MKX is a tool for auditing IoT and network devices, searching for vulnerabilities and information about the target device. Originally developed to obtain information from MikroTik devices, new functionalities have been added that can be useful for analyzing a wide variety of devices and protocols.
To find vulnerabilities in MikroTik devices on the network, MKX can scan target devices using protocols such as MNDP and SNMP, seeking information about the hardware and RouterOS of the devices. The information obtained here can be of great value to anyone analyzing network security. For example, you can find out the firmware version of the device, and then search for any CVEs for this specific version. But below you will see that MKX already implements attacks from some known CVEs.
Warning
This vulnerability analysis script is provided "as is" and is intended solely for educational, research, and testing purposes in controlled environments with proper authorization. Before running this script, please ensure that you have the necessary permission to perform security testing on the target devices. The responsibility for using this script lies entirely with the user. The author is not responsible for any damages, losses, or legal consequences arising from improper or unauthorized use of this code.
- Discovery of MikroTik devices on the local network through the MikroTik Neighbor Discovery (MNDP) protocol that runs on
UDPport5678. - Obtaining information from a specific MikroTik device or all devices in an IP range using the SNMP protocol.
- Obtain information from devices running the Simple Service Discovery Protocol (SSDP) and Universal Plug and Play (UPnP) protocols.
- PoC of CVE-2018-14847 that allows obtaining user credentials in vulnerable versions of RouterOS.
- DDoS attack by sending packets to all ports randomly or to a specific port.
- Attack that crashes the web interface of RouterOS versions 6 > 6.49.10 - CVE-2023-30800.
You can install MKX with your preferred Python package manager, here we will use pipx:
pipx install mkxIf you don't want to install the tool on your machine, you can run a docker container with MKX already pre-installed:
docker run -it --name mkx ghcr.io/henriquesebastiao/mkx:latestNote
When using the docker version, if you want to run features that listen to devices on your local network, run the container with the --network host option.
Now you can run MKX and start learning how to use it. Get a list of possible commands with:
mkx --help
# Or even an explanation of a specific command or subcommand.
mkx [COMMAND] --helpMKX is developed using the Typer library, so you'll have a CLI that, as the Typer developers say, "You'll love using!" โจ.
When you run mkx --help you will see the main available commands separated into groups, the two main ones being:
Exploit- Commands to execute specific attacks.OSINT - Obtaining Information- Commands for obtaining information about devices and services on the network.
$ mkx --help
Usage: mkx [OPTIONS] COMMAND [ARGS]...
Tool for auditing MikroTik routers, searching for vulnerabilities and information about the
target device.
โญโ Options โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ --version -v Returns the version of mkx. โ
โ --install-completion Install completion for the current shell. โ
โ --show-completion Show completion for the current shell, to copy it or โ
โ customize the installation. โ
โ --help Show this message and exit. โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
โญโ About โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ doc Open the project repository on GitHub. โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
โญโ Exploits โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ exploit Search for credentials of a RouterOS v6.42 vulnerable (CVE-2018-14847). โ
โ ddos Perform targeted DDoS attacks on devices. โ
โ kill-web-server Attack that crashes the web interface of RouterOS versions 6 > 6.49.10 โ
โ (CVE-2023-30800). โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
โญโ OSINT - Obtaining Information โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ mikrotik Search for devices on the network via MikroTik Neighbor Discovery โ
โ (MNDP). โ
โ snmp Get information via SNMP from devices with default community (public). โ
โ upnp Explore devices on the network with the Universal Plug and Play (UPnP) โ
โ port open. โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏThe mkx commands can contain subcommands; you can also use the --help flag to run them and get information on how to execute them.
Here are some examples of subcommand help messages:
$ mkx snmp --help
Usage: mkx snmp [OPTIONS] TARGET [COMMUNITY] [PORT] COMMAND [ARGS]...
Get information via SNMP from devices with default community (public).
With this command it is possible to obtain various information from MikroTik devices that
have a vulnerable SNMP service.
As a target, you can pass an IP address, a network, or a grepable Nmap output file
containing the IP addresses to search.
You can scan port 161 on a network with Nmap and save the discovered hosts to a file with
the command:
sudo nmap -sU -p 161 --open -oG nmap-out.txt 192.168.88.1/24
Using Nmap to find hosts with vulnerable ports and then passing the file with the IPs to MKX
is more efficient than searching for information on all IPs on the network with mkx.
This way we will not try to search for information on addresses that do not have the SNMP
port open.
Examples:
mkx snmp 172.16.0.1
mkx snmp 172.16.0.1/24 -j
mkx snmp 172.16.0.1/24 -s
mkx snmp /home/user/nmap-out.txt
โญโ Arguments โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ * target TEXT Target IP address or network, or the path to an nmap โ
โ output file in grepable format, containing the target IP โ
โ addresses. โ
โ [required] โ
โ community [COMMUNITY] Information submission community. [default: public] โ
โ port [PORT] SNMP UDP port. [default: 161] โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
โญโ Options โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ --json -j Saves the data obtained when searching for information on a network in โ
โ a JSON file. โ
โ --silent -s It does not perform verbose printing when searching for information on โ
โ a network, but saves a JSON file with results at the end.. โ
โ --help Show this message and exit. โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ$ mkx ddos tcp --help
Usage: mkx ddos tcp [OPTIONS] TARGET [PORT]
Sends arbitrary packets via TCP to the device causing CPU overload.
You can send packets to an IP address or domain, on a specific port, or on all ports from 1
to 65534 randomly.
Examples:
mkx ddos tcp 192.168.88.1
mkx ddos tcp 192.168.88.1 -rv
mkx ddos tcp 192.168.88.1 8080
mkx ddos tcp server.local
โญโ Arguments โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ * target TEXT Target IP address or domain. [required] โ
โ port [PORT] TCP port to be attacked. [default: 80] โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏ
โญโ Options โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ --random -r Attacks random ports between 1 and 65534. โ
โ --verbose -v Enable verbosity. โ
โ --help Show this message and exit. โ
โฐโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฏMKX is open source software licensed under the GPL-3.0 license.