4

Let's say an attacker gained access to the admin panel of a home router with ports 21, 23 and 80 open.

I mean the attacker has full control over the router, thus being able to port forward, etc...

How could he gain access to the machines connected to this router?

schroeder
mumei
  • You have appeared to answer your own question; if a port forward can be configured, then the attacker sends traffic directly to each machine. – schroeder Sep 07 '15 at 02:44
  • Of course you have to note that in most cases the target machine does not run services that make use of port forwarding (utorrent/vnc/homeserver...). Also, even with access to the router you are left with little to no idea about the target machine, as the only info the router web interface and the telnet commands give is the internal IP of the target. – mumei Sep 07 '15 at 13:06
  • Windows machines have many, many ports that will respond to incoming connections. You seem to have some unstated pre-conditions in your question. Can you flesh out your question a little more? – schroeder Sep 07 '15 at 15:49

2 Answers

2

A compromised router could be used to pivot around your network, via port/vulnerability scanning and malicious payload delivery. Additionally, changing routes or tunnelling your traffic via an illegitimate VPN could be possible. This process could be very noisy though.

Personally I would only use port forwarding for the administrator interface on the router to give myself remote access to it. (Presuming I compromised the router via a LAN connection)

I may also use port forwarding for other interesting services like IP cameras, personal PCs/servers, NAS drives etc., depending on my objectives and the scope of the attack.

I think the most obvious attack would be DNS hijacking; done correctly, an attacker could enumerate all of your personal information.

Additionally, they could set up full packet capture on all of your LAN and internet traffic that passes through that router.

TheJulyPlot
  • Although all the attacks you mentioned above could be achieved, none of them includes accessing the internal network. And thanks* – mumei Sep 07 '15 at 13:09
  • Very true, but they could be used to leverage assets on the internal network and infect internal assets with malicious payloads. Also, port forwarding had been discussed for inbound access, so I was just attempting to show an additional attack vector that could be used with port forwarding to expose internal assets to the external network. Just filling in some of the gaps of what may be possible. – TheJulyPlot Sep 07 '15 at 13:14
1

There could be a few scenarios here that might work.

  1. As you say above, forward a port/bunch of ports from an internal host to the external IP address. Attack that IP.

  2. The router itself has an OS, usually a cut-down 'nix of some sort. If you could gain access to that then you would have one NIC on the internal network. You could potentially use that as a springboard onto the internal network.

  3. If the device supports it, set up a VPN to a device within your control. It might be feasible to set up routing between your network and the target network. Technically harder but could be done with the right situation.

poperob
  • Let's say for example: I have access to a router through open ports (HTTP, telnet, FTP). How can I use that to access the inside network (LAN) and (for example) run a port scan on the machine, just like if I was part of that network? – mumei Sep 07 '15 at 12:59
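
From the defender's side, the changes both answers describe (new port forwards, replaced DNS servers, an added VPN peer) show up as a diff between a known-good router configuration and the current one. The following is an added example, not code from any poster on this page; the snapshot field names and every address in it are constructed assumptions, not a vendor's export format.

```python
# Constructed snapshots (documentation address ranges); field names are assumed.
BASELINE = {
    "dns_servers": ["192.0.2.53"],
    "port_forwards": [
        {"ext_port": 51413, "proto": "tcp", "int_ip": "192.168.1.20", "int_port": 51413},
    ],
    "vpn_peers": [],
    "remote_admin": False,
}
CURRENT = {
    "dns_servers": ["203.0.113.66"],
    "port_forwards": [
        {"ext_port": 51413, "proto": "tcp", "int_ip": "192.168.1.20", "int_port": 51413},
        {"ext_port": 8080, "proto": "tcp", "int_ip": "192.168.1.1", "int_port": 80},
        {"ext_port": 554, "proto": "tcp", "int_ip": "192.168.1.40", "int_port": 554},
    ],
    "vpn_peers": ["198.51.100.7"],
    "remote_admin": False,
}


def _rule_key(rule):
    """Identity of a forward: a change to any field counts as a new rule."""
    return (rule["ext_port"], rule["proto"], rule["int_ip"], rule["int_port"])


def audit(baseline, current, router_ip="192.168.1.1"):
    """Return (kind, detail) findings for settings absent from the baseline."""
    findings = []
    for dns in current["dns_servers"]:
        if dns not in baseline["dns_servers"]:
            findings.append(("dns_changed", dns))
    known = {_rule_key(r) for r in baseline["port_forwards"]}
    for r in current["port_forwards"]:
        if _rule_key(r) in known:
            continue
        # A forward that targets the router itself exposes its admin interface.
        kind = "admin_exposed" if r["int_ip"] == router_ip else "new_forward"
        detail = f'{r["ext_port"]}/{r["proto"]} -> {r["int_ip"]}:{r["int_port"]}'
        findings.append((kind, detail))
    for peer in current["vpn_peers"]:
        if peer not in baseline["vpn_peers"]:
            findings.append(("new_vpn_peer", peer))
    if current["remote_admin"] and not baseline["remote_admin"]:
        findings.append(("remote_admin_enabled", "WAN management"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(BASELINE, CURRENT):
        print(f"{kind}: {detail}")
```

Keeping the baseline somewhere other than the router matters here, since a snapshot stored on a compromised device can be altered along with the settings.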