Page 1 of 2
Results 1 to 10 of 16

Thread: Sky Routers WPA

  1. #1

    Sky Routers WPA

    I know there was some talk about the security of the above routers; my girlfriend recently got broadband & a Sky router, and asked me to test it & see how vulnerable it is.

    So, I fire up BT, get my handshake all in under 1 min, but no success on aircrack.....

    To be honest, I think this & most routers nowadays are pretty 1/2 decent, but this one in particular I was unable to crack, mostly because of the default WPA key, which was obviously under the router. I think the key was something like X57FxsKK, now who has a key like that in their dictionary word list eh?

    So, to the satisfied look on my girlfriend's face, I told her just leave it as it is & don't change it to something like my name or her pet's name, which is easy, & all will be fine.

    If anyone has managed to crack Sky routers a different way, please share, but seeing it face on & trying it....... I don't think it can be done (unless the average user will change their DEFAULT WPA KEY to a commonly used dictionary word).

  2. #2
    Senior Member, joined Jan 2006, 1,334 posts

    The issue was with their "custom firmware'd" DG834G's

    Basically, they'd used a simple algorithm to chew up the MAC address and spit out a WPA key. The algorithm has been "discovered" and "reversed"
    So, once you have the MAC you're almost home. No need for any hassles with handshake capturing or key cracking!

    Nowadays they're using a new router (can't remember the make/model (2wire??) but it's a black one - you'll either have the white DG834G or "the black one").
    They haven't used the same simple algorithm on the black ones, so it'll no longer work anyway.

    There was also some talk about preparing a "rainbow table" for their WPA keys too.

    They've been extremely weird about their whole setup really.
    You can only find out your *own* username and password via an HTML injection attack on the router!
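The two points made so far (post #1: a random-looking default key is not in any wordlist; post #2: a key derived deterministically from the MAC address is weak no matter how random it looks) can be turned into a simple passphrase check. The following is an added example, not code from the thread or from any router firmware: it estimates the nominal entropy of a WPA passphrase from its character classes, flags dictionary words, and caps the effective entropy of a MAC-derived key at the number of unknown MAC bits. The wordlist is a constructed stand-in, the 24-bit ceiling (the OUI half of a MAC is public, per-vendor) and the 60-bit "acceptable" threshold are assumptions, and the key X57FxsKK is the one quoted in post #1.

```python
import math
import string

# Constructed stand-in for the "dictionary word list" post #1 refers to;
# a real check would load a full wordlist plus names of people and pets.
DICTIONARY = {"password", "fluffy", "michael", "sarah", "rex", "letmein",
              "broadband", "sky", "wireless"}


def nominal_entropy_bits(passphrase: str) -> float:
    """Bits of guesswork if each character were drawn uniformly from the
    character classes the passphrase actually uses (an upper bound)."""
    alphabet = 0
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(c in string.punctuation for c in passphrase):
        alphabet += len(string.punctuation)
    if alphabet == 0:
        return 0.0
    return len(passphrase) * math.log2(alphabet)


def contains_dictionary_word(passphrase: str) -> bool:
    """Exact match, or a longer dictionary word embedded in the passphrase
    (catches "fluffy2009"-style keys)."""
    lowered = passphrase.lower()
    if lowered in DICTIONARY:
        return True
    return any(word in lowered for word in DICTIONARY if len(word) >= 4)


def assess(passphrase: str, derived_from_mac: bool = False,
           mac_unknown_bits: int = 24) -> tuple:
    """Return (verdict, effective_bits, reasons) for a WPA passphrase."""
    reasons = []
    bits = nominal_entropy_bits(passphrase)
    if contains_dictionary_word(passphrase):
        reasons.append("contains a dictionary word or common name")
    if len(passphrase) < 12:
        reasons.append("shorter than 12 characters")
    if derived_from_mac:
        # A key that is a deterministic function of the BSSID is bounded by
        # the bits of the BSSID an observer does not already know. The OUI
        # (top 24 bits) identifies the vendor and is public, so at most the
        # low 24 bits are unknown; an ISP's batch of routers usually spans
        # far fewer. The 24-bit ceiling is an assumed upper bound.
        bits = min(bits, float(mac_unknown_bits))
        reasons.append("derived from the MAC address, effective entropy <= %d bits"
                       % mac_unknown_bits)
    # 60 bits is an assumed threshold, not a figure from the thread.
    verdict = "change it" if reasons or bits < 60 else "acceptable"
    return verdict, round(bits, 1), reasons


if __name__ == "__main__":
    samples = [("fluffy2009", False), ("X57FxsKK", False),
               ("X57FxsKK", True), ("correct-horse-battery-staple", False)]
    for pw, derived in samples:
        print(pw, assess(pw, derived))
```

The point the numbers make: X57FxsKK looks like roughly 48 bits of guesswork on its own, but if it is computed from the router's MAC the search space collapses to the unknown MAC bits, which is why post #2 says having the MAC puts you "almost home". The defensive conclusion for the end user is the same either way: replace the vendor default with a long passphrase that is neither a dictionary word nor derived from anything printed on the router.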

  3. #3

    The one that she (my girlfriend) has is the small black one. I've not looked too much into how they set the algorithm, so not really sure how it works the way you mentioned by being discovered & reversed; it's something I'd prob look into in the near future, but since I don't own one at my flat, I can't practice all that much.

    The usual default user/pass had been set for the router browser - since she threw the paperwork away (women eh!)

    So at least I was able to physically browse & change that for her & she's happy, prob sorted.

    Cheers for the reply & letting me know your thoughts.

  4. #4
    Senior Member, joined Jan 2006, 1,334 posts

    The black one is the new one which isn't "vulnerable" to the WPA thing.

    As for the customised Netgear DG834G (white one):

    The username and password I was referring to is the actual PPPoA connection credentials.
    They pre-set it all for you and then refuse to tell you what it is.
    They want you to use the provided router, for some strange reason.
    The firmware is customised from the standard Netgear one and omits the u/n & p/w, as well as other info, from the web-based GUI.
    There is no ssh or telnet, etc running.
    There is one r/w file in the system. Using an HTML injection technique you can force it to dump the contents of files containing your u/n & p/w etc. to the r/w file and then d/l the file onto your local machine.

    I haven't looked at the new "black" ones..........

  5. #5
    Junior Member, joined Apr 2007, 57 posts

    I remember this one, they used the MAC address & an algorithm to generate the WPA key. BT's 2wire also suffers from the same issue.

    Anyhoo... these links might help you dig deeper if you want, and I bet you do.

    https://www.cm9.net/skypass/ - this one covers three different router models

    http://www.asininemonkey.com/netgear...#URL_Injection - this was the user / pass "recovery" for the old white netgear model. It also covers a few other interesting pieces.

    After that there are the "Unofficial" Sky user forums. There's a fair bit of info in there but it needs trawling to get the most out of it. It's not bad.

    http://www.skyuser.co.uk/

    enjoy

  6. #6
    Member, joined Feb 2010, 204 posts

    Firstly, we are confusing two issues:

    1 is the generation of the user and pass for the ADSL connection
    2 is the generation of the WPA key

    1 is for changing to a different router, no use for us in pentesting
    2 is what we need to concentrate on

    It's been done for the v1. Do I know the algo? Sure.... Would I pass it on... not at this moment.

    All the information is out there, it's just a matter of figuring it out.... but let's do it the proper way, and that way we can do many other routers that use this method.

    Source code for routers is available online, but some of the code is non-GPL, that's why you can't find the algo in there.

    You need to get a working image, break it down into its relevant parts e.g. bootloader, nvram etc., mount it in Linux and start searching.

    This is for the DG834G:

    http://www.vandersmagt.nl/1/firmware.php

    It should be a similar method for the GT model.

    Another method is to use an emulator such as gxemul in big-endian mode, then run it, change the MAC address at the console and carry on booting.

  7. #7
    Member, joined Feb 2010, 204 posts

    If you can find a uclibc decompiler that would be very useful to decompile some of the binaries; I think the file "rc" is what we should be looking into.

  8. #8
    Just burned his ISO, joined Apr 2008, 3 posts

    Shame there were no more replies to this HM, as version 2 routers would be good also.

  9. #9
    Member, joined Feb 2010, 204 posts

    More info:

    Download the source from here:
    ftp://downloads.netgear.com/files/GP...28_src.tar.bz2

    Then extract the target file.

    Download IDA Pro and open some of those files in there.

    target/usr/sbin is a good place to start, particularly the rc binary. Remember it's mipsb you need; it should automatically sort this out.

    Open files in unix -elf.

    I'll give you a tip on the algo: the first function is that the MAC address is passed through md5sum.

  10. #10
    Just burned his ISO, joined May 2008, 6 posts

    Here's an excerpt of the code for anybody interested.

    Code:
    .rodata:004172B0  32 68 68 58 00 00 00 00  2F 74 6D 70 2F 6D 61 63  2hhX..../tmp/mac
    .rodata:004172C0  00 00 00 00 62 72 30 00  25 73 40 73 6B 79 64 73  ....br0.%s@skyds
    .rodata:004172D0  6C 00 00 00 6D 64 35 73  75 6D 20 2F 74 6D 70 2F  l...md5sum /tmp/
    .rodata:004172E0  6D 61 63 00 25 78 00 00  25 73 25 30 32 78 00 00  mac.%x..%s%02x..
    .rodata:004172F0  25 73 25 64 00 00 00 00  53 4B 59 25 73 00 00 00  %s%d....SKY%s...
    .rodata:00417300  77 69 66 69 5F 73 73 69  64 00 00 00 77 69 66 69  wifi_ssid...wifi
    .rodata:00417310  5F 63 68 61 6E 6E 65 6C  00 00 00 00 25 63 00 00  _channel....%c..
    .rodata:00417320  77 69 66 69 5F 70 73 6B  5F 70 77 64 00 00 00 00  wifi_psk_pwd....
    .rodata:00417330  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    "The file /tmp/mac contains the router's MAC address converted to an ASCII string of 12 hex characters, and the md5sum program generates the MD5 hash function value for the specified file."

    Here's a good site to perform hash functions: www.fileformat.info/tool/hash.htm

    Maybe somebody with a better knowledge of programming can figure this out.

    Regards

    EDIT:

    Is the MAC address used from the wireless interface? I can't see much point in the attack if it uses the MAC from the wired side.
