Skip to content

mrhenrike/MikrotikAPI-BF

BranchesTags

Repository files navigation

MikrotikAPI-BF v3.10.0

Python Version License Version Platform Wiki PyPI CodeQL

RouterOS Attack & Exploitation Framework — credential brute-force, 100 CVE/EDB PoC exploits, 8-phase automated security audit, MAC-Server Layer-2 discovery, offline credential decoders, NPK analyzer, CVE scanner, SARIF CI/CD export, Nmap NSE scripts, multi-target, stealth, REST/API/Winbox/FTP/SSH/Telnet/SMB/SNMP/BFD/OSPF vectors.

Portuguese (pt-BR): README.pt-BR.md · Contributing: CONTRIBUTING.md · Code of Conduct: CODE_OF_CONDUCT.md · Security: SECURITY.md

✨ Key Features

🔐 Authentication & Brute-Force

  • RouterOS API (TCP 8728/8729) — full binary protocol implementation (6.x MD5 challenge + 7.x plaintext)
  • REST API over HTTP/HTTPS (TCP 80/443) — Basic Auth brute-force
  • MAC-Telnet (TCP 20561) — Layer-2 proprietary protocol (no IP needed)
  • Multi-target (--target-list / -T) — scan from file, sequential engine per target
  • Threading — up to 15 workers (--threads N)

🔍 CVE Scanner & Exploit Engine

  • 100 exploit classes — 27 CVEs + 5 design/config findings + 13 Exploit-DB PoCs + novel research PoCs
  • Pre-auth exploits — Winbox (CVE-2018-14847, CVE-2018-10066), HTTP traversal, SNMP, SMB, BFD, OSPF, DNS
  • Post-auth exploits — Scheduler RCE, Container escalation, FOISted, WireGuard key extraction, packet sniffer wiretapping, SSRF via tool/fetch, REST path traversal, scheduler command injection
  • SSH Jailbreak — RouterOS root shell via SSH backup patching (ROS 2.9.8–6.41rc56)
  • Winbox credential decryption — enhances CVE-2018-14847 with DAT file decryption
  • Version-aware — CVE database maps applicability to detected RouterOS version
  • --scan-cve — standalone CVE scan (no brute-force needed)
  • --run-exploit <CVE_ID> — run a specific exploit PoC by ID (v3.10.0+)

🌐 Winbox CVE Coverage (TCP 8291)

  • CVE-2018-14847 — Credential disclosure (Chimay-Red / EternalWink) — pre-auth file read
  • CVE-2018-10066 — Authentication bypass / directory traversal
  • CVE-2021-27263 — Auth bypass (RouterOS 7.0.x)
  • CVE-2018-14847-MAC — Same exploit delivered via MNDP Layer-2 discovery
  • NSE scriptnse/mikrotik-winbox-cve-2018-14847.nse (Nmap integration)

ℹ️ Winbox credential brute-force via the proprietary Winbox GUI protocol is not implemented (no reliable portable auth library). Use API port 8728 for brute-force. All Winbox CVE exploits (pre-auth file read, bypass) are fully implemented.

🛰️ MAC-Server / Layer-2 Discovery (v3.3.0+)

  • MNDP broadcast (UDP 20561) — discovers devices even without IP
  • MAC-Telnet brute-force (TCP 20561) — proprietary MAC-Telnet auth
  • CVE-2018-14847-MAC — Winbox credential disclosure via MNDP-discovered devices
  • L2 constraint — requires same broadcast domain

🔓 Offline Credential Decoders (v3.5.0+)

Based on mikrotik-tools by Kirils Solovjovs, ported to Python 3:

  • --decode-userdat — decode user.dat after CVE-2018-14847 extraction (XOR with MD5 key)
  • --decode-backup — extract .backup archive + auto-decode credentials
  • --decode-supout — list sections in supout.rif diagnostic files
  • --analyze-npk — NPK package analyzer (CVE-2019-3977 vector)

🗺️ Nmap NSE Scripts (v3.6.0+)

Five Lua scripts in nse/ for Nmap integration:

