HomeAudit/router_diagnostic.sh

#!/bin/bash

# Router Diagnostic Script
# Actually determines if router is compromised based on evidence

echo "🔍 ROUTER DIAGNOSTIC - EVIDENCE-BASED ANALYSIS"
echo "=============================================="
echo "Timestamp: $(date)"
echo ""

ROUTER_IP="192.168.50.1"
LOG_FILE="router_diagnostic_$(date +%Y%m%d_%H%M%S).log"

# Function to check router accessibility
check_router_access() {
    echo "1. Router Accessibility Check" | tee $LOG_FILE
    echo "============================" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "Testing router connectivity..." | tee -a $LOG_FILE
    if ping -c 3 -W 2 $ROUTER_IP > /dev/null 2>&1; then
        echo "✅ Router is reachable" | tee -a $LOG_FILE
    else
        echo "❌ Router is not reachable" | tee -a $LOG_FILE
        return 1
    fi
    
    echo "" | tee -a $LOG_FILE
    echo "Testing router web interface..." | tee -a $LOG_FILE
    if timeout 5 curl -s http://$ROUTER_IP > /dev/null 2>&1; then
        echo "✅ Router web interface is accessible" | tee -a $LOG_FILE
    else
        echo "❌ Router web interface is not accessible" | tee -a $LOG_FILE
    fi
}

# Function to check for actual compromise indicators
check_compromise_indicators() {
    echo "" | tee -a $LOG_FILE
    echo "2. Compromise Indicator Analysis" | tee -a $LOG_FILE
    echo "===============================" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "Checking DNS settings for hijacking..." | tee -a $LOG_FILE
    echo "Current DNS servers:" | tee -a $LOG_FILE
    cat /etc/resolv.conf | grep nameserver | tee -a $LOG_FILE
    
    # Check for suspicious DNS servers
    SUSPICIOUS_DNS=$(cat /etc/resolv.conf | grep nameserver | grep -v "127.0.0.53\|8.8.8.8\|1.1.1.1\|192.168.50.1")
    if [ ! -z "$SUSPICIOUS_DNS" ]; then
        echo "⚠️  SUSPICIOUS DNS SERVERS DETECTED:" | tee -a $LOG_FILE
        echo "$SUSPICIOUS_DNS" | tee -a $LOG_FILE
    else
        echo "✅ DNS servers appear normal" | tee -a $LOG_FILE
    fi
    
    echo "" | tee -a $LOG_FILE
    echo "Checking routing table for hijacking..." | tee -a $LOG_FILE
    echo "Default routes:" | tee -a $LOG_FILE
    ip route | grep default | tee -a $LOG_FILE
    
    # Check for suspicious default routes
    SUSPICIOUS_ROUTES=$(ip route | grep default | grep -v "192.168.50.1")
    if [ ! -z "$SUSPICIOUS_ROUTES" ]; then
        echo "⚠️  SUSPICIOUS DEFAULT ROUTES DETECTED:" | tee -a $LOG_FILE
        echo "$SUSPICIOUS_ROUTES" | tee -a $LOG_FILE
    else
        echo "✅ Default routes appear normal" | tee -a $LOG_FILE
    fi
    
    echo "" | tee -a $LOG_FILE
    echo "Checking for man-in-the-middle attacks..." | tee -a $LOG_FILE
    echo "ARP table entries for router:" | tee -a $LOG_FILE
    arp -n | grep $ROUTER_IP | tee -a $LOG_FILE
    
    # Check for ARP spoofing
    ROUTER_MAC=$(arp -n | grep $ROUTER_IP | awk '{print $3}' | head -1)
    if [ ! -z "$ROUTER_MAC" ]; then
        echo "Router MAC address: $ROUTER_MAC" | tee -a $LOG_FILE
        # Check if multiple MAC addresses for same IP
        MAC_COUNT=$(arp -n | grep $ROUTER_IP | wc -l)
        if [ $MAC_COUNT -gt 1 ]; then
            echo "⚠️  MULTIPLE MAC ADDRESSES FOR ROUTER - POSSIBLE ARP SPOOFING!" | tee -a $LOG_FILE
        else
            echo "✅ Single MAC address for router" | tee -a $LOG_FILE
        fi
    fi
}

