Open lorenzobucci opened 4 years ago
Heyyy! Ok, I'll look at it in the next few days. I think there's a non-ASCII character in the password that throws an exception and skips that user.
What a surprise! So look, I did a quick debug and it seems the split between user and password never happens, because the delimiter characters you put in the code aren't in my file. Maybe I have too recent a version of RouterOS, I don't know... If you can take a look when you have time, I'd appreciate it. Thank you!
Yeah, it may well be that they changed the format in the latest versions. In the last year I haven't reversed RouterOS any more, because I moved on to looking at other things, so I'm not super up to date.
I can confirm this behavior. I exported RouterOS 6.46; the Unpack command works OK, but "python extract_user.py", although used correctly, does not give any output on the screen.
If possible, maybe it should also output to an output.txt file within the same folder. Thank you for your effort.
Hey, I know everybody is busy, but can we expect you to fix this soon? Also, what version of RouterOS were you using when you created this script?
Thank you!
I have an exam in the next few days. After that maybe I'll fix this. I think I was using 6.38.4, if I remember correctly; I made it during Chimay Red development.
In the changelog I found this:
Due to removal of compatibility with old version passwords in this version,
downgrading to any version prior to v6.43 (v6.42.12 and older)
will clear all user passwords and allow password-less authentication.
Please secure your router after downgrading.
6.45.1
!) user - removed insecure password storage;
6.43
user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
@lorenzobucci using https://github.com/0ki/mikrotik-tools/ (you have to replace this line with conf = MTConfig(dir+"/"+database+".dat")) you can extract this info:
{'comment': 'system default user', 'username': 'admin', 'group': 3, 'groupname': 'full', 'allowed_addresses': [], '_r20': [38, 48, 36, 156, 100, 141, 213, 212, 235, 42, 229, 251, 196, 75, 245, 13], 'password_set': True, 'allowed_ip4': '0.0.0.0', '_r21': [49, 25, 4, 196, 171, 136, 188, 188, 165, 133, 86, 181, 188, 0, 223, 7, 6, 226, 72, 178, 132, 187, 125, 102, 84, 162, 205, 47, 177, 80, 113, 64, 1], 'disabled': False, 'allowed_net4': '0.0.0.0', 'record_id': 1, 'permissions': '7fffe'}
{'comment': '', 'username': 'fastera_adm', 'group': 3, 'groupname': 'full', 'allowed_addresses': [], '_r20': [73, 206, 103, 195, 65, 214, 209, 25, 60, 154, 74, 185, 125, 62, 167, 225], 'password_set': True, 'allowed_ip4': '0.0.0.0', '_r21': [78, 169, 117, 36, 39, 0, 85, 30, 148, 134, 55, 72, 69, 140, 190, 218, 240, 164, 184, 55, 24, 171, 100, 14, 27, 16, 203, 92, 90, 90, 85, 218, 0], 'disabled': False, 'allowed_net4': '0.0.0.0', 'record_id': 2, 'permissions': '7fffe'}
{'comment': 'system default user', 'username': 'admin', 'group': 3, 'groupname': 'full', 'allowed_addresses': [], '_r20': [38, 48, 36, 156, 100, 141, 213, 212, 235, 42, 229, 251, 196, 75, 245, 13], 'password_set': True, 'allowed_ip4': '0.0.0.0', '_r21': [49, 25, 4, 196, 171, 136, 188, 188, 165, 133, 86, 181, 188, 0, 223, 7, 6, 226, 72, 178, 132, 187, 125, 102, 84, 162, 205, 47, 177, 80, 113, 64, 1], 'disabled': False, 'allowed_net4': '0.0.0.0', 'last_login': 'May/28/2020 22:43:10', 'record_id': 1, 'permissions': '7fffe'}
You can see that there is no "password" field (which was used to decrypt the password), but there are two new unknown fields, "_r20" and "_r21". _r20 is 16 bytes long, so I think it is the password hashed with MD5. _r21 may be a salt or a key for the encryption cited in the changelog.
@BigNerd95 in fact I had tried it too, obtaining the same result. So I deduce that with this RouterOS version it's impossible to recover passwords?
I think the encryption is not a problem, since there will be a key somewhere. The only problem is the hash. The only way to recover the password from a hash is using brute force.
Mmmh... not good. I rely on you as soon as you have some free time. Thanks again!
Can the hash be reverse engineered based on another account on the same router, if the password is known for that other account?
A hash by definition can't be reversed. You can only brute force the password for each account. If two accounts have the same password, they could still have two different hashes if a different salt was used for each account (a widely used best practice).
Do you think you will be able to solve it in near future?
This is not an issue to solve. The password storage is completely different, so the extraction needs to be reimplemented. Anyway, it won't be as fast as now, as it requires brute-forcing the hash.
I'm working on another target at the moment (Dahua), so I don't think I'll put effort into this project this summer. Sorry.
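The points made in the last few replies (no "password" field in the new records, a 16-byte _r20 beside a 33-byte _r21, per-account salts, and brute force as the only way back from a hash) in working code. This is an added example and not part of the thread, of extract_user.py or of mikrotik-tools: the storage_format classifier, the candidate MD5 constructions, and the "alice"/"bob" demo accounts with their salts and wordlist are assumptions made for illustration. Only the two records copied from the posts above are the page's own data, and the actual RouterOS >= 6.43 scheme is not established anywhere here.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# The 'admin' and 'fastera_adm' records exactly as 0ki/mikrotik-tools printed
# them in this thread, reduced to the fields used below.
PAGE_RECORDS: List[dict] = [
    {"username": "admin", "password_set": True,
     "_r20": [38, 48, 36, 156, 100, 141, 213, 212, 235, 42, 229, 251, 196, 75, 245, 13],
     "_r21": [49, 25, 4, 196, 171, 136, 188, 188, 165, 133, 86, 181, 188, 0, 223, 7, 6,
              226, 72, 178, 132, 187, 125, 102, 84, 162, 205, 47, 177, 80, 113, 64, 1]},
    {"username": "fastera_adm", "password_set": True,
     "_r20": [73, 206, 103, 195, 65, 214, 209, 25, 60, 154, 74, 185, 125, 62, 167, 225],
     "_r21": [78, 169, 117, 36, 39, 0, 85, 30, 148, 134, 55, 72, 69, 140, 190, 218, 240,
              164, 184, 55, 24, 171, 100, 14, 27, 16, 203, 92, 90, 90, 85, 218, 0]},
]


def storage_format(record: dict) -> str:
    """Classify a user.dat record, so a tool can fail loudly instead of
    silently printing nothing when the on-disk format is not the one it expects."""
    if "password" in record:
        return "legacy-plaintext"      # the field extract_user.py decrypted
    if "_r20" in record and "_r21" in record:
        return "hashed-6.43+"          # 16-byte digest plus a 33-byte blob
    return "unknown"


def field_bytes(record: dict, name: str) -> bytes:
    """mikrotik-tools prints raw fields as lists of ints; turn one into bytes."""
    return bytes(record[name])


# Candidate ways a 16-byte digest could have been built from password and
# salt. ASSUMPTION: these are illustrative guesses, not the real RouterOS
# >= 6.43 scheme, which the thread does not establish.
Construction = Callable[[bytes, bytes], bytes]
CONSTRUCTIONS: Dict[str, Construction] = {
    "md5(pw)": lambda pw, salt: hashlib.md5(pw).digest(),
    "md5(salt||pw)": lambda pw, salt: hashlib.md5(salt + pw).digest(),
    "md5(pw||salt)": lambda pw, salt: hashlib.md5(pw + salt).digest(),
}


def crack(digest: bytes, salt: bytes, wordlist: Iterable[str],
          constructions: Dict[str, Construction] = CONSTRUCTIONS
          ) -> Optional[Tuple[str, str]]:
    """Dictionary attack: return (construction, password) for the first candidate
    whose digest matches, else None. Per-account salts mean this must be run
    once per account; a hit on one account says nothing about another."""
    for word in wordlist:
        pw = word.encode("utf-8")
        for name, build in constructions.items():
            if build(pw, salt) == digest:
                return name, word
    return None


# Constructed demo data (not from any router): two accounts with the same
# password but different 16-byte salts, stored as md5(salt||pw) under the
# hypothesis above.
DEMO_PASSWORD = "Passw0rd!"
DEMO_SALTS: Dict[str, bytes] = {"alice": bytes(range(16)), "bob": bytes(range(16, 32))}
DEMO_DIGESTS: Dict[str, bytes] = {
    user: hashlib.md5(salt + DEMO_PASSWORD.encode("utf-8")).digest()
    for user, salt in DEMO_SALTS.items()
}
WORDLIST = ["admin", "password", "123456", "mikrotik", DEMO_PASSWORD]


def crack_demo_accounts() -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the attack per account, each with that account's own salt."""
    return {user: crack(DEMO_DIGESTS[user], DEMO_SALTS[user], WORDLIST)
            for user in DEMO_SALTS}


if __name__ == "__main__":
    for rec in PAGE_RECORDS:
        print(rec["username"], storage_format(rec),
              "_r20 =", field_bytes(rec, "_r20").hex(),
              "_r21 len =", len(field_bytes(rec, "_r21")))
    # Same password, different salts: the stored digests differ, so one
    # cracked account does not reveal the other without its own run.
    print("digests equal:", DEMO_DIGESTS["alice"] == DEMO_DIGESTS["bob"])
    print(crack_demo_accounts())
    # Speculative run on the real records, treating the first 16 bytes of
    # _r21 as a salt; with a five-word list this is expected to find nothing.
    for rec in PAGE_RECORDS:
        print(rec["username"], crack(field_bytes(rec, "_r20"),
                                     field_bytes(rec, "_r21")[:16], WORDLIST))
```

The classifier is the check extract_user.py was missing: it reports "hashed-6.43+" for both records from the thread instead of silently finding no delimiter. The demo accounts show why the salt matters: alice and bob share a password, yet their digests differ, and cracking bob's digest with alice's salt yields nothing, so each account costs its own dictionary run.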
The script fails while attempting to extract user data from my user.dat file. No output or error is returned. I attach the file if you want to try it yourself (remove the .txt extension first). Thanks for the support! user.dat.txt