Sara: RouterOS Security Inspector

RouterOS configuration analyzer to find security misconfigurations and vulnerabilities.

Sara does not bypass authentication, exploit vulnerabilities, or alter RouterOS configurations. It works in read-only mode, requiring no administrative privileges.

If you are unsure about the interpretation of the analysis results, consult an experienced network engineer before making any decisions!

Mechanism

Sara uses netmiko to connect to RouterOS devices remotely over SSH. It runs RouterOS system commands to extract configuration data and analyzes that data for potential vulnerabilities and signs of compromise. The user connects to the hardware with Sara using their own username and password. Sara executes only print-based commands, so it never changes the configuration of your hardware; you can therefore use a read-only account if you prefer. Sara does not use any exploits, payloads or brute-force attacks. All RouterOS security analysis here is based purely on configuration analysis.

RouterOS Security

What exactly is Sara checking for?

  1. SMB protocol activity – determines whether SMB is enabled, which may be vulnerable to CVE-2018-7445;

  2. Check the status of RMI interfaces – identifies active management services (Telnet, FTP, Winbox, API, HTTP/HTTPS);

  3. Wi-Fi Security Check – determines whether WPS and PMKID support are enabled, which can be used in WPA2-PSK attacks;

    At the moment, this check has minor stability issues, as different versions of RouterOS have different variations of Wi-Fi configuration. Keep that in mind, but feel free to open an issue and we’ll look into it;

  4. Check UPnP – determines whether UPnP is enabled, which can automatically forward ports and threaten network security;

  5. Check DNS settings – detects whether allow-remote-requests, which makes the router a DNS server, is enabled;

  6. Check DDNS – determines whether dynamic DNS is enabled, which can reveal the real IP address of the device;

  7. PoE Test – checks if PoE is enabled, which may cause damage to connected devices;

  8. Check RouterBOOT security – determines if RouterBOOT bootloader protection is enabled;

  9. Check SOCKS Proxy – identifies an active SOCKS Proxy that could be used by an attacker for pivoting, as well as indicating a potential compromise of the device;

  10. Bandwidth Server Test (BTest) – determines whether a bandwidth server is enabled, which an attacker can use for a flood attack;

  11. Check discovery protocols – determines whether CDP, LLDP or MNDP, which can disclose network information, are active;

  12. Check minimum password length – determines whether the minimum-password-length parameter is set to prevent the use of weak passwords;

  13. SSH Check – analyzes SSH settings, including the use of strong-crypto and whether port forwarding is permitted;

  14. Check Connection Tracking – determines whether Connection Tracking is enabled, which can increase the load and open additional attack vectors;

  15. RoMON check – detects RoMON activity, which allows you to manage devices at Layer 2;

  16. Check Winbox MAC Server – analyzes access by MAC address via Winbox and Telnet, which can be a vulnerability on a local network;

  17. Check SNMP – detects the use of weak SNMP community strings (public/private);

  18. Check NAT rules – analyzes port forwarding (dst-nat/netmap) that may allow access to internal services from the outside;

  19. Check network access to RMI – determines whether access to critical services (API, Winbox, SSH) is restricted to trusted IPs only;

  20. Check RouterOS version – analyzes the current version of RouterOS and compares it to known vulnerable versions;

  21. RouterOS Vulnerability Check – checks the RouterOS version against the CVE database and displays a list of known vulnerabilities;

  22. “Keep Password” in Winbox – warns of potential use of the “Keep Password” feature;

  23. Check default usernames – detects the use of standard logins (admin/engineer/test/mikrotik);

  24. Check the schedulers – detects potentially malicious tasks that load remote scripts, perform hidden reboots, or run too often;

  25. Check static DNS records – analyzes static DNS records that can be used for phishing and MITM attacks.
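As an added illustration of the kind of print-based check behind items 2 and 19 above (this is example code, not Sara's own), the snippet below parses a constructed sample modelled on the output of /ip service print terse and flags enabled cleartext management services and critical services that are not limited to trusted addresses. The service lists and the exact output layout are assumptions made for this example.

```python
import re

# Constructed sample modelled on RouterOS "/ip service print terse" output (not
# from a real device): index, flags column (X = disabled), then key=value pairs.
SAMPLE_IP_SERVICE = """\
 0   name=telnet port=23 address=
 1   name=ftp port=21 address=
 2 X name=www port=80 address=
 3   name=ssh port=22 address=192.168.88.0/24
 4   name=www-ssl port=443 address= certificate=none
 5   name=api port=8728 address=
 6   name=winbox port=8291 address=
 7 X name=api-ssl port=8729 address= certificate=none
"""

# Hypothetical policy for this example (Sara's own lists may differ): cleartext
# services, and services that should only be reachable from trusted addresses.
CLEARTEXT = {"telnet", "ftp", "www", "api"}
CRITICAL = {"api", "api-ssl", "winbox", "ssh"}

LINE_RE = re.compile(r"^\s*(?P<idx>\d+)\s+(?P<flags>[A-Z]*)\s*(?P<body>name=.*)$")


def parse_terse(output: str) -> list:
    """Turn terse print lines into dicts; 'disabled' is derived from the X flag."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip blank or unexpected lines rather than failing
            continue
        item = {"disabled": "X" in m.group("flags")}
        item.update(re.findall(r"(\S+?)=(\S*)", m.group("body")))
        entries.append(item)
    return entries


def audit_services(output: str) -> list:
    """Return one finding string per enabled service that violates the policy."""
    findings = []
    for svc in parse_terse(output):
        if svc["disabled"]:
            continue  # a disabled service exposes nothing
        name = svc["name"]
        if name in CLEARTEXT:
            findings.append(f"{name}: cleartext management service enabled on port {svc['port']}")
        if name in CRITICAL and not svc.get("address"):
            findings.append(f"{name}: not restricted to trusted addresses (address is empty)")
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_IP_SERVICE):
        print(finding)
```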

Install & Use