Skip to content

Blamp26/router-audit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Router Firmware Audit Framework

Static analysis tool for router firmware — extracts filesystem, finds hardcoded secrets, checks ELF binaries for security flags, and audits config files for misconfigurations.

Features

  • Firmware extraction — NPK (MikroTik), SquashFS, JFFS2, tar/gz
  • Secret detection — hardcoded passwords, API tokens, weak hashes
  • Binary analysis — dangerous imports, NX/canary/RELRO flags via ELF parsing
  • Config auditing — UPnP misconfigs, exposed API variables
  • JSON reports — machine-readable output for integration

Demo

$ ./router-audit routeros-7.14.3.npk --quiet --output report.json

[+] Extracted to: /tmp/router-audit-work/npk-root
[+] Secrets found: 8
[+] Vulnerabilities: 410 in 129 binaries
[+] Config issues: 8
[+] Report saved to: report.json

Usage

# Full analysis
./router-audit firmware.npk

# Secrets only
./router-audit firmware.npk --secrets-only

# Vulnerabilities only
./router-audit firmware.npk --vulns-only

# Quiet mode with JSON report
./router-audit firmware.npk --quiet --output report.json

# Skip specific modules
./router-audit firmware.npk --no-vulns
./router-audit firmware.npk --no-configs

# Analyze already extracted directory
./router-audit /path/to/extracted/

Build

# Dependencies (Debian/Kali)
sudo apt install build-essential cmake libarchive-dev \
                 libpcap-dev libcapstone-dev libmbedtls-dev libtins-dev
pipx install jefferson

# nlohmann/json (header-only)
mkdir -p third_party/nlohmann
wget https://github.com/nlohmann/json/releases/download/v3.11.3/json.hpp \
     -O third_party/nlohmann/json.hpp

# Build
mkdir build && cd build
cmake ..
make -j$(nproc)

Tested on

Firmware Format Result
MikroTik RouterOS 7.14.3 NPK 8 secrets, 410 vulns, 8 config issues
TP-Link TL-WR841N SquashFS

Architecture

src/
├── firmware/
│   ├── extractor      — format detection + extraction (NPK/SquashFS/JFFS2/tar)
│   ├── fs_walker      — filesystem traversal + file classification
│   └── elf_parser     — ELF header parsing utilities
├── analysis/
│   ├── secret_finder  — regex-based secret detection with noise filtering
│   ├── vuln_checker   — ELF import table + security flag analysis
│   └── config_auditor — XML/JSON misconfiguration detection
├── fingerprint/
│   ├── scanner        — network port scanning + banner grabbing
│   └── identifier     — device model/firmware identification
├── report/
│   ├── json_report    — structured JSON output
│   └── terminal_report— colored terminal output
└── utils/
    ├── pattern        — shared regex patterns
    └── process        — subprocess management

What It Finds

Secrets

  • Hardcoded passwords and credentials
  • API tokens and license keys
  • Weak MD5 hashes
  • Exposed cryptographic keys

Binary Vulnerabilities

  • Dangerous function imports (strcpy, system, sprintf, gets...)
  • Missing NX/DEP (executable stack)
  • Missing stack canary
  • Missing RELRO (writable GOT)

Config Issues

  • Exposed UPnP service descriptors
  • Suspicious UPnP actions (e.g. MagicOn)
  • Sensitive variables leaked in API templates
  • Endpoints without visible authentication

Tech Stack

C++20 · libarchive · libcapstone · libtins · mbedTLS · nlohmann/json

Supported Firmware Formats

Format Magic Notes
MikroTik NPK 1e f1 d0 ba 4096-byte header + SquashFS
SquashFS 73 71 73 68 Direct extraction via unsquashfs
JFFS2 85 19 Via jefferson
tar/gz/zip Via libarchive

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors