Router and Firewall questions

[hayabusa]

Depends... if you're coming from the outside (public internet) to your internal network, then you'll need to find a port or service forwarded through the router, to an internal machine, to attack, or find some way to get access through a host on the inside.  Malicious email / website to push code down, or deceive user into running some shellcode or something with a reverse shell, etc.  ARP redirection will only be applicable on the same network / subnet, not to fully bypass a router from the outside, in.

[dasecretzofwar]

ok so i understand now how to do the mitm attacks with the arp poisioning but lets say i have a router ip address of 74.xxx.xxx.xxx ok how would i see the other computers within that network. Using nmap to scan shows filtered for the router. Now i can successfully do this within my own network IE connected to my router do mitm router to my desktop ie target 1 192.168.1.1 target 2 192.168.1.102 but to do this remotely i'm still lost?

[hayabusa]

OK, again, if your router ports aren't being forwarded through (as I'd mentioned in my previous response) you won't be able to 'see into the internal network, behind the router,' via an nmap scan or the like.  All you can do is work with ports that DO get through (aren't being filtered) or you're going to have to try to be manipulative and accomplish some sort of client-side exploit, via webpage / email / whatever, and gain reverse shell access to a machine that IS behind the firewall.

Basically, if NO ports and services are being allowed past the router / firewall, then there ARE no exploits that'll gain you access (which seems to be the direction you're WANTING to go,) further than the public interface of the router or firewall, unless you gain access via a client-side exploit.  You could TRY to firewalk past the firewall / router (manipulate packets' time-to-live to try to enumerate hosts behind it,) but if all of the ports are being filtered AT the router, than you won't get any further via that method, either.

[dasecretzofwar]

sorry about that i didn't see the first one so more or less if i filter the ports there is no way in no matter what the only way would be client side exploit like you stated there is no way to essentially fool the firewall on the router to let me pass unless a port is forwarded correct? Does this include packet sniffing even tho i may not be able to open a shell but could i remotely packet sniff on that router remotely if all ports are filtered?

[hayabusa]

Your only other options would be if you somehow accessed any configured remote management on the router, or found some sort of exploit for said router, that gave you the ability to reconfigure it, etc.  But otherwise, that'd be correct.

[Equix3n-]

Does this include packet sniffing even tho i may not be able to open a shell but could i remotely packet sniff on that router remotely if all ports are filtered?

Sniffing only works if you're on the same network as the machines whose data you want to sniff.
Could you be more clear?

[dasecretzofwar]

Is there a way to guess what type of router it is nmap -A doesn't work since all ports are filtered. What steps could be taken to more or less enumerate the router itself instead of the computers behind?

[dasecretzofwar]

To me at least and i could be wrong but that just seems to easy. Like all I have to do is filter every port on the router and there's no connection allowed to it and essentially makes my network impenetrable. Like i said that just seems way to easy to me.

[Equix3n-]

Are you running some remote management service on the router, like telnet ot perhaps SNMP? Someone could connect to them and try to enumerate it.

You can also try using p0f , however, I'm not sure if it can detect type of router.

However, since you're using a NAT configuration, you aren't scanning any of your systems. Instead your nmap scan shows the result of router ports. Unless you're forwarding some port from your router to any of your system you shouldn't worry about someone compromising your system from the outside. There are, however, other methods to bypass your router. Someone could try a social engineering attack against you and try to take advantage of client side exploits to launch a reverse shell back to attacker or install a malware to get hold of your password and other data.

[dasecretzofwar]

p0f only works if your on the network doesn't work remotely correct?

[Equix3n-]

p0f works for remote systems too. It sniffs the packets coming from the remote host to your system and based on the header fields tries to discern the OS type.
However, I don't think it has signatures to detect router type.

Have you tried using fragmentation? Most of the firewalls now are not easily fooled by it but you can still try. Also, note that an attacker need not try to compromise your system from the outside.  He could gain access to your systems by other methods such as malwares and make a reverse connection (Netcat, anyone?) to him.  Or he could exploit a browser vulnerability and gain access through it. All these methods are used to bypass the firewalls.

Protection by firewall is a combination of properly configuring it and using good ACLs. Attackers test you ACL while trying to bypass your firewall. Also like I earlier pointed out, make sure that you don't use remote management like telnet on your router. Normally you don't need it for a home network.