http://www.wifiway.org

Thomson SpeedTouch WPA routers
Installing the stkeys package for Wifiway
wget http://www.wifiway.org/stkeys/install.sh.gz
gzip -d install.sh.gz
chmod +x install.sh
./install.sh
Introduction
Regarding the vulnerability of WPA: as of today it is still not possible to break the encryption itself. As for weaknesses, the usual practice is to attack the PSK, which is what programs such as Aircrack and coWPAtty focus on.
 
The system is strong for the moment, so we need something else. Is there any weakness that affects it? Yes, if you study how the preconfigured data is generated on devices set up by manufacturers and/or ISPs.
 
There is a relevant piece of information for this approach: most people with a wireless network keep the preconfigured parameters on their devices, for both WEP and WPA, often through ignorance of the subject. If in doubt, just scan for networks: a high percentage of those found keep the factory or ISP-assigned settings in their ESSID, which suggests the same is true of the password.
With this in mind, one would expect manufacturers and/or ISPs to use a very complex process to generate these parameters, so that the strength of the encryption protocol (at least WPA) is not undermined by that process.
 
Everyone knows how fragile the algorithms that generate these data are for networks such as Wlan-XX, Dlinkwireless, Adsl-xxxx, etc., which has led to applications that use brute force and/or reverse the algorithm, making it easy to find the key.
In this case, we decided to apply this test to the WEP/WPA networks named SpeedTouchXXXXXX, which belong to routers from the manufacturer Thomson.
 
The protagonist: the Thomson router.
As we will see in this case, the weakness lies in the router's own implementation of the preconfigured data, so it can affect not one but several ISPs, and even other countries.
 
These networks are generated by Thomson routers, models 580i and 585v6. The installation and configuration process of these routers is handled by the supplied software, which itself contains the algorithm for generating the preconfigured data. In this case, the only information entered during the process to create a network is the serial number of the router. That already gives an important clue.
 
I had previously read something by Kevin Devine about a similar discovery in the case of Eircom networks, where he had worked out the algorithm used to generate the preconfigured WEP key.
 
I got in touch with him, and we started to investigate. Through reverse engineering, Kevin was able to establish a first indication of how the parameters were generated from the serial number.
 
From there, it was necessary to have a router to practise on, since otherwise the installation program stopped.
 
So I began to search for a Thomson router. Thanks to Pazienzia, who gave us one. From there, things got rolling…
 
The algorithm exposed. The case of SpeedTouchXXXXXX networks.
 
As I said, it could be shown that the basis of the process is the serial number. So let us analyze one, such as CP0615JT109 (53). From the observations made, we arrived at the following breakdown:
 
CP YY WW DB XXX (CC) 
 
What does each part mean?
 
YY is the year of manufacture. (2006)?
WW is the week of the year. (15), a week in April?
DB is the production / manufacturing code. (JT)?
CC is the configuration code. (53)? in the form 00 - ZZ (0-9/A-Z)
 
About the value XXX we can only speculate. Perhaps it represents the unit number?
 
With this, and taking "CP0615JT109 (53)" as an example, the process is as follows:
 
Remove the production code (DB, here JT) and the configuration code (CC) from the serial number.
 
"CP0615109" 
 
Convert XXX to the hex values of its ASCII characters.
 
"CP0615313039" 
 
Process the result with the SHA-1 algorithm:
 
742da831d2b657fa53d347301ec610e1ebf8a3d0
 
The last 3 bytes, written in hexadecimal, become a string of 6 ASCII characters; prepending the word "SpeedTouch" gives the default ESSID.
 
"SpeedTouchF8A3D0" 
 
The first 5 bytes, written in hexadecimal, become a string of 10 ASCII characters, which is the default WEP / WPA key.

"742DA831D2"
 
And that's all ... 
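The derivation above, written out as an added example (this is not the page's stkeys code, nor Kevin Devine's): it takes a serial number in the CP YY WW DB XXX (CC) layout, drops the production and configuration codes, hex-encodes XXX, hashes with SHA-1 and splits the digest into ESSID suffix and key, exactly as the steps describe. The regular expression, the function names and the uses_factory_defaults check are assumptions for this illustration; the check is the self-audit the page recommends: an owner who knows the serial printed on the router can confirm whether the network still runs on its factory ESSID and key, and change them if so. The page's example does not settle how letters in XXX would be hex-encoded, so uppercase hex is assumed there.

```python
import hashlib
import re

# Serial layout from the page: CP YY WW DB XXX (CC), e.g. "CP0615JT109 (53)".
# The trailing "(CC)" is optional because it is not printed on every label.
# (Regex and character classes are an assumption for this example.)
SERIAL_RE = re.compile(
    r"^CP(\d{2})(\d{2})([A-Z0-9]{2})([A-Z0-9]{3})(?:\s*\(([A-Z0-9]{2})\))?$"
)


def hash_input(serial: str) -> str:
    """Build the SHA-1 input string: keep CP, YY and WW, drop DB and CC,
    and replace XXX by the hex encoding of its ASCII characters
    ("109" -> "313039")."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        raise ValueError(f"unrecognised serial format: {serial!r}")
    yy, ww, _production_code, xxx, _config_code = m.groups()
    # Uppercase hex is an assumption for letters in XXX; digits are unaffected.
    return "CP" + yy + ww + xxx.encode("ascii").hex().upper()


def derive_defaults(serial: str) -> dict:
    """Return the factory ESSID and WEP/WPA key the page's algorithm yields."""
    material = hash_input(serial)
    digest = hashlib.sha1(material.encode("ascii")).hexdigest()
    return {
        "input": material,
        "digest": digest,
        # Last 3 bytes -> 6 hex characters appended to "SpeedTouch".
        "essid": "SpeedTouch" + digest[-6:].upper(),
        # First 5 bytes -> 10 hex characters used as the default key.
        "key": digest[:10].upper(),
    }


def uses_factory_defaults(serial: str, essid: str, key: str) -> bool:
    """Self-check for an owner: True if the router's current ESSID and key
    are still the ones derived from its serial number."""
    d = derive_defaults(serial)
    return essid.upper() == d["essid"].upper() and key.upper() == d["key"]


if __name__ == "__main__":
    # Constructed input: the serial number used as the worked example on the page.
    sample_serial = "CP0615JT109 (53)"
    result = derive_defaults(sample_serial)
    for name in ("input", "digest", "essid", "key"):
        print(f"{name:>6}: {result[name]}")
    print("still on factory defaults:",
          uses_factory_defaults(sample_serial, result["essid"], result["key"]))
```

Running the script on the page's serial prints the intermediate string, the digest, the ESSID and the key in the same order as the steps above, so each stage can be compared with the text. If uses_factory_defaults reports True for your own router, the key is recoverable from the ESSID alone and should be replaced with a random passphrase.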
 
Recovery. 
 
The brute-force method developed here is a bit simple, but enough for the moment. We use the ESSID suffix to recover the full hash, by applying the algorithm to candidate serial numbers and comparing the results.
 

Theoretically, with the 3 bytes present in the ESSID of these networks, no more than 2 attempts are required to gain access to the network.
 
In cases where only 2 bytes are used in the ESSID, many more potential keys are generated (80 on average).
 
Even so, this greatly improves an attacker's chances of accessing a router that is still protected with WPA; more so if a handshake can be captured and Aircrack, Cain & Abel or even coWPAtty used in offline mode.
 
In any case, we must remember that this tool is meant to be used to check our own network for this weakness, or with the owner's permission.
 
The tool: stkeys 
 
Download the source code (Spanish version):
http://download.wifislax.com:8080/stkeys_ES_src.zip
md5: 6472d51a88010754756154d93d7fb2be
(see notes at the end)
 
To compile the code on Linux, using gcc:
 
gcc -fomit-frame-pointer -O3 -funroll-all-loops stkeys.c sha1.c -ostkeys 
 
It is possible that compiling produces some errors of the type "implicit declaration…", which do not affect the process. Note that the code uses the OpenSSL implementation of the SHA-1 algorithm, which is why the process is very fast.
 
When running the program, you will see:
 
[screenshot: Wifiway]
 
Practical Case

Sample usage on a Thomson router, model ST585v6, with ESSID "SpeedTouchF8A3D0":
 
[screenshot: Wifiway]
 
In this example, the correct password is obtained with the first candidate.
 
Credits:
 
First, Kevin Devine, for the fantastic work of finding the algorithm and developing this application. In the following link you will find (in English) a "howto" of the technical process and other data. It includes a flash animation that shows the speed of the process:
 
 
We also thank Pazienzia (member of the Elhacker.net forum) for providing his "forgotten" router for the tests, as well as Renzo and bonebag for the USB adapter.
 
And finally, the forums and members of seguridadwireless and Elhacker.net, without whose data it would not have been possible to verify this information, as well as Hwagm for lending a space to host the program, and of course, the essence of Pianist ;-)
 
Notes on the project:
This project is still alive. For those who want to investigate the topic more thoroughly, in the link given in the credits you will find curiosities such as the discovery of more algorithms, apparently related to the WEP encryption system and possibly older.

That is why, although what is developed here works for WEP or WPA networks, it may not be 100% reliable for WEP.

Anyway, to get an idea of the scope of the project, I recommend visiting the following link:
 
 

 