Hey does anyone have any tips on methodology/steps that should be taken to examine a home router?
It's just a simple router that you see in every home with a DSL/Cable connection.
I was just going to hook 'er up and screenshot pertinent data, such as forwarded ports and what not. I don't think there is really any "forensically sound" method for doing this, is there?
I've already looked into telnet access to the router and it won't provide what I need. I don't think it would be anymore forensically sound either.
Greetings,
The last time I did one of these, I did something similar to the following tasks
1) Document everything in its native state.
2) Sniff network traffic on all interfaces in the network's "native" state.
You've not changed anything at this point, but the firewall's state is changing.
Now things will change. You probably want to disconnect the network interfaces at this point.
1) Log in. Document current state with screenshots/photos.
2) Check for SNMP and logging capabilities. If they're available, collect them in an appropriate manner.
3) Dump the firmware.
4) Run nmap against all the interfaces.
-David
Great ideas, thanks. This router was sent so I won't have to do any network monitoring.
If it is off, there won't be much useful information available. Depending on vendor, you may get some configuration settings and if the firmware was not authentic (downloaded from the net instead of buying an expensive upgrade, etc.), you may find malware/remote there. I posted a few links on router forensics on my blog last year.
http//
My general process on a live router would be the following
1. Note the router’s status/activity (LEDs)
2. Secure the router? (i.e. pull the network cables unless you are planning on verifying who is currently connected, sniffing, or mapping)
3. Configure your computer’s network settings (for DHCP although this will get you added to the log files so take good notes)
4. Physically connect to the router’s internal network
5. Identify the router’s IP address (and open ports if you want to try to FTP or Telnet)
6. Access the router interface (typically using your web browser)
7. Logon (assuming you have the user's password or it's still set to the default)
8. Note the router date/time and the actual date/time
9. Download/copy the router’s log files
10. Download/copy the router’s settings
11. Map the network?
For a router whose power has been turned off, steps 1, 2, 11, and probably 9 as well may not apply. Turning off a router usually deletes log files as they are stored in volatile memory.
You may want to research and download any hidden files (if you know of any) as some (e.g. Wizard.htm on the Linksys WRT54GX) contain useful information such as the router PASSWORD. Some of them also contain configuration information unavailable through the usual web interface so they could also tell you if the router's settings have been modified/hacked.
Also, if you don't have the password, you can check out phenoelit for the default password (http//
Only one router that I know of has a backdoor password; the Netgear WG602. (Logon super & Password 5777364, or Logon superman Password 21241036) and they are pretty old now. [But if you have a Chinese CISCO clone, you can always phone their embassy and ask politely ) ]
Hope I haven't rambled on too long and that this is perhaps of some future use.
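As an added example (not code from the thread or from any vendor's tooling), a small Python helper for steps 3, 8, 9 and 10 of the live-router procedure above: it records how far the router's clock is off real time, hashes each downloaded log or settings file for the examiner's notes, and tags the log lines the examiner's own DHCP connection produced so they are documented rather than mistaken for an intrusion. The log format, MAC address and IP addresses are constructed sample data.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample log in a made-up export format (not a real vendor's).
SAMPLE_LOG = """\
[DHCP]  2009-03-02 14:01:10 lease 192.168.1.64 to 00:1a:2b:3c:4d:5e
[WAN]   2009-03-02 14:02:33 inbound 203.0.113.7:4444 -> 192.168.1.100:22 (forwarded)
[DHCP]  2009-03-02 14:05:41 lease 192.168.1.101 to 00:11:22:33:44:55
[ADMIN] 2009-03-02 14:06:02 login from 192.168.1.101
"""
EXAMINER_MAC = "00:11:22:33:44:55"  # the examiner's laptop (constructed)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def clock_offset_seconds(router_time: str, actual_time: str) -> int:
    """Step 8: seconds the router clock is ahead (+) or behind (-) real time.

    Both values are "YYYY-MM-DD HH:MM:SS" strings (router UI value and the
    examiner's trusted clock); the offset is what log timestamps must be
    corrected by. Assumes both are read in the same time zone.
    """
    rt = datetime.strptime(router_time, TIME_FMT)
    at = datetime.strptime(actual_time, TIME_FMT)
    return int((rt - at).total_seconds())

def flag_examiner_activity(log_text: str, examiner_mac: str) -> list:
    """Step 3: tag log lines caused by the examiner's own connection.

    The DHCP lease handed to examiner_mac gives the examiner's IP; any
    later line naming that IP (e.g. the admin login) is tagged too, so it
    is documented as examiner activity rather than read as an intrusion.
    """
    examiner_ips = set()
    tagged = []
    for line in log_text.splitlines():
        ips = set(IP_RE.findall(line))
        if examiner_mac.lower() in line.lower() and "lease" in line:
            examiner_ips |= ips
        tagged.append({"line": line, "examiner": bool(ips & examiner_ips)})
    return tagged

def manifest_entry(name: str, data: bytes, collected_utc: str = "") -> dict:
    """Steps 9/10: SHA-256, size and collection time for one saved artifact."""
    when = collected_utc or datetime.now(timezone.utc).isoformat()
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "bytes": len(data), "collected_utc": when}
```

Record the returned offset and manifest entries in the same notes as the screenshots, since the hashes are what later show the downloaded files were not altered.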