Penetration Testing mailing list archives
Re: Router Access
From: Peter Lee <lists () eppix com au>
Date: Thu, 02 Jun 2005 11:08:30 +1000
Sherwyn Williams wrote:
This might be a dumb question but here goes! Once someone gets access to, say, a Linksys for instance, apart from setting up remote access to the router, or getting the clients real IP address, what else can someone do? I am doing a pentest, and I want to show what are some of the ways that someone can use the router access to their advantage.
If you get privileged access, then apart from the obvious denial of service, how about:
- Running debug commands to capture traffic. Your mileage will certainly vary depending on the capabilities of the box, i.e. I don't know that you'll get a nice, friendly pcap file, but you might learn some useful things. Like DNS IPs you can spoof :-)
- Turning off ACLs to expose DMZ boxes, or flood IDS sensors.
- Turning on ip directed-broadcast for smurfing.
- If they use AAA authentication on this router, change the RADIUS server to your box, wait for people to start authenticating, and now you can capture passwords.
- You might be able to use NAT to rewrite selected destination IPs to an IP you control, for the purposes of MITM attacks, sniffing passwords, phishing etc.
- If you can't use NAT, what about a tunnel (say IPSec) to again redirect selected traffic to your box, where you can proxy/NAT it along to the real site while playing with it at your leisure.
- If you are a really skilled adversary, you might have your own custom software image with all sorts of goodies you can upload to the router. We're probably getting into tinfoil-hat territory now, however.
NB I haven't actually tried any of these, I'm not a router guru, but they all seem possible to me, and, what's more important, they should be enough to scare your client into properly securing their routers.
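From the defender's side, most of the changes listed in this message leave a trace in the router's running configuration. The following added example (not part of the original post) compares a running config against a known-good baseline and reports those changes; it assumes Cisco IOS-style syntax, and both sample configs, including all addresses and interface names, are constructed.

```python
# Constructed sample configs, Cisco IOS-style syntax (an assumption of this example).
BASELINE = """\
interface FastEthernet0/0
 ip access-group 110 in
 no ip directed-broadcast
!
radius-server host 10.0.0.5
"""
RUNNING = """\
interface FastEthernet0/0
 ip directed-broadcast
!
interface Tunnel0
 tunnel destination 203.0.113.9
!
ip nat inside source static 10.0.0.80 203.0.113.9
radius-server host 203.0.113.9
"""

def facts(cfg):
    """Collect the settings named in the post, keyed by kind."""
    f = {k: set() for k in ("acl", "dbcast", "tunnel", "nat", "radius")}
    iface = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split()[1]
            if iface.lower().startswith("tunnel"):
                f["tunnel"].add(iface)
        elif not raw.startswith(" "):
            iface = None  # back at global configuration level
        if iface and line.startswith("ip access-group "):
            f["acl"].add(f"{iface}: {line}")
        elif iface and line == "ip directed-broadcast":
            f["dbcast"].add(iface)
        elif raw.startswith("ip nat ") and " static " in raw:
            f["nat"].add(line)
        elif raw.startswith("radius-server host "):
            f["radius"].add(line.split()[2])
    return f

LABELS = {"dbcast": "directed-broadcast enabled", "tunnel": "new tunnel interface",
          "nat": "new static NAT rule", "radius": "new RADIUS server"}

def drift(baseline, running):
    """Report security-relevant changes relative to the known-good baseline."""
    b, r = facts(baseline), facts(running)
    out = [f"ACL binding removed: {x}" for x in sorted(b["acl"] - r["acl"])]
    for kind, label in LABELS.items():
        out += [f"{label}: {x}" for x in sorted(r[kind] - b[kind])]
    return out

if __name__ == "__main__":
    print("\n".join(drift(BASELINE, RUNNING)))
```

A replaced software image does not show up in a configuration diff, so that item needs a separate integrity check on the image itself.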