_ _
___ _ _ _ _ _|_|___| |_ ___ _ _
| . | | | | | | | | . | . |_'_|
| _|_ |_____|_|_|_|___|___|_,_|
|_| |___|
A MikroTik's Winbox protocol honeypot. pywinbox
parses and understands Winbox communications log them and answer to them working as a medium interaction honeypot or work as a proxy to forward them to a real/virtualized system to.
pywinbox
also includes a MNDP (MikroTik Neighbor Discovery Protocol) script to broadcast its presence in a network. Winbox application uses this protocol to find MikroTik servers in the network.
pywinbox
uses a set of simple rules to detect suspicious behavior or vulnerabilities exploitation. Current existing detections:
- CVE-2018-14847
- CVE-2019-3943
Launch pywinbox
as a medium interaction honeypot:
python3 pywinboxserver.py
Launch pywinbox
as a proxy pointing to a real/virtualized MikroTik server:
python3 pywinboxproxy.py
To set the different parameters for both server and proxy, change the next values in the different configuration sections.
Configuration parameters used by both server and proxy.
users_file
: Path pointing to the desireduser.dat
file that contains the users credentials to be stolen by the attackers.dump_folder
: Folder to dump oll the conenctions for later analysis.protocols
: Enabled protocols. Current available protocols areplaintext
andecsrp5
.
[shared]
users_file=/data/user.dat
dump_folder=/data/pywinbox/dumps
protocols=plaintext,ecsrp5
Configuration parameters used only by the proxy functionality:
host
: IP address to listen to.port
: TCP port to listen to.upstream_host
: IP address of the server to forward the connections to.upstream_port
: TCP port where the real server is listening to.ecsrp5_user
: Username used to log into the upstream server if ECSRP5 protocol is used.ecsrp5_password
: Password used to log into the upstream server if ECSRP5 protocol is used.
[proxy]
host=192.168.1.3
port=8291
upstream_host=10.10.1.1
upstream_port=8291
ecsrp5_user=admin
# leave ecsrp5_password empty for default empty password
ecsrp5_password=
Configuration parameters used only by the server functionality:
host
: IP address to listen to.port
: TCP port to listen to.
[server]
host=192.168.1.3
port=8291
Confiuration parameters to set how the information is logged
console
: Print log informatin in the conosolecolored
: Ifconsole=yes
, then print the log information with different colors depending on the printed message.indent
: Integer to set the number of spaces to indent the JSON lines. Leave it blank to avoid identation.file
: Log file path. Leave it blank if you don't want to log in a file.
[logger]
colored=no
indent=
console=no
file=/var/log/pywinbox.log
Configuration parameters used by the MNDP script to broadcast its presence as MikroTik server does.
mac
: Set a specific MAC address. If this parameter is commented, a random MAC address is generated.mac_oui
: Commeented by default. Uncomment this to use a predefined OUI and a random NIC.identity
: Set theidentity
parameter.version
: Set theversion
parameter.platform
: Set theplatform
parameter.software_id
: Set thesoftware_id
parameter. If this is commented, a randomsoftware_id
is generated.board
:xSet theboard
parameter.
[mndp]
# Comment mac to generate a random MAC address
#mac=SE:TM:AC:AD:DR:ES
# Uncomment mac_oui to use a predefined OUI and a random NIC
#mac_oui=00:11:22
identity=MikroTik
version=6.40.1 (stable)
platform=MikroTik
# Comment software_id to generate a random ID
#software_id=ABCD-1234
board=x86
- https://github.com/tenable/routeros/blob/master/poc/bytheway/README.md
- https://www.zscaler.es/blogs/security-research/glupteba-campaign-exploits-mikrotik-routers-still-large
- https://github.com/MarginResearch/mikrotik_authentication
- https://margin.re/2022/02/mikrotik-authentication-revealed/
- https://margin.re/content/files/2022/11/Pulling_MikroTik_into_the_Limelight-RECon-2022.pdf
- https://kirils.org/slides/2017-09-15_prez_15_MT_Balccon_pub.pdf