So, it turns out there was already a tool capable of exploiting what I discovered, the only thing I am is the first person to notice this flaw on the maker routers, and now, bring it to public. The affected router brand is Thomson and, as I recently got access to a latest model of this routers (TG784n)*, I have to re-phrase my initial statement. This flaw can only be found on older models of this brand of routers.
*: I found a colleague with this kind of router, and he gave me visual access to the router (the only thing I needed to test the flaw) and the wireless key I got trough the calculations differed from the default wireless key found in the sticker. So I assume that newer models (maybe from 2010/11 to the future) do not have this vulnerability.
In order to explain my findings, I have to introduce some background:
As some (or all, given that we are on a security related forum) of you may know, back in 2008, Kevin Devine discovered a flaw in SpeedTouch and Thomson routers that would allow him to calculate the default wireless encryption key for each router. He released a tool capable of calculating and providing the user with the default password, only using the last 6 characters of the default SSID (More info @ GNUCitizen.org ).
But, somewhat around 2010, Thomson fixed this vulnerability by changing the last 6 digits of the default SSID (now they match the last 6 digits of the wireless interface MAC address, instead of the last 6 digits from the sha1 hash [read link above]). Unfortunately, it was still insecure, since with Kevin's findings, it was possible to generate a password list for every router made in 2010/2011 (and now 2012) that would substantially reduce the brute-force attack time against a WPA handshake (I talked about this vulnerability in this forums a while back, a quick search should reveal it). That must be why they changed the whole algorithm in newer models.
Now, with the recent discovery of WPS vulnerabilities, one of them being that the routers give too much information about themselves, such as maker, model and Serial Number ("Oh!" you say ), it was easy to develop a way to use this information to get the default wireless key:
Using a tool called wpscan (not the WordPress one) developed by SourceSec, an attacker could get a output like this (values are fictional):
From this, an attacker could check if the router has this flaw (by checking the model, in blue) and if it was vulnerable, he would grab the Serial Number and start the calculation process:
root@bt~#:wpscan -i mon0
Version : 0x10
WPS State : 0x02
Response Type : 0x03
UUID-E : 0xcx1x1xex8xfxfx0x8xax7x0xdxdx4x2x
Manufacturer : THOMSON
Model Name : Thomson TG
Model Number : 787
Serial Number : 1011TSABC
Primary Device Type : 0x0123456789012345
Device Name : Thomson TG787
Config Methods : 0x0001
RF Bands : 0x00
Add "CP" to the beginning of the string and remove "TS" value (always the 2 characters in-between the first 4 numbers and the last 3 characters):
Convert last 3 characters to hexadecimal (and convert lowercase to uppercase, case it has letters):
Process this last string trough sha-1:
Grab the first 10 digits, Uppercase them, and here is the default wireless key:
Note: If you're going to test this, please try to isolate your AP on a specific channel, airodump that channel and run wpscan after. I'm telling you this because "WPScan actively sends 802.11 probe requests to access points that advertise WPS support", and that could be considered illegal (I'm not sure, but just to be safe...).
P.S.: This vulnerability can be fixed by turning off WPS, wich is enabled by default. It can be done trough telnet (never found the option on the web interface), this site will help with the commands needed. Obviously, even after turning off WPS, the router will not be secure if it has the default password set (due to the other vulnerabilities I mentioned earlier).