Features - mrhenrike/MikrotikAPI-BF GitHub Wiki

Features


Complete feature overview of MikrotikAPI-BF v3.10.0.


Architecture

mikrotikapi-bf.py       # Main entry point (v3.10.0)
core/
  api.py               # RouterOS binary API protocol implementation
  apiros_client.py     # Alternative API client (full binary + SSL) (v3.8.0+)
  cli.py               # Interactive REPL CLI
  export.py            # Multi-format export (JSON/CSV/XML/TXT/SARIF)
  log.py               # Logging subsystem
  progress.py          # Progress bar with ETA
  retry.py             # Retry logic with exponential backoff
  session.py           # Persistent session management
modules/
  decoder.py           # RouterOS file decoder: user.dat/.backup/supout.rif
  discovery.py         # Network device discovery
  fingerprint.py       # Device fingerprinting + risk scoring
  mac_server.py        # Layer-2 MNDP discovery + MAC-Telnet (v3.3.0+)
  proxy.py             # Proxy/SOCKS5 support
  reports.py           # Audit report generation
  stealth.py           # Fibonacci delays + UA rotation
  wordlists.py         # Smart wordlist engine
xpl/
  auditor.py           # 8-phase automated security audit (v3.10.0+)
  cve_db.py            # CVE database (47 entries — local + NVD API)
  exploits.py          # 100 exploit classes
  npk_decoder.py       # NPK package analyzer
  nvd_shodan.py        # NVD API + Shodan integration
  offline_analyzer.py  # Offline artifact analyzer
  scanner.py           # Vulnerability scanner
tools/
  binary_analysis.py   # Offline firmware binary analysis (LIEF + Capstone)
nse/                   # 8 Nmap NSE scripts

Feature Summary

1. RouterOS Binary API Protocol

Full implementation of the Mikrotik RouterOS API v1/v2 binary protocol (port 8728 plain, port 8729 over TLS):

  • Word-based encoding/decoding
  • TLS support (port 8729)
  • Automatic length calculation
  • Response parsing into structured dictionaries
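The word framing behind the bullets above, as an added example that is not the project's core/api.py: MikroTik's documented 1-5 byte length prefix, sentence termination by an empty word, and the flattening of a reply sentence into a dictionary (the `_type` key for the reply word is a convention chosen here, not the project's).

```python
from typing import Dict, Iterator, List, Tuple
# Added example, not the project's core/api.py. MikroTik's documented 1-5 byte
# length prefix: (first-byte limit, prefix size, mask) for the 1-4 byte forms.
_PREFIX = ((0x80, 1, 0x7F), (0xC0, 2, 0x3FFF), (0xE0, 3, 0x1FFFFF), (0xF0, 4, 0x0FFFFFFF))

def encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")  # 5-byte form for huge words

def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (word length, offset of the word's first data byte)."""
    for limit, size, mask in _PREFIX:
        if buf[pos] < limit:
            return int.from_bytes(buf[pos:pos + size], "big") & mask, pos + size
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5

def encode_sentence(words: List[str]) -> bytes:
    out = bytearray()
    for w in words:
        data = w.encode()
        out += encode_length(len(data)) + data
    out.append(0)  # zero-length word terminates the sentence
    return bytes(out)

def decode_sentences(buf: bytes) -> Iterator[List[str]]:
    """Yield each complete sentence; a trailing unterminated one is dropped."""
    pos, words = 0, []
    while pos < len(buf):
        n, pos = decode_length(buf, pos)
        if n == 0:
            yield words
            words = []
            continue
        words.append(buf[pos:pos + n].decode())
        pos += n

def sentence_to_dict(words: List[str]) -> Dict[str, str]:
    """Map a reply like ['!re', '=name=admin', '.tag=1'] to a dict."""
    parsed = {"_type": words[0]}
    for w in words[1:]:
        key, _, val = (w[1:] if w.startswith("=") else w).partition("=")
        parsed[key] = val
    return parsed
```

The same framing is what a network sensor has to parse to see API login attempts on 8728 in the clear; on 8729 only the TLS record layer is visible.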

2. Stealth Mode

Evade IDS/WAF/logging:

  • Fibonacci delays: Non-uniform inter-request timing (1, 1, 2, 3, 5, 8, 13... seconds)
  • User-Agent rotation: Rotates through 50+ realistic browser/tool UA strings
  • Configure: --stealth, --delay-min, --delay-max

See: Stealth Mode

3. Persistent Sessions

Never lose progress on long attacks:

  • Auto-save progress every N attempts
  • Deduplication — never retry already-tested combos
  • ETA calculation based on current rate
  • Resume with --resume SESSION_NAME

See: Sessions

4. Device Fingerprinting

Before attacking, understand the target:

  • RouterOS version (from API banner, Winbox, HTTP headers)
  • Hardware model (RB450Gx4, CHR, CCR, etc.)
  • Serial number
  • Open ports and enabled services
  • Risk score (0–10 based on firmware age + known CVEs)

See: Fingerprinting

5. CVE/NVD Integration

After fingerprinting:

  • Queries NVD API for CVEs matching detected RouterOS version
  • Falls back to local CVE database if NVD unavailable
  • Lists applicable CVEs with CVSS score and description

6. Post-Login Service Validation

After finding valid API credentials, validate access across other services:

  • FTP (port 21)
  • SSH (port 22, via paramiko)
  • Telnet (port 23)
  • Winbox (port 8291)

7. Proxy / SOCKS5

Route all traffic through Tor or any proxy:

  • socks5://127.0.0.1:9050 — Tor
  • http://proxy.example.com:8080
  • Thread count auto-limited to 1 when using Tor (prevents circuit reuse)

8. Multi-Format Export

results/
  mikrotik_192.168.88.1_20260328_123456.json
  mikrotik_192.168.88.1_20260328_123456.csv
  mikrotik_192.168.88.1_20260328_123456.xml
  mikrotik_192.168.88.1_20260328_123456.txt
  mikrotik_192.168.88.1_20260328_123456.sarif.json   # SARIF v2.1.0 (v3.10.0+)

See: Export
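An added example, not the project's core/export.py, of what a SARIF v2.1.0 document for audit findings has to contain so that a code-scanning consumer accepts it, together with the consistency check a practitioner wants before uploading: every result must point at a declared rule, carry a valid level and a message. The findings, rule ids and the `mikrotik://host` artifact URI are constructed for this example.

```python
from typing import Dict, List

# Added example, not the project's core/export.py: minimal SARIF 2.1.0 writer
# plus the structural check a consumer such as code scanning applies.
SARIF_SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"

# Constructed sample findings; not real scan output.
FINDINGS = [
    {"rule": "MT-DEFAULT-CREDS", "level": "error", "target": "192.0.2.1",
     "message": "API login accepted a default credential pair"},
    {"rule": "MT-SNMP-PUBLIC", "level": "warning", "target": "192.0.2.1",
     "message": "SNMP answers the default community 'public'"},
]

def to_sarif(findings: List[Dict[str, str]], tool: str, version: str) -> dict:
    rules: Dict[str, dict] = {}
    results = []
    for f in findings:
        # One rule object per distinct rule id; results reference it by ruleId.
        rules.setdefault(f["rule"], {"id": f["rule"], "shortDescription": {"text": f["message"]}})
        results.append({
            "ruleId": f["rule"],
            "level": f["level"],
            "message": {"text": f["message"]},
            # Network findings have no source file; the host becomes the artifact URI (our convention).
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f"mikrotik://{f['target']}"}}}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool, "version": version,
                                      "rules": list(rules.values())}},
                  "results": results}],
    }

def sarif_problems(doc: dict) -> List[str]:
    """Return the structural problems that would make a consumer reject the log."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        known = {r["id"] for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for i, res in enumerate(run.get("results", [])):
            if res.get("ruleId") not in known:
                problems.append(f"results[{i}] references unknown ruleId {res.get('ruleId')!r}")
            if res.get("level") not in ("none", "note", "warning", "error"):
                problems.append(f"results[{i}] has invalid level {res.get('level')!r}")
            if not res.get("message", {}).get("text"):
                problems.append(f"results[{i}] lacks message.text")
    return problems
```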

9. Network Discovery

Scan an entire subnet for Mikrotik devices:

  • SNMP probe (community strings public, private, custom)
  • TCP connect to port 8728 (RouterOS API)
  • Winbox port detection (8291)
  • HTTP header detection
  • Results exported to file or piped directly to attack mode

10. Wordlist Engine

Smart wordlist management:

  • Separate user/password lists OR combo files (user:pass)
  • Auto-variation generation (leet, reverse, camelcase, appended digits)
  • Deduplication
  • Supports multi-GB wordlists via streaming (no full load into memory)

11. 8-Phase Security Audit (v3.10.0+)

Full automated security audit via REST API — no brute-force needed:

  1. System enumeration (identity, resource, packages, health)
  2. Service & network mapping
  3. User & credential audit (blank password, default creds)
  4. REST API injection testing (scheduler, path traversal, SSRF)
  5. Winbox protocol probing (port 8291)
  6. SNMP analysis (default communities)
  7. Undocumented/debug endpoint discovery
  8. Configuration export & firewall audit

python mikrotikapi-bf.py -t 192.168.1.1 --audit --export sarif -U admin -P pass

12. Direct Exploit Execution (v3.10.0+)

Run any registered exploit PoC by CVE ID:

python mikrotikapi-bf.py -t 192.168.1.1 --run-exploit CVE-2018-14847

See also: Stealth Mode · Sessions · Export · Fingerprinting