mikhailartamonov/router-cve-audit

GitHub: mikhailartamonov/router-cve-audit


# router-cve-audit

Defensive CVE audit toolkit for consumer / SOHO routers and small-network gear. Detection-only — no exploitation, no brute-force.

**Vendor coverage** (8): MikroTik (RouterOS), TP-Link, Huawei, D-Link, ASUS, Zyxel, Keenetic, Ubiquiti. ~36 KEV-tracked CVEs and ~30 EOL device families hardcoded in [`safe_versions.json`](safe_versions.json) (auto-flagged as CRITICAL even when the firmware version is not extractable).

## Pipeline

```
naabu / port_scanner.py  →  httpx              →  nuclei           →  inventory_collector.py
(open ports)                (web fingerprint)     (CVE detection)     (RouterOS-specific: SNMP / RouterOS API / Webfig / Winbox banner)
        │
        ▼
version_check.py     (severity vs safe_versions.json)
        │
        ▼
report_generator.py  (REPORT.md + PROBLEMS_FOUND.md)
        │
        ▼
scan_inventory.py    (history of what/when scanned)
```

Wrapped by `audit/nuclei_runner.sh` (single command end-to-end) and `tests/lan_smoke.sh` (Phase A driver — adds passive MNDP listener).

## Quick start

```bash
# 1. Clone
git clone https://github.com//router-cve-audit.git
cd router-cve-audit

# 2. Install Project Discovery binaries (Linux/macOS)
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
nuclei -update-templates
# Windows: download .exe from Project Discovery Releases page,
# place in ./bin/ — nuclei_runner.sh auto-prepends to PATH.

# 3. Optional Python deps for SNMP / RouterOS API
pip install pysnmp librouteros

# 4. Configure
cp .env.example .env
# Edit .env: set TARGET_SUBNETS=192.168.1.0/24

# 5. Run
bash audit/nuclei_runner.sh
# Or: bash tests/lan_smoke.sh   (Phase A — adds passive MNDP listener)

# 6. Review
cat results/$(ls -1t results/ | head -1)/REPORT.md
cat PROBLEMS_FOUND.md
```

## Tools

| Script | Purpose |
|---|---|
| `audit/port_scanner.py` | TCP-connect port scanner (pure Python; replacement for `naabu` on Windows where AV flags it) |
| `audit/inventory_collector.py` | RouterOS-focused vendor / version detection (SNMP → RouterOS API → Webfig → Winbox banner → Bandwidth Test :2000) |
| `audit/mndp_listener.py` | Passive UDP/5678 listener for MikroTik Neighbor Discovery (only same-L2 broadcast domain) |
| `audit/version_check.py` | Severity evaluator vs `safe_versions.json` (KEV-aware, branch-aware for RouterOS) |
| `audit/report_generator.py` | Builds `REPORT.md` per run + appends to `PROBLEMS_FOUND.md` |
| `audit/scan_inventory.py` | Tracks scan history (`scan_log.jsonl` + `scan_inventory.json`) — coverage gaps view |
| `audit/geo_lookup.py` | IP/CIDR → country/city/ASN. `--country KH` pulls all RIR-registered netblocks via [RIPEstat](https://stat.ripe.net/) |
| `audit/cve_refresh.py` | Pulls [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog), highlights gaps in `safe_versions.json` |
| `audit/coverage_map.py` | Renders `scan_inventory` + `geo_cache` into a single static HTML table |
| `audit/nuclei_runner.sh` | End-to-end pipeline driver |
| `tests/lan_smoke.sh` | Phase A driver (LAN smoke test) — same as `nuclei_runner.sh` + MNDP listener |

## Configuration

- **`.env`** (gitignored): `TARGET_SUBNETS`, `MODE` (lan/prod), `STEALTH`, `SNMP_COMMUNITY`, `ROS_USER`, `ROS_PASS`, `ROS_API_TLS`, `IPINFO_TOKEN`
- **`config.yaml`**: discovery ports, nuclei tags, rate limits, severity rules
- **`safe_versions.json`**: vendor-specific CVE rules + EOL device list

## Stealth mode

`MODE=prod STEALTH=1` activates:

- `port_scanner` / `naabu`: 30 pps, 10 concurrency
- `nuclei`: 5 rps, 10 concurrency, 15s timeout
- Custom Mozilla User-Agent (instead of the default `Nuclei` signature)

Designed to stay below typical IDS port-flood thresholds during legitimate authorized audits. **Not** a mechanism to evade the network owner — see [`DISCLAIMER.md`](DISCLAIMER.md).

## Why not just use Shodan / Censys?

Shodan/Censys provide passive datasets compiled from internet-wide scans — great for external attack-surface monitoring, but you don't control:

- Scan freshness (data may be days/weeks stale)
- Coverage of internal RFC 1918 ranges (they can't see those)
- Vendor-specific deep checks (e.g., RouterOS Bandwidth-Test :2000 fingerprint, ASUS KadNap port :53282 IoC)

This toolkit is for **active audit of networks you control**, where you need fresh data, full visibility into private ranges, and vendor-specific intelligence beyond generic web fingerprinting.

## Limitations

- **MikroTik 7.x** hides the version from public HTTP responses by design — for the exact version you need an SNMP community **or** RouterOS API credentials **or** same-L2 reachability for MNDP
- **MNDP listener** requires being in the same broadcast domain as the targets
- **Naabu** on Windows may be flagged as PUA by Windows Defender — use the bundled Python `port_scanner.py` (slower, but no driver / AV issues)
- **`naabu`** on Linux requires root for SYN scan, or `setcap cap_net_raw=ep` on the binary; otherwise it falls back to TCP-connect (slower)

## License

[MIT](LICENSE) — see `LICENSE` file.
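The severity logic that `version_check.py` is described as applying (KEV-aware, branch-aware for RouterOS, EOL families CRITICAL even without a version) is illustrated below with an added example. This is not the project's code: the rule schema, the version thresholds, the `CVE-PLACEHOLDER-*` IDs and the device families are all constructed assumptions, and the example assumes that any firmware below a branch's first fixed release is exposed to the KEV-tracked CVEs that release closes.

```python
import json
import re
from typing import Optional

# Constructed rule set in an ASSUMED schema (not the project's real safe_versions.json):
# per vendor, the minimum safe version per release branch, the KEV-tracked CVEs
# (placeholder IDs) that release closes, and EOL device families that are CRITICAL
# regardless of whether a firmware version could be extracted.
RULES = json.loads("""
{
  "mikrotik": {
    "branches": {
      "6": {"min_safe": "6.49.13", "kev": ["CVE-PLACEHOLDER-A"]},
      "7": {"min_safe": "7.13", "kev": ["CVE-PLACEHOLDER-B"]}
    },
    "eol_families": ["RB750", "RB951"]
  }
}
""")

def parse_version(v: str) -> tuple:
    """'6.49.13' -> (6, 49, 13, 0); a pre-release like '7.13rc1' sorts below the final 7.13."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad so that 7.13 == 7.13.0
    return tuple(nums) + ((-1,) if m.group(2) else (0,))

def evaluate(vendor: str, model: Optional[str], version: Optional[str]) -> dict:
    """Severity for one device; branch-aware, since 6.x and 7.x each have their own fixed release."""
    rules = RULES.get(vendor.lower())
    if rules is None:
        return {"severity": "UNKNOWN", "reason": "no rules for vendor"}
    # EOL hardware never receives a fix, so it is CRITICAL even with no version string
    if model and any(model.upper().startswith(f) for f in rules["eol_families"]):
        return {"severity": "CRITICAL", "reason": f"EOL device family: {model}"}
    if not version:
        return {"severity": "MEDIUM", "reason": "version not extractable; retry via SNMP / RouterOS API"}
    parsed = parse_version(version)
    branch = rules["branches"].get(str(parsed[0]))
    if branch is None:
        return {"severity": "HIGH", "reason": f"no rule for branch {parsed[0]}.x"}
    if parsed < parse_version(branch["min_safe"]):
        # Below the branch's fixed release: exposed to the KEV-tracked CVEs it closes
        return {"severity": "CRITICAL",
                "reason": f"{version} < {branch['min_safe']} (KEV: {', '.join(branch['kev'])})"}
    return {"severity": "OK", "reason": f"{version} >= {branch['min_safe']}"}
```

A 6.x device on 6.49.13 is OK while a 7.x device on 7.12.1 is CRITICAL, which is why a single global "latest version" threshold would misclassify one of the two branches.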