MITM inside router


log

Here's something I've been thinking about for a long time: you know when you go into a bar, ask for the wifi password and notice that the router has the default user and pass set?

How easy, if at all possible, would it be to somehow sniff that traffic from somewhere else? Maybe it's even possible to automate things like capturing certain types of packages, cookies or even capture some credentials?

Maybe I'm way off, I'm a complete rookie in this field. In that case I'd be very grateful if somebody explained why it can't be done!

Thanks in advance!

Link to comment
Share on other sites

Well, you could set yourself up outside the front door and have your own AP mimic the one from inside. Since you know the login you can present your AP with the same settings and due to distance your signal will be stronger than the one from within the venue. End result is people will connect to you and so long as you push their traffic through to the real AP they'll be none the wiser. Your biggest hurdle is going to be the simple fact that more and more network traffic is HTTPS these days but the stuff that isn't can easily be yours for the taking.

Link to comment
Share on other sites

In theory, if you own the device as Cooper mentioned, you should be able to log the traffic at the router/device (why router if you can use a few wifi cards and impersonate with soft AP?) or forward it off, then you could see virtually everything, sans SSL, which, if you insert your own certificate, can possibly strip SSL as well. Only thing you probably wouldn't be able to see is VPN Tunneled or SSH traffic going across the wires, which would still be encrypted.

Link to comment
Share on other sites

  • 3 weeks later...

Well I can assure you that your victim *WILL* notice and since you'd be flashing firmware you get 1 shot at glory with the non-glory scenario being a router-shaped bookstand.

Link to comment
Share on other sites

Thanks for your answers Cooper and digip. I was mostly aiming to modify the victim router itself to somehow route all traffic through a remote server, and maybe sniff stuff in there?

If you added your own DNS servers to the user's router in place of their ISP provided ones, you would be able to force them to request all sites and such through you. This should be seamless so long as they don't hard code DNS servers in their NIC settings. This requires you to set up your own DNS server though.

Link to comment
Share on other sites

I'll be investigating about creating DNS servers, thanks guys.

My thoughts were also like: "If a router is openwrt-compatible, I should be able to install a modified version of openwrt that suits my needs". In my head, these mods made to openwrt were things like pineapple infusions to perform various attacks.

Link to comment
Share on other sites

  • 4 weeks later...

Check if your router's admin menu contains settings for an http proxy, input the info of a proxy server you control (vps). Once this is done all regular http traffic will be forwarded to this proxy. You could then start capturing traffic from the router on the proxy.

Taking this further you can inject traffic from the proxy server. On squid you can enable a url rewrite program (you have to create this program).

I found using an http proxy, without touching https works well. This is pretty much what many organizations do to their internal network (content filter).

I've found that when tampering with DNS, the individual can get stuck in a redirection loop, or some client-side scripts for the web page you are trying to spoof are hosted on that very domain, so they aren't loaded by the web browser, which alerts them to a problem.

Link to comment
Share on other sites
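Seen from the client side, the resolver swap discussed in this thread can be detected by comparing what the network's resolver returns with answers from a resolver you trust. The sketch below is an added example, not code from any post: the function names are hypothetical, the answer sets are constructed sample data, and collecting the answers (for instance over DNS-over-HTTPS for the reference set) is assumed to happen elsewhere.

```python
import ipaddress
from collections import defaultdict

def audit_dns_answers(local, reference, fanin_threshold=3):
    """local / reference: {hostname: set of IP strings} from the network's
    resolver and from a trusted resolver. Only public names listed in
    `reference` are audited, so LAN-only names never raise false alarms.
    Returns {hostname: [reason, ...]}."""
    findings = defaultdict(list)
    unexpected = defaultdict(set)  # unexpected IP -> audited names mapped to it
    for host, ref_ips in reference.items():
        ips = local.get(host, set())
        for ip in sorted(ips):
            if ip in ref_ips:
                continue
            unexpected[ip].add(host)
            # A public name answered with a private/reserved address.
            if not ipaddress.ip_address(ip).is_global:
                findings[host].append("non-global")
        # Weak signal on its own: CDNs legitimately rotate addresses.
        if ips and not (ips & ref_ips):
            findings[host].append("mismatch")
    # Many unrelated names collapsing onto one unexpected address.
    for ip, hosts in unexpected.items():
        if len(hosts) >= fanin_threshold:
            for host in sorted(hosts):
                findings[host].append("shared-ip")
    return dict(findings)

def tampering_suspected(findings):
    """True only when a strong signal is present, not a bare mismatch."""
    strong = {"non-global", "shared-ip"}
    return any(strong & set(reasons) for reasons in findings.values())

# Constructed sample data: illustrative addresses, not live DNS records.
REFERENCE = {
    "example.com": {"93.184.216.34"},
    "example.org": {"93.184.216.35"},
    "example.net": {"93.184.216.36"},
}
TAMPERED = {name: {"10.0.0.66"} for name in REFERENCE}
ROTATED = dict(REFERENCE, **{"example.com": {"93.184.216.40"}})

if __name__ == "__main__":
    print(audit_dns_answers(TAMPERED, REFERENCE))
    print(tampering_suspected(audit_dns_answers(ROTATED, REFERENCE)))
```

A captive portal that has not been logged into yet produces the same fan-in pattern, so run the comparison after authenticating to the network.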
