Full Report
Preamble

Anybody who has had a conversation with me about networks probably knows that I’m a bit of a MikroTik fanboy, and for good reason. I am also a long-time user and supporter of OpenWrt which makes my enthusiasm for MikroTik even more significant. Somewhere around 16 years ago I got my first router (TP-Link WR1043ND), my first introduction to OpenWrt, and my first USB-serial cable after accidentally flashing an update to the wrong place and bricking the router. I was amazed at how versatile the platform was, the fact that I could run arbitrary services on my router, limited only by its meagre resources.
Analysis Summary
# Tool/Technique: MikroTik-based Mobile PITM Interception
## Overview
This technique leverages the advanced networking capabilities of MikroTik routers (RouterOS) to perform transparent Adversary-in-the-Middle (AiTM/PITM) interception of mobile and IoT device traffic. By using destination NAT (DST-NAT) rules and address lists, an analyst can redirect device traffic to a Burp Suite listener without changing proxy settings on the target device.
## Technical Details
- **Type**: Technique / Attack Tool Configuration
- **Platform**: Cross-platform (Targets: iOS, Android, IoT; Infrastructure: MikroTik RouterOS)
- **Capabilities**: Transparent traffic redirection, "one-click" interception toggling, REST API automation, support for non-proxy-aware applications.
- **First Seen**: Article published June 4, 2024 (Technique utilizes long-standing RouterOS features).
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
  - **[T1557 - Adversary-in-the-Middle]**
- **[TA0007 - Discovery]**
  - **[T1046 - Network Service Discovery]** (via packet capture/redirection)
- **[TA0009 - Collection]**
  - **[T1040 - Network Sniffing]**
## Functionality
### Core Capabilities
- **Transparent Redirection**: Uses MikroTik `dst-nat` rules to intercept TCP ports 80 and 443, routing them to an external proxy (e.g., Burp Suite).
- **Invisible Proxying**: Leverages Burp Suite’s "Support invisible proxying" feature to handle traffic from clients that are not proxy-aware.
- **Selective Interception**: Employs "Address Lists" within the MikroTik firewall to target specific device IPs while leaving other network traffic unaffected.
- **Source NAT (Masquerading)**: Ensures return traffic is correctly routed back through the router to the proxy host by masquerading traffic destined for the proxy listener.
### Advanced Features
- **REST API Automation**: Enables remote management of interception rules using `curl` and `jq` via the MikroTik `/rest/ip/firewall/address-list` endpoint.
- **Physical Hardware Integration**: Capability to map the interception toggle to physical buttons or LEDs on MikroTik hardware for "headless" operation.
- **Protocol Blocking**: Easily extended to block IPv6 or non-standard ports to force traffic through controlled channels.
## Indicators of Compromise
- **File Names**: N/A (Firmware/Configuration based)
- **Network Indicators**:
  - Unexplained redirection of traffic to a local IP on ports 80/443 (typically the analyst's laptop).
  - Presence of administrative access to the MikroTik REST API on `https://[router_ip]/rest/`.
- **Behavioral Indicators**:
  - Target devices communicating with a local machine via port 8123 (or other configured transparent proxy ports).
  - Unexpected certificate errors on mobile devices if the Burp CA certificate is not installed, or if the application pins its certificate.
## Associated Threat Actors
- This is primarily documented as a **Security Research / Pen-testing** technique. However, advanced actors or insiders with access to network infrastructure can use similar RouterOS manipulations for persistent interception.
## Detection Methods
- **Behavioral Detection**: Monitor for unusual `DST-NAT` entries in MikroTik configurations, specifically those redirecting common web ports to internal LAN IPs.
- **Audit Logs**: Review MikroTik logs for API-based modifications to firewall address lists or NAT rules.
- **Network Scanning**: Identify local hosts listening on ports configured for "invisible" proxying (e.g., 8080, 8123).
## Mitigation Strategies
- **Certificate Pinning**: Applications should implement SSL/TLS pinning to prevent interception by local CA certificates.
- **Router Hardening**:
  - Disable the REST API and WebFig if not required.
  - Implement strong credentials and MFA for RouterOS management.
  - Restrict management access to specific trusted source IPs.
- **Network Segmentation**: Isolate test devices and research workstations from the production LAN.
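The behavioral detection above (unusual `dst-nat` entries redirecting web ports to a LAN host) and the router-hardening checks (REST API/WebFig left enabled without a source-address restriction) can both be run against the text of a RouterOS `/export`. The following Python audit is an added example, not code from the article or from MikroTik; the export it parses is a constructed sample that mirrors the rule shape the report describes (an `intercept` address list, TCP 80/443 `dst-nat` to a proxy host on port 8123, a masquerade toward the proxy), and the service names `www`, `www-ssl`, `api` and `api-ssl` are the RouterOS services over which WebFig/REST and the legacy binary API are served.

```python
import ipaddress
import shlex

# Constructed sample of a RouterOS "/export" (not captured from any real router).
SAMPLE_EXPORT = r"""
/ip firewall address-list
add address=192.168.88.50 list=intercept
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80,443 protocol=tcp \
    src-address-list=intercept to-addresses=192.168.88.10 to-ports=8123
add action=masquerade chain=srcnat dst-address=192.168.88.10 dst-port=8123 protocol=tcp
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set www disabled=no
set www-ssl disabled=no
set winbox address=192.168.88.0/24
set api disabled=yes
"""

WEB_PORTS = {"80", "443"}
# www / www-ssl carry WebFig and the REST API; api / api-ssl are the older binary API.
MGMT_SERVICES = {"www", "www-ssl", "api", "api-ssl"}


def _join_continuations(text):
    """Merge export lines that end in a backslash into one logical line."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
        else:
            out.append(buf + line)
            buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text):
    """Turn an export into entries of (section, command, positional name, key=value params)."""
    section, entries = None, []
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # e.g. "/ip firewall nat" opens a section
            section = line
            continue
        tokens = shlex.split(line)        # handles quoted values such as address=""
        cmd, name, params = tokens[0], None, {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                name = tok                # "set www ..." carries the item name positionally
        entries.append({"section": section, "cmd": cmd, "name": name, "params": params})
    return entries


def _is_private(addr):
    # Single addresses only; a "to-addresses" range is not flagged by this simple check.
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def find_web_redirects(entries):
    """dst-nat rules that send TCP 80/443 to a LAN host: the interception signature."""
    hits = []
    for e in entries:
        p = e["params"]
        if e["section"] != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        ports = set(p.get("dst-port", "").split(","))
        if p.get("protocol", "tcp") == "tcp" and ports & WEB_PORTS \
                and _is_private(p.get("to-addresses", "")):
            hits.append({
                "to": p["to-addresses"],
                "to_port": p.get("to-ports", "same"),
                "scope": p.get("src-address-list") or p.get("src-address") or "all",
            })
    return hits


def find_exposed_mgmt(entries):
    """Management services enabled with no 'address=' restriction (an absent key means enabled)."""
    hits = []
    for e in entries:
        if e["section"] != "/ip service" or e["cmd"] != "set" or e["name"] not in MGMT_SERVICES:
            continue
        p = e["params"]
        if p.get("disabled", "no") == "no" and not p.get("address"):
            hits.append(e["name"])
    return hits


def audit(text):
    entries = parse_export(text)
    return {"web_redirects": find_web_redirects(entries),
            "exposed_mgmt": find_exposed_mgmt(entries)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(key, value)
```

Run against a real export, the `web_redirects` list gives the proxy host, port and the address list that scopes the interception, which is exactly what to confirm against a change ticket; `exposed_mgmt` names the services that should either be disabled or given an `address=` restriction to trusted management subnets.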
## Related Tools/Techniques
- **Burp Suite Professional**: Used as the interception and analysis engine.
- **OpenWrt**: A similar open-source router platform capable of these techniques through `iptables` or `nftables`.
- **mitmproxy**: An alternative proxy tool frequently used for transparent interception.