Re: Router Access

From: Dan Henage (mckennage_at_gmail.com)
Date: 06/02/05

  • Next message: Steve Friedl: "Re: Router Access"
    Date: Wed, 1 Jun 2005 17:35:14 -0700
    To: pen-test@securityfocus.com
    
    

    Since they are likely running NAT and DHCP on the LAN behind the
    Linksys router (this is typical for small businesses), there is a lot
    you can do.

    For example, if they are using DHCP, you can change the DNS servers on
    the router to point to a DNS server you control, and use that to force
    users to invalid web sites without their knowledge (such as a phishing
    attack).

    Also, I usually like to look at the list of current DHCP clients in
    the DHCP clients table. You can get some information there such as the
    names and IP addresses. If you are doing a remote test, then you can
    set the DMZ host to the first of those clients, do a complete port
    scan and VA, then change the DMZ to the second host, and so on. This
    will allow you almost direct access to all the clients on the LAN. You
    can also guess IP addresses for clients that might not be using DHCP,
    or possibly figure out a way to use logging on the router to see what
    traffic is going out.

    Also, you might be able to upload hacked firmware to the router to get
    additional functionality, such as a Linux shell on the router. This
    way you might be able to do things like sniff all traffic and have it
    forwarded to you. Obviously that's going to be very intrusive.

    Dan Henage

    On 6/1/05, Sherwyn Williams <sherwill22@tmail.com> wrote:
    > This might be a dumb question but here goes!
    >
    > Once someone gets access to, say, a Linksys, for instance, apart from
    > setting up remote access to the router, or getting the client's real
    > IP address, what else can someone do? I am doing a pentest, and I want to
    > show what are some of the ways that someone can use the router access to
    > the advantage.
    >
    >
    >
    > Sherwyn Williams
    > Technical Consultant
    > (917) 650-5139
    > Sherwill22@tmail.com
    >
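
The settings named in this thread (the DNS servers handed out by DHCP, the DMZ host, remote management, the firmware) are the ones to check for drift on the defending side. The following is an added example, not part of the original post: it compares a router settings snapshot with an approved baseline. The key names, the key=value format and all addresses are constructed assumptions, not a real Linksys export.

```python
# Added example: audit a router settings snapshot against a known-good baseline.
# Key names and the key=value format are hypothetical (assumed export format).
APPROVED = """
dhcp_dns=192.0.2.53,192.0.2.54
dmz_host=
remote_mgmt=off
firmware=1.0.0-vendor
"""
# Constructed snapshot containing the kinds of changes discussed in the thread.
SNAPSHOT = """
dhcp_dns=192.0.2.54, 203.0.113.10
dmz_host=192.168.1.100
remote_mgmt=on
firmware=1.0.0-custom
"""

def parse(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def audit(approved_text, snapshot_text):
    """Return (setting, detail) findings for security-relevant drift."""
    ok, now = parse(approved_text), parse(snapshot_text)
    findings = []
    # Resolver order does not matter; any resolver outside the approved set does.
    allowed = {s.strip() for s in ok.get("dhcp_dns", "").split(",") if s.strip()}
    handed_out = {s.strip() for s in now.get("dhcp_dns", "").split(",") if s.strip()}
    for rogue in sorted(handed_out - allowed):
        findings.append(("dhcp_dns", f"unapproved resolver {rogue}"))
    # A DMZ host receives unsolicited inbound traffic, so any host that the
    # baseline does not name is a finding.
    if now.get("dmz_host") and now.get("dmz_host") != ok.get("dmz_host"):
        findings.append(("dmz_host", f"exposed host {now['dmz_host']}"))
    # Remaining settings: flag any difference, including a key that is missing.
    for key in ("remote_mgmt", "firmware"):
        if now.get(key) != ok.get(key):
            findings.append((key, f"expected {ok.get(key)!r}, found {now.get(key)!r}"))
    return findings

if __name__ == "__main__":
    for setting, detail in audit(APPROVED, SNAPSHOT):
        print(f"DRIFT {setting}: {detail}")
```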

