Nothing CVE News but new story: https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-scan-mikrotik-routers-for-trickbot-infections/
Has anyone had luck getting this to work? When I point it at my lab hEX S running 7.2rc4 it does this:
C:\Downloads\Mikrotik\routeros-scanner-main>python main.py -h
usage: main.py [-h] -i IP -p PORT -u USERNAME [-ps PASSWORD] [-J]
optional arguments:
-h, --help show this help message and exit
-i IP, --ip IP The tested Mikrotik IP address
-p PORT, --port PORT The tested Mikrotik SSH port
-u USERNAME, --userName USERNAME
User name with admin Permissions
-ps PASSWORD, --password PASSWORD
The password of the given user name
-J Print the results as json format
C:\Downloads\Mikrotik\routeros-scanner-main>python main.py -i 192.168.89.1 -u demo -p 22 -ps ***redacted***
Mikrotik ip address: 192.168.89.1
Traceback (most recent call last):
File "C:\Downloads\Mikrotik\routeros-scanner-main\main.py", line 62, in <module>
main(args)
File "C:\Downloads\Mikrotik\routeros-scanner-main\main.py", line 31, in main
res = command.run_ssh(ssh_client)
File "C:\Downloads\Mikrotik\routeros-scanner-main\commands\dns.py", line 16, in run_ssh
sus_dns, recommendation = self.check_results_ssh(res, enabled)
File "C:\Downloads\Mikrotik\routeros-scanner-main\commands\dns.py", line 27, in check_results_ssh
if int(item['ttl'].partition('s')[0]) > 200000:
ValueError: invalid literal for int() with base 10: '3d15h25m1'
C:\Downloads\Mikrotik\routeros-scanner-main>
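The traceback above ends in dns.py, where the TTL string is cut at the first 's' and passed to int(), which fails on a compound value such as 3d15h25m1s. The following is an added example, not code from the scanner project: a tolerant TTL parser applying the same 200000-second threshold seen in the traceback. The unit letters (w, d, h, m, s), the function names and the sample cache entries are assumptions made for illustration.

```python
import re

# Threshold taken from the dns.py line in the traceback (TTL > 200000 is flagged).
TTL_THRESHOLD_S = 200000

# Assumed RouterOS duration units: weeks, days, hours, minutes, seconds.
_UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([wdhms])")


def ttl_to_seconds(ttl):
    """Convert '300s', '300' or '3d15h25m1s' to seconds; ValueError otherwise."""
    text = ttl.strip().lower()
    if text.isdigit():                 # bare number: treat as seconds
        return int(text)
    total, pos = 0, 0
    for match in _TOKEN.finditer(text):
        if match.start() != pos:       # stray characters between tokens
            raise ValueError(f"unrecognised TTL: {ttl!r}")
        total += int(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):   # nothing parsed, or trailing leftovers
        raise ValueError(f"unrecognised TTL: {ttl!r}")
    return total


def suspicious_ttls(cache_entries):
    """Split entries into (over threshold, could not be parsed).

    Unparsed entries are reported instead of aborting the whole scan,
    so one odd value does not hide the remaining checks.
    """
    flagged, unparsed = [], []
    for item in cache_entries:
        try:
            if ttl_to_seconds(item["ttl"]) > TTL_THRESHOLD_S:
                flagged.append(item)
        except (KeyError, ValueError):
            unparsed.append(item)
    return flagged, unparsed


# Constructed sample entries (hypothetical names, not real router output).
SAMPLE_CACHE = [
    {"name": "a.example", "ttl": "3d15h25m1s"},
    {"name": "b.example", "ttl": "300s"},
    {"name": "c.example", "ttl": "1w"},
    {"name": "d.example", "ttl": "garbage"},
]
```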
Can’t get it to work either
File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 1498, in auth_password
raise SSHException("No existing session")
paramiko.ssh_exception.SSHException: No existing session
It likely is intended to work with RouterOS v6.
This is just a quick walkthrough of what the Microsoft script does. It may not be 100% correct (my Python knowledge is not high), but should give an idea.
basecommand.py
Used to run other commands?
dns.py
/ip dns print
Test if remote dns is allowed
/ip dns cache print detail
Test if cache is enabled and warn to turn it off if it's not needed.
files.py
/file print detail
Test to see if some file has http download or /tool fetch and warn about it
fwnat.py
/ip firewall nat print detail
Test to see if dest-nat is set up correctly.
fwrules.py
/ip firewall filter print detail
Test all fw rules. It seems not to test anything.
ports.py
/ip service print detail
Test all service ports. Sees if some are changed from default and recommends not using 22 for SSH
proxy.py
/ip proxy print
/ip proxy access print detail
Test if proxy is enabled and recommend to turn it off
scheduler.py
/system scheduler print detail
Test to see if some file has http download or /tool fetch and warn about it
socks.py
/ip socks print
/ip socks access print detail
Test if socks is enabled and recommend to turn it off
users.py
/user print detail
Test if user admin exists, recommend to remove it and create a good password
version.py
/system resource print
Test firmware version, but not sure how.