
#!/bin/bash
# Router Diagnostic Script
# Actually determines if router is compromised based on evidence
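# Banner goes to stdout only; the per-run log is created just below and
# every section function appends to it through tee.
printf '%s\n' "🔍 ROUTER DIAGNOSTIC - EVIDENCE-BASED ANALYSIS"
printf '%s\n' "=============================================="
printf 'Timestamp: %s\n' "$(date)"
printf '\n'
# Gateway under test. Overridable from the environment so the script is
# usable on subnets other than 192.168.50.0/24; every check keys on this.
ROUTER_IP="${ROUTER_IP:-192.168.50.1}"
readonly ROUTER_IP
# One log per run (timestamp in the name) in the current directory unless
# the caller points LOG_FILE elsewhere.
LOG_FILE="${LOG_FILE:-router_diagnostic_$(date +%Y%m%d_%H%M%S).log}"
readonly LOG_FILE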
# Function to check router accessibility
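#######################################
# Section 1: basic reachability of the gateway (ICMP, then HTTP).
# Globals:   ROUTER_IP (read), LOG_FILE (appended)
# Outputs:   section text to stdout and the log
# Returns:   1 if the router does not answer ping; otherwise the status of
#            the last tee (0)
#######################################
check_router_access() {
  # Append instead of truncating: the log name carries a per-run timestamp,
  # and main() has already written its opening lines to it before calling
  # this function, so truncating here would silently drop them.
  {
    printf '%s\n' "1. Router Accessibility Check"
    printf '%s\n' "============================"
    printf '\n%s\n' "Testing router connectivity..."
  } | tee -a "$LOG_FILE"

  # -W is a per-reply timeout in seconds for iputils ping; BSD/macOS ping
  # reads -W in milliseconds, so adjust if this is ever run off Linux.
  if ping -c 3 -W 2 "$ROUTER_IP" > /dev/null 2>&1; then
    printf '%s\n' "✅ Router is reachable" | tee -a "$LOG_FILE"
  else
    printf '%s\n' "❌ Router is not reachable" | tee -a "$LOG_FILE"
    return 1
  fi

  printf '\n%s\n' "Testing router web interface..." | tee -a "$LOG_FILE"
  # curl's own --max-time replaces the external timeout(1) wrapper. curl
  # exits 0 for any HTTP reply (401, redirects included), so "accessible"
  # only means something answered on port 80 — not who controls it.
  if curl -s --max-time 5 -o /dev/null "http://$ROUTER_IP" 2>/dev/null; then
    printf '%s\n' "✅ Router web interface is accessible" | tee -a "$LOG_FILE"
  else
    printf '%s\n' "❌ Router web interface is not accessible" | tee -a "$LOG_FILE"
  fi
}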
# Function to check for actual compromise indicators
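#######################################
# Section 2: classic gateway-hijack signs as seen from THIS host — an
# unexpected resolver, an unexpected default gateway, and the MAC the
# host currently associates with the router.
# Globals:   ROUTER_IP (read), LOG_FILE (appended)
# Outputs:   section text to stdout and the log
#######################################
check_compromise_indicators() {
  # Resolvers that are expected on this network; compared exactly below.
  local -a known_dns=("127.0.0.53" "8.8.8.8" "1.1.1.1" "$ROUTER_IP")
  local suspicious_dns suspicious_routes neigh_entries router_macs router_mac mac_count

  {
    printf '\n%s\n' "2. Compromise Indicator Analysis"
    printf '%s\n' "==============================="
    printf '\n%s\n' "Checking DNS settings for hijacking..."
    printf '%s\n' "Current DNS servers:"
  } | tee -a "$LOG_FILE"

  if [[ -r /etc/resolv.conf ]]; then
    awk '$1 == "nameserver"' /etc/resolv.conf | tee -a "$LOG_FILE"
    # Whole-field comparison against the allow-list. The previous
    # grep -v "8.8.8.8\|192.168.50.1" treated '.' as a wildcard and had no
    # anchors, so e.g. a rogue 192.168.50.100 was silently allow-listed.
    suspicious_dns=$(awk -v allow=" ${known_dns[*]} " \
      '$1 == "nameserver" && index(allow, " " $2 " ") == 0' /etc/resolv.conf)
  else
    suspicious_dns=""
  fi
  if [[ -n "$suspicious_dns" ]]; then
    printf '%s\n' "⚠️ SUSPICIOUS DNS SERVERS DETECTED:" "$suspicious_dns" | tee -a "$LOG_FILE"
  else
    printf '%s\n' "✅ DNS servers appear normal" | tee -a "$LOG_FILE"
  fi
  # 127.0.0.53 is the systemd-resolved stub, not an upstream: when it is the
  # only nameserver line, the check above says nothing about where queries
  # really go. Show the resolver's configured upstreams when available.
  if command -v resolvectl >/dev/null 2>&1; then
    printf '%s\n' "Upstream DNS per link (resolvectl):" | tee -a "$LOG_FILE"
    resolvectl dns 2>/dev/null | tee -a "$LOG_FILE"
  fi

  printf '\n%s\n%s\n' "Checking routing table for hijacking..." "Default routes:" | tee -a "$LOG_FILE"
  ip route show default 2>/dev/null | tee -a "$LOG_FILE"
  # Lines look like "default via <gw> dev <if> ..."; compare the gateway
  # field exactly. A "default dev <if>" route with no "via" (VPN tunnels)
  # is flagged too — review such lines by hand.
  suspicious_routes=$(ip route show default 2>/dev/null \
    | awk -v gw="$ROUTER_IP" '$1 == "default" && $3 != gw')
  if [[ -n "$suspicious_routes" ]]; then
    printf '%s\n' "⚠️ SUSPICIOUS DEFAULT ROUTES DETECTED:" "$suspicious_routes" | tee -a "$LOG_FILE"
  else
    printf '%s\n' "✅ Default routes appear normal" | tee -a "$LOG_FILE"
  fi

  printf '\n%s\n%s\n' "Checking for man-in-the-middle attacks..." "ARP table entries for router:" | tee -a "$LOG_FILE"
  # Match the whole address field. `grep 192.168.50.1` also hits .10-.19
  # and .100-.199, which made the "multiple MACs" test fire on any busy
  # subnet regardless of spoofing.
  if command -v arp >/dev/null 2>&1; then
    neigh_entries=$(arp -n 2>/dev/null | awk -v ip="$ROUTER_IP" '$1 == ip')
    # HWaddress column; "(incomplete)" entries carry no colon-separated MAC.
    router_macs=$(printf '%s\n' "$neigh_entries" | awk 'NF && $3 ~ /:/ { print $3 }')
  else
    # net-tools absent: iproute2 prints "<ip> dev <if> lladdr <mac> <state>".
    neigh_entries=$(ip neigh show "$ROUTER_IP" 2>/dev/null)
    router_macs=$(printf '%s\n' "$neigh_entries" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1) }')
  fi
  if [[ -n "$neigh_entries" ]]; then
    printf '%s\n' "$neigh_entries" | tee -a "$LOG_FILE"
  fi

  router_mac=${router_macs%%$'\n'*}
  if [[ -n "$router_mac" ]]; then
    printf '%s\n' "Router MAC address: $router_mac" | tee -a "$LOG_FILE"
    # Distinct MACs rather than raw line count (one entry per interface is
    # normal on multi-homed hosts).
    mac_count=$(printf '%s\n' "$router_macs" | sort -u | wc -l)
    # NOTE(review): the neighbour cache normally holds one entry per IP per
    # interface, so a single snapshot rarely shows two MACs even while ARP
    # is being spoofed; the stronger signal is this MAC changing between
    # runs — compare "Router MAC address:" across the dated log files.
    if (( mac_count > 1 )); then
      printf '%s\n' "⚠️ MULTIPLE MAC ADDRESSES FOR ROUTER - POSSIBLE ARP SPOOFING!" | tee -a "$LOG_FILE"
    else
      printf '%s\n' "✅ Single MAC address for router" | tee -a "$LOG_FILE"
    fi
  fi
}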
# Function to check for suspicious network activity
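#######################################
# Section 3: listening sockets on THIS host that sit on ports commonly
# associated with exposed services or backdoors, plus resolver journal
# lines containing alarming keywords. Neither check talks to the router.
# Globals:   LOG_FILE (appended)
# Outputs:   section text to stdout and the log
#######################################
check_suspicious_activity() {
  # Port must end the field: the unanchored ":25" also matched :2500 and
  # :25000, and ":4444" matched :44444.
  local -r port_re=':(25|1433|3306|5432|27017|6379|8080|8443|4444|31337)([[:space:]]|$)'
  local -r keyword_re='(malware|virus|trojan|phishing|spam|botnet|crypto|mining|ransomware|ddos|exploit|hack|crack|warez|porn|adult|xxx|sex|malicious|suspicious)'
  local listeners flagged_ports port_count flagged_queries query_count

  {
    printf '\n%s\n' "3. Suspicious Network Activity Check"
    printf '%s\n' "==================================="
    printf '\n%s\n' "Checking for unusual connections..."
  } | tee -a "$LOG_FILE"

  # ss(8) is the maintained tool; fall back to net-tools netstat if absent.
  # Both list local listening sockets only — this is not router traffic.
  if command -v ss >/dev/null 2>&1; then
    listeners=$(ss -tuln 2>/dev/null)
  else
    listeners=$(netstat -tuln 2>/dev/null)
  fi
  flagged_ports=$(printf '%s\n' "$listeners" | grep -E -- "$port_re")
  if [[ -n "$flagged_ports" ]]; then
    port_count=$(printf '%s\n' "$flagged_ports" | grep -c '')
    printf '%s\n' "⚠️ SUSPICIOUS PORTS DETECTED: $port_count" "$flagged_ports" | tee -a "$LOG_FILE"
  else
    printf '%s\n' "✅ No suspicious ports detected" | tee -a "$LOG_FILE"
  fi

  printf '\n%s\n' "Checking for unusual DNS queries..." | tee -a "$LOG_FILE"
  # NOTE(review): systemd-resolved does not appear to log query names at
  # its default log level, so this usually matches nothing even on an
  # infected host — confirm against a resolver with query logging (or a
  # DNS sinkhole log) before reading "none detected" as evidence. The
  # keyword list is also broad ("crypto" matches cryptography), so review
  # hits by hand. The journal is read once and reused for the excerpt.
  flagged_queries=$(journalctl -u systemd-resolved --since "1 hour ago" 2>/dev/null \
    | grep -i -E -- "$keyword_re")
  if [[ -n "$flagged_queries" ]]; then
    query_count=$(printf '%s\n' "$flagged_queries" | grep -c '')
    {
      printf '%s\n' "⚠️ SUSPICIOUS DNS QUERIES DETECTED: $query_count"
      printf '%s\n' "$flagged_queries" | tail -5
    } | tee -a "$LOG_FILE"
  else
    printf '%s\n' "✅ No suspicious DNS queries detected" | tee -a "$LOG_FILE"
  fi
}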
# Function to check router configuration
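#######################################
# Section 4: fetch the router's landing page without credentials and note
# the vendor if the HTML names one. If the router really is compromised
# that body is attacker-controlled, so it is sanitised before it reaches
# the terminal and the log.
# Globals:   ROUTER_IP (read), LOG_FILE (appended)
# Outputs:   section text to stdout and the log
#######################################
check_router_config() {
  local -r brand_re='netgear|linksys|asus|tp-link|d-link|belkin|motorola|arris|comcast|xfinity'
  local response brand

  {
    printf '\n%s\n' "4. Router Configuration Check"
    printf '%s\n' "============================"
    printf '\n%s\n' "Attempting to access router configuration..."
  } | tee -a "$LOG_FILE"

  # Unauthenticated GET, first 20 lines only. Delete C0 control bytes other
  # than TAB/LF/CR (and DEL) so an escape sequence embedded in the page
  # cannot redraw the terminal or hide lines in the log; UTF-8 is kept.
  response=$(curl -s --max-time 5 "http://$ROUTER_IP" 2>/dev/null \
    | head -20 \
    | LC_ALL=C tr -d '\000-\010\013\014\016-\037\177')
  if [[ -n "$response" ]]; then
    printf '%s\n' "Router response (first 20 lines):" "$response" | tee -a "$LOG_FILE"
    # First line naming a known vendor, case-insensitive.
    brand=$(printf '%s\n' "$response" | grep -i -E -- "$brand_re" | head -1)
    if [[ -n "$brand" ]]; then
      printf '%s\n' "Router brand detected: $brand" | tee -a "$LOG_FILE"
    fi
  else
    printf '%s\n' "No response from router web interface" | tee -a "$LOG_FILE"
  fi
}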
# Function to provide evidence-based assessment
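#######################################
# Section 5: what the run established versus what is still unknown.
# The reachability line used to be hard-coded as "reachable" even when
# section 1 had just reported the opposite; it now follows the status
# passed in. Items 3-5 and the later lists are the author's case notes.
# Globals:   ROUTER_IP (read), LOG_FILE (appended)
# Arguments: $1 - exit status of check_router_access (optional; defaults to
#                 0, which reproduces the previous output)
# Outputs:   section text to stdout and the log
#######################################
evidence_assessment() {
  local -r access_status=${1:-0}
  local reach_line web_line
  if (( access_status == 0 )); then
    reach_line="1. Router is reachable at $ROUTER_IP"
    # NOTE(review): check_router_access's return value carries only the ping
    # result, not the curl result, so this line is asserted, not measured.
    web_line="2. Web interface is accessible"
  else
    reach_line="1. Router is NOT reachable at $ROUTER_IP"
    web_line="2. Web interface could not be tested (no ICMP reply)"
  fi

  local -a lines=(
    ""
    "5. EVIDENCE-BASED ASSESSMENT"
    "==========================="
    ""
    "🔍 WHAT WE ACTUALLY KNOW:"
    "$reach_line"
    "$web_line"
    "3. You mentioned router password may have changed"
    "4. Amazon device (192.168.50.81) is attempting malicious activity"
    "5. Network has 100+ devices"
    ""
    "🔍 WHAT WE DON'T KNOW:"
    "1. Whether router password was actually changed"
    "2. Who changed it (if it was changed)"
    "3. Whether router is actually compromised"
    "4. Whether the password change was legitimate"
    ""
    "🔍 POSSIBLE SCENARIOS:"
    "1. Router password changed by you and forgotten"
    "2. Router password changed by family member"
    "3. Router password changed by ISP"
    "4. Router password changed by attacker"
    "5. Router password not actually changed"
    ""
    "🔍 NEXT STEPS TO DETERMINE:"
    "1. Try common default passwords"
    "2. Check if you changed it recently"
    "3. Ask family members if they changed it"
    "4. Contact ISP to check for changes"
    "5. Look for router manual for default credentials"
  )
  printf '%s\n' "${lines[@]}" | tee -a "$LOG_FILE"
}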
# Function to provide troubleshooting steps
#######################################
# Section 6: static recovery guidance for a router whose admin password
# is unknown. Pure output; one tee call for the whole section.
# Globals:   LOG_FILE (appended)
# Outputs:   section text to stdout and the log
#######################################
troubleshooting_steps() {
  local -a steps=(
    ""
    "6. TROUBLESHOOTING STEPS"
    "======================="
    ""
    "🔧 STEP 1: Try Common Default Passwords"
    "Common combinations to try:"
    "- Username: admin, Password: admin"
    "- Username: admin, Password: password"
    "- Username: admin, Password: 1234"
    "- Username: root, Password: admin"
    "- Username: admin, Password: (blank)"
    ""
    "🔧 STEP 2: Check Router Documentation"
    "1. Look for a sticker on the router with default credentials"
    "2. Check the router manual"
    "3. Search online for your router model + default password"
    ""
    "🔧 STEP 3: Contact ISP"
    "1. Call your ISP's technical support"
    "2. Ask if they made any changes to your router"
    "3. Ask for the default credentials"
    ""
    "🔧 STEP 4: Physical Reset (Last Resort)"
    "Only if you cannot access router and suspect compromise:"
    "1. Locate reset button on router"
    "2. Hold for 10-30 seconds with paperclip"
    "3. Wait for router to restart"
    "4. Use default credentials"
  )
  printf '%s\n' "${steps[@]}" | tee -a "$LOG_FILE"
}
# Main execution
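#######################################
# Entry point: run the sections in order, then print the closing summary.
# Globals:   LOG_FILE (appended); ROUTER_IP via the section functions
# Outputs:   all diagnostic text to stdout and the log
#######################################
main() {
  local access_status=0
  local reach_summary

  printf '%s\n' "🔍 STARTING EVIDENCE-BASED ROUTER DIAGNOSTIC" \
    "This will determine if router is actually compromised" | tee -a "$LOG_FILE"

  # Keep section 1's result instead of discarding it: the summary below
  # used to claim "accessible and functioning" unconditionally.
  check_router_access || access_status=$?
  check_compromise_indicators
  check_suspicious_activity
  check_router_config
  # Pass the status through so the assessment can reflect it.
  evidence_assessment "$access_status"
  troubleshooting_steps

  if (( access_status == 0 )); then
    reach_summary="1. Router is accessible and functioning"
  else
    reach_summary="1. Router did NOT respond to ping (see section 1)"
  fi
  # NOTE(review): items 2-4 are static text from the original write-up, not
  # derived from the checks above; read them against the ⚠️ lines in
  # sections 2-4 rather than as a computed verdict.
  printf '%s\n' \
    "" \
    "=== DIAGNOSTIC COMPLETE ===" \
    "" \
    "📋 SUMMARY:" \
    "$reach_summary" \
    "2. No clear evidence of router compromise found" \
    "3. Password issue may be legitimate (forgotten password)" \
    "4. Focus on the compromised Amazon device first" \
    "" \
    "🔧 RECOMMENDED ACTION:" \
    "1. Try default router passwords first" \
    "2. Contact ISP for assistance" \
    "3. Deal with the Amazon device compromise" \
    "4. Only reset router if absolutely necessary" \
    | tee -a "$LOG_FILE"
}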
# Run the main function
# Hand the command line to main (it currently takes no options; passing
# "$@" keeps the call conventional and costs nothing).
main "$@"