Sky Routers WPA

**samsung** · 04-30-2008, 01:39 PM

I know there was some talk about the security of the above routers, my girlfriend recently got broadband & a sky router, asked me to test it & see how vunerable it is.

So, I fireup BT, get my handshake all in under 1 min but no success on aircrack.....

To be honest, I think this & most routers now a days are pretty 1/2 decent, but this one in particular, I was unable to crack, mostly because of the default WPA key, which was obviously under the router I think the key was something like X57FxsKK now who has a key like that in their dictionary word list eh?

So to the satisfied look on my girlfriends face, I told her just leave it as it is & don't change it to something like my name, or her pets name which is easy & all will be fine

If anyone has managed to crack sky routers a different way, please share, but seeing it face on & trying it....... I don't think it can be done ( unless the average user will change their DEFAULT WPA KEY to a common used dictionary word

**Re@lity** · 04-30-2008, 02:13 PM

The issue was with their "custom firmware'd" DG834G's

Basically, they'd used a simple algorithm to chew up the MAC address and spit out a WPA key. The algorithm has been "discovered" and "reversed"
So, once you have the MAC you're almost home. No need for any hassles with handshake capturing or key cracking!

Nowadays they're using a new router (can't remember the make/model (2wire??) but it's a black one - you'll either have the white DG834G or "the black one"

)
They haven't used the same simple algorithm on the black ones, so it'll no longer work anyway.

There was also some talk about preparing a "rainbow table" for their WPA keys too.

They've been extremely weird about their whole setup really.
You can only find out your *own* username and password via a html injection attack on the router!

**samsung** · 04-30-2008, 04:24 PM

The one that she (my girlfriend has) is the small black one, I've not looked too much into how they set the algorithm, so not really sure on how it works the way you mentioned by being discovered & reversed, it's something I'd prob look into in the near future, but since I don't own one at my flat, I can't practice all that much

The usual default user/pass had been set for router browser - since she threw the paperwork away (women eh!)

So at least I was able to physically browse & change that for her & she's happy, prob sorted.

Cheers for reply & letting me know your thoughts

**Re@lity** · 04-30-2008, 07:17 PM

The black one is the new one which isn't "vulnerable" to the WPA thing.

As for the customised Netgear DG834G (white one):

The username and password I was referring to is the actual PPOA connection credentials.
They pre-set it all for you and then refuse to tell you what it is.
They want you to use the provided router, for some strange reason.
The firmware is customised from the standard Netgear one and omits the u/n & p/w, as well as other info, from the web-based GUI.
There is no ssh or telnet, etc running.
There is one r/w file in the system. Using an html injection technique you can force it to dump the contents from files containing your u/n & p/w etc, to the r/w file and then d/l the file onto your local machine

I haven't looked at the new "black" ones..........

**imported_Speedy** · 05-01-2008, 08:10 AM

I remember this one, they used the MAC address & an algorithm to generate the WPA key. BT's 2wire also suffers from the same issue.

anyhoo... these links that might help you dig deeper if u want, and i bet you do

https://www.cm9.net/skypass/ - this one covers three different router models

http://www.asininemonkey.com/netgear...#URL_Injection - this was the user / pass "recovery" for the old white netgear model. It also covers a few other interesting pieces.

After that there is the "Unofficial" sky user forums. There a fair bit of info in there but it needs trawling to get most out of it. It's not bad.

http://www.skyuser.co.uk/

enjoy

**hm2075** · 05-02-2008, 05:50 AM

Firstly we are confusing two issues

1 is the generation of the user and pass for the adsl connection
2 is the generation of the WPA key

1 is for changing to a different router, no use for us in pentesting
2 is what we need to concentrate on

its been done for the v1, do i know the algo? sure.... would I pass it on... not at this moment.

All the information is out there, its just a matter of figuring it out.... but lets do it the proper way, and that way we can do many other routers that use this method

Source codes for routers are available online, but some coding is non - gpl thats why you cant find the algo in there.

You need to get a working image, break it down into its relevant parts e.g bootloader, nvram etc, mount it in linux and start searching.

This is for the DG834G

http://www.vandersmagt.nl/1/firmware.php

It should be a similar method for the GT model.

Another method is to use an emulator such as gxemul in big endian mode, then run it, change mac address at console and carry on booting

**hm2075** · 05-02-2008, 06:25 AM

if you can find a uclibc decompiler that would be very useful to decomplie some of the binaries, i think the file "rc" is what we should be looking into

**NITRICACID2K** · 05-03-2008, 08:45 AM

shame there was no more replies to this HM as version 2 routers would be good also

**hm2075** · 05-08-2008, 04:36 PM

more info

download the source from here
ftp://downloads.netgear.com/files/GP...28_src.tar.bz2

then extract the target file

download IDA pro and open some of those files in there

target/usr/sbin is a good place to start, particularly the rc binary, remember its mipsb you need, should automatically sort this out

open files in unix -elf

I'll give you a tip on the algo ---- first function is that the mac address is passed thru md5sum

**norm360** · 05-16-2008, 11:58 AM

Here's an excerpt of the code for anybody interested.

Code:

.rodata:004172B0  32 68 68 58 00 00 00 00  2F 74 6D 70 2F 6D 61 63  2hhX..../tmp/mac
.rodata:004172C0  00 00 00 00 62 72 30 00  25 73 40 73 6B 79 64 73  ....br0.%s@skyds
.rodata:004172D0  6C 00 00 00 6D 64 35 73  75 6D 20 2F 74 6D 70 2F  l...md5sum /tmp/
.rodata:004172E0  6D 61 63 00 25 78 00 00  25 73 25 30 32 78 00 00  mac.%x..%s%02x..
.rodata:004172F0  25 73 25 64 00 00 00 00  53 4B 59 25 73 00 00 00  %s%d....SKY%s...
.rodata:00417300  77 69 66 69 5F 73 73 69  64 00 00 00 77 69 66 69  wifi_ssid...wifi
.rodata:00417310  5F 63 68 61 6E 6E 65 6C  00 00 00 00 25 63 00 00  _channel....%c..
.rodata:00417320  77 69 66 69 5F 70 73 6B  5F 70 77 64 00 00 00 00  wifi_psk_pwd....
.rodata:00417330  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

"The file /tmp/mac contains the router's MAC address converted to a ASCII string of 12 hex characters, and the md5sum program generates the MD5 hash function value for the specified file."

Here's a good site to perform hash functions _www.fileformat.info/tool/hash.htm

Maybe somebody with a better knowledge of programming can figure this out.

Regards

EDIT:

Is the MAC address used from the wireless interface? I can't see much point in the attack if it uses the MAC from the wired side.

BackTrack Linux - Penetration Testing Distribution

Thread: Sky Routers WPA

Thread Tools

Search Thread

Display

Sky Routers WPA

Posting Permissions