Hey Guys!

It sounds to me like the router running a NAT service also. Although you can grap information through open holes in the firewall. You would have to be able to comprimise the system that had a globally unique IP address and then work your way in. Hitting the router would be pretty much the only solution if it is completely playing host to the workstations themselves. If any of the stations are multihomed and are running on both a real IP/subnet as apposed to an internal IP/Subnet then you could focus on that beyond the firewall (if security is a little tight). Firewalls by default will not pass broadcasts so any type of netbios hack is out of the question (assuming this is windows). I would personnaly see if SNMP was enabled and if the community strings have public/private name schemes. I could then gather information based on the MIB. As far as hacking the router? Well....linksys routers that have html interfaces store the router pwd in the html code so I might start from there. If you are using a Linksys router with software version 1.35-1.39 you are potentially victim. Get the updated firmware. That is pretty much the first hole that I can come up with.

Cordially,

Sp1d3r