Router Hacking

MaybeNo [maybeno]
9 years ago

0

I haven’t seen any place on this site for this, so I thought I would start a thread. I don’t know much about it, but it’s one of the things on my list to learn. So I guess this is the new unofficial place to talk about any router business.

michael.vanstaden9208
9 years ago

0

Glad I stumbled upon this thread

Being very curious and all, I’ve always wondered if it’s possible to remotely log in to an unsuspecting victim’s router, be it via console or web?
Say, for instance, I have my friend’s public/WAN IP (provided by ISP): can I use this to somehow change/alter settings on his router, and possibly set up port forwarding to access his internal network, e.g. PC?

Any thoughts/tips on this?

michael.vanstaden9208
9 years ago

0

Should probably mention, I work as a junior technical engineer for an ISP, and have some understanding of what happens in the router interface.

MaybeNo [maybeno]
9 years ago

0

Hate to see no more activity here.

f0VM
9 years ago

0

Ok, I assume you are talking about home routers.

In this case security is not that strong and there are a lot of possibilities:

1. Router web management interface is available via the internet:
   a. Usually it would be on a non-default port. So, you have to find this port first. It’s easy to get all open ports with the help of nmap. Then just check all of them to find the web management interface.
   b. Brute force credentials.
2. Publicly known back door in the router:
   Examples: https://www.google.com/search?q=home+router+backdoor
3. SNMP with RW rights and a well-known community string:
   Usually SNMP is used on enterprise networking equipment; however, sometimes it can be found on home routers as well.
   If you know the SNMP community string (works as a password), you can change the router configuration.
4. CSRF attacks targeting a user inside the network:
   In this case requests to the router will originate from a trusted IP.
   Obviously the user should be authenticated, or you should target a router which allows access to configs without authentication. The last one sounds ridiculous, but some home routers are vulnerable to it.
5. Social engineering:
   You can combine any of the previous steps with social engineering if you know the owner of the router.

Let’s say you managed to get any of the previous steps to work.

Now you probably want to mess with user.
The easiest way to do it is to change DHCP server settings on a router. You can set DNS to point to your DNS. This way users will use your DNS server. Obviously, you can modify certain DNS replies ;-)

Regarding port forwarding: it’s not as easy as it sounds. You can forward traffic only to a certain IP and port. Thus you need to know which IP is used by the computer you are targeting (if he uses DHCP, this IP could change at any time). And you need to know which port to use. In the case of a home PC it is not obvious at all.
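
The exposures listed in the post above, turned into a defensive settings audit (an added example, not part of the original thread). The settings schema, check IDs and sample values are constructed assumptions, not any vendor's export format.

```python
import ipaddress

# Assumption: "public"/"private" stand in for well-known SNMP community strings.
WELL_KNOWN_COMMUNITIES = {"public", "private"}

def audit_router(cfg, trusted_dns, approved_forwards=()):
    """Return (check_id, detail) findings for a settings dict (hypothetical schema)."""
    findings = []
    mgmt = cfg.get("management", {})
    if mgmt.get("wan_access"):
        findings.append(("MGMT_WAN", f"management UI reachable from WAN, port {mgmt.get('port')}"))
    if not mgmt.get("auth_required", True):
        findings.append(("MGMT_NOAUTH", "config pages served without authentication"))
    if mgmt.get("default_password"):
        findings.append(("MGMT_DEFAULT_PW", "factory password still set"))
    snmp = cfg.get("snmp", {})
    if snmp.get("enabled"):
        for name, access in snmp.get("communities", {}).items():
            # Read-write access guarded only by a guessable string is the risk.
            if access == "rw" and name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(("SNMP_RW_DEFAULT", f"RW community '{name}'"))
    trusted = {ipaddress.ip_address(a) for a in trusted_dns}
    for addr in cfg.get("dhcp", {}).get("dns_servers", []):
        # A resolver handed out by DHCP that nobody approved deserves a look.
        if ipaddress.ip_address(addr) not in trusted:
            findings.append(("DHCP_DNS", f"unexpected DNS server {addr}"))
    approved = set(approved_forwards)
    for fwd in cfg.get("port_forwards", []):
        key = (fwd["wan_port"], fwd["lan_ip"], fwd["lan_port"])
        if key not in approved:
            findings.append(("PORT_FORWARD", f"unapproved forward {key}"))
    return findings

# Constructed sample settings (documentation/private address ranges only).
WEAK = {
    "management": {"wan_access": True, "port": 8443, "auth_required": True, "default_password": True},
    "snmp": {"enabled": True, "communities": {"private": "rw", "public": "ro"}},
    "dhcp": {"dns_servers": ["203.0.113.66"]},
    "port_forwards": [{"wan_port": 3389, "lan_ip": "192.168.1.20", "lan_port": 3389}],
}
HARDENED = {
    "management": {"wan_access": False, "port": 443, "auth_required": True, "default_password": False},
    "snmp": {"enabled": False, "communities": {}},
    "dhcp": {"dns_servers": ["192.168.1.1"]},
    "port_forwards": [],
}

if __name__ == "__main__":
    for check_id, detail in audit_router(WEAK, trusted_dns=["192.168.1.1"]):
        print(f"{check_id}: {detail}")
```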

MaybeNo [maybeno]
9 years ago

0

Well there we go. @f0VM thank you for the helpful reply! A question I have is this; What kind of security do… well, secure routers have, and what methods are used to bypass this?

2 replies have been removed
michael.vanstaden9208
9 years ago

0

Geez f0VM, what a wonderful post, I AM SO OVERWHELMED TO HAVE RECEIVED A REPLY…
Joking. Truth is, I haven’t been online for some time, only saw the post now.

So, here it is: thank you very much for the information provided.
It did indeed help me very much.

And yes, I do have a question:

  • Can I scan for open ports on a router using the public IP with nmap?
    EXAMPLE:

nmap -sP [public IP/session IP]

michael.vanstaden9208
9 years ago

0

P.S. No offence intended.

f0VM
9 years ago

0

Sure you can. Although results will vary depending on vendor and configs.

If the router is properly configured and doesn’t have backdoors, nmap won’t give you anything, e.g. no open ports.

michael.vanstaden9208
9 years ago

0

Thank you. Any other alternatives to nmap, maybe something better?

Reply has been removed