Metasploit Router Question


Sector.Xero
I have a router setup at home. Now I've heard having a router is a level of protection, but can it be defeated?

The question I'm asking is: can a hacker who knows my external IP address (77.77.77.77) go across the internet and connect to my router, then ultimately run an exploit on a specific client on my private network, like specifically targeting 192.168.1.1?

Is there any guide to this?


Potentially yes. This depends on a big list of things however.

The major things that might make this possible are having ports forwarded in the router or having the router run a service that is exposed to the Internet. UPnP needs disabling and never enabling again. You can check what ports have services listening on them with Shields Up. Also change your router username and password.

Bear in mind that 'turning the firewall on' does not automagically make your network or your computers secure; many different types of attack rely on something in your network 'inviting' the attacker inside your network (so to speak). The 'invitation' can occur any number of ways; the main method is by visiting web pages and your browser being exploited.


Pardon the noob question,

but if you have an SPI firewall enabled (which most routers have) and NAT configured, then how would you connect to a host behind the router to exploit it?

Doesn't the SPI firewall only allow packets in that are responding to a request originated from behind the NAT router?


If you have NAT enabled then that is saying to the firewall/router "Allow all traffic on this port directly through to the other machine". On basic firewalls the firewall is then basically disabled for that port.


Port forwarding, misconfiguration and the evil of UPnP.

Ah, so you are automatically connected to the machine to which the port is forwarded from the firewall then. How about attacking multiple targets that have the same port opened on the firewall to them?

If you are just sending a connection request to the port, does that get you a handshake on the multiple machines that the port is forwarded to?


> Ah, so you are automatically connected to the machine to which the port is forwarded from the firewall then. How about attacking multiple targets that have the same port opened on the firewall to them?
>
> If you are just sending a connection request to the port, does that get you a handshake on the multiple machines that the port is forwarded to?

Can't forward one port to multiple internal addresses... at least, not in any way that it would work as you might expect.


> Can't forward one port to multiple internal addresses... at least, not in any way that it would work as you might expect.

Ah, gotcha. Well, I was thinking along the lines of uTorrent, for example.

Say there was an exploit within it such that if you sent a payload to it, it would allow remote access to a machine.

If you have 2 computers on a network that have that port opened up on the router's firewall, and then you sent the exploit payload to the port on the firewall, would you get both machines or just one?

Thanks for all of the replies so far. I'm just getting into pen testing and this is a question that I've had for a long time.


> Ah, gotcha. Well, I was thinking along the lines of uTorrent, for example.
>
> Say there was an exploit within it such that if you sent a payload to it, it would allow remote access to a machine.
>
> If you have 2 computers on a network that have that port opened up on the router's firewall, and then you sent the exploit payload to the port on the firewall, would you get both machines or just one?
>
> Thanks for all of the replies so far. I'm just getting into pen testing and this is a question that I've had for a long time.

You are still trying to forward one port to two addresses, which can't work.

If the two torrent clients used two different ports, that would work.
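An added example (not from anyone in this thread) that models the NAT/SPI behaviour discussed above: inbound packets reach a LAN host only through a state entry left by an outbound connection or through a port-forward rule, and a forward rule keyed on one external port can point at only one internal address. All IPs and ports are constructed sample values.

```python
# Added example, not from the thread: a toy stateful-inspection NAT router. Unsolicited
# inbound packets are dropped unless they match an outbound flow or a port-forward rule,
# and one external port can forward to only one LAN host. All values are constructed.

class NatRouter:
    def __init__(self):
        self.forwards = {}  # external port -> (lan ip, lan port)
        self.state = {}     # (remote ip, remote port, external port) -> (lan ip, lan port)

    def forward_port(self, ext_port, lan_ip, lan_port):
        # The table is keyed by external port, so a second host on the same port is a conflict.
        existing = self.forwards.get(ext_port)
        if existing is not None and existing != (lan_ip, lan_port):
            raise ValueError(f"port {ext_port} already forwarded to {existing}")
        self.forwards[ext_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port, ext_port):
        # A LAN host opened a connection; SPI records the flow so replies can come back.
        self.state[(remote_ip, remote_port, ext_port)] = (lan_ip, lan_port)

    def inbound(self, src_ip, src_port, dst_port):
        """LAN destination for a packet arriving on the WAN side, or None if dropped."""
        flow = self.state.get((src_ip, src_port, dst_port))
        if flow is not None:
            return flow                     # reply to something a LAN host started
        if dst_port in self.forwards:
            return self.forwards[dst_port]  # forward rule: SPI is bypassed for this port
        return None                         # unsolicited and not forwarded: dropped

def demo():
    r = NatRouter()
    r.forward_port(6881, "192.168.1.10", 6881)  # first torrent client
    r.forward_port(6882, "192.168.1.11", 6881)  # second client needs its own external port
    r.outbound("192.168.1.20", 51000, "203.0.113.5", 443, 51000)
    return {
        "unsolicited_closed": r.inbound("198.51.100.9", 40000, 3389),
        "reply_to_outbound": r.inbound("203.0.113.5", 443, 51000),
        "forward_first": r.inbound("198.51.100.9", 40000, 6881),
        "forward_second": r.inbound("198.51.100.9", 40000, 6882),
    }

def double_forward_conflicts():
    """True if forwarding one external port to a second LAN host is rejected."""
    r = NatRouter()
    r.forward_port(6881, "192.168.1.10", 6881)
    try:
        r.forward_port(6881, "192.168.1.11", 6881)
    except ValueError:
        return True
    return False
```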


I think you can port forward to a multicast address from a router, which will hit anyone listening for IGMP membership broadcasts, but multicast forwarding has to be enabled and usually it's filtered/disabled by default unless you turn it on. UPnP, which again will listen and then do whatever the hell you tell it to, can cause all kinds of havoc though. UPnP is generally bad and should be turned off not only on the router, but on the host machines as well. You can disable it under services.msc in Windows XP and later.

Also, if you use a third-party firewall with manual port range blocking, see if it also has an option to block IGMP and multicast requests/broadcasts. You can even go as far as blocking all broadcasts, then set up static IP addresses and static ARP entries for the router and any known MAC addresses for other devices on the LAN so you cut down on the broadcasts and chatter on the network. Do this on each machine, and also use MAC address filtering on the router so no other devices can get an address from the router.

Check out IronGeek's video: http://www.irongeek.com/i.php?page=videos/...and-play-upnp-1


Nice write-up digip, and thanks for supplying the linkage. You now have me curious as to what kind of stuff you can do to a UPnP-enabled device. I may have to google it up if we get quiet during work.

cheers mate.

**EDIT**

I did a quick Google search and read through, and thought I would share.

http://www.gnucitizen.org/blog/hacking-the-interwebs

http://www.gnucitizen.org/blog/flash-upnp-attack-faq

http://www.gnucitizen.org/blog/bt-ho...-bt-home-hub-5


You ain't wrong there Sparda. The changing-DNS attribute is pretty interesting.

Just a quick question: I am assuming Cisco equipment (not talking Linksys) does not support UPnP, or at least has it disabled by default? Also, what about other brands of enterprise-level routers from other manufacturers?


I think mostly it is consumer-brand routers (Linksys is Cisco, by the way) you will see UPnP capabilities in. I can't see a reason any enterprise or corporate product would EVER want UPnP capabilities in any of its products, except maybe a network printer device, and even then there are hacks for using printers to enter networks as a sort of MITM proxy agent, so UPnP should be disabled at all costs.

upnp.org has a list of standard devices that use UPnP.


Ahh, awesome, thanks for the clarification on Cisco-based equipment digip, much appreciated. Well, after having a good 2nd read through of the links I posted, I can't imagine why any home user who is the slightest bit tech savvy would enable it either; the fact that the attack is not platform specific and can utilize Flash or Java makes it even more powerful and flexible. I think I will turn UPnP off after this posting.

*nods* Couldn't agree more about the community on here; it's definitely the most insightful and helpful one I have come across.

I will also add that some all-in-one modem/routers have been shipped to unsuspecting customers by their ISP with the web interface for the router accessible from the cloud. Worse still, these can be searched for via Google, and some use the default username and password login credentials.

check it


I've recently had access to 6 or so new APs and routers from different manufacturers, and most of them have had UPnP on by default.

Insecurity out of the box is the way most manufacturers seem to go unfortunately.


I think it was the JetDirect printers that people used as stepping stones into networks as well, as they let you telnet into them directly with no passwords set most of the time. You can then pull down LAN-side IP information for their internal DNS servers, gateways, etc., and get the MAC address of the printer itself, spoofing your MAC address as the printer's, thus getting you closer to the inside network. If you were physically located near them and they had wireless access and you found the MAC address of said printer, I imagine you could then get onto the network much more easily, then send some UPnP commands to port forward/open ports on any equipment responding, such as routers, desktops, etc., making holes in their network to reach inside.
