Static analysis tool for router firmware — extracts filesystem, finds hardcoded secrets, checks ELF binaries for security flags, and audits config files for misconfigurations.
- Firmware extraction — NPK (MikroTik), SquashFS, JFFS2, tar/gz
- Secret detection — hardcoded passwords, API tokens, weak hashes
- Binary analysis — dangerous imports, NX/canary/RELRO flags via ELF parsing
- Config auditing — UPnP misconfigs, exposed API variables
- JSON reports — machine-readable output for integration
$ ./router-audit routeros-7.14.3.npk --quiet --output report.json
[+] Extracted to: /tmp/router-audit-work/npk-root
[+] Secrets found: 8
[+] Vulnerabilities: 410 in 129 binaries
[+] Config issues: 8
[+] Report saved to: report.json
# Full analysis
./router-audit firmware.npk
# Secrets only
./router-audit firmware.npk --secrets-only
# Vulnerabilities only
./router-audit firmware.npk --vulns-only
# Quiet mode with JSON report
./router-audit firmware.npk --quiet --output report.json
# Skip specific modules
./router-audit firmware.npk --no-vulns
./router-audit firmware.npk --no-configs
# Analyze already extracted directory
./router-audit /path/to/extracted/# Dependencies (Debian/Kali)
sudo apt install build-essential cmake libarchive-dev \
libpcap-dev libcapstone-dev libmbedtls-dev libtins-dev
pipx install jefferson
# nlohmann/json (header-only)
mkdir -p third_party/nlohmann
wget https://github.com/nlohmann/json/releases/download/v3.11.3/json.hpp \
-O third_party/nlohmann/json.hpp
# Build
mkdir build && cd build
cmake ..
make -j$(nproc)| Firmware | Format | Result |
|---|---|---|
| MikroTik RouterOS 7.14.3 | NPK | 8 secrets, 410 vulns, 8 config issues |
| TP-Link TL-WR841N | SquashFS | ✓ |
src/
├── firmware/
│ ├── extractor — format detection + extraction (NPK/SquashFS/JFFS2/tar)
│ ├── fs_walker — filesystem traversal + file classification
│ └── elf_parser — ELF header parsing utilities
├── analysis/
│ ├── secret_finder — regex-based secret detection with noise filtering
│ ├── vuln_checker — ELF import table + security flag analysis
│ └── config_auditor — XML/JSON misconfiguration detection
├── fingerprint/
│ ├── scanner — network port scanning + banner grabbing
│ └── identifier — device model/firmware identification
├── report/
│ ├── json_report — structured JSON output
│ └── terminal_report— colored terminal output
└── utils/
├── pattern — shared regex patterns
└── process — subprocess management
- Hardcoded passwords and credentials
- API tokens and license keys
- Weak MD5 hashes
- Exposed cryptographic keys
- Dangerous function imports (
strcpy,system,sprintf,gets...) - Missing NX/DEP (executable stack)
- Missing stack canary
- Missing RELRO (writable GOT)
- Exposed UPnP service descriptors
- Suspicious UPnP actions (e.g.
MagicOn) - Sensitive variables leaked in API templates
- Endpoints without visible authentication
C++20 · libarchive · libcapstone · libtins · mbedTLS · nlohmann/json
| Format | Magic | Notes |
|---|---|---|
| MikroTik NPK | 1e f1 d0 ba |
4096-byte header + SquashFS |
| SquashFS | 73 71 73 68 |
Direct extraction via unsquashfs |
| JFFS2 | 85 19 |
Via jefferson |
| tar/gz/zip | — | Via libarchive |