EH-Net

I was trying to figure out at my house here i have 3 different computers hooked up with different flavors of linux as well as windows and different vm's within those I am trying to more or less set up my own network and then seeing if the different firewalls and what not i have set up work. I have a router obviously for this and am not forwarding any ports to any computer so when i use nmap everything is stuck in filtering for all the ports per the router firewall. Which is normal i want it to be as realistic as possible but i can't seem to get past the router to my actual machine itself. So my question is how to proceed from there. If anyone could point me in the right direction i would greatly appreciate it.

What is it you're trying to accomplish?

If your router (NAT device/firewall) does not forward traffic, then you can't get beyond it to your network.

Typically the border device (router or firewall) forwards traffic it receives per its ruleset to the correct internal server.

Is this all internal or are you trying to get through your router from the internet?

You're not going to be able to do a great deal without having anything available.

Does the router have any known vulnerabilities?

You might be able to do an ack scan, but those should be stopped by a stateful firewall.

You could also experiment with client-side attacks (as if a user opened a malicious web site, email, PDF, etc.).

i must say that your post isnt really clear. Are you trying to scan through the internal network or through the internet? if you cant see any ports your firewall does its work good. you must open them to connect to the other system. remember that there has to be a service behind it also!

As stated, your router is blocking the traffic.  If you want to test the security of each of the different distributions you may want to invest a few bucks on a cheap 10/100 hub.  A router will only send traffic out to specific ports, unless you flood it and make it fail back to be a hub, or you use ARP spoofing, or any number of other tricks.  But if you are just doing it for testing, then get a hub which sends traffic to all ports, regardless of which computer it is destined for.

@unsupported

you mentioned that one could flood a router or do ARP poisoning in order to capture the traffic. But doesn't a router operate in Layer-3? As far as I am concerned a router is not affected by such an attack?

or am I wrong?

@JollyJokker

A lot of the routers out there now days have switches built into them, and there layer 2/3 devices. I know of a couple of places using Cisco layer 2/3 devices as their edge routers, and connecting servers or other switches off of them at the same time.

Haven't tried arp poisoning something like that yet (don't have any in my labs), but would be interested in seeing what happens.

i'm scanning through the internet remote computer so for instance i'm on my laptop going into my router i have a dyndns account set up so it's straight through i'm not forwarding any ports and nmap reads the following:

PORT    STATE    SERVICE     VERSION
21/tcp  filtered ftp
22/tcp  filtered ssh
53/tcp  filtered domain
80/tcp  filtered http
110/tcp filtered pop3
139/tcp filtered netbios-ssn
143/tcp filtered imap
443/tcp filtered https

so everything is filtered at the router itself is there anyway through that or would you say it's pretty secure?

also the ARP poisioning i understand most of it but more or less what is happening with the router i know the dhcp service is going to submit an ip address to the router based upon the router's mac address. And then the router essentially is the new dhcp server for the local network. But essentially is the ARP poisioning doing?

In a rather generic nutshell -

ARP poisoning basically tricks devices on the network into associating an IP address from a valid host (or router) to another host or router, by propagating the secondary device's MAC address into the ARP tables.

It's not really a DHCP attack.  ARP poisoning basically tells the victim, "Forget what you know about your default gateway (router).  I am  your default gateway.  Send all your traffic to me."  You don't need DHCP on the network to accomplish this.  Once the victim believes that the attacker's MAC address belongs to the default gateway (router), he will send all Internet bound traffic to the attacker.  The attacker will sniff the traffic and forward it to the actual router.   This is why it is called a man-in-the-middle attack.

ok so I get that now and the man in the middle attack and sniffing the data. But what i'm trying to figure out is ok so we have this router I use ettercap or whatever tool to do the arp poisoning and route the packets through my computer first and then to the router so i see the packets all in pretty much hex and really doesn't make much sense i can read and binary but not sure what i'm looking at with the sniffing here but then how from there how would i select the specific computer and ultimately get a shell on it which is my ultimate goal to learn to do? Like I said i'm kinda new to this and more of a hands on type of learner which is why i set the network up in my house like this and pretty much closed everything to see if what i read in several books and what not i could put to actual use and then go from there to secure it more and then try to break it again LOL.

You should Google a few sniffing articles so that you understand what kind of data goes over the wire.   There are many ways to compromise your victim once you are able to sniff traffic.   Think about how many protocols send authentication data in plain-text.   Think about all the web attacks, XSS, particularly.   You should take a look at tools like dsniff and BeEF. 