  • mikrotik-routeros-version.nse — fingerprint RouterOS from HTTP/API/Winbox
  • mikrotik-api-brute.nse — full API brute-force (6.x MD5 + 7.x plaintext auth)
  • mikrotik-default-creds.nse — test default/empty creds on all interfaces
  • mikrotik-api-info.nse — authenticated info dump (users, services, firewall)
  • mikrotik-winbox-cve-2018-14847.nse — Winbox credential disclosure check

🎯 Wordlists

  • Compatible with mrhenrike/WordListsForHacking
  • Includes labs_mikrotik_pass.lst (MikroTik-specific), labs_passwords.lst, labs_users.lst
  • Smart wordlist engine with target-informed combinations

🛡️ Automated Security Audit (v3.10.0+)

  • --audit — full 8-phase security audit via REST API (no brute-force needed)
  • Phase 1: System enumeration (identity, resource, packages, health)
  • Phase 2: Service & network mapping (ip/service, firewall, interfaces)
  • Phase 3: User & credential audit (blank password, default creds)
  • Phase 4: REST API injection testing (scheduler, path traversal, SSRF)
  • Phase 5: Winbox protocol probing (port 8291, M2 banner)
  • Phase 6: SNMP analysis (default communities)
  • Phase 7: Undocumented/debug endpoint discovery
  • Phase 8: Configuration export & firewall audit
  • Generates markdown report + raw JSON + SARIF

🔄 Sessions, Stealth & Export

  • Persistent sessions — resume interrupted attacks (--resume)
  • Stealth mode — Fibonacci delays, User-Agent rotation (--stealth)
  • Progress bar — ETA and speed display (--progress)
  • Export — JSON, CSV, XML, TXT, SARIF v2.1.0 (--export-all / --export sarif)
  • SARIF — OASIS Static Analysis Results Interchange Format for CI/CD pipelines (v3.10.0+)
  • Proxy — SOCKS5/HTTP proxy support (--proxy socks5://...)

🚀 Quick Start

Install via pip (recommended)

# Latest stable release from PyPI
pip install mikrotikapi-bf

# Upgrade to the latest version
pip install --upgrade mikrotikapi-bf

# Verify installation
mikrotikapi-bf --help
mikrotikapi-bf --nse-path    # prints bundled NSE scripts directory for Nmap

NSE scripts are installed automatically to Nmap's scripts directory during pip install.
To install them manually: mikrotikapi-install-nse

Install from source (development)

git clone https://github.com/mrhenrike/MikrotikAPI-BF.git
cd MikrotikAPI-BF
pip install -e .          # editable install — includes NSE auto-install hook
# or without the hook:
pip install -r requirements.txt
python mikrotikapi-bf.py --help

One-liners

# Basic brute-force
python mikrotikapi-bf.py -t 192.168.1.1 -U admin -d wordlists/passwords.lst

# Username + password lists
python mikrotikapi-bf.py -t 192.168.1.1 -u users.lst -p passwords.lst

# Multi-target from file
python mikrotikapi-bf.py -T targets.lst -d passwords.lst --threads 5

# Full CVE scan (authenticated)
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve --all-cves -U admin -P pass

# Run specific exploit by CVE ID
python mikrotikapi-bf.py -t 192.168.1.1 --run-exploit CVE-2018-14847

# Full 8-phase security audit with SARIF output
python mikrotikapi-bf.py -t 192.168.1.1 --audit --export sarif -U admin -P pass

# Full pentest run
python mikrotikapi-bf.py \
  -t 192.168.1.1 \
  -u wordlists/users.lst -p wordlists/passwords.lst \
  --validate ftp,ssh,telnet \
  --stealth --fingerprint --progress --export-all \
  --threads 5 -vv

# Decode user.dat after CVE-2018-14847 extraction
python mikrotikapi-bf.py --decode-userdat user.dat --decode-useridx user.idx

