Penetration Testing mailing list archives

Re: Router Access


From: Dan Henage <mckennage () gmail com>
Date: Wed, 1 Jun 2005 17:35:14 -0700

Since they are likely running NAT and DHCP on the LAN behind the
Linksys router (this is typical for small businesses), there is a lot
you can do.

For example, if they are using DHCP, you can change the DNS servers on
the router to point to a DNS server you control, and use that to force
users to invalid web sites without their knowledge (such as a phishing
attack).

Also, I usually like to look at the list of current DHCP clients in
the DHCP clients table. You can get some information there such as the
names and IP addresses. If you are doing a remote test, then you can
set the DMZ host to the first of those clients, do a complete port
scan and VA, then change the DMZ to the second host, and so on. This
will allow you almost direct access to all the clients on the LAN. You
can also guess IP addresses for clients that might not be using DHCP,
or possibly figure out a way to use logging on the router to see what
traffic is going out.

Also, you might be able to upload hacked firmware to the router to get
additional functionality, such as a Linux shell on the router. This
way you might be able to do things like sniff all traffic and have it
forwarded to you. Obviously that's going to be very intrusive.

Dan Henage


On 6/1/05, Sherwyn Williams <sherwill22 () tmail com> wrote:
This might be a dumb question but here goes!

    Once someone gets access to, say, a Linksys for instance, apart from
setting up remote access to the router or getting the client's real
IP address, what else can someone do? I am doing a pentest, and I want to
show what are some of the ways that someone can use the router access to
their advantage.



Sherwyn Williams
Technical Consultant
(917) 650-5139
Sherwill22 () tmail com
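Dan's first suggestion, rogue DNS servers handed out through the router's DHCP, is something a defender can check for on the LAN. The following is an added example, not code from either poster: it parses the options of a captured DHCPOFFER/DHCPACK (RFC 2131 fixed header, magic cookie, then TLV options) and flags any DNS server not on an expected list. The packet builder and the addresses 192.168.1.1 and 203.0.113.9 are constructed sample data.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP message (236-byte fixed header + cookie + options)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw: bytes) -> list:
    """Decode a concatenated list of IPv4 addresses, ignoring any trailing partial address."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) // 4 * 4, 4)]

def check_offer(packet: bytes, expected_dns: set) -> list:
    """Return findings for a DHCPOFFER/DHCPACK; an empty list means only expected DNS servers were advertised."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) not in (b"\x02", b"\x05"):   # 2 = OFFER, 5 = ACK; ignore other message types
        return []
    dns = ip_list(opts.get(OPT_DNS, b""))
    findings = [] if dns else ["no DNS option in offer"]
    findings += [f"unexpected DNS server {s}" for s in dns if s not in expected_dns]
    return findings

def build_offer(router: str, dns_servers: list) -> bytes:
    """Constructed sample: a minimal DHCPOFFER carrying router (option 3) and DNS (option 6) options."""
    header = bytes([2, 1, 6, 0]) + bytes(232)   # op=BOOTREPLY, htype=ethernet, hlen=6, remaining fields zeroed
    options = bytes([OPT_MSG_TYPE, 1, 2]) + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    dns_raw = b"".join(IPv4Address(d).packed for d in dns_servers)
    options += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END])
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    expected = {"192.168.1.1"}                       # the router itself is the only legitimate resolver here
    print(check_offer(build_offer("192.168.1.1", ["192.168.1.1"]), expected))                 # []
    print(check_offer(build_offer("192.168.1.1", ["192.168.1.1", "203.0.113.9"]), expected))  # flags 203.0.113.9
```

Feeding real captures into check_offer (for example the options of an OFFER taken from a packet capture on the LAN) turns this into a periodic rogue-resolver check.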


