I've been under the impression that in the absence of internet-facing vulnerable services on a network, an attacker might try to compromise the router itself and use that as a point from which to attack machines inside the network. So with that assumption, I figured I'd try to sate my curiosity and see just what one could do once a router was under malicious control. The problem is, I honestly don't know much about what can be done, and Google is only so helpful (actually, I mostly have to use Bing these days as I'm behind the Great Firewall and I don't currently have a proper VPN at my disposal. Ugh. But that's neither here nor there.)
Now, since the point of this exercise doesn't yet involve the actual exploitation of said router (I'll get to that when I feel I'm ready), I set up a simple D-Link router I had available inside my network with unsecured remote administration enabled, and put a computer running a couple of virtual machines behind it.
This means, as you've probably figured out, that I can have complete (?) control of the router from outside the LAN. From here I know of a few things that can be done, like changing the DNS to a malicious server to redirect traffic to spoofed sites, and whatnot. Aside from that, I can also see which machines are connected to the router. What I'm not so sure about is whether there is any way to gather further information about these machines from outside the network. I tried port forwarding and scanning that range with Nmap, but still all I can see are the web administration port for the router, and port 21, which shows up as tcpwrapped and is not accepting incoming connections.
Does anybody know of any way to scan or otherwise obtain a little more information about the computers behind a compromised router? I feel like I've hit a dead end.
On a similar note, how would this be different if the router in question were an enterprise-grade router? I can't exactly afford a nice Cisco or another of that type, so I can't test it myself at this point in time, but it's still something I'd like to know about.
If anyone could shed some light on this subject for me, I would really appreciate it.
I'm usually a friendly sort. Feel free to say hi. =)