# Layer-2 MAC-Server attack
python mikrotikapi-bf.py --mac-discover --mac-brute -d passwords.lst

Nmap NSE Usage

# Install NSE scripts
cp nse/*.nse /usr/share/nmap/scripts/ && nmap --script-updatedb

# Full discovery
nmap -p 80,8291,8728 --script "mikrotik-*" 192.168.1.0/24

# Check CVE-2018-14847
nmap -p 8291 --script mikrotik-winbox-cve-2018-14847 192.168.1.1

# Brute-force API
nmap -p 8728 --script mikrotik-api-brute \
  --script-args userdb=users.lst,passdb=passwords.lst 192.168.1.1

🗺️ Attack Surface Mapping

Full Attack Surface — Coverage Status (v3.10.0)

MikrotikAPI-BF Full Attack Surface Map

Complete RouterOS attack surface with MikrotikAPI-BF coverage indicators (✓ covered / ✗ not yet covered)

🟠 Access Vectors — Coverage Detail

Access Vectors Coverage

Orange = Access Vectors. Green ✓ = covered. Red ✗ = not yet covered.

Access Vector Port(s) Tool Coverage How
telnet TCP/23 ✅ Covered Post-login validation (--validate telnet)
ssh TCP/22 ✅ Covered Post-login validation + EDB-28056 (ROSSSH heap)
web (WebFig/REST) TCP/80, 443 ✅ Covered REST API brute-force + 10+ CVE/EDB exploits
winbox TCP/8291 ✅ Covered CVE-2018-14847, CVE-2018-10066, CVE-2021-27263 + NSE script
ftp TCP/21 ✅ Covered Post-login validation + CVE-2019-3976/3977 + EDB-44450
samba (SMB) TCP/445 ✅ Covered CVE-2018-7445, CVE-2022-45315
mactel (MAC-Telnet) TCP/20561 ✅ Covered modules/mac_server.py — MNDP + brute (v3.3.0+)
dude TCP/2210 ❌ Not covered The Dude monitoring client — no PoC
setup (Netinstall) UDP/5000 ❌ Not covered Physical/LAN boot vector
netboot TFTP/69 ❌ Not covered Physical LAN only
btest TCP/2000 ❌ Not covered Bandwidth Test — protocol not implemented
dhcp UDP/67-68 ❌ Not covered Out of scope
console RS-232 ❌ Not covered Physical serial access only
Woobm-USB USB ❌ Not covered Physical access only

Coverage: 7 / 14 Access Vectors (50%) — all network-accessible vectors covered

🔵 Access Targets — Coverage Detail

Access Targets Coverage

Blue = Access Targets. Green ✓ = covered. Red ✗ = not yet covered.

Access Target Component Coverage CVEs / Notes
filesystem /flash/rw/store/ ⚠️ Partial CVE-2018-14847 reads user.dat; CVE-2019-3943 path traversal
supout.rif Diagnostic file ✅ Covered CVE-2023-30799 (FOISted) — priv escalation via supout upload
.npk Package files ✅ Covered CVE-2019-3977/3976 — arbitrary exec/read via NPK
.backup Config backup ❌ Not covered No exploit for backup file extraction/abuse
FLASH Internal flash ❌ Not covered Requires filesystem or physical access
NAND NAND storage ❌ Not covered Low-level, physical access
HDD Hard disk (CHR) ❌ Not covered CHR-specific — no direct exploit path
kvm Virtual machine ❌ Not covered KVM hypervisor — out of scope

📄 CLI Reference (All Flags)

