Metasploit’s post-exploitation module to extracts Mikrotik Winbox credentials

Metasploit’s post gather modules are useful to gathering additional information from a host after a Metasploit session has opened.

This module is a Post-Exploitation Windows Gather to perform credentials extraction against the Mikrotik Winbox when the “Keep Password” option is selected in Winbox.

I sent a Pull Request to Rapid7 wich was accepted and this module is now part of metasploit. So, now I’m a metasploit contributor 😉


  • Get a session on Windows host (meterpreter, shell and powershell sessions are supported)
  • Run: run post/windows/gather/credentials/winbox_settings
  • If any users in the system has a Keep Password enabled in Winbox, the credentials will be printed out