Gathering information behind a home router

Posted: Fri Jun 20, 2014 10:30 am
by karunkun
Hey all,
I've been under the impression that in the absence of internet-facing vulnerable services on a network, an attacker might try to compromise the router itself and use that as a point from which to attack machines inside the network. So with that assumption, I figured I'd try to sate my curiosity and see just what one could do once a router was under malicious control. The problem is, I honestly don't know much about what can be done, and Google is only so helpful (actually, I mostly have to use Bing these days as I'm behind the Great Firewall and I don't currently have a proper VPN at my disposal. Ugh. But that's neither here nor there.)

Now, since the point of this exercise doesn't yet involve the actual exploitation of said router (I'll get to that when I feel I'm ready), I set up a simple D-Link router I had available inside my network with unsecured remote administration enabled, and put a computer running a couple of virtual machines behind it.

This means, as you've probably figured out, that I can have complete? control of the router from outside the LAN. From here I know of a few things that can be done, like changing the DNS to a malicious server to redirect traffic to spoofed sites, and whatnot. Aside from that, I can also see which machines are connected to the router. What I'm not so sure about is whether there is any way to gather further information about these machines from outside the network. I tried port forwarding and scanning that range with Nmap, but still all I can see are the web administration port for the router, and port 21 which shows up as tcpwrapped and is not accepting incoming connections.

Does anybody know of any way to scan or otherwise obtain a little more information about the computers behind a compromised router? I feel like I've hit a dead end.

On a similar note, how would this be different if the router in question were an enterprise-grade router? I can't exactly afford a nice Cisco or other of that type, so I can't test it myself at this point in time, but it's still something I'd like to know about.

If anyone could shed some light on this subject for me, I would really appreciate it.

Re: Gathering information behind a home router

Posted: Sat Jun 21, 2014 7:13 pm
by cyberdrain
With only the admin password and the settings on the router, I don't think there is much you can do. However, once you get root access to the device (might be the same as admin in this case) and its file systems, and you can actually run some commands, you could pivot traffic from your PC through the compromised router into the network. Now, with an enterprise-grade router, I think that past exploitation there's not much difference; again, you just pivot the traffic through it. Usually exploits that work through NAT and routers use a connect-back approach, like a daemon waiting for connections to the backdoored device.

Re: Gathering information behind a home router

Posted: Sun Jun 22, 2014 12:04 pm
by limdis
When attacking networks you have to keep in mind that things work in layers (generally). You can go many different directions with it, and having one thing compromised doesn't mean you have root access to everything. Once you manage to get into the wireless network you are in a prime spot to better footprint the network: Nmap everything, for example, to see what is running what. Start packet captures to see web traffic. Getting router access would be like a 'step 2'. Once you have access you are pretty much in control. The only downside is not having physical access to it. Cyberdrain linked a cool thing you can do, and that is in essence what you can do once you have router access. Aside from controlling who can access the network, you can have all traffic rerouted to a custom proxy and record everything. But really it depends on what your goals are. If you just want information on the devices on the network, connect to it and pull what you can from the router, then Nmap every device for OSes, etc.