Flag Short Description Default
--target -t Target IP/hostname
--target-list -T File with targets (one per line)
--user -U Single username admin
--passw -P Single password
--userlist -u Username wordlist file
--passlist -p Password wordlist file
--dictionary -d Combo file (user:pass)
--delay-mode Delay profile: high,balanced,stealth,custom high
--seconds -s Custom delay in seconds (with --delay-mode custom) profile-based
--threads Thread count (max 300; >15 requires --high-threads) 2
--api-port RouterOS API port 8728
--rest-port RouterOS REST port 8729
--http-port HTTP port 80
--ssl Use HTTPS/API-SSL false
--ssl-port HTTPS port 443
--validate Post-login validation (ftp,ssh,telnet)
--verbose -v Show failed attempts false
--verbose-all -vv Full debug false
--progress Progress bar + ETA false
--stealth Stealth delays + UA rotation false
--fingerprint Advanced device fingerprinting false
--exploit Run exploit scanner after BF false
--scan-cve Standalone CVE scan (no BF) false
--all-cves Show all CVEs (ignore version) false
--run-exploit Run specific exploit by CVE ID
--audit Full 8-phase security audit via REST false
--audit-report Audit report output directory results
--proxy Proxy URL (socks5://...)
--interactive Start interactive REPL false
--max-retries Connection retry count 1
--export Formats: json,csv,xml,txt,sarif
--export-all Export to all formats false
--export-dir Output directory results
--resume Resume previous session false
--force Force new session false
--list-sessions List saved sessions
--mac-discover MNDP broadcast discovery false
--mac-brute Brute via MAC-Telnet false
--mac-scan-cve CVE-2018-14847-MAC false
--mac-iface-ip Local IP for MNDP 0.0.0.0
--decode-userdat Decode user.dat offline
--decode-useridx Companion user.idx
--decode-backup Decode .backup archive
--analyze-npk Analyze NPK package
--decode-supout List supout.rif sections

Full guide: Wiki — Complete Usage Guide · pt-BR

🧭 Attack Surface Coverage by Service

Service Port Brute-Force CVE/Exploits NSE Script
RouterOS API TCP/8728 ✅ Primary target Brute-force/rate-limit exposure validation mikrotik-api-brute.nse
REST API TCP/80,443 ✅ HTTP Basic Auth CVE-2019-3924, 2019-3943, 2023-30799, 2023-30800, 2024-35274 mikrotik-default-creds.nse
Winbox TCP/8291 ⚠️ Not (no auth lib) CVE-2018-14847, 2018-10066, 2021-27263 mikrotik-winbox-cve-2018-14847.nse
FTP TCP/21 ✅ Post-login CVE-2019-3976, 2019-3977, EDB-44450
SSH TCP/22 ✅ Post-login EDB-28056 (ROSSSH)
Telnet TCP/23 ✅ Post-login
SMB TCP/445 CVE-2018-7445, CVE-2022-45315
SNMP UDP/161 EDB-31102, EDB-6366
MAC-Telnet TCP/20561 ✅ L2 only CVE-2018-14847-MAC

🔎 Full Exploit Coverage (47 entries)

