Hacking – How to hack WPA/WPA2 Password with BackTrack through cracking WPS?
Last week I read a short news item in c't magazine saying that the default password of the EasyBox router used by Vodafone, Telecom, Arcor and others in Germany was hacked by Sebastian Petters. That means if someone is using the default settings of an EasyBox, you can get their WLAN password easily and then access their network. This default password is generated by an algorithm, and this algorithm was patented. Therefore, like other patents, the complete description of the algorithm was simply published on the internet (http://www.patent-de.com/20081120/DE102007047320A1.html, if you can read German). As you can see, the algorithm is pretty simple: it just takes the MAC address of the router and makes some computations with base changes, XOR, addition and so on. Therefore all we have to do is get the MAC address of the victim, implement the algorithm ourselves and then generate the default WLAN password.
Let's make an example. Almost all of my neighbors are ordinary people: they order DSL lines, install the hardware and leave all settings as they came from the factory. So here is a snapshot of all available wireless networks around me. Some SSID names were changed, but some of them are default and I can easily recognize which one is an EasyBox router.

I just choose one of them, for example "EasyBox-F1xxxx", which gives me a good signal. Open a Terminal (Ctrl-Alt-T in Ubuntu) and execute this command:
servuskevin@pegasus:~$ sudo iwlist wlan0 scanning
This command prints out a long list of all networks with their detailed information. Let's scroll down till our victim "EasyBox-F1xxxx"; ok, its MAC address is 88:25:2C:xx:xx:xx.

So we have what we need. Now let's implement the algorithm and calculate the default password. If you're lazy, I've written a small web app to calculate it:
http://easyboxarcadyanstandardwpakey.apphb.com/

Go there, enter the MAC address of the victim and you'll get the default password of that box. Of course this algorithm is only correct for routers produced by Arcadyan Technology Corporation. If the victim has another one, then … reverse the algorithm yourself and share it with me. I also want to integrate more algorithms into that web app.
Here is the evidence that "Easybox-Fxxxxx" was hacked:

So that is the first part of this blog post. It's about "cool" news from March and it maybe concerns only people who live in Germany. The second part will discuss how we can crack a WPA/WPA2 password through the WPS vulnerability. For more detailed information on how this vulnerability works, I recommend you read this article: http://www.mediafire.com/?dmsp5nt7ga6duqr . I know it's again "cool" news, but I was really surprised that after months there is still no firmware update for some routers, therefore I think the exploit still works on a lot of routers. Through this vulnerability, the WPA password can be recovered in plain text once the attack on the access point's WPS is initiated, which took me 10 hours on an Intel Pentium Dual Core 2GHz with BackTrack. The duration depends on which program you use to crack and on your CPU.
This exploit defeats WPS via an intelligent brute-force attack on the static WPS (Wi-Fi Protected Setup) PIN. The vulnerability is a side channel in the WPS exchange against Wi-Fi Protected Access (WPA) versions 1 and 2 that allows extraction of the Pre-Shared Key (PSK) used to secure the network. When a PIN is guessed, the access point verifies the first four digits separately from the rest, and the final digit is a checksum digit used to satisfy an algorithm. This dramatically decreases the maximum number of authentication attempts needed from 10^8 = 100.000.000 to 10^4 + 10^4 = 20.000. And as the 8th digit of the PIN is always a checksum of digits one to seven, there are at most 10^4 + 10^3 = 11.000 attempts needed to find the correct PIN.
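To make the numbers in the paragraph above reproducible, here is an added example that is not part of the original post. It implements the WPS PIN checksum rule from the Wi-Fi Protected Setup specification (digits weighted 3,1,3,1,3,1,3 from the left, checksum makes the weighted sum a multiple of 10; this is the same rule an access point uses to validate a PIN) and the worst-case attempt count under the three verification models the text describes: whole-PIN, split verification, and split verification with the checksum digit fixed. The function names and the sample PIN 12345670 are my own choices; 12345670 is the spec's well-known example PIN.

```python
# Added example: why an 8-digit WPS PIN offers far less than 10^8 of entropy.
# Not code from the original post; names are the author's own choices here.

def wps_pin_checksum(first_seven: str) -> int:
    """Return the checksum digit for a 7-digit WPS PIN prefix.

    WPS weights the digits 3,1,3,1,3,1,3 from left to right and chooses
    the eighth digit so that the weighted sum is a multiple of 10.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    acc = sum(int(d) * (3 if i % 2 == 0 else 1)
              for i, d in enumerate(first_seven))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit.

    This is the validation an access point performs on a submitted PIN;
    it is also why only 10^7 of the 10^8 eight-digit strings are real PINs.
    """
    return (len(pin) == 8 and pin.isdigit()
            and int(pin[7]) == wps_pin_checksum(pin[:7]))


def max_attempts(split_verification: bool, checksum_known: bool) -> int:
    """Worst-case number of PIN guesses needed to hit the correct PIN.

    - Whole-PIN verification: all 8 digits are independent -> 10**8.
    - Split verification (the WPS design flaw): the access point answers
      separately for the first 4 and the last 4 digits -> 10**4 + 10**4.
    - Split verification plus the checksum rule: only 3 digits of the
      second half are free -> 10**4 + 10**3.
    """
    if not split_verification:
        return 10 ** 8
    second_half = 10 ** 3 if checksum_known else 10 ** 4
    return 10 ** 4 + second_half


def entropy_summary() -> dict:
    """Collect the three figures quoted in the post for comparison."""
    return {
        "whole_pin": max_attempts(False, False),          # 100000000
        "split": max_attempts(True, False),               # 20000
        "split_with_checksum": max_attempts(True, True),  # 11000
    }


if __name__ == "__main__":
    sample = "12345670"  # constructed sample: the WPS spec's example PIN
    print(sample, "valid:", is_valid_wps_pin(sample))
    for label, attempts in entropy_summary().items():
        print(f"{label:>20}: {attempts:>10,} attempts")
```

The gap between 10^8 and 11,000 is the whole story of the flaw: a rate limit or lockout tuned for a 100-million-guess space is meaningless once the search is reduced to the order of ten thousand, which is why disabling WPS, rather than trusting the PIN length, is the fix.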

So that's just a short description of the vulnerability. Let's make an example with a real network. This time we need a BackTrack Live CD; if you read my blog post about hacking WEP before (http://hintdesk.com/hacking-how-to-hack-wep-password-with-backtrack/), you'll understand how the BackTrack CD works. The second requirement is again a USB WLAN adapter supporting monitor mode. I use my beloved Netgear WG111v2. If you don't have one, you can find a model like mine at Amazon via the link below.
Netgear Wg111v2 Usb Wifi Card Includes Driver Cd and USB Extender Cable
In BackTrack, open a Terminal console and scan all available networks:
root@bt:~$ sudo iwlist wlan0 scanning
Choose one of the available networks and note its MAC address. We need the MAC address later for reaver. In my case, I choose "ALICE-WLANxx" as my victim as an example. Next step: we have to set our USB WLAN adapter into monitor mode.
root@bt:~$ sudo airmon-ng start wlan0
Execute "reaver" to exploit this victim. Reaver is a WPA attack tool developed by Tactical Network Solutions that exploits a protocol design flaw in WPS. It determines an access point's PIN and then extracts the PSK. On average Reaver takes about 4 to 10 hours to extract the WPA PSK from the access point, and roughly 95% of modern consumer-grade access points ship with WPS enabled by default. The code is published at http://reaver-wps.googlecode.com/ ; there is also a professional version, but the free one already works perfectly.
root@bt:~$ sudo reaver -i mon0 -b <MAC-ADDRESS-OF-VICTIM> -vv
Let your computer run; it takes a long time to finish. When the program finishes, you get the time elapsed and the WPA PSK in plain text.

If you don't want to use Reaver, or it doesn't work in your case, there is another tool called wpscrack.py. It's a little faster, but it only works for some types of router. You can download it from this link: http://www.mediafire.com/?cdnlz85squ0jwu5 . To exploit, run this command after setting your USB WLAN adapter to monitor mode:
root@bt:~$ sudo wpscrack.py --iface mon0 --client <YOUR-MAC-ADDRESS> --bssid <MAC-ADDRESS-OF-VICTIM> --ssid <NAME-OF-VICTIM> -v
It is really a serious vulnerability, but I don't understand why vendors still set WPS on by default. Some routers were fixed, but a lot of them are still vulnerable because there is no firmware update to turn off WPS. The only thing you can do is use an old router without WPS, or turn WPS off if your router allows it. Nothing is secure now.

Hello, I was testing this and couldn't help but notice something confusing: in your own tutorial, the MAC starts with 88:25:2C, yet in your app (and in the screenshot of the app), only MACs starting with 00:12:BF are supported.
Please advise.
@tom: That is a bug of the application. I fixed it. It should now work for any "Arcadyan Technology Corporation" router.
Now at this time (11.06.2012) it isn't fixed; I have tried it, it gives no answer for MACs with 88:25:2C:xx.
Can you fix it again?
Thx, Chris
@chris: I tried with 88:25:2C:12:34:56 and it works, as the image at the following link shows:
http://hintdesk.com/Pics/2012%20-%2006/BlogRongchaua%2011.06.2012%200000.jpg
Can you tell me more exactly what error you have? A screenshot would be better.
Hi, great blog entry! I have a problem though… Obviously, Windows user.
I have already used your calculator once, finding the MAC address of a router, and did so with a cmd command. I forgot to write it down, and my searches don't give any success now. Can't find the command.
Do you know it?
Thank you.
@Mark: You can use the command "netsh wlan show all" to view all information about your available networks. For more details about this command, see "netsh wlan show /?". Regards.
I can't seem to get wpscrack.py to work; it keeps repeating the same PIN (0000000).
I use BackTrack 5 R3 and I have installed scapy (2.2.0).
Could someone help me, please?
@ramalhoms: Try reaver as described in the post; wpscrack.py is fast, but it doesn't work with all kinds of router.
Hello, I would like to install the saver as the backtrack r2 wpscrack.pk I try gfustaria reaver since I do not like a lot and been seeing that this is much faster, please help me, or if a program that already has built I have it downloaded from the wpscrack.py here but not as ye tried installing do everything, I put the program on a usb and unzip it and pulled the two files on the desktop of backtrack 5R2 but not installed, then open a terminal and I copy the files and Pegos in terminal and nothing, please digamen as I have to install, Greetings …
admin, can you send me your email address?
How about the following
Vendor is: TP-LINK Technologies Co.,Ltd.. Only routers of Arcadyan Technology Corporation are supported
Vendor is: HUAWEI TECHNOLOGIES CO.,LTD. Only routers of Arcadyan Technology Corporation are supported
Vendor is: Research In Motion. Only routers of Arcadyan Technology Corporation are suppo
http://easyboxarcadyanstandardwpakey.apphb.com/
@wireless: that means your routers are not supported.
Are you going to add algorithms for these routers?
@wireless: No, it takes time to reverse the algorithm.
I already have the PIN code for the router. How can I use reaver to hack fast, not guess the numbers and take lots of time? Pleeease reply to my email, pleeease.
Great tool, unbelievable firms still make this mistake.
One issue: 50:7E:5D shows up using MAC Lookup as: Arcadyan Technology Corporation*
But in your tool it says the vendor isn't known and won't calculate a key.
Any chance this is a bug?
Cheers,
John.
* http://aruljohn.com/mac.pl
@John: I updated the MAC list for Arcadyan. It should work now.
Hey! Thanks for your guide, but I have a problem :S
I have no internet connection at home, and since we are going to move out in a few months my parents don't plan to get internet for the rest of the time.
I can use the WLAN of one of my neighbors, but he lives one floor under my next-door neighbor. I can only use his WLAN because my lil sister is friends with a girl that lives there, and she once went there with her laptop, after which I found out their WLAN passwor…
However, the connection is really weak and I can only use it in a room where I usually have no access to. So I want to find out the key of one of my other neighbors so I have a better signal.
But most of them have Alice and some named their WLAN, so I don't know which router they have.
Can you help me out?
@Winchester: Try to get the MAC addresses of the routers and use this website to find out which router it is: http://easyboxarcadyanstandardwpakey.apphb.com/.
How can I download this software…Sir.
Vendor is: TP-LINK Technologies Co.,Ltd.. Only routers of Arcadyan Technology Corporation are supported
Vendor is: HUAWEI TECHNOLOGIES CO.,LTD. Only routers of Arcadyan Technology Corporation are supported
No algorithm for these?
@samual: Until now there is no algorithm for those kinds of routers.
Also MAC addresses with 7c:4f:b5 are Arcadyan Technology ones too. The tool reports those as wrong too.
@Bryan: The list was updated and the bug was fixed.
I've made an app for Android which calculates the default password for EasyBox routers (like the web app here).
Whoever wants to try it, simply search the Play Store for SpeedKey.
@admin
Very good article. I also found this WPS bug before and can verify that Reaver works best with Alice routers made by Arcadyan. But I never had the time to share my experience the way you did.
I thought all Vodafone boxes are EasyBoxes?
@Mpl: Maybe. But not all EasyBoxes are made by Arcadyan.
1. How can I get the victim's MAC with Windows software? Name one?
2. If I have the PIN code, how can I get access to the router?
Sorry for these stupid questions, but I am not a professional in this field.
@yehya: Read my answer to Mark in the comment section above; you'll find the command there. For the second question, run this command when you already have the WPS PIN:
reaver -i mon0 -a -f -c 4 -b MAC_ADDRESS_OF_VICTIM_ROUTER -vv -x 60 -L --pin=XXXXXXXX --mac=YOUR_MAC_ADDRESS #NAME_OF_WLAN
Read more at this link https://code.google.com/p/reaver-wps/issues/detail?id=203