
routeros-scanner's Introduction


RouterOS Scanner

A forensics tool for Mikrotik devices. It searches the router for suspicious properties and for weak security points that need to be fixed.

This tool’s functionalities include the following:

  • Get the version of the device and map it to CVEs
  • Check for scheduled tasks
  • Look for traffic redirection rules
  • Look for DNS cache poisoning
  • Look for changes to the default service ports
  • Look for non-default users
  • Look for suspicious files
  • Look for proxy, socks and FW rules

Executing and arguments

This tool requires Python 3.8 or later.

Install required Python packages

pip install -r requirements.txt

The arguments:

Argument  | Description                                                                                              | Must / Optional
-i        | The tested Mikrotik IP address                                                                           | Must
-p        | The tested Mikrotik SSH port                                                                             | Optional
-u        | User name with admin permissions                                                                         | Must
-ps       | The password of the given user name (empty password by default)                                          | Optional
-J        | Print the results in JSON format (text format by default)                                                | Optional
-concise  | Print a shortened text output focusing on recommendations and suspicious data                            | Optional
-update   | Update the CVE JSON file (the file is updated automatically if it hasn't been updated in the last month) | Optional

Executing examples:

 ./main.py -i 192.168.88.1 -u admin
 ./main.py -i 192.168.88.1 -p 22 -u admin
 ./main.py -i 192.168.88.1 -p 2000 -u admin -ps 123456
 ./main.py -i 192.168.88.1 -p 2000 -u admin -ps 123456 -J

Output:

The output includes 3 sections for each test:

  1. raw data - all the data the test searched through.
  2. suspicious - findings that look suspicious; each one should be checked to decide whether it is legitimate or malicious.
  3. recommendation - weak security points that were found, with recommendations for fixing them.

More info & solution:

Researchers developed this forensic tool while investigating how MikroTik devices are used in Trickbot C2 infrastructure. You can read more about the research here.

Microsoft Defender for IoT is an agentless network-layer security solution that allows organizations to continuously monitor and discover assets, detect threats, and manage vulnerabilities in their IoT/OT and Industrial Control Systems (ICS) devices, on-premises and in Azure-connected environments.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

Legal Disclaimer

Copyright (c) 2018 Microsoft Corporation. All rights reserved.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


routeros-scanner's Issues

paramiko.ssh_exception.SSHException: No existing session

I ran into this issue when trying to test my router, it seems to be a common issue with paramiko.

The fix was to add look_for_keys=False to main.py:

ssh_client.connect(hostname=args.ip, port=args.port, username=args.userName, password=args.password, look_for_keys=False)

Some people on the internet also suggest adding allow_agent=False.

Can you possibly add this to the readme file?

TTL value error

I'm trying to scan my home router and get this error:

Mikrotik ip address: 192.168.27.1

Traceback (most recent call last):
  File "main.py", line 62, in <module>
    main(args)
  File "main.py", line 31, in main
    res = command.run_ssh(ssh_client)
  File "/home/medusa/routeros-scanner/commands/dns.py", line 16, in run_ssh
    sus_dns, recommendation = self.check_results_ssh(res, enabled)
  File "/home/medusa/routeros-scanner/commands/dns.py", line 27, in check_results_ssh
    if int(item['ttl'].partition('s')[0]) > 200000:
ValueError: invalid literal for int() with base 10: '3d21h23m50'

Device model is RouterBOARD 962UiGS-5HacT2HnT (Mikrotik hAP ac)
RouterOS version: 7.1.2
Steps to reproduce:

  • run command python3 main.py -i 192.168.1.1 -p 22 -u admin -ps routerpassword

NVD seems to require version 2.0 API

The current code doesn't succeed in downloading the CVE db. I changed a few lines in order to use the 2.0 version of the API. The data model of the response seems to have changed as well; my change does not take multiple configuration keys into account. Hope it helps someone!

diff --git a/query_nvd.py b/query_nvd.py
index 7d18c85..19f0a54 100644
--- a/query_nvd.py
+++ b/query_nvd.py
@@ -61,17 +61,19 @@ class CVEsInterface():
 
     def get_cves(self, product, vendor, resultsPerPage, cur_index):
         total_results = 0
-        response = self._web_api_query("https://services.nvd.nist.gov/rest/json/cves/1.0?",
-                                       params={"keyword": product, "resultsPerPage": resultsPerPage,
+        response = self._web_api_query("https://services.nvd.nist.gov/rest/json/cves/2.0?",
+                                       params={"keywordSearch": product, "resultsPerPage": resultsPerPage,
                                                "startIndex": cur_index})
         if response:
-            self._convert_to_ranges(response["result"]["CVE_Items"], vendor, product)
+            # self._convert_to_ranges(response["result"]["CVE_Items"], vendor, product)
+            self._convert_to_ranges(response["vulnerabilities"], vendor, product)
             total_results = response["totalResults"]
         return total_results
 
     def _convert_to_ranges(self, all_cves_data, vendor, product):
         for cve_data in all_cves_data:
-            cve = cve_data["cve"]['CVE_data_meta']['ID']
+            cve_data = cve_data['cve']
+            cve = cve_data['id']
 
             if cve in self._ver_cves.keys():
                 continue
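Review bot: the commented-out call at `+            # self._convert_to_ranges(response["result"]["CVE_Items"], vendor, product)` should be deleted rather than kept as a comment; the `-` line directly above it already records the old 1.0 call in the history. In `_convert_to_ranges`, the loop variable is rebound (`+            cve_data = cve_data['cve']`) so that the later `cve_data['configurations']` lookups read the nested object; a distinct name such as `cve_obj` would make that intent clearer than shadowing the loop variable, and would keep the outer record available if anything else from it is needed later.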
@@ -79,15 +81,15 @@ class CVEsInterface():
             if 'configurations' not in cve_data:
                 print (f'ERROR: No configurations {cve}', file = sys.stderr)
             else:
-                if 'nodes' not in cve_data['configurations']:
+                if 'nodes' not in cve_data['configurations'][0]:
                     print (f'ERROR: No nodes {cve}', file = sys.stderr)
                 else:
                     versions = []
-                    for node in cve_data['configurations']['nodes']:
+                    for node in cve_data['configurations'][0]['nodes']:
                         if node['operator'] != 'OR':
                             print(f'DEBUG: No handling for OR operator in node, the following CVE needs to be implemented: {cve}', file=sys.stderr)
                         else:
-                            for cpe_match in node['cpe_match']:
+                            for cpe_match in node['cpeMatch']:
                                 cpe_res = hashabledict()
                                 if 'cpe23Uri' in cpe_match:
                                     if not f'{vendor}:{product}' in cpe_match['cpe23Uri']:
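Review bot: `cve_data['configurations'][0]` on the `if 'nodes' not in ...` and `for node in ...` lines only inspects the first configuration and raises IndexError when `configurations` is present but an empty list, which the `'configurations' not in cve_data` guard above does not catch; iterating `for config in cve_data['configurations']:` and then `for node in config['nodes']:` handles both cases and also covers the multiple-configuration case the description says is not handled yet. The untouched `if 'cpe23Uri' in cpe_match:` check should be revisited together with the `cpeMatch` rename: in the NVD 2.0 schema the CPE string is carried under `criteria`, so with the old key no CPE ever matches and every CVE is silently skipped.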

Authentication Failed

Hello and thank you for this project. I am attempting to scan a RouterOS device running version 7.1.3 and I am getting an authentication failure from paramiko. The RouterOS logs say expected msg: 50 got: 5. After some good old fashioned BING searches I saw similar issues opened with an Ansible module (see here: ansible/ansible#55042). I tried a few suggestions mentioned in that thread but did not find luck. Regular ssh user@address -p 2223 works as expected.

python3 main.py -i 172.16.254.1 -p 2223 -u jared+cet1024w -ps PASSWORD
Mikrotik ip address: 172.16.254.1

Traceback (most recent call last):
  File "/Users/jared/routeros-scanner/main.py", line 62, in <module>
    main(args)
  File "/Users/jared/routeros-scanner/main.py", line 28, in main
    ssh_client.connect(hostname=args.ip, port=args.port, username=args.userName, password=args.password)
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 766, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 753, in _auth
    self._transport.auth_password(username, password)
  File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 1563, in auth_password
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.9/site-packages/paramiko/auth_handler.py", line 244, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

How does the command work with paramiko?

For example, the project uses paramiko to run commands on the server.
However, the /ip command is not on the server, so why does it work?

data = self._ssh_data(sshc, '/ip dns print')

stdin, stdout, stderr = sshc.exec_command(command)

Error

pip install -r requirements.txt
error paramiko==2.9.2
error six==1.16.0
error requests==2.27.1
error retry==0.9.2

Wrong CVE list comparison?

I updated RouterOS to the current latest version (6.49.8) and rescanned, it shows me the following message:

Version:
	suspicious:
		"CVE-2022-45315"
		"CVE-2022-45313"
	recommendation:
		"RouterOS version: 6.49.8 is vulnerable to CVE(s). Upgrade to the latest version. (The CVEs list is from NVD)"

This might be due to the fact that both CVEs say that any version prior to 7.5 or 7.6 is affected. Both interfere with the 6 series branch.

The latest CVE for the 6 series branch is CVE-2023-30799 which only affects RouterOS until version 6.49.7 it seems.

ValueError: invalid literal for int() with base 10: '1d' or similar

Hi Guys - Thanks for creating this tool! I'm trying to scan our routers, and every one gives an error similar to below:

Mikrotik ip address: 192.168.0.1

Traceback (most recent call last):
  File "C:\Users\werne\Downloads\routeros-scanner-main\main.py", line 62, in <module>
    main(args)
  File "C:\Users\werne\Downloads\routeros-scanner-main\main.py", line 31, in main
    res = command.run_ssh(ssh_client)
  File "C:\Users\werne\Downloads\routeros-scanner-main\commands\dns.py", line 16, in run_ssh
    sus_dns, recommendation = self.check_results_ssh(res, enabled)
  File "C:\Users\werne\Downloads\routeros-scanner-main\commands\dns.py", line 27, in check_results_ssh
    if int(item['ttl'].partition('s')[0]) > 200000:
ValueError: invalid literal for int() with base 10: '1d'

Error executing main.py

Traceback (most recent call last):
  File "C:\apps\routeros-scanner-main\main.py", line 62, in <module>
    main(args)
  File "C:\apps\routeros-scanner-main\main.py", line 31, in main
    res = command.run_ssh(ssh_client)
  File "C:\apps\routeros-scanner-main\commands\dns.py", line 16, in run_ssh
    sus_dns, recommendation = self.check_results_ssh(res, enabled)
  File "C:\apps\routeros-scanner-main\commands\dns.py", line 27, in check_results_ssh
    if int(item['ttl'].partition('s')[0]) > 200000:
ValueError: invalid literal for int() with base 10: '2h11m36'
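The three TTL tracebacks above ('3d21h23m50', '1d', '2h11m36') all come from dns.py assuming every cache TTL is printed as plain seconds ("…s"), while RouterOS prints durations with w/d/h/m/s parts. The following is an added example, not the project's code: a parser that accepts that form and applies the same 200000-second threshold to a constructed cache sample; the "name" and "address" keys and all sample values are assumptions.

```python
import re
from typing import Dict, List

# RouterOS prints durations as optional w/d/h/m/s parts in that order,
# e.g. "3d21h23m50s", "1d", "2h11m36s", "45s"; partition('s') only copes
# with the last form.
_DURATION_RE = re.compile(r"(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

# Same threshold dns.py applies (200000 s is a little over two days).
MAX_SANE_TTL_SECONDS = 200000


def routeros_duration_to_seconds(value: str) -> int:
    """Convert a RouterOS duration string to whole seconds."""
    text = value.strip()
    match = _DURATION_RE.fullmatch(text)
    if not text or match is None:
        raise ValueError(f"unrecognised RouterOS duration: {value!r}")
    weeks, days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return ((weeks * 7 + days) * 24 + hours) * 3600 + minutes * 60 + seconds


def suspicious_dns_entries(cache: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return cache items whose TTL exceeds the threshold, plus items whose
    TTL cannot be parsed (reported instead of aborting the whole scan)."""
    flagged = []
    for item in cache:
        try:
            ttl = routeros_duration_to_seconds(item["ttl"])
        except ValueError:
            flagged.append({**item, "reason": "unparseable ttl"})
            continue
        if ttl > MAX_SANE_TTL_SECONDS:
            flagged.append({**item, "reason": f"ttl {ttl}s exceeds {MAX_SANE_TTL_SECONDS}s"})
    return flagged


# Constructed sample shaped like the dicts dns.py builds from "/ip dns cache print";
# the "name"/"address" keys and every value here are assumptions, not scanner output.
SAMPLE_CACHE = [
    {"name": "www.example.com", "address": "192.0.2.10", "ttl": "3d21h23m50s"},
    {"name": "update.example.com", "address": "198.51.100.7", "ttl": "1d"},
    {"name": "cdn.example.net", "address": "203.0.113.9", "ttl": "2h11m36s"},
    {"name": "ntp.example.org", "address": "192.0.2.44", "ttl": "45s"},
    {"name": "odd.example.org", "address": "192.0.2.45", "ttl": "forever"},
]

if __name__ == "__main__":
    for entry in suspicious_dns_entries(SAMPLE_CACHE):
        print(f"{entry['name']:<22} {entry['address']:<14} {entry['reason']}")
```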