ID Title CVSS Auth PoC Fixed in
CVE-2018-7445 SMB Stack Buffer Overflow 9.8 No EDB-44290 6.41.4
CVE-2018-10066 Winbox Auth Bypass 8.1 No EDB-44813 6.42
CVE-2018-14847 Winbox Credential Disclosure (Chimay-Red) 9.1 No EDB-45220 6.42.1
CVE-2018-14847-MAC Winbox via MNDP (Layer-2) 9.1 No 6.42.1
CVE-2019-3924 WWW Firewall/NAT Bypass 9.8 No EDB-46444 6.43.12
CVE-2019-3943 HTTP Path Traversal 8.8 No EDB-46731 6.43.8
CVE-2019-3976 NPK Arbitrary File Read 6.5 Yes 6.45.7
CVE-2019-3977 NPK Arbitrary Code Execution 7.5 Yes 6.45.7
CVE-2019-3978 DNS Cache Poisoning 7.5 No EDB-47566 6.45.7
CVE-2019-3981 DNS Forwarder MitM 7.5 No 6.45.7
CVE-2020-20215 MPLS Out-of-Bounds Write (DoS) 7.5 Yes 6.47
CVE-2020-5720 UDP Fragment Crash 7.5 Yes 6.46.5
CVE-2021-27263 Winbox Auth Bypass (7.0.x) 7.5 No 7.1
CVE-2021-36522 www Authenticated RCE via Scheduler 8.8 Yes 6.49.3
CVE-2021-41987 RADIUS Client Buffer Overflow 8.1 No 6.49.1/7.1
CVE-2022-34960 Container Privilege Escalation 8.8 Yes 7.6
CVE-2022-45313 SMB Heap Use-After-Free 8.8 No 6.49.7/7.6
CVE-2022-45315 SMB Authenticated Stack Overflow 8.8 Yes EDB-51451 6.49.7
CVE-2023-30799 FOISted — supout.rif Privilege Escalation 9.1 Yes 6.49.9
CVE-2023-30800 WWW Stack-Based Buffer Overflow 8.2 No 6.49.9
CVE-2024-27887 OSPF Route Injection 7.5 No
CVE-2024-2169 BFD Reflection/Amplification Loop 7.5 No Mitigate
CVE-2024-35274 Authenticated RCE via Scheduler Injection 8.8 Yes Pending
CVE-2025-6563 RouterOS 7.x WebFig XSS/Open Redirect 6.1 No Pending
CVE-2017-20149 www Password Exposure 7.5 No 6.38.5
CVE-2025-61481 WebFig HTTP Credential Exposure 7.5 No Pending
CVE-2025-10948 REST API Stack Buffer Overflow RCE 9.8 No Pending
MIKROTIK-CONFIG-001 WireGuard Private Key Exposure Yes Design
MIKROTIK-CONFIG-002 Packet Sniffer Remote Streaming Yes Design
MIKROTIK-CONFIG-003 SSRF via /rest/tool/fetch Yes Design
MIKROTIK-CONFIG-004 Scheduler Command Injection Yes Design
MIKROTIK-CONFIG-005 REST API Path Traversal Probe Yes Design
MIKROTIK-JAILBREAK-001 SSH Backup Patch Root Shell 9.8 Yes 6.41rc56
CVE-2018-14847-DECRYPT Winbox Credential Decryption 9.1 No 6.42.1
EDB-31102 RouterOS 3.x SNMP SET DoS No EDB ✓ ≤ 3.2
EDB-6366 RouterOS 3.x SNMP Unauthorized Write No EDB ✓ ≤ 3.13
EDB-44283/44284 Chimay-Red Stack Clash RCE (MIPSBE+x86) 9.8 No EDB < 6.38.4
EDB-44450 FTP Daemon DoS No EDB 6.41.4
EDB-43317 ICMP DoS (6.40.5) Yes EDB 6.40.5
EDB-41752 RouterBoard DoS (6.38.5) Yes EDB 6.38.5
EDB-41601 ARP Table Overflow DoS No EDB All
EDB-28056 ROSSSH sshd Remote Heap Corruption No EDB Multiple
EDB-24968 Syslog Server Windows 1.15 BoF DoS No EDB ✓ Win app
EDB-18817 Generic Router DoS No EDB Multiple
EDB-52366 RouterOS 7.19.1 WebFig Reflected XSS No EDB 7.19.1
EDB-48474 Router Monitoring System 1.2.3 SQLi No EDB Web app
EDB-39817 DNSmasq/Mikrotik Web Interface SQLi No EDB Web app

✓ = EDB Verified | All PoCs are detection-only — no destructive payloads sent.
Full guide: Wiki — EDB Exploit Coverage

