Tool to scan for RouterOS (Mikrotik) forensic artifacts and vulnerabilities.

Last update: Dec 21, 2022

Overview

RouterOS Scanner

Forensics tool for Mikrotik devices. Search for suspicious properties and weak security points that need to be fixed on the router.

This tool’s functionalities include the following:

Get the version of the device and map it to CVEs
Check for scheduled tasks
Look for traffic redirection rules
Look for DNS cache poisoning
Look for default ports change
Look for non-default users
Look for suspicious files
Look for proxy, socks and FW rules

Executing and arguments

The arguments:

args	Description	Must / Optional
`-i`	The tested Mikrotik IP address	Must
`-p`	The tested Mikrotik SSH port	Must
`-u`	User name with admin Permissions	Must
`-ps`	The password of the given user name (empty password by defoult)	Optional
`-J`	Print the results as json format (prints txt format by defoult)	Optional

Executing examples:

 ./main.py -i 1.2.3.4 -p 22 -u admin
 ./main.py -i 1.2.3.4 -p 2000 -u admin -ps 123456
 ./main.py -i 1.2.3.4 -p 2000 -u admin -ps 123456 -J

Output:

The output includes 3 sections for each test:

raw data - all the data we search in.
suspicious - things we found out as suspicious and recommends checking if they are legitimate or malicious.
recommendation - things we found out as weak security points and recommends to fix.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

Comments

Authentication Failed

Hello and thank you for this project. I am attempting to scan a RouterOS device running version 7.1.3 and I am getting an authentication failure from paramiko. The RouterOS logs say expected msg: 50 got: 5. After some good old fashioned BING searches I saw similar issues opened with an Ansible module (see here: https://github.com/ansible/ansible/issues/55042). I tried a few suggestions mentioned in that thread but did not find luck. Regular ssh user@address -p 2223 works as expected.

python3 main.py -i 172.16.254.1 -p 2223 -u jared+cet1024w -ps PASSWORD
Mikrotik ip address: 172.16.254.1

Traceback (most recent call last):
  File "/Users/jared/routeros-scanner/main.py", line 62, in <module>
    main(args)
  File "/Users/jared/routeros-scanner/main.py", line 28, in main
    ssh_client.connect(hostname=args.ip, port=args.port, username=args.userName, password=args.password)
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 766, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 753, in _auth
    self._transport.auth_password(username, password)
  File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 1563, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.9/site-packages/paramiko/auth_handler.py", line 244, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.`

opened by jlgore 11

TTL value error

I'm trying to scan my home router and get this error:

Mikrotik ip address: 192.168.27.1

Traceback (most recent call last):
  File "main.py", line 62, in <module>
    main(args)
  File "main.py", line 31, in main
    res = command.run_ssh(ssh_client)
  File "/home/medusa/routeros-scanner/commands/dns.py", line 16, in run_ssh
    sus_dns, recommendation = self.check_results_ssh(res, enabled)
  File "/home/medusa/routeros-scanner/commands/dns.py", line 27, in check_results_ssh
    if int(item['ttl'].partition('s')[0]) > 200000:
ValueError: invalid literal for int() with base 10: '3d21h23m50'

Device model is RouterBOARD 962UiGS-5HacT2HnT (Mikrotik hAP ac) RouterOS version: 7.1.2 Steps to reproduce:

run command python3 main.py -i 192.168.1.1 -p 22 -u admin -ps routerpassword

opened by weirdvic 10

ValueError: invalid literal for int() with base 10: '1d' or similar

Hi Guys - Thanks for creating this tool! I'm trying to scan our routers, and everyone gives an error similar to below:

Mikrotik ip address: 192.168.0.1

Traceback (most recent call last):
  File "C:\Users\werne\Downloads\routeros-scanner-main\main.py", line 62, in <module>
    main(args)
  File "C:\Users\werne\Downloads\routeros-scanner-main\main.py", line 31, in main
    res = command.run_ssh(ssh_client)
  File "C:\Users\werne\Downloads\routeros-scanner-main\commands\dns.py", line 16, in run_ssh
    sus_dns, recommendation = self.check_results_ssh(res, enabled)
  File "C:\Users\werne\Downloads\routeros-scanner-main\commands\dns.py", line 27, in check_results_ssh
    if int(item['ttl'].partition('s')[0]) > 200000:
ValueError: invalid literal for int() with base 10: '1d'

opened by mrkwagga 8

Error executing main.py

Traceback (most recent call last): File "C:\apps\routeros-scanner-main\main.py", line 62, in main(args) File "C:\apps\routeros-scanner-main\main.py", line 31, in main res = command.run_ssh(ssh_client) File "C:\apps\routeros-scanner-main\commands\dns.py", line 16, in run_ssh sus_dns, recommendation = self.check_results_ssh(res, enabled) File "C:\apps\routeros-scanner-main\commands\dns.py", line 27, in check_results_ssh if int(item['ttl'].partition('s')[0]) > 200000: ValueError: invalid literal for int() with base 10: '2h11m36'

opened by salacpavel 4
Updated to handle non standard mikrotik time output

Greetings, The original script would crash on my mikrotik when it would hit a date format as shown above the "time_str_convert2sec" function. Attached is code that should convert and make the rest of everything else function. Feel free to adjust, re-write or otherwise consume however you'd like. This may be a newer firmware thing.

opened by ams2121 2
paramiko.ssh_exception.SSHException: No existing session
I ran into this issue when trying to test my router, it seems to be a common issue with paramiko.

