"What would you spend a couple of hours doing? Run a dictionary attack on the router's admin port, 443?"

No, nothing that crude (but lots of "secure" routers still have the default password [admin:admin]). And there's a lot of useful information in Keef's profile that could indicate possible passwords [I'd try PA28R201 for a start] and avenues for social engineering.

From the responses to probes it is possible to deduce the make/model of router and what services it is offering, then it's just a question of sending it the right queries/packets to exploit vulnerabilities and gain access to the network. Once in, there's always a weakly secured host that will contain information that gives useful tips to crack the others.