Tool to scan for RouterOS (Mikrotik) forensic artifacts and vulnerabilities.

Overview

RouterOS Scanner

Forensics tool for Mikrotik devices. It searches a router for suspicious properties and for weak security points that need to be fixed.

The tool's checks include the following:

  • Get the RouterOS version of the device and map it to known CVEs
  • Check for scheduled tasks
  • Look for traffic redirection rules
  • Look for DNS cache poisoning
  • Look for changed default service ports
  • Look for non-default users
  • Look for suspicious files
  • Look for proxy, SOCKS and firewall rules

Executing and arguments

The arguments:

Argument   Description                                                   Must / Optional
-i         The tested Mikrotik IP address                                Must
-p         The tested Mikrotik SSH port                                  Must
-u         User name with admin permissions                              Must
-ps        The password of the given user name (empty password by default)   Optional
-J         Print the results in JSON format (text format by default)     Optional

Executing examples:

 ./main.py -i 1.2.3.4 -p 22 -u admin
 ./main.py -i 1.2.3.4 -p 2000 -u admin -ps 123456
 ./main.py -i 1.2.3.4 -p 2000 -u admin -ps 123456 -J

Output:

The output includes 3 sections for each test:

  1. raw data - all the data the test searched through.
  2. suspicious - findings the tool considers suspicious; check whether each one is legitimate or malicious.
  3. recommendation - weak security points the tool recommends fixing.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

Issues
  • Authentication Failed

    Hello and thank you for this project. I am attempting to scan a RouterOS device running version 7.1.3 and I am getting an authentication failure from paramiko. The RouterOS logs say expected msg: 50 got: 5. After some good old fashioned BING searches I saw similar issues opened with an Ansible module (see here: https://github.com/ansible/ansible/issues/55042). I tried a few suggestions mentioned in that thread but did not find luck. Regular ssh [email protected] -p 2223 works as expected.

    python3 main.py -i 172.16.254.1 -p 2223 -u jared+cet1024w -ps PASSWORD
    Mikrotik ip address: 172.16.254.1
    
    Traceback (most recent call last):
      File "/Users/jared/routeros-scanner/main.py", line 62, in <module>
        main(args)
      File "/Users/jared/routeros-scanner/main.py", line 28, in main
        ssh_client.connect(hostname=args.ip, port=args.port, username=args.userName, password=args.password)
      File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 435, in connect
        self._auth(
      File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 766, in _auth
        raise saved_exception
      File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 753, in _auth
        self._transport.auth_password(username, password)
      File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 1563, in auth_password
        return self.auth_handler.wait_for_response(my_event)
      File "/usr/local/lib/python3.9/site-packages/paramiko/auth_handler.py", line 244, in wait_for_response
        raise e
    paramiko.ssh_exception.AuthenticationException: Authentication failed.
    
    opened by jlgore 11
  • TTL value error

    I'm trying to scan my home router and get this error:

    Mikrotik ip address: 192.168.27.1
    
    Traceback (most recent call last):
      File "main.py", line 62, in <module>
        main(args)
      File "main.py", line 31, in main
        res = command.run_ssh(ssh_client)
      File "/home/medusa/routeros-scanner/commands/dns.py", line 16, in run_ssh
        sus_dns, recommendation = self.check_results_ssh(res, enabled)
      File "/home/medusa/routeros-scanner/commands/dns.py", line 27, in check_results_ssh
        if int(item['ttl'].partition('s')[0]) > 200000:
    ValueError: invalid literal for int() with base 10: '3d21h23m50'
    

    Device model is RouterBOARD 962UiGS-5HacT2HnT (Mikrotik hAP ac)
    RouterOS version: 7.1.2
    Steps to reproduce:

    • run command python3 main.py -i 192.168.1.1 -p 22 -u admin -ps routerpassword
    opened by weirdvic 10
  • ValueError: invalid literal for int() with base 10: '1d' or similar

    Hi Guys - Thanks for creating this tool! I'm trying to scan our routers, and every one of them gives an error similar to the one below:

    Mikrotik ip address: 192.168.0.1
    
    Traceback (most recent call last):
      File "C:\Users\werne\Downloads\routeros-scanner-main\main.py", line 62, in <module>
        main(args)
      File "C:\Users\werne\Downloads\routeros-scanner-main\main.py", line 31, in main
        res = command.run_ssh(ssh_client)
      File "C:\Users\werne\Downloads\routeros-scanner-main\commands\dns.py", line 16, in run_ssh
        sus_dns, recommendation = self.check_results_ssh(res, enabled)
      File "C:\Users\werne\Downloads\routeros-scanner-main\commands\dns.py", line 27, in check_results_ssh
        if int(item['ttl'].partition('s')[0]) > 200000:
    ValueError: invalid literal for int() with base 10: '1d'
    
    opened by mrkwagga 8
  • Error executing main.py

    Traceback (most recent call last):
      File "C:\apps\routeros-scanner-main\main.py", line 62, in <module>
        main(args)
      File "C:\apps\routeros-scanner-main\main.py", line 31, in main
        res = command.run_ssh(ssh_client)
      File "C:\apps\routeros-scanner-main\commands\dns.py", line 16, in run_ssh
        sus_dns, recommendation = self.check_results_ssh(res, enabled)
      File "C:\apps\routeros-scanner-main\commands\dns.py", line 27, in check_results_ssh
        if int(item['ttl'].partition('s')[0]) > 200000:
    ValueError: invalid literal for int() with base 10: '2h11m36'

    opened by salacpavel 4
  • Updated to handle non standard mikrotik time output

    Greetings, The original script would crash on my mikrotik when it would hit a date format as shown above the "time_str_convert2sec" function. Attached is code that should convert and make the rest of everything else function. Feel free to adjust, re-write or otherwise consume however you'd like. This may be a newer firmware thing.

    opened by ams2121 2
  • paramiko.ssh_exception.SSHException: No existing session

    I ran into this issue when trying to test my router, it seems to be a common issue with paramiko.

    The fix was to add look_for_keys=False to main.py:

    ssh_client.connect(hostname=args.ip, port=args.port, username=args.userName, password=args.password, look_for_keys=False)
    

    Some people on the internet also suggest to add allow_agent=False

    Can you possibly add this to readme-file?

    opened by micjax 2
  • Fix: TTL value, invalid literal for int() - dns.py

    Fixed "invalid literal for int()" error:

    1. function get_seconds(ttl) - parses the time string from item["ttl"]
    2. item["address"] does not exist, it is the next error. The correct column name is item["data"].

    Tests on routeros versions 6.49 and 7.1.3.

    opened by krcs 2
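The crashes in the TTL issues above and both fix PRs (the time_str_convert2sec patch and the get_seconds patch) trace back to the same line in commands/dns.py: int(item['ttl'].partition('s')[0]) assumes a bare "<n>s", while RouterOS prints durations as 3d21h23m50s, 1d or 2h11m36s. The following is an added example, not the project's code and not the code from either PR: a parser for the concatenated unit form (w/d/h/m/s, with a trailing hh:mm:ss clock part that some versions print), wired back into the scanner's 200000-second suspicion check. It also accepts the "data" column that RouterOS 7 uses where older versions used "address", the second point in the fix PR. The /ip dns cache print terse sample is constructed, and the assumption that terse output is one record per line of key=value pairs is mine.

```python
"""Added example (not project code): parse RouterOS duration strings and re-run
the scanner's DNS-cache TTL check without the int() crash reported above."""
import re

# RouterOS prints durations as concatenated unit fields (1w2d3h4m5s) and, in
# some versions, with a trailing clock part (1d04:30:15). The original script
# only handled a bare "<seconds>s", which is what raised the ValueError.
_UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_UNIT_TOKEN = re.compile(r"(\d+)(ms|[wdhms])")   # "ms" must be tried before "m"
_CLOCK = re.compile(r"^(\d+):(\d{2}):(\d{2})$")


def routeros_time_to_seconds(text: str) -> int:
    """Convert a RouterOS duration such as '3d21h23m50s', '1d', '2h11m36s',
    '1w' or '1d04:30:15' to whole seconds. Raises ValueError on anything else."""
    s = text.strip()
    if not s:
        raise ValueError("empty RouterOS time string")
    total, pos = 0, 0
    for m in _UNIT_TOKEN.finditer(s):
        if m.start() != pos:            # unit fields must be contiguous from the start
            break
        n, unit = int(m.group(1)), m.group(2)
        total += n // 1000 if unit == "ms" else n * _UNIT_SECONDS[unit]
        pos = m.end()
    rest = s[pos:]
    if rest:
        clock = _CLOCK.match(rest)
        if clock:
            h, mi, sec = (int(g) for g in clock.groups())
            total += h * 3600 + mi * 60 + sec
        elif rest.isdigit():            # bare number: plain seconds (the old "NNNs" case with the unit stripped)
            total += int(rest)
        else:
            raise ValueError(f"unrecognised RouterOS time string: {text!r}")
    return total


_KV = re.compile(r"([A-Za-z][\w-]*)=(\S*)")


def parse_terse_print(output: str) -> list:
    """Turn '/ip dns cache print terse' lines (' 0 name=... data=... ttl=...')
    into dicts. Assumed format: leading index/flags, then key=value pairs."""
    entries = []
    for line in output.splitlines():
        fields = dict(_KV.findall(line))
        if fields:
            entries.append(fields)
    return entries


def find_suspicious_dns_cache(entries, max_ttl_seconds: int = 200000) -> list:
    """Flag cache records whose TTL exceeds the scanner's 200000 s threshold.
    RouterOS 7 reports the record target in the 'data' column, older versions
    in 'address'; accept either."""
    flagged = []
    for item in entries:
        ttl = routeros_time_to_seconds(item["ttl"])
        if ttl > max_ttl_seconds:
            flagged.append({
                "name": item.get("name"),
                "data": item.get("data", item.get("address")),
                "ttl_seconds": ttl,
            })
    return flagged


# Constructed sample in the assumed terse format (not captured from a real router).
SAMPLE_TERSE = """\
 0 name=router.lan type=A data=192.168.88.1 ttl=23h59m50s
 1 name=example.com type=A data=93.184.216.34 ttl=3d21h23m50s
 2 name=update.example.net type=A data=203.0.113.7 ttl=1w
 3 name=cdn.example.org type=CNAME data=edge.example.org ttl=1d
 4 name=legacy.lan address=10.0.0.5 ttl=2h11m36s
"""

if __name__ == "__main__":
    for hit in find_suspicious_dns_cache(parse_terse_print(SAMPLE_TERSE)):
        print(f"suspicious: {hit['name']} -> {hit['data']} (ttl {hit['ttl_seconds']} s)")
```

The parser is strict on purpose: a string it does not recognise raises ValueError with the offending text instead of silently returning 0, so a new RouterOS output format shows up as a clear error rather than as a missed poisoning hit.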
  • How does the command work with paramiko?

    For example, the project uses paramiko to run commands on the server. However, the /ip command is not on the server, so why does it work?

    data = self._ssh_data(sshc, '/ip dns print')
    
    stdin, stdout, stderr = sshc.exec_command(command)
    
    opened by thinkycx 1
  • some changes

    • add close ssh client (main.py)
    • change ssh port required to default ssh port 22 (main.py)
    • change "The Mikrotik version" to "RouterOS version" (version.py)
    • add example default port ssh (README.md)
    • change ip 1.2.3.4 to default mikrotik ip 192.168.88.1 in executing examples (README.md)
    • change "The tested Mikrotik SSH port" from Must to Optional in the arguments (README.md)

    tested in RouterOS v6.49.5 (stable) and v7.1.3 (stable)

    opened by danielcshn 1
  • incorrect routeros version in assets

    for CVE-2017-6297 there is version 6.83.3 (exactly as in the CVE description); however, there is no such version of RouterOS available. There should be 6.38.3

    opened by SerafinSahary 1
  • Added a pair of flags to handle agent-assisted key-based authentication in SSH

    This PR tries to allow usage of SSH agents for improved security (by removing passwords from the equation) in the SSH handshake process. This also mitigates a related issue, namely the blind trust of the router's SSH fingerprint (enabled by this line - ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())): When using keys, there is very little even an active network attacker can do.

    There is one additional flag added that I found necessary when working with Mikrotik routers - failure to negotiate a viable handshake algorithm, as described here: https://forum.mikrotik.com/viewtopic.php?t=157598. I can attest to experiencing this issue firsthand, hence the added flag.

    This PR can also provide partial support for the larger feature of SSH key authentication support, as reported here - https://github.com/microsoft/routeros-scanner/issues/25

    opened by EnSec4Git 0
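The "No existing session" issue, the question about how "/ip ..." commands run through paramiko, and this PR all concern the same ssh_client.connect call in main.py. What follows is an added example, not the project's code and not the code from the PR: a connection helper that turns off agent and key lookup for password auth (the look_for_keys=False / allow_agent=False fix from the issue), allows explicit key or agent auth, passes disabled_algorithms through for routers that reject some handshake algorithms, and replaces AutoAddPolicy with a policy that accepts only a pinned SHA256 host-key fingerprint. exec_command just hands the text to the router's own CLI over the SSH channel, which is why "/ip dns print" works even though no such program exists on the client machine. Assumptions: paramiko, which the project already requires; which algorithms a given router needs disabled is router- and version-specific, so the value shown in the usage note is only an illustration; the pinned fingerprint must be obtained out of band (router console or a previously verified known_hosts entry), and the known_hosts line in the test is constructed.

```python
"""Added example (not project code): hardened paramiko connection for the scanner.
The fingerprint and connect-argument helpers use only the standard library; paramiko
is imported lazily where a real connection is made."""
import base64
import hashlib


def sha256_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 over the wire-format public key blob,
    base64 without padding, the same form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_from_known_hosts_line(line: str) -> str:
    """Derive the pin from a known_hosts entry: 'host keytype base64blob [comment]'."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("not a known_hosts line")
    return sha256_fingerprint(base64.b64decode(parts[2]))


def build_connect_kwargs(host, port, user, password=None, key_filename=None,
                         use_agent=False, disabled_algorithms=None) -> dict:
    """Arguments for paramiko.SSHClient.connect.
    Password auth: allow_agent and look_for_keys off, so paramiko does not try the
    agent or ~/.ssh keys first (the 'No existing session' failure).
    Key auth: an explicit key file and/or the agent, never a blind ~/.ssh search.
    disabled_algorithms: passed through unchanged; which algorithms a router
    rejects is an assumption the caller must verify for their RouterOS version."""
    kwargs = {"hostname": host, "port": port, "username": user, "timeout": 10,
              "look_for_keys": False}
    if key_filename or use_agent:
        kwargs["allow_agent"] = use_agent
        if key_filename:
            kwargs["key_filename"] = key_filename
    else:
        kwargs["password"] = "" if password is None else password   # README: empty password by default
        kwargs["allow_agent"] = False
    if disabled_algorithms:
        kwargs["disabled_algorithms"] = disabled_algorithms
    return kwargs


def pinned_host_key_policy(expected_fingerprint: str):
    """Replace AutoAddPolicy (which trusts whatever key the network presents) with a
    policy that accepts exactly one pinned SHA256 fingerprint for the router."""
    import paramiko  # project dependency; imported here so the helpers above stay stdlib-only

    class PinnedHostKeyPolicy(paramiko.MissingHostKeyPolicy):
        def missing_host_key(self, client, hostname, key):
            actual = sha256_fingerprint(key.asbytes())
            if actual != expected_fingerprint:
                raise paramiko.SSHException(
                    f"host key mismatch for {hostname}: got {actual}, expected {expected_fingerprint}")
            # Match: accepted for this session only; nothing is written to known_hosts.

    return PinnedHostKeyPolicy()


def run_routeros_command(host, port, user, expected_fingerprint,
                         command="/system resource print", **auth):
    """Connect with the pinned host key and run one RouterOS CLI command.
    The router's SSH service passes the command string to its own CLI, so
    '/ip dns print' works over exec_command although nothing like it exists locally."""
    import paramiko
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(pinned_host_key_policy(expected_fingerprint))
    client.connect(**build_connect_kwargs(host, port, user, **auth))
    try:
        _stdin, stdout, stderr = client.exec_command(command)
        return stdout.read().decode(errors="replace"), stderr.read().decode(errors="replace")
    finally:
        client.close()


if __name__ == "__main__":
    import sys
    # usage: script.py <ip> <port> <user> <SHA256:fingerprint> [password]
    ip, port, user, fp = sys.argv[1:5]
    pw = sys.argv[5] if len(sys.argv) > 5 else ""
    out, err = run_routeros_command(ip, int(port), user, fp, command="/ip dns print", password=pw)
    print(out or err)
```

If a router refuses the handshake with a current paramiko, pass something like disabled_algorithms={"pubkeys": ["rsa-sha2-512", "rsa-sha2-256"]} through build_connect_kwargs; that particular value is an illustration taken from paramiko's own documentation of the option, not a statement about RouterOS, so confirm it against the router you are scanning. A fingerprint mismatch raises instead of silently connecting, which is the behaviour AutoAddPolicy lacks.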
  • Bump paramiko from 2.9.2 to 2.10.1

    Bumps paramiko from 2.9.2 to 2.10.1.

    Commits
    • 286bd9f Cut 2.10.1
    • 4c491e2 Fix CVE re: PKey.write_private_key chmod race
    • aa3cc6f Cut 2.10.0
    • e50e19f Fix up changelog entry with real links
    • 02ad67e Helps to actually leverage your mocked system calls
    • 29d7bf4 Clearly our agent stuff is not fully tested yet...
    • 5fcb8da OpenSSH docs state %C should also work in IdentityFile and Match exec
    • 1bf3dce Changelog enhancement
    • f6342fc Prettify, add %C as acceptable controlpath token, mock gethostname
    • 3f3451f Add to changelog
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0