Hacking – How to hack WPA/WPA2 Password with BackTrack through cracking WPS?

Last week I’ve read small news on c’t magazine saying that the default password of EasyBox router used for Vodafone, Telecom, Arcor in Germany … was hacked by Sebastian Petters. That means if someone is using default settings of EasyBox, you can get his WLAN password easily and then access his network. This default password was generated by a algorithm and this algorithm was patented. Therefore like other patents, the complete description of algorithm was simply exposed on internet (http://www.patent-de.com/20081120/DE102007047320A1.html if you can read German). As you can see the algorithm is pretty simple, it just takes the MAC address of router, makes some computations with base changing, xor,plus… Therefore all we have to do is get the MAC address of victim, make a copy of the algorithm ourselves and then generate the default WLAN password.

Let’s make an example. Almost of my neighbors are simple persons, they order DSL lines, install the hardwares and let all settings like they were from factory. So here is a snapshot of all available wireless networks around me. Some of SSID names were changed but some of them are default and I can easily recognize which one is an EasyBox router.

Ubuntu - All available networks

I just choose one of them, for example the “EasyBox-F1xxxx” giving me a good signal. Open a Terminal (Ctr-Alt-T in Ubuntu) and execute this command

servuskevin@pegasus:~$ sudo iwlist wlan0 scanning

This command prints out a long list of all networks with their detailed information. Let’s scroll down till our victim “EasyBox-F1xxxx”, ok it’s MAC address is 88:25:2C:xx:xx:xx.

Ubuntu - MAC address of a access point

So we have what we need. Now let’s implement the algorithm and calculate the default password. If you’re lazy then I’ve written a small web app to calculate it

http://easyboxarcadyanstandardwpakey.apphb.com/

Easybox Arcadyan Standard Wpa Key

Go there, enter the MAC Address of victim and you’ll get the default password of that box. Of course this algorithm is only correct for router produced by Arcadyan Technology Corporation. If victim has another one, then … reverse yourself the algorithm and share with me. I also want to integrate more algorithms in that web app.

Here is the evidence that “Easybox-Fxxxxx” was hacked

Ubuntu - Network connected

So that is the first part of this blog. It’s about “cool” news from March and it maybe concerns only on people who live in Germany. The second part will discuss how we can crack a WPA/WPA2 password through WPS vulnerability. For more detailed information how this vulnerability works, I recommend you to read this article http://www.mediafire.com/?dmsp5nt7ga6duqr . I know it’s again “cool” news but I was really surprised that after months there is no update of firmware on for some routers therefore I think the exploit still works on a lot of routers. Through this vulnerability, the WPA password can be recovered in plain-text once the attack on the access point WPS is initiated, which takes me 10 hours on a Intel Petium Dual Core 2GHz with Backtrack. The duration depends on which program you use to crack and your CPU.

This exploit defeats WPS via an intelligent brute force attack to the static WPS (Wi-Fi Protected Setup) PIN. This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2 allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. By guessing the PIN, the first 4-number will be checked and then, the final number is a checking number used to satisfy an algorithm. The complexity dramatically decreases the maximum possible authentication attempts needed from 10^8 =100.000.000 to 10^4 + 10^4 =20.000. And as the 8th digit of the PIN is always a checksum of digit one to digit seven, there are at most 10^4 + 10^3 =11.000 attempts needed to find the correct PIN.

WPS Brute force algorithm

So it’s just short description about the vulnerability. Let’s make an example with real network. This time we need a BackTrack Live CD, if you read my blog about hacking WEP before http://hintdesk.com/hacking-how-to-hack-wep-password-with-backtrack/, you’ll understand how BackTrack CD works. The second requirement is again a USB WLAN supporting monitor mode. I use my beloved Netgear Wg111v2. If you don’t have any, you can find a model like mine at Amazon from this link below.
Netgear Wg111v2 Usb Wifi Card Includes Driver Cd and USB Extender Cable

In Backtrack, Open a Terminal console and scan all available networks.

root@bt:~$ sudo iwlist wlan0 scanning

Choose one of available networks, notice his MAC address. We need MAC address later for reaver to exploit. In my case, I choose “ALICE-WLANxx” as my victim as example. Next step, we have to set our USB WLAN in monitor mode.

root@bt:~$ sudo airmon-ng start wlan0

Execute “reaver” to exploit this victim. Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WPS. It will determine an access point’s PIN and then extract the PSK. On average Reaver takes about 4 – 10 hours to extract the WPA PSK from the access point and roughly 95% of modern consumer-grade access points ship with WPS enabled by default. The code is published under http://reaver-wps.googlecode.com/ , there is also a professional version but a free one works already perfectly.

root@bt:~$ sudo reaver -i mon0 -b <MAC-ADDRESS-OF-VICTIM> -vv

Let your computer run, it takes long time to finish. When program finishes, you get time elapsed and the WPA PSK in plain text.

