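#!/usr/bin/env bash
# Router Diagnostic Script
# Actually determines if router is compromised based on evidence
#
# Usage: router_diagnostic.sh [ROUTER_IPV4]      (default: 192.168.50.1)
#
# Read-only: the script only inspects this host's resolver, routing and
# neighbour tables, its own listening sockets and the systemd-resolved journal,
# and fetches the router's unauthenticated landing page. No credentials are
# sent anywhere. Every line of output is also appended to
# router_diagnostic_<timestamp>.log in the current directory.
#
# Exit status: 0 when no check flagged anything, 1 when at least one finding
# was recorded, 2 on bad usage. The assessment and summary at the end are
# generated from what the checks actually observed (previously they were
# hard-coded and could contradict the checks).

set -u   # unset variables are bugs; deliberately NOT -e: a failed probe is a finding, not a crash

# Router address: optional first argument, validated so an option-looking value
# (e.g. "-f") can never reach ping/curl as a flag.
ROUTER_IP="${1:-192.168.50.1}"
if [[ ! "$ROUTER_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  printf 'usage: %s [ROUTER_IPV4]\n' "${0##*/}" >&2
  exit 2
fi
readonly ROUTER_IP
readonly LOG_FILE="router_diagnostic_$(date +%Y%m%d_%H%M%S).log"

# State written by the checks and read by evidence_assessment/main.
ROUTER_REACHABLE=0
WEB_ACCESSIBLE=0
declare -a FINDINGS=()

#######################################
# Print a line to stdout and append it to the log.
# Globals:   LOG_FILE (read)
# Arguments: the text (may be empty or multi-line)
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$LOG_FILE"
}

#######################################
# Record a suspicious observation so the assessment can cite it later.
# Globals:   FINDINGS (appended)
# Arguments: $1 - short description of the finding
#######################################
flag() {
  FINDINGS+=("$1")
  log "⚠️ $1"
}

#######################################
# List this host's listening TCP/UDP sockets, one per line (ss preferred,
# net-tools netstat as fallback). Prints nothing when neither tool exists.
#######################################
list_listeners() {
  if command -v ss > /dev/null 2>&1; then
    ss -tuln 2>/dev/null
  elif command -v netstat > /dev/null 2>&1; then
    netstat -tuln 2>/dev/null
  fi
}

#######################################
# Section 1: can the router be pinged, and does it answer HTTP?
# Globals:   ROUTER_IP (read), ROUTER_REACHABLE, WEB_ACCESSIBLE (written)
# Returns:   0 if the router answers ping, 1 otherwise
#######################################
check_router_access() {
  log "1. Router Accessibility Check"
  log "============================"
  log ""
  log "Testing router connectivity..."
  # -W 2: per-reply timeout, so an unreachable router costs ~6s rather than minutes.
  if ping -c 3 -W 2 "$ROUTER_IP" > /dev/null 2>&1; then
    ROUTER_REACHABLE=1
    log "✅ Router is reachable"
  else
    log "❌ Router is not reachable"
    return 1
  fi
  log ""
  log "Testing router web interface..."
  # curl -s without -f: any HTTP answer (even 401/403) counts as "accessible".
  # timeout guards against a half-open TCP connection hanging the script.
  if timeout 5 curl -s -o /dev/null "http://$ROUTER_IP/" 2>/dev/null; then
    WEB_ACCESSIBLE=1
    log "✅ Router web interface is accessible"
  else
    log "❌ Router web interface is not accessible"
  fi
}

#######################################
# Section 2: DNS servers, default routes and the router's ARP/neighbour entry.
# Globals:   ROUTER_IP (read), FINDINGS (via flag)
#######################################
check_compromise_indicators() {
  local -a odd_dns=() odd_routes=() macs=()
  local server

  log ""
  log "2. Compromise Indicator Analysis"
  log "==============================="
  log ""
  log "Checking DNS settings for hijacking..."
  log "Current DNS servers:"
  grep '^nameserver' /etc/resolv.conf 2>/dev/null | tee -a "$LOG_FILE"
  # NOTE: with systemd-resolved this file only shows the 127.0.0.53 stub; the
  # upstream servers it forwards to are reported by `resolvectl status`.
  # Exact-match allow list: a substring match would accept e.g. 18.8.8.8
  # because it contains "8.8.8.8".
  while read -r _ server _; do
    case "$server" in
      127.0.0.53|8.8.8.8|1.1.1.1|"$ROUTER_IP") ;;
      *) odd_dns+=("nameserver $server") ;;
    esac
  done < <(grep '^nameserver' /etc/resolv.conf 2>/dev/null)
  if (( ${#odd_dns[@]} > 0 )); then
    flag "SUSPICIOUS DNS SERVERS DETECTED"
    printf '%s\n' "${odd_dns[@]}" | tee -a "$LOG_FILE"
  else
    log "✅ DNS servers appear normal"
  fi

  log ""
  log "Checking routing table for hijacking..."
  log "Default routes:"
  ip -4 route show default 2>/dev/null | tee -a "$LOG_FILE"
  # Any default route that is not "via <router>" is reported, including ones
  # with no gateway at all (e.g. a tunnel interface).
  mapfile -t odd_routes < <(ip -4 route show default 2>/dev/null \
    | awk -v gw="$ROUTER_IP" '!($2 == "via" && $3 == gw)')
  if (( ${#odd_routes[@]} > 0 )); then
    flag "SUSPICIOUS DEFAULT ROUTES DETECTED"
    printf '%s\n' "${odd_routes[@]}" | tee -a "$LOG_FILE"
  else
    log "✅ Default routes appear normal"
  fi

  log ""
  log "Checking for man-in-the-middle attacks..."
  log "ARP table entries for router:"
  # `ip neigh` replaces the deprecated net-tools `arp`; "to <ip>" is an exact
  # match, whereas grepping for the IP also matched 192.168.50.10, .100, ...
  ip neigh show to "$ROUTER_IP" 2>/dev/null | tee -a "$LOG_FILE"
  mapfile -t macs < <(ip neigh show to "$ROUTER_IP" 2>/dev/null \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1) }' | sort -u)
  if (( ${#macs[@]} > 0 )); then
    log "Router MAC address: ${macs[0]}"
    # The kernel keeps one neighbour entry per (IP, interface), so a spoofed
    # reply *replaces* the MAC rather than adding a second entry: more than one
    # MAC is a strong signal, exactly one is not proof of absence. Comparing the
    # MAC with the one printed on the router's label is the reliable check.
    if (( ${#macs[@]} > 1 )); then
      flag "MULTIPLE MAC ADDRESSES FOR ROUTER - POSSIBLE ARP SPOOFING!"
    else
      log "✅ Single MAC address for router"
    fi
  else
    log "No neighbour entry for router (no recent traffic to it?)"
  fi
}

#######################################
# Section 3: unexpected listening ports on this host and keyword hits in the
# resolver journal.
# Globals:   FINDINGS (via flag)
#######################################
check_suspicious_activity() {
  # Ports that should not normally be listening on a workstation. Anchored on
  # trailing whitespace so ":25" no longer matches ":2500" or ":25000".
  local -r port_re=':(25|1433|3306|5432|27017|6379|8080|8443|4444|31337)[[:space:]]'
  local -r keyword_re='(malware|virus|trojan|phishing|spam|botnet|crypto|mining|ransomware|ddos|exploit|hack|crack|warez|porn|adult|xxx|sex|malicious|suspicious)'
  local listeners hits count

  log ""
  log "3. Suspicious Network Activity Check"
  log "==================================="
  log ""
  log "Checking for unusual connections..."
  # These are sockets open on THIS machine, not on the router; an unexpected
  # listener here points at a local problem rather than a router one.
  listeners=$(list_listeners | grep -E "$port_re")
  count=0
  [[ -n "$listeners" ]] && count=$(printf '%s\n' "$listeners" | wc -l)
  if (( count > 0 )); then
    flag "SUSPICIOUS PORTS DETECTED: $count"
    printf '%s\n' "$listeners" | tee -a "$LOG_FILE"
  else
    log "✅ No suspicious ports detected"
  fi

  log ""
  log "Checking for unusual DNS queries..."
  # systemd-resolved only logs query names at debug level, so this is usually
  # empty; the keyword list is also noisy ("crypto" matches any TLS-related
  # line). Treat hits as something to read, not as proof. The journal is read
  # once and reused for the count and the excerpt.
  hits=$(journalctl -u systemd-resolved --since "1 hour ago" --no-pager -q 2>/dev/null \
    | grep -i -E "$keyword_re")
  count=0
  [[ -n "$hits" ]] && count=$(printf '%s\n' "$hits" | wc -l)
  if (( count > 0 )); then
    flag "SUSPICIOUS DNS QUERIES DETECTED: $count"
    printf '%s\n' "$hits" | tail -5 | tee -a "$LOG_FILE"
  else
    log "✅ No suspicious DNS queries detected"
  fi
}

#######################################
# Section 4: fetch the router's unauthenticated landing page and guess the brand.
# Globals:   ROUTER_IP (read)
#######################################
check_router_config() {
  local -r brand_re='netgear|linksys|asus|tp-link|d-link|belkin|motorola|arris|comcast|xfinity'
  local response brand

  log ""
  log "4. Router Configuration Check"
  log "============================"
  log ""
  log "Attempting to access router configuration..."
  # Landing page only; no credentials are sent.
  response=$(timeout 5 curl -s "http://$ROUTER_IP/" 2>/dev/null | head -20)
  if [[ -n "$response" ]]; then
    log "Router response (first 20 lines):"
    log "$response"
    # -o keeps just the matched keyword instead of a whole HTML line.
    brand=$(printf '%s\n' "$response" | grep -i -o -E "$brand_re" | head -1)
    [[ -n "$brand" ]] && log "Router brand detected: $brand"
  else
    log "No response from router web interface"
  fi
}

#######################################
# Section 5: what the run established, what it did not, and how to proceed.
# Globals:   ROUTER_IP, ROUTER_REACHABLE, WEB_ACCESSIBLE, FINDINGS (read)
#######################################
evidence_assessment() {
  local finding

  log ""
  log "5. EVIDENCE-BASED ASSESSMENT"
  log "==========================="
  log ""
  log "🔍 WHAT WE ACTUALLY KNOW:"
  # Items 1 and 2 mirror check_router_access; they used to be printed
  # unconditionally and contradicted the checks whenever the router was down.
  if (( ROUTER_REACHABLE )); then
    log "1. Router is reachable at $ROUTER_IP"
  else
    log "1. Router is NOT reachable at $ROUTER_IP"
  fi
  if (( WEB_ACCESSIBLE )); then
    log "2. Web interface is accessible"
  else
    log "2. Web interface is NOT accessible"
  fi
  # Items 3-5 are context supplied by the user; nothing in this script verifies them.
  log "3. You mentioned router password may have changed"
  log "4. Amazon device (192.168.50.81) is attempting malicious activity"
  log "5. Network has 100+ devices"
  log ""
  log "🔍 FINDINGS FROM THIS RUN:"
  if (( ${#FINDINGS[@]} > 0 )); then
    for finding in "${FINDINGS[@]}"; do
      log "- $finding"
    done
  else
    log "- none of the automated checks flagged anything"
  fi
  log ""
  log "🔍 WHAT WE DON'T KNOW:"
  log "1. Whether router password was actually changed"
  log "2. Who changed it (if it was changed)"
  log "3. Whether router is actually compromised"
  log "4. Whether the password change was legitimate"
  log ""
  log "🔍 POSSIBLE SCENARIOS:"
  log "1. Router password changed by you and forgotten"
  log "2. Router password changed by family member"
  log "3. Router password changed by ISP"
  log "4. Router password changed by attacker"
  log "5. Router password not actually changed"
  log ""
  log "🔍 NEXT STEPS TO DETERMINE:"
  log "1. Try common default passwords"
  log "2. Check if you changed it recently"
  log "3. Ask family members if they changed it"
  log "4. Contact ISP to check for changes"
  log "5. Look for router manual for default credentials"
}

#######################################
# Section 6: static guidance for regaining access to the router.
#######################################
troubleshooting_steps() {
  log ""
  log "6. TROUBLESHOOTING STEPS"
  log "======================="
  log ""
  log "🔧 STEP 1: Try Common Default Passwords"
  log "Common combinations to try:"
  log "- Username: admin, Password: admin"
  log "- Username: admin, Password: password"
  log "- Username: admin, Password: 1234"
  log "- Username: root, Password: admin"
  log "- Username: admin, Password: (blank)"
  log ""
  log "🔧 STEP 2: Check Router Documentation"
  log "1. Look for a sticker on the router with default credentials"
  log "2. Check the router manual"
  log "3. Search online for your router model + default password"
  log ""
  log "🔧 STEP 3: Contact ISP"
  log "1. Call your ISP's technical support"
  log "2. Ask if they made any changes to your router"
  log "3. Ask for the default credentials"
  log ""
  log "🔧 STEP 4: Physical Reset (Last Resort)"
  log "Only if you cannot access router and suspect compromise:"
  log "1. Locate reset button on router"
  log "2. Hold for 10-30 seconds with paperclip"
  log "3. Wait for router to restart"
  log "4. Use default credentials"
}

#######################################
# Entry point: run every section in order and print a summary derived from
# the recorded state.
# Globals:   LOG_FILE, ROUTER_REACHABLE, WEB_ACCESSIBLE, FINDINGS (read)
# Returns:   0 if no finding was recorded, 1 otherwise
#######################################
main() {
  # Truncate the log exactly once, up front. Previously check_router_access
  # truncated it with `tee` after main had already written its first lines.
  : > "$LOG_FILE" || { printf 'cannot write %s\n' "$LOG_FILE" >&2; exit 1; }

  log "🔍 ROUTER DIAGNOSTIC - EVIDENCE-BASED ANALYSIS"
  log "=============================================="
  log "Timestamp: $(date)"
  log ""
  log "🔍 STARTING EVIDENCE-BASED ROUTER DIAGNOSTIC"
  log "This will determine if router is actually compromised"

  if ! check_router_access; then
    log "Router unreachable - the remaining checks still inspect this host's own state"
  fi
  check_compromise_indicators
  check_suspicious_activity
  check_router_config
  evidence_assessment
  troubleshooting_steps

  log ""
  log "=== DIAGNOSTIC COMPLETE ==="
  log ""
  log "📋 SUMMARY:"
  if (( ROUTER_REACHABLE && WEB_ACCESSIBLE )); then
    log "1. Router is accessible and functioning"
  else
    log "1. Router is not fully accessible (ping: $ROUTER_REACHABLE, web: $WEB_ACCESSIBLE)"
  fi
  if (( ${#FINDINGS[@]} == 0 )); then
    log "2. No clear evidence of router compromise found"
  else
    log "2. ${#FINDINGS[@]} finding(s) need review before ruling out compromise (see section 5)"
  fi
  log "3. Password issue may be legitimate (forgotten password)"
  log "4. Focus on the compromised Amazon device first"
  log ""
  log "🔧 RECOMMENDED ACTION:"
  log "1. Try default router passwords first"
  log "2. Contact ISP for assistance"
  log "3. Deal with the Amazon device compromise"
  log "4. Only reset router if absolutely necessary"

  # Exit status lets a wrapper or cron job notice findings without parsing the log.
  (( ${#FINDINGS[@]} == 0 ))
}

# Run the main function
main "$@"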