Execute python3 winbox.py -t -u [-p ] to demonstrate Winbox client functionality, or leverage the Winbox API to send custom messages to the server. The default password, if omitted, is blank. Below is an example of the client API.

import winbox

w = winbox.Winbox('127.0.0.1')
w.auth('admin', '')
msg = b'M2\x05\x00\xff\x01\x06\x00\xff\t\x01\x07\x00\xff\t\x07\x01\x00\xff\x88\x02\x00\r\x00\x00\x00\x04\x00\x00\x00\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x0b\x00\x00\x00'
resp = w.send(msg)
print("Received response: ")
print(resp)

MAC Telnet

The MAC Telnet program only functions in client mode and requires a MikroTik host (version 6.45.1+) running on the same subnet to demonstrate functionality. Run python3 mactelnet.py [-u -p ] to authenticate and create a remote RouterOS terminal within the target host.

Elliptic Curves Utilities

elliptic_curves.py contains cryptographic functions for authentication. It exposes the WCurve class which performs elliptic curve calculations and conversions between Montgomery and Weierstrass curves as well as between affine and weighted projective space. Margin Research’s blog post contains a high-level overview of the EC-SRP5 implementation, and this old, unfinished IEEE submission draft is a nearly identical protocol to what is implemented. Similarities to this draft submission are highlighted below:

1. gen_public_key accepts a private key and returns a public key. This is equivalent to ECPEPKGP-SRP-A. Note: the private key is multiplied over the Weierstrass curve, but the public key returned is the converted Montgomery form x coordinate
2. lift_x plots a provided x coordinate on the Weierstrass curve in affine form. This makes up a component of ECEDP and is used in public key generation
3. redp1 is named according to old MikroTik symbols. This incorporates elements of two functions: it increments the x coordinate until lift_x returns a valid point, similar to ECEDP, and it hashes the x coordinate before plotting, similar to steps in ECPESVDP-SRP-A and ECPEPKGP-SRP-B for computing the pseudo-random point e

Encryption Utilities

encryption.py imports required cryptographic classes and calculates encryption and authentication keys. RouterOS employs Mac-then-Encrypt for all messages and uses HMAC and AES-CBC. It also uses unique send and receive ciphers. Both Winbox and MAC Telnet POCs demonstrate successful encryption and decryption. Note: the AES-CBC implementation uses a modified padding that is similar to PKCS-7. Instead of padding n bytes with character n, the padding is n bytes of character n-1

It is worth mentioning that Winbox fragments the source message - after computing the authentication hash and encrypting - if longer than 0xff. Both Winbox client and server scripts reassemble fragmented messages.