📦 Project Layout

MikrotikAPI-BF/
├── version.py                    # Canonical version source (edit to bump)
├── mikrotikapi-bf.py             # Main entry point (v3.10.0)
├── pyproject.toml                # pip package definition
├── requirements.txt
├── .env.example                  # Environment variable template (safe to commit)
├── SECURITY.md                   # Vulnerability reporting policy
├── mikrotikapi_bf/               # pip installable package
│   ├── __init__.py
│   └── cli.py                    # Entry point for `mikrotikapi-bf` command
├── nse/                          # Nmap NSE scripts (v3.6.0+)
│   ├── README.md
│   ├── mikrotik-api-brute.nse
│   ├── mikrotik-api-info.nse
│   ├── mikrotik-default-creds.nse
│   ├── mikrotik-routeros-version.nse
│   └── mikrotik-winbox-cve-2018-14847.nse
├── core/                         # Core engine
│   ├── api.py                    # RouterOS binary API protocol
│   ├── apiros_client.py          # Alternative API client (full binary protocol + SSL)
│   ├── cli.py                    # Interactive REPL CLI
│   ├── export.py                 # JSON/CSV/XML/TXT/SARIF export
│   ├── log.py                    # Logging subsystem
│   ├── progress.py               # Progress bar + ETA
│   ├── retry.py                  # Retry + backoff
│   └── session.py                # Persistent session management
├── modules/                      # Feature modules
│   ├── decoder.py                # RouterOS file decoder: user.dat/.backup/supout.rif (v3.6.0)
│   ├── discovery.py              # Network discovery
│   ├── fingerprint.py            # Device fingerprinting (Shodan + REST)
│   ├── mac_server.py             # Layer-2 MNDP discovery + MAC-Telnet (v3.3.0)
│   ├── proxy.py                  # Proxy/SOCKS5 support
│   ├── reports.py                # Report generation
│   ├── stealth.py                # Fibonacci delays + UA rotation
│   └── wordlists.py              # Smart wordlist engine
├── xpl/                          # Exploit/CVE engine
│   ├── auditor.py                # 8-phase automated security audit (v3.10.0)
│   ├── cve_db.py                 # CVE database (100 exploits)
│   ├── exploits.py               # 100 exploit classes
│   ├── npk_decoder.py            # NPK package analyzer (v3.6.0)
│   ├── nvd_shodan.py             # NVD API + Shodan integration
│   ├── offline_analyzer.py       # Offline artifact analyzer
│   └── scanner.py                # Vulnerability scanner
├── tools/                        # Standalone utilities (v3.8.0+)
│   └── binary_analysis.py        # Offline firmware binary analysis (LIEF + Capstone)
├── img/                          # Attack surface diagrams
│   ├── mikrotik_full_attack_surface.png
│   ├── mikrotik_access_vectors.png
│   └── mikrotik_access_targets.png
└── examples/
    ├── example_basic.sh  example_discovery.sh  example_stealth.sh
    └── usernames.txt  passwords.txt  combos.txt

🧱 RouterOS Defenses You Will Encounter

  • Session controls and server-side anti-fraud for auth flows
  • Request limits and rate-limiting per source (when configured)
  • Temporary account lockouts and backoff windows
  • Extensive logging (auth failures, rate limiting, HTTP 4xx/5xx)
  • IDS/IPS/NAC and WAF-likes in front of HTTP endpoints

Prefer stealth mode, sensible thread counts, and authorized maintenance windows.

🛡️ Defensive Mitigations for RouterOS Admins

# Disable unused services
/ip service disable telnet,ftp,api

# Restrict API access by source IP
/ip service set api address=10.0.0.0/8

# Disable MAC-Server (L2 exposure)
/tool mac-server set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# Add firewall to protect management ports
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input src-address=<MGMT-NET>/24 action=accept
add chain=input action=drop

📖 Documentation

Resource Link
GitHub Wiki (en-US) Complete Usage Guide
GitHub Wiki (pt-BR) Guia Completo
EDB Exploit Coverage Wiki — EDB-Exploit-Coverage
NSE Scripts Guide nse/README.md
Security Policy SECURITY.md
Changelog Releases
API Reference docs/API_REFERENCE.md

📋 What's New

v3.10.0 (current)

  • 100 CVE/EDB database entries — comprehensive coverage from 2008 to 2025
  • 97 executable exploit classes — all invocable via --run-exploit <CVE_ID> or --scan-cve --all-cves
  • VU#375660 formal entry — author's own brute-force rate-limiting vulnerability (CERT/CC VINCE)
  • 2020 memory corruption series — 21 CVEs covering NULL pointer, OOB write, memcorrupt in console, graphing, sniffer, resolver, lcdstat, wireless, dot1x, bfd, igmp-proxy, detnet, diskd, mactel, netwatch, traceroute
  • Legacy CVE coverage — CVE-2017-17537/17538, CVE-2015-2350, CVE-2012-6050, CVE-2008-6976
  • 13 EDB entries synced — EDB-31102, EDB-6366, EDB-44283/44284, EDB-44450, EDB-43317, EDB-41752, EDB-41601, EDB-28056, EDB-24968, EDB-18817, EDB-52366, EDB-48474, EDB-39817
  • New exploit classes — DNS cache poisoning, FTP .rsc overwrite, Winbox user enum, VXLAN bypass, DHCPv6 RCE, bridge2 OOB write, REST ACL bypass, IPv6 FW bypass, hotspot XSS, L2TP downgrade, and more

