This project is a compliance scanner for Mikrotik routers. It verifies that best practices have been implemented and that the attack surface of your router is minimized as much as possible.
See the License section below for licensing details, and the Manito Networks Router Hardening Guide for Mikrotik for an outline of what will eventually be covered beyond what is currently supported.
Our goal is to provide an easy to use Python script that supports the best practices documented in the Manito Networks Router Hardening Guide for Mikrotik routers. We think that network audits should be:
- Objective
- Repeatable
- Automatable
By using an automated script and standard JSON output we hope you'll be able to make regular device scanning part of your culture.
The scanner has the following features and functions:
- Quick Installation
- Weighted Scoring
- Default Credential Checks
- TCP Services Scan
- SNMP Public Community Check
It takes about 10 minutes to clone the GitHub repository, add your router IP addresses to the config.py file, and run your first scan.
Check out the installation documentation for the few quick commands to get up and running.
Network audits (and indeed all audits) should be objective and repeatable, with a scoring system to help prioritize remediation steps. The scanner provides a composite weighted score, with critical vulnerabilities (e.g., factory-default logins) weighted more heavily than less-pressing issues like running FTP instead of SSH.
The following overall grading system is used:
Check | Scoring | Weight | Criticality |
---|---|---|---|
Factory-default Credentials | Pass / Fail | Heavy | High |
Running TCP Services | Numeric | Normal | Low to Moderate |
"Public" SNMP Communities | Pass / Fail | Heavy | High |
Scores and their respective weights are combined into a composite score so you can compare devices side-by-side and prioritize remediation.
One of the most important things to do on a device before bringing it online is to change the factory-default credentials. Compromised devices on the internet using factory credentials are a huge contributor to botnets like Mirai and others, and it's important you don't allow your devices to be co-opted into DDoS attacks and spam networks.
The scanner checks for services running on the router, including:
Service | Score Penalty | Remediation Suggestion |
---|---|---|
FTP | Yes | Use SSH for secure remote file transfer |
SSH | -- | -- |
Telnet | Yes | Use SSH for secure remote console access |
DNS | -- | -- |
HTTP | Yes | Use HTTPS for web interface access |
BGP | -- | -- |
HTTPS | -- | -- |
SOCKS Proxy | -- | -- |
PPTP VPN | Yes | Upgrade to IPSEC or SSL-based VPNs |
MME Gateway Protocol | -- | -- |
Bandwidth Test Server | Yes | Disable when not in use |
UPnP | -- | -- |
Winbox | -- | -- |
API | Yes | Use API-SSL |
API-SSL | -- | -- |
HTTP Proxy | -- | -- |
See the config.py file for point deductions per service.
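To make the weighting and the per-service deductions concrete, here is an added example of a composite scorer in the style the README describes. It is not the project's own code: the check names, the "heavy"/"normal" weight values and the per-service penalty points are assumptions standing in for whatever config.py actually holds.

```python
# Added example: composite weighted scoring as described in the README.
# Weights, penalty points and function names are assumptions, not the project's config.py values.
from collections import namedtuple
import json

# Per-service point deductions; services shown as "--" in the README table carry no penalty.
SERVICE_PENALTIES = {
    "ftp": 10,      # use SSH/SCP instead
    "telnet": 15,   # use SSH instead
    "http": 5,      # use HTTPS instead
    "pptp": 10,     # upgrade to IPsec or SSL-based VPN
    "btest": 5,     # bandwidth test server: disable when not in use
    "api": 5,       # use API-SSL instead
}

# "Heavy" for the pass/fail critical checks, "Normal" for the numeric TCP services check.
WEIGHTS = {"heavy": 3.0, "normal": 1.0}

CheckResult = namedtuple("CheckResult", "name weight score max_score")


def score_default_credentials(login_accepted):
    """Pass/Fail: zero points if factory-default credentials still work."""
    return CheckResult("default_credentials", WEIGHTS["heavy"], 0 if login_accepted else 100, 100)


def score_snmp_public(public_readable):
    """Pass/Fail: zero points if SNMP answers to the 'public' community."""
    return CheckResult("snmp_public", WEIGHTS["heavy"], 0 if public_readable else 100, 100)


def score_tcp_services(open_services):
    """Numeric: start at 100, deduct per penalised open service, floor at 0."""
    deduction = sum(SERVICE_PENALTIES.get(s.lower(), 0) for s in open_services)
    return CheckResult("tcp_services", WEIGHTS["normal"], max(0, 100 - deduction), 100)


def composite_score(results):
    """Weighted average of normalised check scores, so heavy checks dominate."""
    total_weight = sum(r.weight for r in results)
    weighted = sum(r.weight * float(r.score) / r.max_score for r in results)
    return round(100.0 * weighted / total_weight, 1)


def scan_report(login_accepted, public_readable, open_services):
    """Build the per-check and composite result, ready to dump as JSON."""
    results = [score_default_credentials(login_accepted),
               score_snmp_public(public_readable),
               score_tcp_services(open_services)]
    return {"checks": dict((r.name, r.score) for r in results),
            "composite": composite_score(results)}


if __name__ == "__main__":
    # Constructed sample: default login still works, SNMP 'public' closed, FTP/Telnet/SSH/Winbox open.
    print(json.dumps(scan_report(True, False, ["ftp", "telnet", "ssh", "winbox"]), indent=2))
```

In the constructed sample the working default login alone drags the composite to 53.6 even though SNMP passes and only two penalised services are open, which is the prioritisation effect the weighting is meant to produce.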
SNMP reachability with the default "public" community string is checked, because a device open for SNMP queries is an information goldmine during the Scanning and Enumeration phase of an attack.
You need a Linux or Windows computer with Python 2.7 and access to pip for installing the required modules.
Install by cloning the latest Git repo, then run the Ubuntu installation script.
See the installation documentation for more information.
If you run into any issues during or after installation check out the "Run Scans" installation section for helpful commands and debugging options.
We encourage people who use the scanner to contribute to the project if they find a bug or documentation issue, or want to see a feature added. See the Contributing page for more information about contributing code to the project.
Copyright (c) 2016, Manito Networks, LLC All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"Mikrotik" is a trademark of Mikrotikls SIA.