Last week I read a short news item in c’t magazine saying that the default password of the EasyBox router used by Vodafone, Telecom, Arcor in Germany … had been hacked by Sebastian Petters. That means that if someone uses the default settings of the EasyBox, you can get their WLAN password easily and then access their network. This default password is generated by an algorithm, and this algorithm was patented. Therefore, like other patents, the complete description of the algorithm is simply exposed on the internet (http://www.patent-de.com/20081120/DE102007047320A1.html if you can read German). As you can see, the algorithm is pretty simple: it just takes the MAC address of the router and makes some computations with base changes, XOR, addition… So all we have to do is get the MAC address of the victim, make our own copy of the algorithm and then generate the default WLAN password.
Let’s make an example. Almost all of my neighbors are ordinary people: they order DSL lines, install the hardware and leave all settings as they came from the factory. So here is a snapshot of all available wireless networks around me. Some of the SSID names were changed, but some of them are still the default, and I can easily recognize which ones are EasyBox routers.
I just choose one of them, for example “EasyBox-F1xxxx”, which gives me a good signal. Open a Terminal (Ctrl-Alt-T in Ubuntu) and execute this command:
servuskevin@pegasus:~$ sudo iwlist wlan0 scanning
This command prints out a long list of all networks with their detailed information. Let’s scroll down to our victim “EasyBox-F1xxxx”; OK, its MAC address is 88:25:2C:xx:xx:xx.
So we have what we need. Now let’s implement the algorithm and calculate the default password. If you’re lazy, I’ve written a small web app to calculate it.
Go there, enter the MAC address of the victim and you’ll get the default password of that box. Of course this algorithm is only correct for routers produced by Arcadyan Technology Corporation. If the victim has another one, then … reverse the algorithm yourself and share it with me. I also want to integrate more algorithms into that web app.
Here is the evidence that “Easybox-Fxxxxx” was hacked.
So that is the first part of this blog post. It’s about “cool” news from March, and it probably concerns only people who live in Germany. The second part will discuss how we can crack a WPA/WPA2 password through the WPS vulnerability. For more detailed information on how this vulnerability works, I recommend reading this article http://www.mediafire.com/?dmsp5nt7ga6duqr . I know it’s again “cool” news, but I was really surprised that after months there is still no firmware update for some routers, so I think the exploit still works on a lot of routers. Through this vulnerability, the WPA password can be recovered in plain text once the attack on the access point’s WPS is initiated; it took me 10 hours on an Intel Pentium Dual Core 2GHz with BackTrack. The duration depends on which program you use to crack it and on your CPU.
This exploit defeats WPS via an intelligent brute-force attack on the static WPS (Wi-Fi Protected Setup) PIN. This vulnerability exposes a side-channel attack against Wi-Fi Protected Access (WPA) versions 1 and 2, allowing the extraction of the Pre-Shared Key (PSK) used to secure the network. When a PIN is guessed, the first 4 digits are verified separately from the rest, and the final digit is a check digit that has to satisfy a checksum algorithm. Verifying the two halves separately dramatically decreases the maximum number of authentication attempts needed from 10^8 = 100.000.000 to 10^4 + 10^4 = 20.000. And as the 8th digit of the PIN is always a checksum of digits one to seven, at most 10^4 + 10^3 = 11.000 attempts are needed to find the correct PIN.
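To make the arithmetic above concrete, here is an added example that is not part of the original post and not code from the reaver project. It implements the WPS PIN check digit as defined in the Wi-Fi Protected Setup specification (digits 1, 3, 5 and 7 weighted by 3, digits 2, 4 and 6 weighted by 1) and computes the worst-case attempt counts for the three situations the text names: the full 8-digit PIN, halves verified separately, and halves verified separately with the 8th digit known to be a checksum. It talks to no network; its only purpose is to show why the design flaw, not the PIN length, decides how long the search takes, and why disabling WPS is the mitigation.

```python
# Added illustration of the WPS PIN search-space arithmetic (not from the
# original post). Only local computation; no radio or network access.


def wps_checksum_digit(first_seven: str) -> int:
    """Return the 8th (check) digit for the first seven digits of a WPS PIN.

    Weights follow the WPS specification: 3 for digits 1, 3, 5, 7 and
    1 for digits 2, 4, 6; the check digit makes the weighted sum a
    multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("need exactly seven decimal digits")
    acc = 0
    for i, ch in enumerate(first_seven):
        weight = 3 if i % 2 == 0 else 1
        acc += weight * int(ch)
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return int(pin[7]) == wps_checksum_digit(pin[:7])


def count_valid_pins_below(limit: int) -> int:
    """Count 8-digit PINs in [0, limit) that pass the checksum.

    Exactly one of the ten possible check digits fits each 7-digit
    prefix, so one PIN in ten is valid.
    """
    return sum(1 for n in range(limit) if is_valid_wps_pin(f"{n:08d}"))


def worst_case_attempts(halves_verified_separately: bool,
                        checksum_known: bool) -> int:
    """Maximum PIN guesses an attacker needs in each situation.

    - whole PIN verified at once, checksum ignored:   10^8
    - whole PIN verified at once, checksum known:     10^7 (valid PINs only)
    - halves verified separately, checksum ignored:   10^4 + 10^4
    - halves verified separately, checksum known:     10^4 + 10^3
    """
    if not halves_verified_separately:
        return 10**7 if checksum_known else 10**8
    second_half = 10**3 if checksum_known else 10**4
    return 10**4 + second_half


def reduction_factor() -> int:
    """How many times smaller the search is with both weaknesses present."""
    return worst_case_attempts(False, False) // worst_case_attempts(True, True)


if __name__ == "__main__":
    # "12345670" is the standard example of a well-formed WPS PIN.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("valid PINs among the first 10,000:", count_valid_pins_below(10**4))
    for split, chk in [(False, False), (True, False), (True, True)]:
        print(f"split={split!s:5} checksum={chk!s:5} ->",
              worst_case_attempts(split, chk))
    print("overall reduction factor:", reduction_factor())
```

The check digit is not a secret and adds no security; it exists only so mistyped PINs are rejected. The real damage comes from the access point acknowledging the first half on its own, which is why the only effective fix is a firmware that stops answering WPS PIN requests, or turning WPS off.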
So that’s just a short description of the vulnerability. Let’s make an example with a real network. This time we need a BackTrack Live CD; if you read my blog post about hacking WEP before http://hintdesk.com/hacking-how-to-hack-wep-password-with-backtrack/, you’ll understand how the BackTrack CD works. The second requirement is again a USB WLAN adapter supporting monitor mode. I use my beloved Netgear WG111v2. If you don’t have one, you can find a model like mine at Amazon via the link below.
Netgear Wg111v2 Usb Wifi Card Includes Driver Cd and USB Extender Cable
In BackTrack, open a Terminal console and scan all available networks:
root@bt:~$ sudo iwlist wlan0 scanning
Choose one of the available networks and note its MAC address. We need the MAC address later for reaver to exploit it. In my case I choose “ALICE-WLANxx” as my victim for this example. In the next step we have to set our USB WLAN adapter to monitor mode:
root@bt:~$ sudo airmon-ng start wlan0
Execute “reaver” to exploit this victim. Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WPS. It will determine an access point’s PIN and then extract the PSK. On average Reaver takes about 4 to 10 hours to extract the WPA PSK from the access point, and roughly 95% of modern consumer-grade access points ship with WPS enabled by default. The code is published at http://reaver-wps.googlecode.com/ ; there is also a professional version, but the free one already works perfectly.
root@bt:~$ sudo reaver -i mon0 -b <MAC-ADDRESS-OF-VICTIM> -vv
Let your computer run; it takes a long time to finish. When the program finishes, you get the time elapsed and the WPA PSK in plain text.
If you don’t want to use Reaver, or it doesn’t work in your case, there is another tool called wpscrack.py. It’s a little faster, but it only works for some types of routers. You can download it from this link http://www.mediafire.com/?cdnlz85squ0jwu5 . To exploit, run this command after setting your USB WLAN adapter to monitor mode:
root@bt:~$ sudo wpscrack.py --iface mon0 --client <YOUR-MAC-ADDRESS> --bssid <MAC-ADDRESS-OF-VICTIM> --ssid <NAME-OF-VICTIM> -v
It is really a serious vulnerability, but I don’t understand why vendors still always ship with WPS on by default. Some routers have been fixed, but a lot of them are still vulnerable because there is no firmware update to turn off WPS. The only thing you can do is use an old router without WPS, or turn off WPS if your router allows it. Nothing is secure now.