v3.9.0

  • --audit — full 8-phase automated security audit via REST API: system enumeration, service mapping, credential audit, injection testing, Winbox probing, SNMP analysis, debug endpoint discovery, firewall audit
  • --run-exploit <CVE_ID> — run any registered exploit PoC directly by ID
  • SARIF v2.1.0 export--export sarif for CI/CD pipeline integration (GitHub Code Scanning, Azure DevOps, etc.)
  • 7 new exploit classes (v3.7.0–v3.9.0):
    • Exploit_CVE_2025_61481 — WebFig HTTP credential exposure
    • Exploit_CVE_2025_10948 — REST API stack buffer overflow RCE
    • Exploit_SSRF_TOOL_FETCH — SSRF via /rest/tool/fetch
    • Exploit_ROUTEROS_JAILBREAK — SSH backup patch root shell (ROS 2.9.8–6.41rc56)
    • Exploit_WINBOX_CRED_DECRYPT — Winbox credential decryption (enhances CVE-2018-14847)
    • Exploit_SCHED_CMD_INJECTION — Scheduler command injection via REST API
    • Exploit_REST_PATH_TRAVERSAL — REST API path traversal probe
  • core/apiros_client.py — alternative RouterOS API client with full binary protocol, MD5 challenge, and anonymous DH SSL
  • tools/binary_analysis.py — offline firmware binary analysis (LIEF ELF parsing + Capstone disassembly)
  • Interactive CLI — new run <CVE_ID> <target> and audit <target> REPL commands
  • Total: 100 exploit classes across 27 CVEs + 5 config findings + 13 Exploit-DB PoCs + 2 novel research PoCs

v3.6.0

  • NSE auto-installermikrotikapi_bf/nse_installer.py copies NSE scripts to Nmap on Windows/Linux/macOS automatically during pip install or pip install --upgrade
  • --install-nse flag and mikrotikapi-install-nse entry point for manual NSE installation
  • 3 more official Nmap MikroTik scripts bundled: mikrotik-routeros-brute.nse, mikrotik-routeros-username-brute.nse, broadcast-mndp-discover.nse
  • 300-thread support--threads N (up to 300) with mandatory --high-threads disclaimer for values > 15
  • Delay profiles for rate-limit validation — new --delay-mode high|balanced|stealth|custom with high as default and custom via -s/--seconds
  • Rate-limiting benchmark snapshot (2026-04-08) — on CHR 7.22.1 default-fresh: high=3.70 att/s, custom(0.05s)=3.15 att/s, balanced=1.85 att/s, stealth=0.79 att/s; sustained high run (300 attempts) remained stable at 3.68 att/s
  • setup.py post-install hook — NSE scripts installed automatically on pip install
  • pyproject.toml fixed — proper setuptools.build_meta backend; package builds and passes twine check
  • GitHub Actions.github/workflows/publish-pypi.yml + publish-testpypi.yml with OIDC trusted publishing
  • PyPI-readydist/mikrotikapi_bf-3.6.0-py3-none-any.whl built and validated

v3.5.3

  • 5 Nmap NSE scripts in nse/: mikrotik-routeros-version, mikrotik-api-brute, mikrotik-default-creds, mikrotik-api-info, mikrotik-winbox-cve-2018-14847
  • pip install supportpyproject.toml + mikrotikapi_bf/ entry point package
  • mikrotikapi-bf --nse-path — prints installed NSE scripts directory for Nmap

v3.5.2

  • version.py — single source of truth for version (all modules import from here)
  • .env.example — safe template committed; .env stays in .gitignore
  • python-dotenv.env loaded automatically at startup

v3.5.1

  • Fix: syntax error in CVE-2025-6563 XSS payload
  • Credits & Acknowledgements section (13 contributors)
  • Comprehensive wiki guides en-US + pt-BR (40+ CLI flags documented)

