News: This forum is now permanently frozen.
Topic: Is it possible to gain access to the internal LAN via a broadband (ADSL) router?  (Read 1373 times)
« on: June 20, 2008, 22:46:59 »
marklodge *
Posts: 6

Is it possible to gain access to the internal LAN via a broadband (ADSL) router, if I know the router password?

I've heard that users should always change their default router passwords, as this can be exploited to allow hackers to gain access to the internal LAN (computers connected to the router) and to files stored on every PC on that LAN. Is this true? If yes, then how is it done? I have done some searching but came up with nothing. Please enlighten us on this matter.

I have also read some threads which say that certain ports should be forwarded to be able to gain access to the internal LAN, but this was not very clear.

What is a malicious user able to accomplish if he knows the password of my broadband (ADSL) router? (Besides knowing my WAN username & password and resetting my router)

Any comments will be much appreciated.
« Reply #1 on: June 20, 2008, 23:09:54 »
cmoerz *
Posts: 3

That very much depends on the capabilities of your ADSL router. A lot of routers come with the capability to forward ports, execute pings etc.

Some of them can list the open connections - giving an attacker insight about host addresses on the LAN. Or if the router supports executing a ping, an attacker could do a broadcast ping to gain a rudimentary list of hosts on the LAN. With the LAN addresses, he could set up port forwardings to whichever hosts he likes and run exploits on those hosts.

In case that ADSL router is more than just a simple blackbox, he might even be able to flash the operating system if there's a firmware upload and run e.g. Linux - giving him an unlimited number of potential exploits to run against your LAN machines....

Another thing is that a router might permit adding redirects or DNS overrides etc., redirecting your traffic where you don't want it to go - e.g. your netbanking, sending your password to the attacker instead of the bank... the possibilities are endless.

I'd say the list goes on and on and on. It's pretty much like giving away any password: it's just a bad idea.
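
A defensive check for the router changes named in the reply above (port forwardings, DNS overrides, replaced firmware), as an added example that is not part of the original thread: it compares a router settings export against a baseline the owner recorded. The export format, field names, function name and addresses are constructed for illustration and are not any vendor's.

```python
import ipaddress

# Constructed sample of a router settings export (hypothetical format, not any vendor's).
SAMPLE_EXPORT = {
    "firmware_version": "1.0.4",
    "wan_admin_enabled": True,
    "dhcp_dns_servers": ["192.0.2.53", "203.0.113.66"],
    "dns_host_overrides": {"netbanking.example": "203.0.113.80"},
    "port_forwards": [
        {"proto": "tcp", "wan_port": 443, "lan_ip": "192.168.1.10", "lan_port": 443},
        {"proto": "tcp", "wan_port": 8080, "lan_ip": "192.168.1.23", "lan_port": 8080},
    ],
}

# Known-good baseline recorded by the owner after setting the router up (constructed).
BASELINE = {
    "firmware_version": "1.0.4",
    "dns_servers": {"192.0.2.53"},
    "port_forwards": {("tcp", 443, "192.168.1.10", 443)},
    "dns_host_overrides": {},
}

def audit_router_settings(export, baseline):
    """Return (category, detail) findings where the export drifts from the baseline."""
    findings = []
    if export.get("wan_admin_enabled"):
        findings.append(("wan-admin", "management interface reachable from the WAN side"))
    if export.get("firmware_version") != baseline["firmware_version"]:
        findings.append(("firmware", f"version {export.get('firmware_version')} != baseline"))
    for server in export.get("dhcp_dns_servers", []):
        ipaddress.ip_address(server)  # raises ValueError on a malformed entry
        if server not in baseline["dns_servers"]:
            findings.append(("dns-server", f"unexpected resolver {server} handed out by DHCP"))
    for host, addr in export.get("dns_host_overrides", {}).items():
        if baseline["dns_host_overrides"].get(host) != addr:
            findings.append(("dns-override", f"{host} -> {addr}"))
    for fwd in export.get("port_forwards", []):
        key = (fwd["proto"], fwd["wan_port"], fwd["lan_ip"], fwd["lan_port"])
        if key not in baseline["port_forwards"]:
            findings.append(("port-forward", f"{fwd['proto']}/{fwd['wan_port']} -> "
                                             f"{fwd['lan_ip']}:{fwd['lan_port']}"))
    return findings

if __name__ == "__main__":
    for category, detail in audit_router_settings(SAMPLE_EXPORT, BASELINE):
        print(f"[{category}] {detail}")
```
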
« Reply #2 on: June 21, 2008, 20:06:30 »
marklodge *
Posts: 6

So you're saying that it's not just as simple as "I have router password so I have access to your LAN"?

Meaning advanced techniques are required to be able to access the internal LAN?

« Reply #3 on: June 21, 2008, 20:34:47 »
cmb *****
Posts: 851

Yes, it is possible. I'm leaving it at that because there is nothing good you could do if I told you how. I'm also going to lock your duplicate threads because they aren't m0n0wall related; this isn't a training ground for script kiddies, which is where this appears to be going.

If you have m0n0wall-specific questions, you're welcome to start new threads. You are NOT welcome to start more threads along these lines.
 