Friday, September 22, 2023

Use "RouterOS Scanner" of Microsoft to find vulnerabilities of MikroTik



On August 24, 2022 Microsoft released "RouterOS Scanner" on GitHub, the Microsoft-owned platform for hosting and managing source code.

RouterOS Scanner is a tool developed by Microsoft to scan for RouterOS (MikroTik) forensic artifacts and vulnerabilities. It is a Python script that connects to a MikroTik device over SSH and runs various commands to collect information about the device's configuration, security, and network activity. The tool can help users identify and fix potential issues on their MikroTik devices, such as:

•  Outdated or vulnerable RouterOS versions

•  Scheduled tasks that may be malicious or unwanted

•  Traffic redirection rules that may be hijacking or intercepting network traffic

•  DNS cache poisoning that may be altering the DNS resolution of domains

•  Default port changes that may be hiding the device from detection

•  Non-default users that may have unauthorized access to the device

•  Suspicious files that may contain malware or backdoors

•  Proxy, socks and firewall rules that may be affecting the network performance or security

The tool outputs the results in JSON or text format, with three sections for each test: raw data, suspicious, and recommendation. The raw data section shows all the data the tool searched through. The suspicious section highlights the items the tool found suspicious, which should be checked to decide whether they are legitimate or malicious. The recommendation section lists the weak security points the tool found and how to fix them.

The tool is available on GitHub:

https://github.com/microsoft/routeros-scanner 

and PyPI:

https://pypi.org/project/routeros-scanner/ 

and can be easily installed and run with the following commands:


pip install -r requirements.txt

./main.py -i <ip_address> -u <username> -ps <password>


The tool also accepts other arguments, such as the port number, the output format, the update option, and the concise option. For more details, see the README file at https://github.com/microsoft/routeros-scanner on GitHub.

The tool was developed by researchers who investigated how MikroTik devices are used in Trickbot C2 infrastructure. Trickbot is a notorious malware that targets Windows machines and can steal credentials, encrypt files, and deliver other malicious payloads. The researchers found that Trickbot operators were exploiting Mikrotik devices to redirect network traffic and perform DNS cache poisoning. The tool can help users to detect and prevent such attacks on their MikroTik devices.

RouterOS Scanner is a useful tool for anyone who owns or manages MikroTik devices and wants to ensure their security and performance. It can help users to discover vulnerabilities, detect threats, and manage risks on their devices. It is also a good example of how Microsoft is contributing to the cybersecurity community by sharing its research and tools.


How to use "RouterOS Scanner" from a Windows PC

Step 1: Download "RouterOS Scanner" from GitHub link https://github.com/microsoft/routeros-scanner 


Step 2: Unzip the downloaded Zip file.

Step 3: Download and install Python on the PC (if it is not already installed), making sure the installer adds Python to PATH, from https://www.python.org/downloads

Step 4: Open Command Prompt (CMD) on your PC and change directory to the unzipped RouterOS Scanner folder. Example:

C:\Users\ROY-LAPTOP>cd C:\routeros-scanner-main_2\routeros-scanner-main

C:\routeros-scanner-main_2\routeros-scanner-main>


Step 5: Then run the following command to install the dependencies/requirements:

C:\routeros-scanner-main_2\routeros-scanner-main>pip install -r requirements.txt

Step 6: After the dependencies/requirements install successfully, you can run the RouterOS Scanner commands to check for vulnerabilities.

Example (in CMD, prefix each of these commands with "python" to run it):

 ./main.py -i 192.168.88.1 -u admin

 ./main.py -i 192.168.88.1 -p 22 -u admin

 ./main.py -i 192.168.88.1 -p 2000 -u admin -ps 123456

 ./main.py -i 192.168.88.1 -p 2000 -u admin -ps 123456 -J

The following arguments can also be added to the command.


As an example, I ran the following for a MikroTik whose IP is 103.139.235.209:

C:\routeros-scanner-main_2\routeros-scanner-main>python .\main.py -i 103.139.235.209 -p 22 -u admin -ps password -concise -update

and it gave me the following result:

 "class": algorithms.Blowfish,
** Trying to update the CVE json file
** The CVE update process succeeded
** Mikrotik ip address: 103.139.235.209

DNS Cache:
        recommendation:
                "In case DNS cache is not required on your router - disable it"
Users:
        recommendation:
                "Add allowed ip address to user: shuvodip, to be the only address it can login from"
                "Add allowed ip address to user: ferdosh, to be the only address it can login from"
                "Add allowed ip address to user: pavel, to be the only address it can login from"
                "You are using the default \"admin\" user name- create new user in \"full\" group with a unique name, and delete the admin user"
                "Add allowed ip address to user: admin, to be the only address it can login from"
Ports:
        suspicious:
                "The port for www, has changed from 80 to 8088 - severity: low"
                "The port for winbox, has changed from 8291 to 9291 - severity: low"
        recommendation:
                "The port for ssh protocol is as ssh default port (22)- Mikrotik company recommended to change it"


*** So the result clearly shows that it scans for vulnerabilities and also suggests how to improve the security of RouterOS.

Note: If the MikroTik has firewall rules like the following, disable them before running the scan. Otherwise, because a proper connection cannot be established, "RouterOS Scanner" might not work.

/ip firewall filter

add action=accept chain=forward comment="allow established connections" connection-state=established

add action=accept chain=forward comment="allow related connections" connection-state=related

add action=drop chain=forward comment="drop invalid connections" connection-state=invalid

*** Also remember that by using "RouterOS Scanner" in a proper environment, including a cron job or scripting, we can scan MikroTik devices for vulnerabilities regularly and automatically.
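As an added example (not part of the original post and not Microsoft's routeros-scanner code), the Python wrapper below shows one way to do the scheduled scanning mentioned above and to work with the per-test raw data / suspicious / recommendation sections described earlier: it runs main.py with -J, stores the JSON report under a timestamp, ranks suspicious findings by the "- severity: low" suffix seen in the sample output, and reports which findings are new or resolved since the previous run. It assumes (this is not confirmed by the post) that -J prints a JSON object to stdout keyed by test name with "raw data", "suspicious" and "recommendation" entries; if the real field names differ, adjust suspicious_items(). The sample reports at the bottom are constructed from the post's text output, and the Scheduler finding in them is invented for illustration; the script name scan_watch.py and the ROS_SCANNER_PASSWORD variable are my own choices.

```python
# Added example, not part of the original post and not Microsoft's routeros-scanner code.
# Assumed (not confirmed from the page): "main.py ... -J" prints a JSON object to stdout keyed
# by test name, each value holding the "raw data", "suspicious" and "recommendation" sections
# the post describes; severity is read from the "- severity: low" suffix in the sample output.
import json
import os
import re
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

SEVERITY_RE = re.compile(r"severity:\s*(low|medium|high|critical)", re.IGNORECASE)
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}

def severity_of(finding: str) -> str:
    """Severity word from a finding string, or 'unknown' when none is present."""
    m = SEVERITY_RE.search(finding)
    return m.group(1).lower() if m else "unknown"

def parse_report(stdout: str) -> dict:
    """Extract the JSON object from scanner output, skipping status lines such as '** ...'."""
    start = stdout.find("{")
    if start < 0:
        raise ValueError("no JSON object found in scanner output")
    return json.JSONDecoder().raw_decode(stdout[start:])[0]

def suspicious_items(report: dict) -> set:
    """(test, finding) pairs from every test's 'suspicious' section."""
    return {(test, item) for test, sections in report.items()
            for item in (sections.get("suspicious") or [])}

def summarize(report: dict) -> list:
    """Suspicious findings as (test, severity, text), highest severity first."""
    rows = [(test, severity_of(item), item) for test, item in suspicious_items(report)]
    return sorted(rows, key=lambda r: (-SEVERITY_RANK[r[1]], r[0], r[2]))

def diff_reports(previous: dict, current: dict) -> dict:
    """Suspicious findings that appeared or disappeared between two runs."""
    prev, cur = suspicious_items(previous), suspicious_items(current)
    return {"new": sorted(cur - prev), "resolved": sorted(prev - cur)}

def run_scanner(scanner_dir: str, ip: str, user: str,
                password: Optional[str] = None, port: int = 22) -> dict:
    """Run main.py from the unzipped scanner folder with the current interpreter (so it also
    works from CMD on Windows) and parse its JSON report."""
    cmd = [sys.executable, "main.py", "-i", ip, "-p", str(port), "-u", user, "-J"]
    if password:
        cmd += ["-ps", password]
    proc = subprocess.run(cmd, cwd=scanner_dir, capture_output=True, text=True, check=True)
    return parse_report(proc.stdout)

def save_report(report: dict, out_dir: str) -> Path:
    """Store the report under a UTC timestamp so later runs can be compared."""
    folder = Path(out_dir)
    folder.mkdir(parents=True, exist_ok=True)
    path = folder / f"scan-{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}.json"
    path.write_text(json.dumps(report, indent=2))
    return path

def latest_report(out_dir: str) -> Optional[dict]:
    """Most recent saved report, or None on the first run."""
    files = sorted(Path(out_dir).glob("scan-*.json"))
    return json.loads(files[-1].read_text()) if files else None

# Constructed sample reports shaped like the post's text output; not real scanner
# output, and the Scheduler finding is invented for illustration.
SSH_NOTE = "The port for ssh protocol is as ssh default port (22)- Mikrotik company recommended to change it"
SAMPLE_PREVIOUS = {
    "Ports": {"raw data": {"www": 8088, "winbox": 8291, "ssh": 22},
              "suspicious": ["The port for www, has changed from 80 to 8088 - severity: low"],
              "recommendation": [SSH_NOTE]},
    "Scheduler": {"raw data": [], "suspicious": [], "recommendation": []},
}
SAMPLE_CURRENT = {
    "Ports": {"raw data": {"www": 8088, "winbox": 9291, "ssh": 22},
              "suspicious": ["The port for www, has changed from 80 to 8088 - severity: low",
                             "The port for winbox, has changed from 8291 to 9291 - severity: low"],
              "recommendation": [SSH_NOTE]},
    "Scheduler": {"raw data": [{"name": "upd"}],
                  "suspicious": ["Scheduler entry 'upd' fetches and runs a remote script - severity: high"],
                  "recommendation": []},
}

if __name__ == "__main__":
    if len(sys.argv) >= 4:  # python scan_watch.py <scanner_dir> <ip> <user> [out_dir]
        scanner_dir, ip, user = sys.argv[1:4]
        out_dir = sys.argv[4] if len(sys.argv) > 4 else "reports"
        previous = latest_report(out_dir)
        # The password comes from an environment variable so it does not appear in the command line.
        current = run_scanner(scanner_dir, ip, user, os.environ.get("ROS_SCANNER_PASSWORD"))
        print("saved", save_report(current, out_dir))
    else:  # offline demonstration on the constructed samples
        previous, current = SAMPLE_PREVIOUS, SAMPLE_CURRENT
    for test, sev, text in summarize(current):
        print(f"[{sev:>7}] {test}: {text}")
    if previous is not None:
        print(json.dumps(diff_reports(previous, current), indent=2))
```

Run it without arguments to see the offline demonstration on the constructed samples; for a real device, schedule something like `python scan_watch.py C:\routeros-scanner-main_2\routeros-scanner-main 192.168.88.1 admin` from Task Scheduler or cron with ROS_SCANNER_PASSWORD set in the job's environment. Each run is saved under reports\, and the "new" list in the diff is what deserves a look first, since a port or scheduler entry that changed between two scans of your own router is exactly the kind of drift the post's sample output is meant to surface.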


BGP Peer Open-Sent issue in MikroTik and a Solution by BGP monitor

The “Open-Sent” state in BGP (Border Gateway Protocol) indicates that the router has sent an OPEN message and is waiting for an OPEN message...