Backtrack reaver result

If you don’t want to use Reaver or it doesn’t work for your case. Then there is another tool called wpscrack.py, it’s a little faster but it only work for some types of router. You can download it from this link http://www.mediafire.com/?cdnlz85squ0jwu5 . To exploit, run this command after setting your USB WLAN to monitor mode.

root@bt:~$ sudo wpscrack.py –iface mon0 –client <YOUR-MAC-ADDRESS> –bssid <MAC-ADDRESS-OF-VICTIM> --ssid <NAME-OF-VICTIM> -v

It is really a serious vulnerability but I don’t understand why the vendors still always set WPS on as default. There are some routers were fixed but a lot of them are still vulnerable because there is no update for firmware to turn off WPS. The only thing you can do is use the old router without WPS or turn off WPS if your router allows. Nothing is now secure.

43 thoughts on “Hacking – How to hack WPA/WPA2 Password with BackTrack through cracking WPS?”

  1. hello, i was testing this and couldn’t help but notice something confusing: in your own tutorial, the MAC starts with 88:25:2C, yet in your app (and in the screenshot of the app), only MACs starting with 00:12:BF are supported.

    Please advise.

  2. @tom : That is bug of application. I fixed it. It should now work for any “Arcadyan Technology Corporation” router.

  3. Now at zhis time 11.06.2012 it isnt fixed, i have try it, it gives no answer to Macs with 88:25:2C:xx.

    Can you fix it again?

    Thx Chris

  4. Hi, great blog entry! I have a problem though… Obviously, Windows user.
    I have already used your calculator once, finding the MAC address of a router and did so with a cmd command. I forgot to write it down, and my searches don’t give any success now. Can’t find the command.
    Do you know it?
    Thank you.

  5. @Mark: You can use command “netsh wlan show all” to view all information of your available networks. For more detailed about this command, you can view with “netsh wlan show /?”. Regards.

  6. I can’t seem to be able to put wpscrack.py to work, it keeps repeating the same pin (0000000)
    I use backtrack 5r3 and I have installed scapy (2.2.0).

  7. @ramalhoms : Try with reaver as described in post, wpscrack.py is fast but it doesn’t work with all kinds of router.

  8. Hello, I would like to install the saver as the backtrack r2 wpscrack.pk I try gfustaria reaver since I do not like a lot and been seeing that this is much faster, please help me, or if a program that already has built I have it downloaded from the wpscrack.py here but not as ye tried installing do everything, I put the program on a usb and unzip it and pulled the two files on the desktop of backtrack 5R2 but not installed, then open a terminal and I copy the files and Pegos in terminal and nothing, please digamen as I have to install, Greetings …

  9. How about the following

    Vendor is: TP-LINK Technologies Co.,Ltd.. Only routers of Arcadyan Technology Corporation are supported

    Vendor is: HUAWEI TECHNOLOGIES CO.,LTD. Only routers of Arcadyan Technology Corporation are supported

    Vendor is: Research In Motion. Only routers of Arcadyan Technology Corporation are suppo

    http://easyboxarcadyanstandardwpakey.apphb.com/

  10. i already have pin code for router how can i usr reaver to hack fast not geuss the numbers and tack lots of time plesssssss replay to my email plllllese

  11. Great tool, unbelievable firms still make this mistake.

    One issue: 50:7E:5D shows-up using MAC Lookup As: Arcadyan Technology Corporation*
    But in your tool it says the vendor isn’t known and won’t calculate a key.

    Any chance this is a bug?

    Cheers,

    John.

    * http://aruljohn.com/mac.pl

  12. Hey ! thx for your guide, but i have a problem :S

    I have no internet connection at home, and since we are going to move out in a few months my parents dont plan to get internet for the rest of the time,
    I can use the wlan of one of my neighbors, but he lives one floor under my next door neighbor. I can only use his wlan because my lil sister is friends with a girl that lives their, and she once went there with her laptop, whichafter i found out their wlan passwor…

    However, the connection is really weak and i can only use it in a room where i usually have no access too. So i want to find out the key of one of my other neighbors so i have a better signal
    But most of them have alice and some named their w-lan so i dont know which router they have.

