### Other Security

o SSH Preshated Key authentication Generate Publik dan private key Menggunakan ssh keygen pada *NIX sh$ ssh-keygen -t dsa -f ./id_dsa Generating public/private dsa key pair.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in ./id_dsa.

Your public key has been saved in ./id_dsa.pub.

The key fingerprint is:

91:d7:08:be:b6:a1:67:5e:81:02:cb:4d:47:d6:a0:3b admin-ssh@beka Menggunakan PuTTYGen Pada Windows

Upload file publik key ke RouterOS gunakan Scp, selanjutnya import file, [admin@MikroTik] user ssh-keys> import file=id_dsa.pub user=admin-ssh [admin@MikroTik] user ssh-keys> print

# USER KEY-OWNER 0 admin-ssh admin-ssh@beka [admin@MikroTik] user ssh-keys>

o Firewall - http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling o Syslog Daemon

In document Tutorial Mikrotik Komplet (Page 157-168)

Related documents