This tool will check a list of ip addresses of RouterOS-based routers to validate if they were infected with Meris.
The tool will:
- Attempt to connect using credentials in credentials.txt file (1 pair of credentials per line, default provided)
- Attempt to exploit the router using CVE-2018-14847
The tool supports:
- RouterOS API
- SSH
- WinBox (tested for <= 6.42)
The tool uses:
- Modified version of https://github.com/tenable/routeros/tree/master/poc/bytheway (by tenable) for WinBox operations
- RouterOS API module (https://pypi.org/project/RouterOS-api/) for RouterOS API operations
- paramiko for ssh operations
The tool will output exploited.csv file with a table of results for each provided IP address.
Note: To build modified version of bytheway, use provided cpp files instead of original main.cpp when building.
You need to name the binaries btw and btw_stage2 respectively, and put them next to the tool
The tool will attempt to list scheduler scripts, and attempt to check if it contains any IoCs listed in indicators.txt.
The tool will also attempt to match scheduler scripts contents to the regex
https?://[^/]+/poll/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}, and flag the matches
as possible infections.
The tool requires either an --ip or --ipfile option.
--ip option takes a single ip address as input, --ipfile takes a file with a list of ips, one ip per file, as input.
Optionally, --threads can be used to tune the number of threads, with default being 16.