MikroTik RouterOS Exploitation Tool

by s1l3nt78 - 22 June, 2020 - 12:59 AM
(This post was last modified: 22 June, 2020 - 01:03 AM by s1l3nt78.)

MkCheck
s1l3nt78
Because exploitation is fun

IMPORTANT
This software should not be used within any system or network for which you do not have permission, nor should it be used for any illegal or illicit purposes. The author takes no responsibility for any damages that may be caused by the software in this repository.

Termux
MkCheck works well in Termux, provided you are able to run root.
Otherwise Nethunter (with chroot) works as well, without any extra config.

Still in Development
The mthread script is still in development: it still needs some optimization, and it will get rid of redundancies as well as clean up a lot of the unnecessary code.

Functions
MkCheck is used to check MikroTik Routers for:
+winbox_auth_bypass_creds_disclosure  - Affected Versions: 6.29 to 6.42
+routeros_jailbreak                   - Affected Versions: 2.9.8 to 6.41rc56
+ByTheWay (CVE-2018-14847)            - Affected Versions: * Longterm: 6.30.1 to 6.40.7
                                                           * Stable: 6.29 to 6.42.0
                                                           * Beta: 6.29rc1 to 6.43rc3

MkCheck matches IP addresses to WiFi Access Point names.

If the routersploit module confirms that the MikroTik device is vulnerable, it displays the login credentials,
which must be entered into scripts/miko.py for MkCheck's auto-search module to work correctly.

ByTheWay Root Shell Check
The exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an "option" package to enable the developer backdoor. Post-exploitation, the attacker can connect to Telnet or SSH using the root user "devel" with the admin's password.

Change These:
****************
username = "admin"
password = "admin"


The main function auto-spawns SSH sessions on the compromised targets to enumerate the network Access Point name from the IP.
This is done through command = "/system identity print".
The logs are then automatically cleaned via the "/console clear-history" command.

You can change the command value in order to enumerate different data.
Changing the command to "/system default-configuration print" will print out the default configuration.

Once the network AP name has been found, the attacker can use the IP and login credentials to work with the MikroTik router's config from a web session.

Results are automatically saved, organised in their respective folders:
  • Vulns (MikroTik AP Name Search)
  • RSF (Routersploit Scan Info)
  • btw (ByTheWay Exploit Check)

Version 3
mthread script added to speed up scans.
Automatic clean-up of SSH command history is done in order to remain hidden.

mkcheck will work correctly in Termux, but mthread will not, as it relies on external xterm windows.
 
USAGE
  • The user must create the 'scripts/tiks.txt' list with MikroTik router IPs.
  • The easiest way to do this is using Shodan for vuln searching. WinBox Auth Bypass looks for port 8291.
  • Nmap can be used as well, using the following command:
Code:
# sudo nmap -vv -O -A -Pn -p 80,8291 111.11.11.1/24
This will scan the given IP block for all online devices and check if the appropriate services are running and vulnerable.
Once the attacker has a specific netblock (e.g. 111.69.145.1/24), the best way to create the list is using Microsoft Excel, as you need to fill in the first block (111.69.145.0) and can then drag the column to quickly fill in the IPs. Then copy the entire block into the 'scripts/tiks.txt' file.

USER LICENCE

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. THIS TOOL WAS MADE FOR EDUCATIONAL PURPOSES. ALL DAMAGE CAUSED BY ANY ACTIVITIES, ILLEGAL OR OTHERWISE, FALLS SOLELY ON THE RESPONSIBILITY OF THE USER.
 
Other Projects:
All information on projects in development can be found here. For any requests or ideas on current projects, please submit an issue request to the corresponding tool. For ideas or collaboration requests on future projects, contact details can be found on the page.

GitHub Pages can be found here.
  • Sifter = Osint, Recon and Vuln Scanner
  • TigerShark = Multi-Tooled Phishing Framework
 
 
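Two helpers for the Functions and USAGE sections of the post above, added here as an example and not part of MkCheck or s1l3nt78's code. The first takes a RouterOS version string (as seen in a Winbox or www banner) and reports which of the three checks the post lists it as affected by; the second replaces the Excel column trick by reading `nmap -oG` output and keeping only hosts with 8291/tcp open, ready to be written to scripts/tiks.txt. Assumptions: the affected ranges are used exactly as printed in the post and treated as inclusive, a bound such as "6.42" is read as 6.42.0, an rcN build sorts before its final release (6.41rc56 < 6.41), the grepable format is the standard one Nmap emits when `-oG -` is added to the command in the post, and the scan output embedded in the block is constructed over the 192.0.2.0/24 documentation range, not a real result.

```python
"""Added example (not MkCheck's code): triage RouterOS versions against the
affected ranges quoted in the post, and build scripts/tiks.txt from an
`nmap -oG` scan instead of an Excel column."""
import ipaddress
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Inclusive affected ranges exactly as the post lists them.  All three
# ByTheWay channel ranges are kept: a banner does not say whether the target
# runs the longterm, stable or beta channel, so any channel match counts.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "winbox_auth_bypass_creds_disclosure": [("6.29", "6.42")],
    "routeros_jailbreak": [("2.9.8", "6.41rc56")],
    "ByTheWay (CVE-2018-14847)": [
        ("6.30.1", "6.40.7"),    # Longterm
        ("6.29", "6.42.0"),      # Stable
        ("6.29rc1", "6.43rc3"),  # Beta
    ],
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:rc(\d+))?$")


def version_key(version: str) -> Tuple[int, ...]:
    """Sortable key for a RouterOS version such as '6.41rc56'.

    Assumption: missing components are zero ("6.42" == "6.42.0") and an rcN
    build precedes its final release, so '6.41rc56' < '6.41' < '6.41.1'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))
    rc = m.group(2)
    return (*parts, 0, int(rc)) if rc else (*parts, 1, 0)


def applicable_checks(version: str) -> List[str]:
    """Names of the MkCheck checks whose affected range contains `version`."""
    key = version_key(version)
    return [
        name
        for name, ranges in AFFECTED.items()
        if any(version_key(lo) <= key <= version_key(hi) for lo, hi in ranges)
    ]


# Grepable host line: "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/..., ..."
_OG_PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")


def hosts_with_port_open(grepable: str, port: int = 8291) -> List[str]:
    """IPs from `nmap -oG` output that list `port` as open (8291 = Winbox)."""
    found: List[str] = []
    for line in grepable.splitlines():
        m = _OG_PORTS_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, entries = m.group(1), m.group(2)
        for entry in entries.split(","):
            fields = entry.strip().split("/")  # number/state/proto/...
            if len(fields) >= 2 and fields[0] == str(port) and fields[1] == "open":
                found.append(ip)
                break
    return found


def expand_netblock(cidr: str) -> List[str]:
    """Usable host addresses of a netblock (what the Excel column produced)."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def write_targets(ips: List[str], path: str = "scripts/tiks.txt") -> int:
    """Write one IP per line, the layout MkCheck reads, and return the count."""
    target = Path(path)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text("\n".join(ips) + "\n")
    return len(ips)


# Constructed sample of `nmap -Pn -p 80,8291 -oG -` output, not a real scan;
# 192.0.2.0/24 is the TEST-NET-1 documentation range.
SAMPLE_NMAP_OG = """\
# Nmap 7.80 scan initiated as: nmap -Pn -p 80,8291 -oG - 192.0.2.0/29
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 80/open/tcp//http///, 8291/open/tcp//unknown///\tIgnored State: closed (0)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 80/open/tcp//http///, 8291/closed/tcp//unknown///
Host: 192.0.2.3 ()\tStatus: Up
Host: 192.0.2.3 ()\tPorts: 80/filtered/tcp//http///, 8291/open/tcp//unknown///
# Nmap done -- 8 IP addresses (3 hosts up) scanned in 1.23 seconds
"""

if __name__ == "__main__":
    targets = hosts_with_port_open(SAMPLE_NMAP_OG)
    print("Winbox listeners:", targets)
    for v in ("6.40.7", "6.41rc56", "6.42.1", "6.43"):
        print(v, "->", applicable_checks(v) or "not listed as affected")
    print("wrote", write_targets(targets), "targets to scripts/tiks.txt")
```

Run it directly to see a few versions triaged and the sample scan turned into scripts/tiks.txt; for real use, feed the output of `sudo nmap -Pn -p 80,8291 -oG - <netblock>` into hosts_with_port_open instead of expanding the whole /24. A version match only means the post lists that build as affected; the routersploit module still has to confirm the device is actually exploitable.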
MoHAmMeD1Asad12
#2
ok nice
txtuhinl
#4
ok lets see
kodiserije
#5
(22 June, 2020 - 12:59 AM) s1l3nt78 Wrote: [quote of post #1 omitted]
tnx
Smexy_Dude
#6
dgood
cuedc
#7
xlcm,lcxc
rfadadawd
#8
thxx