    Can you help me out?

  13. Vendor is: TP-LINK Technologies Co.,Ltd.. Only routers of Arcadyan Technology Corporation are supported

    Vendor is: HUAWEI TECHNOLOGIES CO.,LTD. Only routers of Arcadyan Technology Corporation are supported

    No algorithm for this ?

  14. Also mac addresses with 7c:4f:b5 are ones for Arcadyan Technology too.. Tool reports those as wrong too.

  15. I’ve made an app for Android, which calculates the default Pass for EasyBox Routers. (Like the Web-App here)
    Who wants to try simply search in the PlayStore for SpeedKey :)

    @admin
    Very good article, I also found this WPS bug before and can verify, that Reaver works best with Alice Routers made by Arcadyan. But I never had the time to share my experience in the way like you did.

  16. 1- how i can get victim MAC by windows software? name one ?

    2- if i have the pin code , how i can get access to the router ?

    sorry, for this stupid questions but i am not proffisional in this field

  17. Thanks for your guide!

    I am trying a mac address starting w/ 88:25:2C in your keygen but nothing happens. Noticed another comment mentioning the same problem. Is there way around this or will this be solved in your keygen? Thank you!

  18. Hello and thanks for the post.
    I checked the access points in my network and came up with the following result. There are different manufactures such as AVM, Netgear, Sphairon and Arcadyan and unknown as with regards to your website (see below). So I tried the Arcadyan routers. One of them actually started responding to the brute force attack. But then it suddenly did no longer accept the numbers and reaver tried the same over and over. The other two Arcadyans did not accept any number – reaver tried the first one again and again. So I tried another manufacturer Sphairon and I was lucky! I managed to gather the WPA PSK over night and now I can connect. It is a Alice router. Therefore, please update your post/website. The mac address is like 00:1C:28:76:??:??

    There are two routers which are not identified by your website – here are the mac addresses:
    1E:5A:3E:50:??:?? named DIRECT-i4[TV]UE46ES6100
    8A:25:2C:C9:??:?? named EasyBox-??????

    Thanks again. Happy surfing.

  19. @John:
    1. Maybe you already know that the hack with default key works only until Arcadyan fixes the problem. If the generated key doesn’t work, it means that
    - either victim has changed the default one
    - or victim has new generation of Arcadyan boxes which are already fixed.

    2. The brute force attack with reaver as discussed in post, works only if WPS of router is ON. If that feature is turned off, reaver can’t hack into. In new generation of routers, even if WPS is ON, you can’t hack it because they change the way they work. They don’t reply with clues for guessing WPS number anymore. Anyway, remember to use the latest version of reaver, may be there are some fixes in latest version.

    3. 00:1c:28:xx:xx:xx is from Sphairon Technologies GmbH, I updated the list. 1E:5A:3E:xx:xx:xx and 8A:25:2c:xx:xx:xx are not registered. I don’t know which vendor they are,too.

    Thank you very much for your feedback.

  20. Thanks for your reply. The vendor look-up already correctly stated Sphairon as the manufacturer of 00:1c:28:xx:xx:xx. I want to make sure you did not missed that: I successfully managed to hack into this one although it is not built by Arcadyan.

  21. Hi, I tried using the web app to gain access to an Arcadyan router, MAC address 84:9c:a6:xx:xx:xx. The web app gives the result “vendor: arcadyan technology corporation. Only routers of arcadyan technology corporation are supported.”

    Why do I get this message instead of a password? I should note that this concerns a VGV7519 router, not an EasyBox model.

    Thanks a lot for your help! Happy new year

  22. In you AppSite i put the mac 7F:4E….
    Its a easy box router and in your app say

    Vendor is: . Only routers of Arcadyan Technology Corporation are supported

  23. Hi Luis,
    can you give me at least the first 3 groups of MAC address. It seems to be a new MAC address.

    Moreover as I commented above, not all Easy Box are made by Arcadyan and maybe Arcadyan hat already fixed that bug. The tricks may now work only with old Arcadyan Easy Box.

  24. I don’t know if this is even relevant anymore, but with MAC addresses starting in 88:03:55, I get the result “Vendor is: Arcadyan Technology Corp.. Only routers of Arcadyan Technology Corporation are supported.”

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>