The fix was to add look_for_keys=False to main.py:

ssh_client.connect(hostname=args.ip, port=args.port, username=args.userName, password=args.password, look_for_keys=False)

Some people on the internet also suggest to add allow_agent=False

Can you possibly add this to readme-file?
opened by ghost 2
Fix: TTL value, invalid literal for int() - dns.py
Fixed "invalid literal for int()" error:

function get_seconds(ttl) - parses the time string from item["ttl"]

item["address"] does not exist, it is the next error. The correct column name is item["data"].

Tests on routeros versions 6.49 and 7.1.3.
opened by krcs 2
How does the command works with paramiko？
For example, the project use paramiko to run command on the server. However, the /ip command is not on the server, why it works？

data = self._ssh_data(sshc, '/ip dns print') stdin, stdout, stderr = sshc.exec_command(command)
opened by thinkycx 1
some changes

add close ssh client (main.py) change ssh port required to default ssh port 22 (main.py) change The Mikrotik version to RouterOS version (version.py) add example default port ssh (README.md) change ip 1.2.3.4 to default mikrotik ip 192.168.88.1 in executing examples (README.md) change The tested Mikrotik SSH port of Must to Optional in the arguments (README.md) tested in RouterOS v6.49.5 (stable) and v7.1.3 (stable)

opened by danielcshn 1
incorrect routeros version in assets

for CVE-2017-6297 there is version 6.83.3 (exactly as in CVE description) however there is no such version of RouterOS available. There should be 6.38.3

opened by serafin-tech 1
Added a pair of flags to handle agent-assisted key-based authentication in SSH

This PR tries to allow usage of SSH agents for improved security (by removing passwords from the equation) in the SSH handshake process. This also mitigates a related issue, namely the blind trust of the router's SSH fingerprint (enabled by this line - ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())): When using keys, there is very little even an active network attacker can do.

There is one additional flag added that I found necessary when working with Mikrotik routers - failure to negotiate a viable handshake algorithm, as described here: https://forum.mikrotik.com/viewtopic.php?t=157598. I can attest to experiencing this issue firsthand, hence the added flag.

This PR can also provide partial support for the larger feature of SSH key authentication support, as reported here - https://github.com/microsoft/routeros-scanner/issues/25

opened by EnSec4Git 0
Bump paramiko from 2.9.2 to 2.10.1
Bumps paramiko from 2.9.2 to 2.10.1.

Commits

286bd9f Cut 2.10.1

4c491e2 Fix CVE re: PKey.write_private_key chmod race

aa3cc6f Cut 2.10.0

e50e19f Fix up changelog entry with real links

02ad67e Helps to actually leverage your mocked system calls

29d7bf4 Clearly our agent stuff is not fully tested yet...

5fcb8da OpenSSH docs state %C should also work in IdentityFile and Match exec

1bf3dce Changelog enhancement

f6342fc Prettify, add %C as acceptable controlpath token, mock gethostname

3f3451f Add to changelog

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies
opened by dependabot[bot] 1

Owner

Microsoft

Open source projects and samples from Microsoft

GitHub

A forensic collection tool written in Python.

CHIRP A forensic collection tool written in Python. Watch the video overview ?? Table of Contents ?? Table of Contents ?? About ?? Getting Started Pre

Cybersecurity and Infrastructure Security Agency

1k Dec 9, 2022

MVT is a forensic tool to look for signs of infection in smartphone devices

Mobile Verification Toolkit Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic

8.3k Jan 8, 2023

Detection tool of malware(s) by checksum (useful for forensic)

?? malware_checker.py Detection tool of malware(s) by checksum (useful for forensic) ?? Dependencies installation $ pip3 install -r requirements.txt

1 Jan 30, 2022

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the context, origin of specific files during a digital forensic investigation.

96 Dec 20, 2022

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanning and detecting sql injection vulnerabilities across HTTP and HTTP sites.

12 Dec 2, 2022

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than Firmware Slap.

3 Nov 16, 2021

A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

This project is no longer maintained March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulne

2.1k Dec 25, 2022

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

118 Dec 24, 2022

A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities

Shodan Quick Recon A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities Configuration You must edit the python code, and in

5 Aug 9, 2022

WpDisect is a wordpress hacking tool that finds vulnerabilities in wordpress.

wpdisect WpDisect is a wordpress hacking tool that finds misconfigurations in wordpress. Prerequisites You need to download wordpress in the wpdisect

3 Feb 20, 2022

ORector - A Fast Python tool designed to detect open redirects vulnerabilities on websites

ORector is a Fast Python tool designed to detect open redirects vulnerabilities

11 Apr 2, 2022

Tool for finding PHP source code vulnerabilities.

vulnz Tool for finding php source code vulnerabilities. Scans PHP source code and prints out potentially dangerous lines. This tool is useful for secu

1 Jan 14, 2022

A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities

master_librarian A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities. To install requirements: $ sudo pyth

167 Dec 19, 2022

Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

DOME - A subdomain enumeration tool Check the Spanish Version Dome is a fast and reliable python script that makes active and/or passive scan to obtai

329 Jan 1, 2023

Bug Alert: a service for alerting security and IT professionals of high-impact and 0day vulnerabilities

Bug Alert Bug Alert is a service for alerting security and IT professionals of h

208 Dec 15, 2022

NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains

NexScanner NexScanner is a tool which helps you scan a website for sub-domains and also to find login pages in the website like the admin login panel

8 Sep 3, 2022

Visibility and Mitigation for Log4J vulnerabilities

Visibility and Mitigation for Log4J vulnerabilities Several scripts for the visibility and mitigation of Log4J vulnerabilities. Static Scanner - Linux

15 May 21, 2022

Safety checks your installed dependencies for known security vulnerabilities

Safety checks your installed dependencies for known security vulnerabilities. By default it uses the open Python vulnerability database Safety DB, but

1.4k Dec 30, 2022

SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly identify the weakness.

136 Dec 13, 2022