Meris RouterOS Checker
This tool will check a list of ip addresses of RouterOS-based routers to validate if they were infected with Meris.
The tool will:
- Attempt to connect using credentials in credentials.txt file (1 pair of credentials per line, default provided)
- Attempt to exploit the router using CVE-2018-14847
The tool supports:
- RouterOS API
- SSH
- WinBox (tested for <= 6.42)
The tool uses:
- Modified version of https://github.com/tenable/routeros/tree/master/poc/bytheway (by tenable) for WinBox operations
- RouterOS API module (https://pypi.org/project/RouterOS-api/) for RouterOS API operations
- paramiko for ssh operations
The tool will output exploited.csv file with a table of results for each provided IP address.
Note: To build modified version of bytheway, use provided cpp files instead of original main.cpp when building. You need to name the binaries btw
and btw_stage2
respectively, and put them next to the tool
Detection rules
The tool will attempt to list scheduler scripts, and attempt to check if it contains any IoCs listed in indicators.txt
. The tool will also attempt to match scheduler scripts contents to the regex https?://[^/]+/poll/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}
, and flag the matches as possible infections.
Tool usage
The tool requires either an --ip
or --ipfile
option.
--ip
option takes a single ip address as input, --ipfile
takes a file with a list of ips, one ip per file, as input.
Optionally, --threads
can be used to tune the number of threads, with default being 16.