Jimmy
Member Candidate
Topic Author
Posts: 111
Joined: Thu Sep 29, 2011 11:42 pm
Location: Denmark

Microsoft creates tool to scan MikroTik routers for TrickBot infections

Sat Mar 19, 2022 12:32 am

 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Microsoft creates tool to scan MikroTik routers for TrickBot infections

Sat Mar 19, 2022 5:08 am

Has anyone had luck getting this to work? When I point it at my lab hEX S running 7.2rc4 it does this:
C:\Downloads\Mikrotik\routeros-scanner-main>python main.py -h
usage: main.py [-h] -i IP -p PORT -u USERNAME [-ps PASSWORD] [-J]

optional arguments:
  -h, --help            show this help message and exit
  -i IP, --ip IP        The tested Mikrotik IP address
  -p PORT, --port PORT  The tested Mikrotik SSH port
  -u USERNAME, --userName USERNAME
                        User name with admin Permissions
  -ps PASSWORD, --password PASSWORD
                        The password of the given user name
  -J                    Print the results as json format
C:\Downloads\Mikrotik\routeros-scanner-main>python main.py -i 192.168.89.1 -u demo -p 22 -ps ***redacted***
Mikrotik ip address: 192.168.89.1

Traceback (most recent call last):
  File "C:\Downloads\Mikrotik\routeros-scanner-main\main.py", line 62, in <module>
    main(args)
  File "C:\Downloads\Mikrotik\routeros-scanner-main\main.py", line 31, in main
    res = command.run_ssh(ssh_client)
  File "C:\Downloads\Mikrotik\routeros-scanner-main\commands\dns.py", line 16, in run_ssh
    sus_dns, recommendation = self.check_results_ssh(res, enabled)
  File "C:\Downloads\Mikrotik\routeros-scanner-main\commands\dns.py", line 27, in check_results_ssh
    if int(item['ttl'].partition('s')[0]) > 200000:
ValueError: invalid literal for int() with base 10: '3d15h25m1'

C:\Downloads\Mikrotik\routeros-scanner-main>
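
Added example, not part of the post above and not the scanner's own code: the traceback shows `int()` failing because stripping the trailing `s` from a compound duration leaves `3d15h25m1`. One way to turn such TTL strings into seconds before applying the 200000 threshold, assuming the unit letters w, d, h, m, s and a hypothetical `name` key on each cache entry:

```python
import re

# RouterOS-style duration: optional week/day/hour/minute/second parts, in order.
# The unit letters w, d, h, m, s are an assumption of this example.
DURATION = re.compile(r"(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
UNIT_SECONDS = (604800, 86400, 3600, 60, 1)
TTL_LIMIT = 200000  # seconds; the threshold in the traceback's comparison


def ttl_to_seconds(ttl):
    """Convert a duration such as '45s' or '3d15h25m1s' to whole seconds."""
    text = ttl.strip()
    match = DURATION.fullmatch(text)
    if not text or match is None:
        raise ValueError(f"unrecognised ttl: {ttl!r}")
    return sum(int(n) * unit for n, unit in zip(match.groups(), UNIT_SECONDS) if n)


def long_ttl_entries(cache, limit=TTL_LIMIT):
    """Return (entry, seconds) pairs for entries whose TTL exceeds limit.

    An entry whose TTL cannot be parsed is returned with seconds=None so that
    one odd value is surfaced for review instead of aborting the whole check.
    """
    flagged = []
    for item in cache:
        try:
            seconds = ttl_to_seconds(item.get("ttl", ""))
        except ValueError:
            flagged.append((item, None))
            continue
        if seconds > limit:
            flagged.append((item, seconds))
    return flagged


# Constructed sample entries; only the 'ttl' key appears in the traceback,
# the 'name' key and all values are made up for this example.
SAMPLE_CACHE = [
    {"name": "a.example", "ttl": "45s"},
    {"name": "b.example", "ttl": "3d15h25m1s"},
    {"name": "c.example", "ttl": "2d7h33m20s"},  # exactly 200000 s, not above it
    {"name": "d.example", "ttl": "never"},       # unparsable, reported as None
]

if __name__ == "__main__":
    for entry, seconds in long_ttl_entries(SAMPLE_CACHE):
        print(entry["name"], entry["ttl"], seconds)
```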
 
mada3k
Forum Veteran
Posts: 751
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Microsoft creates tool to scan MikroTik routers for TrickBot infections

Sat Mar 19, 2022 11:30 am

Can't get it to work either
  File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 1498, in auth_password
    raise SSHException("No existing session")
paramiko.ssh_exception.SSHException: No existing session
 
pe1chl
Forum Guru
Posts: 10533
Joined: Mon Jun 08, 2015 12:09 pm

Re: Microsoft creates tool to scan MikroTik routers for TrickBot infections

Sat Mar 19, 2022 1:09 pm

> Has anyone had luck getting this to work? When I point it at my lab hEX S running 7.2rc4 it does this:
It likely is intended to work with RouterOS v6.
 
Jotne
Forum Guru
Posts: 3345
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Microsoft creates tool to scan MikroTik routers for TrickBot infections

Sat Mar 19, 2022 5:31 pm

This is just a quick walkthrough of what the Microsoft script does. It may not be 100% correct (my Python knowledge is not high), but it should give an idea.

basecommand.py
Used to run other commands?

dns.py
/ip dns print
Test if remote dns is allowed

/ip dns cache print detail
Test if cache is enabled and warn to turn it off if it's not needed.

files.py
/file print detail
Test to see if some file has http download or /tool fetch and warn about it

fwnat.py
/ip firewall nat print detail
Test to see if dest-nat is correctly setup.

fwrules.py
/ip firewall filter print detail
Test all fw rules. It seems not to test anything

ports.py
/ip service print detail
Test all service ports. Sees if some are changed from default and recommends not using 22 for SSH

proxy.py
/ip proxy print
/ip proxy access print detail

Test if proxy is enabled and recommend to turn it off

scheduler.py
/system scheduler print detail
Test to see if some file has http download or /tool fetch and warn about it

socks.py
/ip socks print
/ip socks access print detail

Test if socks is enabled and recommend to turn it off

users.py
/user print detail
Test if user admin exists, recommend to remove it and create a good password

version.py
/system resource print
Test firmware version, but not sure how.