
Thread: router penetration and overcoming

  1. #1

    router penetration and overcoming

    Greetings,

    I have recently received an offer from a friend of mine to test his home network for topmost security, so that I could gain further practice in security penetration and he in security penetration prevention. Old news and a piece of cake, until I discovered he had a router. Now, only a few of you that speak to me off of AO may know that a router is my bane of security penetration. I see no possible way to crack a router, although I know it can be done and has been done. My point is this: What methods and tactics do you all use to bypass router protection (this would go for firewalls too) so that you can either A: remove the router completely out of the equation .. or B: craft packets well enough to control the network with the router still active.

    Any thoughts or suggestions? I figure it is time I learn this aspect of security for a change, rather than throw my hands up every time a router (or software firewall) comes into the game plan. My thanks in advance for your ideas. Right now I'm running a good old nmap -sS -P0 -v -D decoy1,decoy2,.....decoy13 -T Sneaky hisip so I'm hoping he left the configuration port open.

    regards,
    Pooh Sun Tzu

  2. #2
    Cybr1d (HeadShot Master N1nja), joined Jul 2003, Boston, MA, 1,840 posts
    Find out what router/firewall he's using and research vulnerabilities in that router/firewall. Hopefully his router is not fully patched up yet... so you might get lucky.

  3. #3
    phishphreek (AO übergeek), joined Jan 2002, 4,325 posts
    Yes, most routers are just hardware running a software/firmware operating system.

    Some of them will run a variant of *nix. (Surprise!)

    However, some of them are proprietary (Cisco IOS).

    Just like any other software... a router can have flaws that allow you to disable, bypass or take control of it. It just depends on which router and how up to date it is... like cybr1d pointed out.

    If the user has no ports open on their router... then you don't have much choice but to attack the router... or use social engineering to get them to let you in... (surprise package... etc.)

    For example: I have my router configured to allow remote users (read myself) to certain services from certain subnets/ip addresses. If someone else tries to access it and they are not in the allowed addresses... then they will be denied. They'd then have to find out which ip addresses are allowed... and proxy to match it. Good luck...

    It won't do you much good to "disable" a router... because that is the gateway in and out of the network.
    Good for DoS... but not for penetration testing.

    Just as an example... look at this "exploiting cisco routers" article...

    Part 1
    Part 2

  4. #4
    Thanks a ton for the information so far guys. phishy, so in short, if all the ports are shut off and set to deny, I would either have to proxy (tunnel? confused) my way in by acting as an allowed IP address... otherwise I'm SOL for penetration?

  5. #5
    phishphreek (AO übergeek), joined Jan 2002, 4,325 posts
    Originally posted here by pooh sun tzu
    Thanks a ton for the information so far guys. phishy, so in short, if all the ports are shut off and set to deny, I would either have to proxy (tunnel? confused) my way in by acting as an allowed IP address... otherwise I'm SOL for penetration?
    On my config, yes. But some routers (like home Linksys routers) and the such don't allow you to filter by IP address. They will just forward ports. I'm using ACLs (access control lists)... so I can set who and what has access to where. Not every router will allow this. You'd either have to find a flaw in the IOS that I'm using... or find some way to access my network tunneling through some proxy... or go to the site that I've allowed.

    Or, you might be able to trick me into downloading a program you've created... that will "call home" and give you access...

  6. #6
    CXGJarrod (AO Decepticon), joined Jul 2002, 2,038 posts
    Originally posted here by pooh sun tzu
    Thanks a ton for the information so far guys. phishy, so in short, if all the ports are shut off and set to deny, I would either have to proxy (tunnel? confused) my way in by acting as an allowed IP address... otherwise I'm SOL for penetration?
    Most of the stuff I have seen is mainly to DoS the router. I have been doing a little research since Cybr1d challenged me to see if I could do something to his router and firewall. (Of course I have only been looking at one or two brands of router exploit links.) A lot depends on whether they have updated firmware or not, since most of the info I am finding seems a bit dated. (6-12 months old)

  7. #7
    Or, you might be able to trick me into downloading a program you've created... that will "call home" and give you access...
    A trojan for instance would make perfect sense, but wouldn't that depend upon the ruleset for outgoing on the router? Even if I told it to form up on port 79, the router would still have to allow it. Not sure how that would help in calling home, unless the router didn't have outgoing rulesets...

    I have been doing a little research since Cybr1d challenged me to see if I could do something to his router and firewall.
    Any information either of you find, if you could post the results and how-you-did-its here, that would be amazing.

  8. #8
    CXGJarrod (AO Decepticon), joined Jul 2002, 2,038 posts
    Originally posted here by pooh sun tzu

    Any information either of you find, if you could post the results and how-you-did-its here, that would be amazing.
    I will post it if I find anything. Just gotta get some time over the weekend to do some looking.

    A trojan for instance would make perfect sense, but wouldn't that depend upon the ruleset for outgoing on the router? Even if I told it to form up on port 79, the router would still have to allow it. Not sure how that would help in calling home, unless the router didn't have outgoing rulesets...
    Or what about something that you send (like a trojan) that would modify the router settings? User opens .exe - then the exe exploits the router from the inside and opens ports.


  9. #9
    phishphreek (AO übergeek), joined Jan 2002, 4,325 posts
    Originally posted here by pooh sun tzu
    A trojan for instance would make perfect sense, but wouldn't that depend upon the ruleset for outgoing on the router? Even if I told it to form up on port 79, the router would still have to allow it. Not sure how that would help in calling home, unless the router didn't have outgoing rulesets...
    Yes... but then you could be smart... and say... what services does everyone allow out?
    HTTP? FTP? Hmmm?

  10. #10
    But the reason they usually allow them out are because they are running the actual services. I don't think a trojan could bind on the same port if another service is being used. I taught him well enough, so we WON'T open a port he isn't using.

    I'll look into writing a quick script that will alter his router from his personal computer, and then have it kill itself after one usage, and keep it non-morphing. Shouldn't be too difficult, once I can figure out his router information, that is.
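    The two defensive controls the thread circles around, phishphreek's source-restricted ACL in post #5 and the egress allow-list debated in posts #9 and #10, written out as Cisco IOS configuration. This is an added example, not config posted by anyone in the thread; the interface names, the 192.168.1.0/24 LAN and the 203.0.113.0/24 "allowed" admin subnet are assumed placeholders.

```cisco
! Added example (not from the thread). Placeholders: GigabitEthernet0/0 (WAN),
! GigabitEthernet0/1 (LAN), 192.168.1.0/24 (home LAN), 203.0.113.0/24 (the one
! remote subnet the admin wants to manage the router from).

! --- Weak: remote management reachable from any source address ---
! line vty 0 4
!  transport input telnet
! No access-class is applied, so any host that can reach the WAN address may
! attempt a login; this is the "configuration port open" case from post #1.

! --- Hardened (post #5): only the admin's known subnet may reach the VTY lines,
! and only over SSH. Everything else is denied and logged for review.
ip access-list standard MGMT-ALLOWED
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-ALLOWED in

! --- Egress allow-list (posts #9/#10): only the services the LAN actually uses
! are permitted outbound. A program trying to "call home" on TCP/79 (post #7)
! or any other unlisted port is dropped on the LAN interface and logged.
ip access-list extended LAN-OUT
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit udp 192.168.1.0 0.0.0.255 any eq domain
 deny   ip any any log
!
interface GigabitEthernet0/1
 description LAN
 ip access-group LAN-OUT in
```

Note the limit post #10 points at: a callback that uses TCP/80 or TCP/443 passes this list like any browser would, so the port filter only narrows the channel, and the `log` entries on the deny line are what give the defender a chance to notice unexpected connection attempts from inside.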
