MkCheck

s1l3nt78
The Dead Bunny Collective
Because exploitation is fun


# Functions

MkCheck is used to check MikroTik routers for:
- winbox_auth_bypass_creds_disclosure - Affected Versions: 6.29 to 6.42
- routeros_jailbreak - Affected Versions: 2.9.8 to 6.41rc56
- ByTheWay (CVE-2018-14847) - Affected Versions: 6.30.1 - 6.40.7
    * Stable: 6.29 - 6.42.0
    * Beta: 6.29rc1 - 6.43rc3

MkCheck matches IP addresses to WiFi Access Point names.
The routersploit module confirms whether the MikroTik device is vulnerable and, if it is, displays the login credentials,
which must be entered into scripts/miko.py for MkCheck's auto search module to work correctly.

ByTheWay Root Shell Check: the exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin
password and create an "option" package to enable the developer backdoor. Post exploitation, the attacker can connect to
Telnet or SSH using the root user "devel" with the admin's password.
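
For administrators auditing their own devices, the affected version ranges listed above can be checked against an asset inventory. The following is an added example, not part of MkCheck: the function names and the sample inventory are constructed for illustration. It assumes that pre-release builds sort as beta < rc < release, and it compares the ranges numerically exactly as this page lists them, without regard to release channel.

```python
import re

# Affected ranges exactly as listed on this page (inclusive bounds).
AFFECTED = {
    "winbox_auth_bypass_creds_disclosure": [("6.29", "6.42")],
    "routeros_jailbreak": [("2.9.8", "6.41rc56")],
    "ByTheWay (CVE-2018-14847)": [
        ("6.30.1", "6.40.7"),
        ("6.29", "6.42.0"),
        ("6.29rc1", "6.43rc3"),
    ],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")
_STAGE = {"beta": 0, "rc": 1, None: 2}  # assumption: pre-releases sort before the release


def parse_version(text):
    """Turn '6.41rc56' into a sortable tuple; raise ValueError if malformed."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[stage], int(num or 0))


def matching_checks(version):
    """Names of the checks whose listed range contains this version."""
    v = parse_version(version)
    return [
        name
        for name, ranges in AFFECTED.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]


def audit(inventory):
    """Map each device to the checks it falls under; bad versions map to None."""
    report = {}
    for device, version in inventory.items():
        try:
            report[device] = matching_checks(version)
        except ValueError:
            report[device] = None  # version string needs manual review
    return report


if __name__ == "__main__":
    # Constructed inventory (documentation addresses, not real devices).
    sample = {"192.0.2.10": "6.42", "192.0.2.11": "6.41rc56",
              "192.0.2.12": "6.43", "192.0.2.13": "unknown"}
    for device, hits in audit(sample).items():
        print(device, "manual review" if hits is None else hits or "not in any listed range")
```

Any device reported inside a listed range should be upgraded to a current RouterOS release and have its credentials rotated.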

# Termux


MkCheck works well in Termux, provided you are able to run as root.
Otherwise, Nethunter (with chroot on a non-rooted device) works as well,
without any extra config. For Termux you should download the release from here.

Then run:

    # unzip Release_v3.zip
    # cd Release_v3
    # bash setup.sh

To set up Root Nethunter on a non-rooted Android device,
just follow the instructions from here.

# Additions


mthread script added to speed up scans.
mkcheck script works fine in Termux (with ROOT).
mthread script only works in Linux, due to
its reliance on external xterm windows.



Change These:
****************
username = "admin"
password = "admin"


The main function auto-spawns SSH sessions on the compromised targets to enumerate the network
Access Point name from the IP. This is done through command = "/system identity print".
The logs are then automatically cleaned via the "/console clear-history" command.

You can change the command value in order to enumerate different data.
Changing the command to "/system default-configuration print" will print out the default configuration.

Once the network AP name has been found, the attacker can use the
IP and login credentials to work with the MikroTik router's config from a web session.

Results are automatically saved and organised in their respective folders:
- Vulns (MikroTik AP Name Search)
- RSF (Routersploit Scan Info)


Version 3.5

mthread script added to speed up scans.
mkcheck will work correctly in Termux, but mthread
will not, as it relies on external xterm windows.

mthread works on Windows if you install VcXsrv (an X server application
for Windows), which allows xterm windows to launch.
Download VcXsrv from here.
Once installed, run the following commands from the Windows terminal:

    echo "export DISPLAY=localhost:0.0" >> ~/.bashrc
    source ~/.bashrc


Images: Main Menu; MikroTik Auto-Exploiter; WinBox Authentication Bypass; Mthread Using Windows (MikroTik Auto-Exploitation)

# USAGE



- The user must create the 'scripts/tiks.txt' list with MikroTik router IPs.
  The current 'scripts/tiks.txt' does not contain valid MikroTik router IPs. (STRICTLY EXAMPLE)
- The easiest way to do this is using Shodan for vuln searching. WinBox Auth Bypass looks for port 8291.
- Nmap can be used as well, using the following command:

    # sudo nmap -vv -O -A -Pn -p 80,8291 111.11.11.1/24

This will scan the given IP block for all online devices and check if the appropriate services are running and vulnerable.

Once the attacker has a specific netblock, the best way to create the list is using Microsoft Excel.
As you need to fill in the first block (111.69.145.1), you can then drag the column to quickly fill in the IPs in the column.
Then copy the entire block into the 'scripts/tiks.txt' file.


# USER LICENCE


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. THIS TOOL WAS MADE FOR EDUCATIONAL PURPOSES. ALL DAMAGE CAUSED BY ANY ACTIVITIES ILLEGAL OR OTHERWISE, FALLS SOLELY ON THE RESPONSIBILITY OF THE USER.

# Other Projects
All information on projects in development can be found here.
For any requests or ideas on current projects, please submit an issue request to the corresponding tool.
For ideas or collaboration requests on future projects, contact details can be found on the page.

GitHub Pages can be found here.
- Sifter = Osint, Recon and Vuln Scanner
- TigerShark = Multi-Tooled Phishing Framework