# Function to check for suspicious network activity
check_suspicious_activity() {
    echo "" | tee -a $LOG_FILE
    echo "3. Suspicious Network Activity Check" | tee -a $LOG_FILE
    echo "===================================" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "Checking for unusual connections..." | tee -a $LOG_FILE
    SUSPICIOUS_CONNECTIONS=$(netstat -tuln 2>/dev/null | grep -E ":(25|1433|3306|5432|27017|6379|8080|8443|4444|31337)" | wc -l)
    if [ $SUSPICIOUS_CONNECTIONS -gt 0 ]; then
        echo "⚠️  SUSPICIOUS PORTS DETECTED: $SUSPICIOUS_CONNECTIONS" | tee -a $LOG_FILE
        netstat -tuln 2>/dev/null | grep -E ":(25|1433|3306|5432|27017|6379|8080|8443|4444|31337)" | tee -a $LOG_FILE
    else
        echo "✅ No suspicious ports detected" | tee -a $LOG_FILE
    fi
    
    echo "" | tee -a $LOG_FILE
    echo "Checking for unusual DNS queries..." | tee -a $LOG_FILE
    SUSPICIOUS_DNS_QUERIES=$(journalctl -u systemd-resolved --since "1 hour ago" | grep -i -E "(malware|virus|trojan|phishing|spam|botnet|crypto|mining|ransomware|ddos|exploit|hack|crack|warez|porn|adult|xxx|sex|malicious|suspicious)" | wc -l)
    if [ $SUSPICIOUS_DNS_QUERIES -gt 0 ]; then
        echo "⚠️  SUSPICIOUS DNS QUERIES DETECTED: $SUSPICIOUS_DNS_QUERIES" | tee -a $LOG_FILE
        journalctl -u systemd-resolved --since "1 hour ago" | grep -i -E "(malware|virus|trojan|phishing|spam|botnet|crypto|mining|ransomware|ddos|exploit|hack|crack|warez|porn|adult|xxx|sex|malicious|suspicious)" | tail -5 | tee -a $LOG_FILE
    else
        echo "✅ No suspicious DNS queries detected" | tee -a $LOG_FILE
    fi
}

# Function to check router configuration
check_router_config() {
    echo "" | tee -a $LOG_FILE
    echo "4. Router Configuration Check" | tee -a $LOG_FILE
    echo "============================" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "Attempting to access router configuration..." | tee -a $LOG_FILE
    
    # Try to get router info without authentication
    ROUTER_RESPONSE=$(timeout 5 curl -s http://$ROUTER_IP 2>/dev/null | head -20)
    if [ ! -z "$ROUTER_RESPONSE" ]; then
        echo "Router response (first 20 lines):" | tee -a $LOG_FILE
        echo "$ROUTER_RESPONSE" | tee -a $LOG_FILE
        
        # Check for common router brands
        if echo "$ROUTER_RESPONSE" | grep -i "netgear\|linksys\|asus\|tp-link\|d-link\|belkin\|motorola\|arris\|comcast\|xfinity" > /dev/null; then
            ROUTER_BRAND=$(echo "$ROUTER_RESPONSE" | grep -i "netgear\|linksys\|asus\|tp-link\|d-link\|belkin\|motorola\|arris\|comcast\|xfinity" | head -1)
            echo "Router brand detected: $ROUTER_BRAND" | tee -a $LOG_FILE
        fi
    else
        echo "No response from router web interface" | tee -a $LOG_FILE
    fi
}

