I'm new to this forum, so first off, let me introduce myself: 6sygma.
In my everyday life I run a very small business selling IT solutions to end users.
Anyway, at the office we have a HG520 with a static IP as the gateway. I recently decided to look into its security and I was quite surprised to discover how vulnerable it is. I managed to learn how to get the admin password in 2 different ways, how to escalate user privileges to admin ones, and all this from outside the office network. This sent a chill down my spine. Since then I have de-activated all services for the WAN: no more HTTP, Telnet, ICMP, etc. I also activated the FW but left aside the SPI for now. Now I'm wondering if it is still possible to get past the FW? I'm pretty sure we're still not safe.
I want to test this theory by using IP spoofing to try and fool the gateway into letting me access the config on the web server and modify settings. HTTP is still accessible from the inside, so I want to spoof, from outside, the TCP packets' source address to an internal IP like 192.168.1.7. However, it seems that if I spoof a machine which is on the network, that trusted machine will send a TCP RST packet, thus killing my attempt. I therefore have the following 2 questions and would greatly appreciate any help on this:
Question 1: If I spoof an internal IP that isn't assigned to a machine on the network, then nobody should send a TCP packet with the RST flag raised to the gateway, right? This might give me enough time to predict the TCP sequence, gain a "real handshake" and continue predicting the responses of the web server and sending it the right packets until I open up the web interface for the outside world again. Am I correct in assuming this?
Question 2: Since I'm operating remotely [from home] with a D-Link router and a dynamic IP, would the TCP packet with the spoofed source address be accepted and passed on by the routers along the way at my ISP? Please note: my ISP is quite primitive and careless, I must say.
Thanks in advance for any answers.