Penetration Testing mailing list archives

Re: Router Access


From: Peter Lee <lists () eppix com au>
Date: Thu, 02 Jun 2005 11:08:30 +1000

Sherwyn Williams wrote:
This might be a dumb question, but here goes!

Once someone gets access to, say, a Linksys, apart from setting up remote access to the router or getting the client's real IP address, what else can someone do? I am doing a pentest, and I want to show some of the ways that someone can use router access to their advantage.

If you get privileged access, then apart from the obvious denial of service, how about:

- Running debug commands to capture traffic. Your mileage will certainly vary depending on the capabilities of the box, i.e. I don't know that you'll get a nice, friendly pcap file, but you might learn some useful things. Like DNS IPs you can spoof :-)

- Turning off ACLs to expose DMZ boxes, or flood IDS sensors.

- Turning on ip directed-broadcast for smurfing.

- If they use AAA authentication on this router, change the RADIUS server to your box, wait for people to start authenticating, and now you can capture passwords.

- You might be able to use NAT to rewrite selected destination IPs to an IP you control, for the purposes of MITM attacks, sniffing passwords, phishing etc.

- If you can't use NAT, what about a tunnel (say IPSec) to again redirect selected traffic to your box, where you can proxy/NAT it along to the real site while playing with it at your leisure.

- If you are a really skilled adversary, you might have your own custom software image with all sorts of goodies you can upload to the router. We're probably getting into tinfoil-hat territory now, however.

NB: I haven't actually tried any of these (I'm not a router guru), but they all seem possible to me, and, what's more important, they should be enough to scare your client into properly securing their routers.
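The list above is also a checklist of what to look for after the fact. The script below is an added example, not part of the original post or of any vendor's tooling: it diffs a router's running-config against a known-good baseline and flags the categories of change named in the reply (AAA server pointed elsewhere, an interface ACL removed, `ip directed-broadcast` enabled, a static NAT mapping or crypto/tunnel config added, a different boot image). It assumes Cisco IOS-style configuration text (the Linksys in the question has a web UI instead, but the same classes of change apply); all hostnames, addresses and image names in the sample configs are constructed.

```python
"""Baseline diff of a router running-config, flagging the changes an attacker
with privileged access would make: AAA server swap, ACL removal, directed
broadcast, static NAT rewrite, crypto/tunnel config, boot image change.

Added example, not from the original post.  Assumes Cisco IOS-style config
text; every address, hostname and image name below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

AAA_SERVER = re.compile(r"^((radius|tacacs)-server host|address ipv4) \S+")
NAT_STATIC = re.compile(r"^ip nat (inside|outside) source static ")
CRYPTO = re.compile(r"^crypto (map|isakmp|ipsec) ")
BOOT = re.compile(r"^boot system ")


@dataclass(frozen=True)
class Finding:
    severity: str
    interface: Optional[str]   # None for global-config findings
    message: str


def parse_ios(text: str):
    """Split an IOS config into a set of global lines and a dict of
    interface name -> set of its (stripped) sub-commands.  A '!' line or an
    unindented line ends an interface block."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, set())
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces


def _added(pattern, base, cur):
    """Lines matching `pattern` present in `cur` but not in `base`."""
    return sorted({ln for ln in cur if pattern.match(ln)} - {ln for ln in base if pattern.match(ln)})


def audit_config(baseline: str, current: str) -> list:
    base_g, base_if = parse_ios(baseline)
    cur_g, cur_if = parse_ios(current)
    f = []
    # AAA server now points somewhere new: every login's credentials go there.
    for ln in _added(AAA_SERVER, base_g, cur_g):
        f.append(Finding("critical", None, f"AAA server changed: {ln}"))
    # Static NAT, crypto or boot lines absent from the baseline: traffic
    # redirection, a tunnel to a third party, or a replaced software image.
    for ln in _added(NAT_STATIC, base_g, cur_g):
        f.append(Finding("high", None, f"static NAT mapping added: {ln}"))
    for ln in _added(CRYPTO, base_g, cur_g):
        f.append(Finding("high", None, f"crypto config added: {ln}"))
    for ln in _added(BOOT, base_g, cur_g):
        f.append(Finding("high", None, f"boot image changed: {ln}"))
    # Per interface: an ACL that was applied in the baseline is gone,
    # directed broadcast is on, or a tunnel interface appeared.
    for name, base_lines in base_if.items():
        cur_lines = cur_if.get(name, set())
        for ln in sorted(base_lines):
            if ln.startswith("ip access-group ") and ln not in cur_lines:
                f.append(Finding("high", name, f"ACL removed: {ln}"))
    for name, cur_lines in cur_if.items():
        if "ip directed-broadcast" in cur_lines:
            f.append(Finding("medium", name, "ip directed-broadcast enabled (smurf amplifier)"))
        if name.startswith("Tunnel") and name not in base_if:
            f.append(Finding("high", name, "new tunnel interface"))
    return f


# Constructed sample configs: a known-good baseline and a tampered copy.
BASELINE = """hostname edge-rtr
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.5 key s3cr3t
boot system flash:baseline-image.bin
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any
"""

TAMPERED = """hostname edge-rtr
aaa new-model
aaa authentication login default group radius local
radius-server host 198.51.100.7 key s3cr3t
boot system flash:modified-image.bin
ip nat inside source static 192.0.2.10 203.0.113.50
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
!
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    for finding in audit_config(BASELINE, TAMPERED):
        where = finding.interface or "global"
        print(f"[{finding.severity}] {where}: {finding.message}")
```

Run against the two constructed configs it reports six findings, one per tampering; run against the baseline twice it reports none. The parser is deliberately minimal (it ignores non-interface sub-blocks such as `line vty`), so treat it as the shape of a check rather than a complete IOS config parser; a real deployment would pull the running-config over SSH and compare against a copy stored off the router, since an attacker with privileged access can also rewrite the "baseline" kept on the box.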