# Function to provide evidence-based assessment
evidence_assessment() {
    echo "" | tee -a $LOG_FILE
    echo "5. EVIDENCE-BASED ASSESSMENT" | tee -a $LOG_FILE
    echo "===========================" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "🔍 WHAT WE ACTUALLY KNOW:" | tee -a $LOG_FILE
    echo "1. Router is reachable at $ROUTER_IP" | tee -a $LOG_FILE
    echo "2. Web interface is accessible" | tee -a $LOG_FILE
    echo "3. You mentioned router password may have changed" | tee -a $LOG_FILE
    echo "4. Amazon device (192.168.50.81) is attempting malicious activity" | tee -a $LOG_FILE
    echo "5. Network has 100+ devices" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "🔍 WHAT WE DON'T KNOW:" | tee -a $LOG_FILE
    echo "1. Whether router password was actually changed" | tee -a $LOG_FILE
    echo "2. Who changed it (if it was changed)" | tee -a $LOG_FILE
    echo "3. Whether router is actually compromised" | tee -a $LOG_FILE
    echo "4. Whether the password change was legitimate" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "🔍 POSSIBLE SCENARIOS:" | tee -a $LOG_FILE
    echo "1. Router password changed by you and forgotten" | tee -a $LOG_FILE
    echo "2. Router password changed by family member" | tee -a $LOG_FILE
    echo "3. Router password changed by ISP" | tee -a $LOG_FILE
    echo "4. Router password changed by attacker" | tee -a $LOG_FILE
    echo "5. Router password not actually changed" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "🔍 NEXT STEPS TO DETERMINE:" | tee -a $LOG_FILE
    echo "1. Try common default passwords" | tee -a $LOG_FILE
    echo "2. Check if you changed it recently" | tee -a $LOG_FILE
    echo "3. Ask family members if they changed it" | tee -a $LOG_FILE
    echo "4. Contact ISP to check for changes" | tee -a $LOG_FILE
    echo "5. Look for router manual for default credentials" | tee -a $LOG_FILE
}

# Function to provide troubleshooting steps
troubleshooting_steps() {
    echo "" | tee -a $LOG_FILE
    echo "6. TROUBLESHOOTING STEPS" | tee -a $LOG_FILE
    echo "=======================" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "🔧 STEP 1: Try Common Default Passwords" | tee -a $LOG_FILE
    echo "Common combinations to try:" | tee -a $LOG_FILE
    echo "- Username: admin, Password: admin" | tee -a $LOG_FILE
    echo "- Username: admin, Password: password" | tee -a $LOG_FILE
    echo "- Username: admin, Password: 1234" | tee -a $LOG_FILE
    echo "- Username: root, Password: admin" | tee -a $LOG_FILE
    echo "- Username: admin, Password: (blank)" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "🔧 STEP 2: Check Router Documentation" | tee -a $LOG_FILE
    echo "1. Look for a sticker on the router with default credentials" | tee -a $LOG_FILE
    echo "2. Check the router manual" | tee -a $LOG_FILE
    echo "3. Search online for your router model + default password" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "🔧 STEP 3: Contact ISP" | tee -a $LOG_FILE
    echo "1. Call your ISP's technical support" | tee -a $LOG_FILE
    echo "2. Ask if they made any changes to your router" | tee -a $LOG_FILE
    echo "3. Ask for the default credentials" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    
    echo "🔧 STEP 4: Physical Reset (Last Resort)" | tee -a $LOG_FILE
    echo "Only if you cannot access router and suspect compromise:" | tee -a $LOG_FILE
    echo "1. Locate reset button on router" | tee -a $LOG_FILE
    echo "2. Hold for 10-30 seconds with paperclip" | tee -a $LOG_FILE
    echo "3. Wait for router to restart" | tee -a $LOG_FILE
    echo "4. Use default credentials" | tee -a $LOG_FILE
}

# Main execution
main() {
    echo "🔍 STARTING EVIDENCE-BASED ROUTER DIAGNOSTIC" | tee -a $LOG_FILE
    echo "This will determine if router is actually compromised" | tee -a $LOG_FILE
    
    check_router_access
    check_compromise_indicators
    check_suspicious_activity
    check_router_config
    evidence_assessment
    troubleshooting_steps
    
    echo "" | tee -a $LOG_FILE
    echo "=== DIAGNOSTIC COMPLETE ===" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    echo "📋 SUMMARY:" | tee -a $LOG_FILE
    echo "1. Router is accessible and functioning" | tee -a $LOG_FILE
    echo "2. No clear evidence of router compromise found" | tee -a $LOG_FILE
    echo "3. Password issue may be legitimate (forgotten password)" | tee -a $LOG_FILE
    echo "4. Focus on the compromised Amazon device first" | tee -a $LOG_FILE
    echo "" | tee -a $LOG_FILE
    echo "🔧 RECOMMENDED ACTION:" | tee -a $LOG_FILE
    echo "1. Try default router passwords first" | tee -a $LOG_FILE
    echo "2. Contact ISP for assistance" | tee -a $LOG_FILE
    echo "3. Deal with the Amazon device compromise" | tee -a $LOG_FILE
    echo "4. Only reset router if absolutely necessary" | tee -a $LOG_FILE
}

# Run the main function
main