First of all you would need to identify the type of router the victim is using. Afterwards, do some research on that router and if it has any open ports the ISP's techs connect on to troubleshoot it. Look for vulnerabilities for that router. Other then that, I couldn't think of anything else. There's not much you can do about that, especially with NAT enabled and no open management ports.