It depends on what the data is, that you sniff.  You can read the ascii text in packets, so if you happen to be sniffing, for example, traffic going to an html login page that isn't ssl encrypted, you might see plaintext passwords, and the like.  You might also see, as Ketchup noted, a relevant filename, xss vulnerabilities, or exploitable php script being accessed, etc.  Consequently, you might see other ports and services show up in the trace, that you weren't aware of, that are open on the server being queried, so you can then banner grab or research and target attacks that are relevant to the services running on those ports.  This is all a learning process, and there are often times, when I'm scanning in this fashion, that I spot new services and ports that I wasn't previously aware of (new stuff, yay!) and I can learn what those services are, and how to exploit them.

It's a process, but one worth learning, as, even if you DON'T pursue security, in the end, you will have a much better knowledge of what goes on within the network in question.

OK I will definitely look into the sniffing portion but how do i still get around this router?

Depends... if you're coming from the outside (public internet) to your internal network, then you'll need to find a port or service forwarded through the router, to an internal machine, to attack, or find some way to get access through a host on the inside.  Malicious email / website to push code down, or deceive user into running some shellcode or something with a reverse shell, etc.  ARP redirection will only be applicable on the same network / subnet, not to fully bypass a router from the outside, in.

ok so i understand now how to do the mitm attacks with the arp poisioning but lets say i have a router ip address of 74.xxx.xxx.xxx ok how would i see the other computers within that network. Using nmap to scan shows filtered for the router. Now i can successfully do this within my own network IE connected to my router do mitm router to my desktop ie target 1 192.168.1.1 target 2 192.168.1.102 but to do this remotely i'm still lost?

OK, again, if your router ports aren't being forwarded through (as I'd mentioned in my previous response) you won't be able to 'see into the internal network, behind the router,' via an nmap scan or the like.  All you can do is work with ports that DO get through (aren't being filtered) or you're going to have to try to be manipulative and accomplish some sort of client-side exploit, via webpage / email / whatever, and gain reverse shell access to a machine that IS behind the firewall.

Basically, if NO ports and services are being allowed past the router / firewall, then there ARE no exploits that'll gain you access (which seems to be the direction you're WANTING to go,) further than the public interface of the router or firewall, unless you gain access via a client-side exploit.  You could TRY to firewalk past the firewall / router (manipulate packets' time-to-live to try to enumerate hosts behind it,) but if all of the ports are being filtered AT the router, than you won't get any further via that method, either.

sorry about that i didn't see the first one so more or less if i filter the ports there is no way in no matter what the only way would be client side exploit like you stated there is no way to essentially fool the firewall on the router to let me pass unless a port is forwarded correct? Does this include packet sniffing even tho i may not be able to open a shell but could i remotely packet sniff on that router remotely if all ports are filtered?

Your only other options would be if you somehow accessed any configured remote management on the router, or found some sort of exploit for said router, that gave you the ability to reconfigure it, etc.  But otherwise, that'd be correct.

Sniffing only works if you're on the same network as the machines whose data you want to sniff.
Could you be more clear?

Is there a way to guess what type of router it is nmap -A doesn't work since all ports are filtered. What steps could be taken to more or less enumerate the router itself instead of the computers behind?

To me at least and i could be wrong but that just seems to easy. Like all I have to do is filter every port on the router and there's no connection allowed to it and essentially makes my network impenetrable. Like i said that just seems way to easy to me.

Are you running some remote management service on the router, like telnet ot perhaps SNMP? Someone could connect to them and try to enumerate it.

You can also try using p0f , however, I'm not sure if it can detect type of router.

However, since you're using a NAT configuration, you aren't scanning any of your systems. Instead your nmap scan shows the result of router ports. Unless you're forwarding some port from your router to any of your system you shouldn't worry about someone compromising your system from the outside. There are, however, other methods to bypass your router. Someone could try a social engineering attack against you and try to take advantage of client side exploits to launch a reverse shell back to attacker or install a malware to get hold of your password and other data.

p0f only works if your on the network doesn't work remotely correct?

p0f works for remote systems too. It sniffs the packets coming from the remote host to your system and based on the header fields tries to discern the OS type.
However, I don't think it has signatures to detect router type.

Have you tried using fragmentation? Most of the firewalls now are not easily fooled by it but you can still try. Also, note that an attacker need not try to compromise your system from the outside.  He could gain access to your systems by other methods such as malwares and make a reverse connection (Netcat, anyone?) to him.  Or he could exploit a browser vulnerability and gain access through it. All these methods are used to bypass the firewalls.

Protection by firewall is a combination of properly configuring it and using good ACLs. Attackers test you ACL while trying to bypass your firewall. Also like I earlier pointed out, make sure that you don't use remote management like telnet on your router. Normally you don't need it for a home network.