v3.5.0

  • modules/decoder.py — Python 3 port of mikrotik-tools: UserDatDecoder, BackupDecoder, SupoutDecoder, MTDatDecoder
  • xpl/npk_decoder.py — NPK package analyzer (18 part types)
  • --target-list / -T — multi-target scanning from file
  • --decode-userdat, --decode-backup, --analyze-npk, --decode-supout
  • 5 new CVEs: CVE-2019-3981, CVE-2020-5720, CVE-2022-45313, CVE-2017-20149, CVE-2025-6563
  • Total: 40 exploit classes | Lab validation on RouterOS 7.20.7 — 8 vulnerabilities confirmed

v3.4.0

  • 13 Exploit-DB public PoC exploits (full EDB Mikrotik list coverage)
  • Complete CVE/EDB coverage table in README

v3.3.0

  • MAC-Server / Layer-2: MNDP discovery, MAC-Telnet brute, CVE-2018-14847-MAC
  • 5 new CVE exploit classes
  • Attack surface diagrams (3 images)

🙏 Credits & Acknowledgements

Contributor Contribution Link
Federico Massa & Ramiro Caire MKBRUTUS — original RouterOS API brute-force concept mkbrutusproject/MKBRUTUS
Kirils Solovjovs (@KirilsSolovjovs) mikrotik-tools: user.dat decoder, backup decoder, NPK format research — ported to Python 3 0ki/mikrotik-tools
Dmitriusan Empty read_sentence() fix + socket timeout retry (issue #3) Dmitriusan/MikrotikAPI-BF
alina0x Multi-target scanning via ips.txt--target-list / -T alina0x/mikrotik-multithread-bf
rafathasan Autosave + session resume improvements rafathasan/MikrotikAPI-BF-Improved
sajadmirave Connection check before brute-force (PR #4) sajadmirave/MikrotikAPI-BF
BasuCert WinboxPoC / MACServerExploit.py — MAC-server attack reference BasuCert/WinboxPoC
Jacob Baines (Tenable) CVE-2019-3924, CVE-2019-3943, CVE-2019-3976/3977/3978 tenable/routeros
BigNerd95 / Lorenzo Santina Chimay-Red Stack Clash PoC (EDB-44283/44284) BigNerd95/Chimay-Red
ShadOS SNMP DoS + SNMP write PoC (EDB-31102, EDB-6366) Exploit-DB
FarazPajohan FTP/ICMP/ARP/RouterBoard DoS PoCs Exploit-DB
kingcope ROSSSH sshd heap corruption (EDB-28056) Exploit-DB
xis_one Syslog Server BoF DoS Metasploit module (EDB-24968) Exploit-DB
hyp3rlinx DNSmasq/Mikrotik SQL Injection (EDB-39817) Exploit-DB
Prak Sokchea RouterOS 7.19.1 WebFig XSS (EDB-52366) Exploit-DB
0xjpuff CVE-2023-30799 (FOISted) PoC reference 0xjpuff/CVE-2023-30799

RouterOS ecosystem diagram adapted from Kirils Solovjovs' research — Balccon 2017.

⚠️ Legal Notice

  • Use — For education, research, and explicitly authorized security testing only. Do not use against systems without formal written permission.
  • No warranty — Provided AS IS under MIT License. No fitness guarantees.
  • No liability — Author(s) not liable for misuse, damages, or third-party claims. Use at your own risk.
  • Attribution — Keep copyright notices. Pull requests and issues are welcome.

💬 Support

Licensed under MIT — see LICENSE.

About

RouterOS Attack & Exploitation Framework — 40 CVE/EDB exploits, MAC-Server L2, credential decoder, NPK analyzer, 300-thread BF, Nmap NSE auto-install, pip package, CVE scanner. v3.5.4

Topics

python mikrotik exploit penetration-testing brute-force cve routeros multi-target iot-security network-security security-research winbox chimay-red cve-scanner credential-bruteforce

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

73 stars

Watchers

3 watching

Forks

25 forks
Report repository

Releases 25

v3.10.0 — 100 CVE/EDB Exploit Database Latest
Apr 25, 2026
+ 24 releases

Packages

 
 
 

Contributors

Languages