Actually you can connect to routers. Most routers have their own type of lets say "O/S" installed, or in other words some kind of controlling firmware.
First you would need to enumerate what network devices you have and what their IP address is. If you perform a traceroute on your network you should come up with something like this (I am giving you an example of enumerating routers over the net given a domain)
Traceroute results should look something like this before the last few hops (that is if you have not lost most of your packets by then or the request hasnt timed out.)
some-rtr.somedomain.com (192.168.0.1) <-- look at that bit www.somedomain.com
Now we finally got to our traget but we also know that there is another hop residing before our target that holds a rather aqueward IP address to be published on the www. 192.168.X.X usually are LAN only resident IP addresses which means that you will never find a machine on the net with that IP range. In this case you look at it a different way because the previous hop before our target holds the IP 192.168.0.1, which should be the routing machine on the LAN/WAN our target is running (dont get your hopes up, it could just be another server and not a router, or even in the unlucky cases a hub)
So we take our guesses upon it being a router (actually it is a router in this scenario hence it says, some-rtr. (only the dumb would think its short for UNIX server)
So we have successfully identified the IP of the router, now we want to perform a port scan, but wait you need to specify what region of ports to look for because different routers use different ports
A complete ports list can be found at http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
so well in this scenario we will take Cisco routers the most commonly used, which use port ranges between, 1-25, 80, 512-515, 2001, 4001, 6001 and 9001. Well do your scan(if your network permits you to do so.) So lets make up some fake results.
Interesting ports open on 192.168.0.1
Port 7 is OPEN running TCP offering ECHO
Port 9 is OPEN running TCP offering DISCARD
Port 13 is OPEN running TCP offering DAYTIME
Port 19 is OPEN running TCP offereing CHARGEN
Port 23 is FILTERED running on protocol TCP and its Telnet (we already have a good port here)
Port 2001 is OPEN running on protocol TCP and is a DC service(uhh not bad either)
Port 6001 is OPEN on TCP offering X11:1 (hehe good too the XRemote port is open)
Ok our guess us pretty certain we are dealing with a Cisco router here but yet we dont know [censored] about it, we want to know O/S its running.
Well before [censored] around too much we will try to telnet to the router itself on ports 23 and 2001.
Wow, look what we got here!
User Access Verification
We smile with great anticipation
We can connect to the router, now you can brute force the password, but I rather go a few steps further to find out exactely what we are dealing with.
So we enumerate the O/S now, piece of advice, do not try to scan several ports at once when enumerating the O/S since alot of modern technology has detection for such scanning attempts and will just block your packets
Or they can flood the remote machine and bring it down, which is not the idea here. If we wanted to DoS people we would be in 1996
So single port scan on port 13 for now, we launch beloved nmap (which also comes for winnt now) and a magical surge over the machine suddendly spits back this info at you.
Port State Protocol Service
3 filtered TCP Daytime
Remote operating system guess: Cisco Router/Switch with IOS 11.2
Rawwwwwwwwwww what bastards, we got what we wanted on the first attempt (wish real life was like this)
Well ive showed you how to enumerate the router, its O/S and how to connect to it. The rest is up to you. I suggest you go googling, I am sure there is tons of revelant information online.
And just a comment.
You can find tons of info out about X-Stop at their site http://www.8e6technologies.com/
So all the above processes can be eliminated!
Never forget that social engeneering is a prime key to cracking, in most cases, Gizmo can tell you LOTS of [censored] about being "Social" with companies and large corporations
/me thinks of some weird telco but cant figure out the name
What a waste of time