Implementing a Password Reset Function for Persistent Access in MikroTik RouterOS
This tutorial demonstrates a post-exploitation technique to establish persistent access in MikroTik RouterOS by implementing a password reset function triggered via SNMP. We will create a MikroTik script named "password reset" to clear the admin password, enable SNMP write access using the community string "opensesame," and confirm the SNMP service is operational. The process concludes with using snmpwalk to query available scripts and snmpset to execute the password reset script remotely via SNMP, ensuring continued access post-authentication.
Step 1: Create the Password Reset Script
Access the MikroTik CLI:
You can access the MikroTik CLI via SSH, Telnet, or the Winbox terminal. For SSH, use a terminal application like PuTTY or the built-in terminal on your operating system.
Connect to your MikroTik router using its IP address and login credentials.
Create the Script:
Use the following command to create a new script named "password reset" that changes the password of the "admin" user to an empty password.
(Fixed error in original posting by author, add
dont-require-permissions=yes
Verify the Script:
Verify that the script has been created correctly by listing all scripts.
Output:
Step 2: Enable SNMP Write Access
Enable SNMP:
Enable the SNMP service on the router.
Configure SNMP Community:
Add an SNMP community "opensesame" with write access.
Verify SNMP Configuration:
Verify that the SNMP service and community have been configured correctly.
Output:
Step 3: Query Scripts Using SNMP
Install SNMP Tools:
Ensure that you have SNMP tools installed on your system. On Debian-based systems, you can install them using:
Use
snmpwalk
to Query Scripts:Use the
snmpwalk
command to query the OID1.3.6.1.4.1.14988.1.1.8
to list the scripts.
This command will list the scripts available on the MikroTik router. Note that the MIB table OID values may differ.
Output:
Step 4: Run the Script Using SNMP
Use
snmpset
to Run the Script:Use the
snmpset
command to run the "password reset" script. Replace<router_ip_address>
with the IP address of your MikroTik router. Ensure you are using the correct MIB table values for your script, from the snmpwalk command above.
Output:
This command will execute the "password reset" script, setting the admin password to an empty string. You can now authenticate to the router with
ssh admin@router_ip_address
.
Summary
This tutorial outlines adding a password reset function to MikroTik RouterOS as a post-exploitation technique for maintaining persistent access after authentication. It involves creating a "password reset" script to clear the admin password, enabling SNMP write access with the "opensesame" community string, verifying SNMP functionality, querying scripts with snmpwalk, and executing the script via snmpset. Administrative access to the router and basic networking knowledge are required.
Last updated
Was this helpful?