Gathering information behind a home router


Post by karunkun on Fri Jun 20, 2014 10:30 am

Hey all,
I've been under the impression that in the absence of internet-facing vulnerable services on a network, an attacker might try to compromise the router itself and use that as a point from which to attack machines inside the network. So with that assumption, I figured I'd try to sate my curiosity and see just what one could do once a router was under malicious control. The problem is, I honestly don't know much about what can be done, and Google is only so helpful (actually, I mostly have to use Bing these days as I'm behind the Great Firewall and I don't currently have a proper VPN at my disposal. Ugh. But that's neither here nor there.)

Now, since the point of this exercise doesn't yet involve the actual exploitation of said router (I'll get to that when I feel I'm ready), I set up a simple D-Link router I had available inside my network with unsecured remote administration enabled, and put a computer running a couple virtual machines behind it.

This means, as you've probably figured out, that I can have complete? control of the router from outside the LAN. From here I know of a few things that can be done, like changing the DNS to a malicious server to redirect traffic to spoofed sites, and whatnot. Aside from that, I can also see which machines are connected to the router. What I'm not so sure about is whether there is any way to gather further information about these machines from outside the network. I tried port forwarding and scanning that range with Nmap, but still all I can see are the web administration port for the router, and port 21 which shows up as tcpwrapped and is not accepting incoming connections.

Does anybody know of any way to scan or otherwise obtain a little more information about the computers behind a compromised router? I feel like I've hit a dead end.

On a similar note, how would this be different if the router in question were an enterprise-grade router? I can't exactly afford a nice Cisco or other of that type, so I can't test it myself at this point in time, but it's still something I'd like to know about.

If anyone could shed some light on this subject for me, I would really appreciate it.
I'm usually a friendly sort. Feel free to say hi. =)
karunkun
New User
 
Posts: 4
Joined: Wed Aug 26, 2009 12:18 am
Location: Guangzhou, China


Re: Gathering information behind a home router

Post by cyberdrain on Sat Jun 21, 2014 7:13 pm

With only the admin password and the settings on the router I don't think there is much you can do. However, once you get root access to the device (might be the same as admin in this case) and its file systems, and you can actually run some commands, you could pivot traffic from your PC through the compromised router into the network. Now with an enterprise-grade router, I think that past exploitation there's not much difference; again, you just pivot the traffic through it. Usually exploits that work through a NAT and routers use a connect-back approach, like a daemon waiting for connections to the backdoored device.
Free your mind / Think clearly
I use the sarcasm color for both sarcasm and irony
cyberdrain
Addict
 
Posts: 1502
Joined: Sun Nov 27, 2011 1:58 pm


Re: Gathering information behind a home router

Post by limdis on Sun Jun 22, 2014 12:04 pm

When attacking networks you have to keep in mind that things work in layers (generally). You can go many different directions with it, and having one thing compromised doesn't mean you have root access to everything. Once you manage to get into the wireless network you are in a prime spot to better footprint the network: Nmap everything, for example, to see what is running what. Start packet captures to see web traffic. Getting router access would be like a 'step 2'. Once you have access you are pretty much in control. The only downside is not having physical access to it. Cyberdrain linked a cool thing you can do, and that is in essence what you can do once you have router access. Aside from controlling who can access the network, you can have all traffic rerouted to a custom proxy and record everything. But really it depends on what your goals are. If you just want information on the devices on the network, connect to it and pull what you can from the router, then Nmap every device for OSes, etc.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
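The thread describes three things a router-level compromise buys an attacker: remote administration reachable from the WAN (the setup the original poster created on purpose), DHCP-handed DNS resolvers pointed at a rogue server, and port forwards that expose inside hosts. As an added example that is not code from any poster in this thread, the script below audits a router configuration export for exactly those three exposures. The key=value export format, the sample values, the expected resolver list and the approved-forward list are all constructed assumptions; a real D-Link or other consumer router exports its settings in a vendor-specific format, so `parse_config()` would need adapting.

```python
"""Audit a home-router configuration export for the exposures discussed in
this thread: WAN-side remote administration, unexpected DNS resolvers handed
out over DHCP, and port forwards that open inside hosts to the internet.

The key=value format and every sample value here are constructed for this
example and do not come from any real device.
"""

from ipaddress import ip_network

# Constructed sample export, modelled on the scenario in the thread:
# remote admin open to the whole internet, one rogue resolver, two forwards.
SAMPLE_CONFIG = """\
wan.remote_admin.enabled=1
wan.remote_admin.port=8080
wan.remote_admin.allowed_hosts=0.0.0.0/0
lan.dhcp.dns1=192.0.2.53
lan.dhcp.dns2=1.1.1.1
portforward.1=tcp:21->192.168.0.10:21
portforward.2=tcp:3389->192.168.0.20:3389
"""

# Resolvers the owner actually intends LAN clients to use (assumption).
EXPECTED_DNS = {"1.1.1.1", "9.9.9.9", "192.168.0.1"}
# Forwards the owner has knowingly created (assumption: none).
APPROVED_FORWARDS = set()


def parse_config(text):
    """Turn key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg, expected_dns=EXPECTED_DNS, approved_forwards=APPROVED_FORWARDS):
    """Return a list of (severity, finding) tuples for a parsed config."""
    findings = []

    # 1. Remote administration on the WAN side. An unrestricted source
    #    range (prefix length 0) is the worst case; a pinned source is
    #    still worth flagging, just less urgently.
    if cfg.get("wan.remote_admin.enabled") == "1":
        allowed = cfg.get("wan.remote_admin.allowed_hosts", "0.0.0.0/0")
        unrestricted = ip_network(allowed, strict=False).prefixlen == 0
        severity = "high" if unrestricted else "medium"
        port = cfg.get("wan.remote_admin.port", "?")
        findings.append((severity,
                         f"remote admin enabled on WAN port {port} "
                         f"(allowed from {allowed})"))

    # 2. DHCP resolvers outside the expected set: the DNS-redirect case
    #    the original post mentions. Only the explicitly configured
    #    resolver keys are checked.
    for key in ("lan.dhcp.dns1", "lan.dhcp.dns2"):
        server = cfg.get(key)
        if server and server not in expected_dns:
            findings.append(("high", f"{key} points at unexpected resolver {server}"))

    # 3. Port forwards not on the approved list expose an inside host to
    #    anything that can reach the WAN interface.
    for key, value in sorted(cfg.items()):
        if key.startswith("portforward.") and value not in approved_forwards:
            findings.append(("medium", f"unapproved forward {value} ({key})"))

    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit an export in one call."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for severity, finding in audit_text(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Run against the constructed sample, the audit reports two high findings (internet-wide remote admin, the 192.0.2.53 resolver) and two medium ones (the two forwards); the 1.1.1.1 entry is on the expected list and is not flagged. The same three checks are what the original poster would use to confirm the test router has been returned to a safe state afterwards.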
limdis
Moderator
 
Posts: 1433
Joined: Mon Jun 28, 2010 5:45 pm

