Re: Router Access

From: Peter Lee (lists@eppix.com.au)
Date: Wed Jun 01 2005 - 21:08:30 EDT


Sherwyn Williams wrote:
> This might be a dumb question but here goes!
>
> once someone gets access to a say linksys for instance apart from
> setting up remote access to the router, or getting the clients real
> IP address, what else can someone do. I am doing a pentest, and I want to
> show what are some of the ways that someone can use the router access to
> the advantage.

If you get privileged access, then apart from the obvious denial of
service, how about:

- Running debug commands to capture traffic. Your mileage will
certainly vary depending on the capabilities of the box, i.e. I don't
know that you'll get a nice, friendly pcap file, but you might learn
some useful things. Like DNS IPs you can spoof :-)

- Turning off ACLs to expose DMZ boxes, or flood IDS sensors.

- Turning on ip directed-broadcast for smurfing.

- If they use AAA authentication on this router, change the RADIUS
server to your box, wait for people to start authenticating, and now you
can capture passwords.

- You might be able to use NAT to rewrite selected destination IPs to
an IP you control, for the purposes of MITM attacks, sniffing passwords,
phishing etc.

- If you can't use NAT, what about a tunnel (say IPSec) to again
redirect selected traffic to your box, where you can proxy/NAT it along
to the real site while playing with it at your leisure.

- If you are a really skilled adversary, you might have your own custom
software image with all sorts of goodies you can upload to the router.
We're probably getting into tinfoil-hat territory now, however.

NB I haven't actually tried any of these, I'm not a router guru, but
they all seem possible to me, and what's more important they should be
enough to scare your client into properly securing their routers.
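The defensive counterpart to that list is a baseline check: every item above (a swapped AAA server, a rewritten static NAT entry, a removed inbound ACL, directed-broadcast turned on, an unexpected tunnel peer, remote management switched on) shows up as a diff between the running-config and what the owner believes is configured. The script below is an added example, not code from the original thread or from either poster; it assumes an IOS-style text config, and the sample config, the baseline values and the IP addresses are all constructed for the example.

```python
"""Audit an IOS-style running-config against a known-good baseline for the
changes the post lists as abuse vectors after privileged router access.
Config syntax, addresses and baseline values are constructed (assumed
IOS-like), not taken from the original thread."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line_no: int   # 1-based line number in the config text
    reason: str


def parse_stanzas(lines):
    """Split config into (header_line_no, header, [(line_no, cmd), ...]).
    A stanza is an unindented header ('interface X') plus the indented lines
    that follow it until a '!' separator, a blank line or the next header."""
    stanzas, current = [], None
    for no, raw in enumerate(lines, 1):
        if raw.startswith(" ") and current is not None:
            current[2].append((no, raw.strip()))
        elif raw.strip() and raw.strip() != "!":
            current = (no, raw.strip(), [])
            stanzas.append(current)
        else:
            current = None
    return stanzas


def audit_config(config_text, baseline):
    """Return Findings where the config deviates from the baseline dict:
       approved_aaa   - RADIUS/TACACS+ server IPs the site really runs
       approved_peers - tunnel destination IPs the site really peers with
       approved_nat   - (local, global) pairs of sanctioned static NAT entries
       wan_interfaces - interface names that must carry an inbound ACL"""
    lines = config_text.splitlines()
    findings = []

    # Global commands: AAA server, static NAT, HTTP management.
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        m = re.match(r"(radius|tacacs)-server host (\S+)", line)
        if m and m.group(2) not in baseline["approved_aaa"]:
            findings.append(Finding("high", no,
                f"AAA server {m.group(2)} is not approved; a rogue server sees every login"))
        m = re.match(r"ip nat (inside|outside) source static (\S+) (\S+)", line)
        if m and (m.group(2), m.group(3)) not in baseline["approved_nat"]:
            findings.append(Finding("high", no,
                f"unexpected static NAT {m.group(2)} -> {m.group(3)}; traffic may be redirected"))
        if line == "ip http server":
            findings.append(Finding("medium", no,
                "plaintext HTTP management enabled (remote access to the router)"))

    # Per-interface commands: directed broadcast, tunnel peers, missing ACLs.
    for header_no, header, body in parse_stanzas(lines):
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        for no, cmd in body:
            if cmd == "ip directed-broadcast":
                findings.append(Finding("high", no,
                    f"{name}: ip directed-broadcast enabled (smurf amplifier)"))
            m = re.match(r"tunnel destination (\S+)", cmd)
            if m and m.group(1) not in baseline["approved_peers"]:
                findings.append(Finding("high", no,
                    f"{name}: tunnel to unapproved peer {m.group(1)}"))
        has_inbound_acl = any(cmd.startswith("ip access-group ") and cmd.endswith(" in")
                              for _, cmd in body)
        if name in baseline["wan_interfaces"] and not has_inbound_acl:
            findings.append(Finding("medium", header_no,
                f"{name}: no inbound ACL applied on a WAN interface"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: a config with every deviation the post describes.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
!
aaa new-model
aaa authentication login default group radius local
radius-server host 10.1.1.5 key 7 REDACTED
radius-server host 203.0.113.66 key 7 REDACTED
!
interface FastEthernet0/0
 description WAN
 ip address 198.51.100.2 255.255.255.252
 ip directed-broadcast
!
interface FastEthernet0/1
 description DMZ
 ip address 10.1.2.1 255.255.255.0
 ip access-group 110 in
 no ip directed-broadcast
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.66
!
ip nat inside source static 10.1.2.10 198.51.100.10
ip nat inside source static 10.1.2.53 203.0.113.66
ip http server
!
"""

# Constructed baseline: what the owner believes the router should contain.
BASELINE = {
    "approved_aaa": {"10.1.1.5"},
    "approved_peers": {"198.51.100.99"},
    "approved_nat": {("10.1.2.10", "198.51.100.10")},
    "wan_interfaces": {"FastEthernet0/0"},
}

if __name__ == "__main__":
    for f in sorted(audit_config(SAMPLE_CONFIG, BASELINE), key=lambda f: f.line_no):
        print(f"[{f.severity:6}] line {f.line_no:3}: {f.reason}")
```

Run against the sample it reports six deviations: the second RADIUS host, the NAT entry pointing at an address outside the plan, HTTP management, directed-broadcast on the WAN port, the WAN port with no inbound ACL, and a tunnel to an unapproved peer. In practice the baseline comes from the last reviewed configuration, and the comparison runs on every config pull (or on the syslog message a config change generates), so the changes described in the post are caught when they are made rather than during the next pentest.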



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:22 EDT