MikroTik Value Added Distributor, MikroTik Training Centre, MikroTik Toronto, MikroTik Canada

T (647) 477-0163
Email: support@wirelessnetware.ca

Wireless Netware Technology LTD.
550 Alden Road, Unit# 210A, Markham, Ontario L3R6A8

Thursday, 20 December 2018 / Published in Blog, Insider Secrets, RouterOS, Training

Wondering Whether Someone’s Eavesdropping? Maybe You’re Right!

Do you think someone might be eavesdropping via a laptop or a smartphone? Well, maybe you are right! Learn how to catch them red-handed and shut them out. Have you ever seen a pesky pop-up ad a few minutes after you discussed the remotest subject with a friend? Relatedly, have you ever given careful attention to the terms and conditions of the applications installed on your smartphone? Do you know whether those applications are using your phone's microphone, camera, GPS and other features of your device to profile you, market their products, or design their business strategies based on how you think? What about your ideas? How safe are they, and how can you protect them from being yanked away? Follow the steps below and see for yourself.


Step-By-Step Configuration:

Requirements:
  1. A PC, laptop, or smartphone
  2. A MikroTik router with a minimum of two Ethernet interfaces; wireless is optional
    1. Our recommendation is the hAP mini (RB931-2nD)
  3. Internet access with no filtering

Network Diagram:

This is how you should connect your smartphone to a MikroTik router and establish a connection between the router and the Internet.

MikroTik Router configuration:

Default configuration:

Default Configurations on RouterBOARDS

Most MikroTik routers in the "Wireless for home and office" category ship with a default configuration as described below:

  • ether1 is set up as the WAN interface, with a DHCP client configured to get an IP address from your modem;
  • The other Ethernet interfaces and the wireless interface(s) are bridged together as the LAN network. You can connect the Ethernet port of your PC/laptop to one of these ports;
  • wlan1 and wlan2 (if available) are already set up and broadcasting the SSID MikroTik-<MAC address>, so you can connect your smartphone/laptop to the router by looking for that open SSID;
  • The default IP address 192.168.88.1 is assigned to the bridge interface, and a DHCP server hands out client addresses from the pool 192.168.88.10-192.168.88.254;
  • Source NAT (masquerade) translates the private LAN addresses to the WAN address; and
  • A basic firewall filter protects the router itself and the LAN clients.

In other words, almost everything is ready for us to begin the test.

Step-by-step visual guide for the required configuration:

  1. Connection between laptop <-> MikroTik router
  2. Open the WinBox software:

Download the latest version of WinBox from the MikroTik download page.

  3. From the Neighbors tab, click on the Refresh button. You will find RB931-2nD in the list. Click on the IP Address:
  4. The default router username is admin and no password has been set. Click on the Connect button:

Note: Press OK to keep the default configuration.

IP Address configuration

  5. Complete this checklist:
    1. Click on Interfaces: check the interfaces and make sure you have the "R" (running) flag beside ether1 and, if you expect a wireless client connected to this device, beside wlan1.
  6. From the left side menu, click on IP → Addresses. Make sure there is an IP address assigned to ether1.

Troubleshooting

  7. Check that the router itself can reach the Internet: from the left side menu, click on Tools → Ping and ping 8.8.8.8 and yahoo.com.
  8. Now check your PC/laptop/smartphone by browsing the Internet and pinging 8.8.8.8. If everything opens fine, we are good to go. Otherwise, troubleshoot the NAT and firewall settings.

Disable/Remove all the firewall rules

  9. From the left side menu bar, click on IP → Firewall → Filter Rules.
  10. Select all of the firewall rules using Ctrl+A and remove them by clicking on the red minus button.

Ignore the dummy rule and let it stay.

Do this only on a lab router that you will reset afterwards: the default filter rules are what keep WinBox, SSH and the other management services on ether1 unreachable from the Internet. If you prefer to keep the default rules, the logging rules created below still work, but they must be placed above the default "fasttrack" rule in the forward chain, because fasttracked packets of established connections skip the remaining filter rules and would never be logged.

Network Diagram

  11. Test the connections between the smartphone and the MikroTik router:
    1. You may be better off with two devices connected to the router over the wireless interface, for instance one laptop and one smartphone. One runs the tools (preferably the laptop) and the other runs the apps (the smartphone).

Setup DHCP-Server

  12. Check the connections in the Registration tab of Wireless Tables, and in the Leases tab found via IP → DHCP Server. The address shown in the Leases tab for the smartphone (192.168.88.253 in this guide) is the one used in all the rules below; select the lease and click "Make Static" so it does not change between tests.

How to log traffic going through the router

  13. Create two rules in IP → Firewall → Filter Rules to log all traffic from and to the smartphone.
    1. Click on the blue plus button:
  14. Under the General tab, choose "forward" in the Chain row and 192.168.88.253 for Src. Address. In the Action tab, choose "passthrough" for Action, check the box next to Log, and in Log Prefix type "traffic from smartphone".
  15. Now create a similar rule to log traffic to the smartphone. As in the previous one, Chain=forward, Action=passthrough, Log=Enabled, Log Prefix="traffic to smartphone". The only difference is that under the General tab you fill in Dst. Address with 192.168.88.253.

How to use the Torch tool to sniff the traffic

  1. From the left side menu, click on Tools → Torch.

Torch is a real-time traffic monitoring tool that lets you break down the packets on an interface by the following parameters:

  • Interface
  • Source address
  • Destination address
  • Port, protocol
  • IPv4/IPv6
  • VLAN
  • DSCP

Using Torch we get a quick picture of which hosts a client is talking to, on which ports and at what rate, without having to mirror the traffic to a laptop and open it in Wireshark.

  2. Run Torch from Tools → Torch.
  3. Change Interface to ether1 and check the boxes next to Src. Address, Dst. Address, Port, and Protocol. Then increase Entry Timeout to 00:01:00 and uncheck Src. Address6 and Dst. Address6.
  4. Click on the New Window button and follow the same process in the new Torch window, but change the interface to bridge and Src. Address to 192.168.88.253.
  5. Close all running software on your phone, open a browser and do a quick test:
    1. Open a website whose hosting IP address you know. For this guide I opened www.netwire.ca.
  6. Keep an eye on the running Torch while the page loads and write down all Dst. addresses using protocol TCP and port 80/443, since browsers use this port and protocol to fetch a website.
  7. Because we increased the entry timeout, the number of entries grows quickly; to find the active entries, sort them by Tx Rate.
  8. As you can see, the Src. Address is always the same but the Dst. addresses differ. In this example, the only Dst. Address with traffic is 38.110.90.231, and the other information for this packet is tcp/443.
  9. Now open a browser on your computer and look up the IP address at https://www.whatismyip.com/ip-whois-lookup/; as the picture below shows, that is where netwire.ca is hosted.
  10. Now let's run another test. Open the Facebook application and check Torch again.
  11. In this example, the Dst. addresses are 31.13.71.1 and 31.13.71.3.

How to find which traffic is legit?

  1. Now we want to test the smartphone microphone:
    1. Close all the applications;
    2. Check Torch. Make sure you are in a quiet area and nothing is appearing in Torch;
    3. Think of a subject you have never talked about before and start speaking about it close to the phone;
    4. Start Torch, keep an eye on it while you speak, and write down all the IP addresses on paper; and
    5. My subject was a Christmas toy gift (a toy from Costco).
  2. The result: with all applications closed and nobody speaking, no traffic shows in Torch. However, as soon as I start speaking, I see traffic to Dst. Address 17.249.108.11, TCP port 5223.
  3. Now open the Facebook application and repeat the same test.
  4. As you can see in Torch, as soon as you start speaking these IP addresses appear, and when you stop speaking the Tx/Rx rates drop to 0 bps. A whois lookup for 157.240.18.15 gives the same result.
  5. Well, there you go! You have just pinpointed traffic that flows without any direct request from you. Now, how do we drop this type of traffic:
  6. By editing the firewall filter rules created earlier under "How to log traffic going through the router", we can easily drop traffic to a specific IP address, port and protocol. For example, in the picture above you can find some unique information about the logged traffic:
    1. The packet was received on the interface bridge;
    2. The protocol is TCP;
    3. The destination port is 443; and
    4. The destination address of the traffic that appeared while we were speaking is 23.222.75.174.

Note: the more specific the rule, the more efficient it is and the more precisely it catches the traffic you want the firewall to filter.

  7. To create a rule that accepts or drops a specific type of traffic based on the information from the log and Torch, proceed as follows:
    1. IP → Firewall → Filter Rules → Add a new rule
  8. You can see in the log that neither the source nor the destination address is the router's own address, so the packet travels through the router rather than to it. The chain to use for the rule is therefore "forward".
  9. A firewall rule works on the if-then principle: every field we define in the General tab is an "if" condition, and all of them must match a packet for the rule to apply. The next step is to define the appropriate Action for the rule.
  10. The last step is to change the rule order by dragging the rule and dropping it above the two logging rules. Rules are evaluated top to bottom and a drop ends processing, so the drop rule must sit above the passthrough logging rules if the dropped packets are not to be logged as well.
  11. Test that the firewall is working correctly:
    1. If I start another test, I should see rule #0 start counting packets, and no packets should be logged by rules #1 and #2. The traffic should also disappear from the Torch window on ether1; the Torch window on bridge will still show the phone's attempts, because Torch counts packets as they arrive on the interface, before the firewall drops them.
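The procedure above (log everything from and to the phone, compare a quiet period with a speaking period, then write a drop rule for what only showed up while speaking) can be automated from the router's log. The following is an added example, not code from the article or from MikroTik: it parses log lines in the format RouterOS writes for a filter rule with log=yes, subtracts the quiet-window baseline from the speaking window, and prints the RouterOS CLI for the two logging rules and for one drop rule per flagged destination. The log lines, timestamps, MAC addresses and window times are constructed for the example (the destination addresses are the ones the article reports); PHONE_IP, the rule comments and the window boundaries are assumptions.

```python
"""Added example: find destinations the phone talks to only while you speak,
using RouterOS firewall log lines, and emit matching drop rules."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PHONE_IP = "192.168.88.253"   # assumed: the phone's (static) DHCP lease

# RouterOS filter-log line: time, topics, log-prefix, chain, in/out interface,
# optional src-mac, proto (with TCP flags or ICMP type), src[:port]->dst[:port], len.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) firewall,info (?P<prefix>.+?) (?P<chain>\w+): "
    r"in:(?P<iface_in>\S+) out:(?P<iface_out>\S+), (?:src-mac \S+, )?"
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)$"
)

# Constructed sample output of "/log print" (not a real capture).
SAMPLE_LOG = """\
10:15:01 firewall,info traffic from smartphone forward: in:bridge out:ether1, src-mac 4c:ab:00:11:22:33, proto TCP (SYN), 192.168.88.253:50112->38.110.90.231:443, len 60
10:15:01 firewall,info traffic to smartphone forward: in:ether1 out:bridge, src-mac d4:ca:6d:00:00:01, proto TCP (SYN,ACK), 38.110.90.231:443->192.168.88.253:50112, len 60
10:21:00 firewall,info traffic from smartphone forward: in:bridge out:ether1, src-mac 4c:ab:00:11:22:33, proto ICMP (type 8, code 0), 192.168.88.253->8.8.8.8, len 84
10:30:12 firewall,info traffic from smartphone forward: in:bridge out:ether1, src-mac 4c:ab:00:11:22:33, proto TCP (ACK,PSH), 192.168.88.253:50140->17.249.108.11:5223, len 148
10:30:13 firewall,info traffic from smartphone forward: in:bridge out:ether1, src-mac 4c:ab:00:11:22:33, proto TCP (ACK,PSH), 192.168.88.253:50141->157.240.18.15:443, len 1392
10:30:14 firewall,info traffic from smartphone forward: in:bridge out:ether1, src-mac 4c:ab:00:11:22:33, proto TCP (ACK,PSH), 192.168.88.253:50141->157.240.18.15:443, len 1392
10:30:15 firewall,info traffic to smartphone forward: in:ether1 out:bridge, src-mac d4:ca:6d:00:00:01, proto TCP (ACK), 157.240.18.15:443->192.168.88.253:50141, len 52
10:31:00 firewall,info traffic from smartphone forward: in:bridge out:ether1, src-mac 4c:ab:00:11:22:33, proto ICMP (type 8, code 0), 192.168.88.253->8.8.8.8, len 84
10:31:30 system,info,account user admin logged in from 192.168.88.10 via winbox
"""


@dataclass(frozen=True)
class Flow:
    ts: int                 # seconds since midnight
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]    # None for protocols without ports (ICMP)
    length: int


def _secs(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text: str) -> list:
    """One Flow per line that matches the filter-log format; other topics are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        flows.append(Flow(ts=_secs(g["ts"]), proto=g["proto"].lower(),
                          src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
                          dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
                          length=int(g["length"])))
    return flows


def outbound_summary(flows, phone_ip, start, end) -> dict:
    """Bytes sent BY the phone per (dst, proto, dport) between start and end (inclusive)."""
    lo, hi = _secs(start), _secs(end)
    totals = defaultdict(int)
    for f in flows:
        if f.src == phone_ip and lo <= f.ts <= hi:
            totals[(f.dst, f.proto, f.dport)] += f.length
    return dict(totals)


def speech_correlated(flows, phone_ip, quiet, speaking) -> dict:
    """Destinations seen in the speaking window but absent from the quiet baseline."""
    baseline = outbound_summary(flows, phone_ip, *quiet)
    active = outbound_summary(flows, phone_ip, *speaking)
    return {k: v for k, v in active.items() if k not in baseline}


def log_rules(phone_ip) -> list:
    """The two passthrough+log rules from the article, as RouterOS CLI."""
    return [f'/ip firewall filter add chain=forward src-address={phone_ip} '
            f'action=passthrough log=yes log-prefix="traffic from smartphone"',
            f'/ip firewall filter add chain=forward dst-address={phone_ip} '
            f'action=passthrough log=yes log-prefix="traffic to smartphone"']


def drop_rules(phone_ip, destinations) -> list:
    """One specific drop rule per flagged destination, inserted at the top (place-before=0)."""
    rules = []
    for (dst, proto, dport), nbytes in sorted(destinations.items(),
                                              key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or 0)):
        match = f"chain=forward src-address={phone_ip} dst-address={dst} protocol={proto}"
        if dport is not None:
            match += f" dst-port={dport}"
        rules.append(f'/ip firewall filter add {match} action=drop place-before=0 '
                     f'comment="speech-correlated, {nbytes} bytes seen"')
    return rules


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    flagged = speech_correlated(flows, PHONE_IP, ("10:20:00", "10:25:00"), ("10:30:00", "10:35:00"))
    for rule in log_rules(PHONE_IP) + drop_rules(PHONE_IP, flagged):
        print(rule)
```

The baseline subtraction is the part worth copying: the 8.8.8.8 pings in the sample appear in both windows and are therefore not flagged, while the 5223 and 443 flows appear only while speaking and get a drop rule each. Treat the result as a lead, not proof. Time correlation does not show what the TLS payload carried, and TCP 5223 to an address in Apple's 17.0.0.0/8 is the port Apple's push notification service uses, so a keep-alive there is expected behaviour for any iPhone; confirm with a second, longer run and with whois before blocking anything.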

Tagged under: Firewall, RouterOS, torch


Copyright © 2015 WirelessNetware. All rights reserved.
