Thread: What can someone do after discovering a "exploit"?

  1. #21
    Senior Member

    Re: What can someone do after discovering a "exploit"?

    Ok.. done some further study... And this algorithm definitely works with the Thomson TG585 v7 router. I have calculated the WPA PSK manually as well as with this python script http://pastebin.com/tjV2RZ23 and it matches.

    I am now talking about the Thomson TG585 v8.

    Here is an output of wps2key for TG585 v8:

    Code:
    root@bt:~/scripts/wpstools# ./wps2key.py -i mon0
    WARNING: No route found for IPv6 destination :: (no default route?)
    
    BSSID: 08:76:FF:10:4B:D4
    ESSID: Thomson104BD4
    ----------------------------------------------------------
    Version                           : 0x10
    WPS State                         : 0x02
    Response Type                     : 0x03
    UUID-E                            : 0x71a8e7f061795361a4c9736bfc330c12
    Manufacturer                      : THOMSON
    Model Name                        : Thomson TG
    Model Number                      : 585 v8
    Serial Number                     : 1040SF3DH
    DEFAULT KEY                       : 9438086AB8
    Primary Device Type               : 0x00060050f2040001
    Device Name                       : Thomson TG585 v8
    Config Methods                    : 0x0084
    RF Bands                          : 0x03

    I have also calculated the default key manually and arrived at the following SHA-1 hash:
    9438086ab83e2d16eaffccd167f4c0ef6aa6feae

    So far so good, except this is not the printed WPA PSK key..

    Here are the details printed on the sticker on the modem:

    Mac: 08:76:FF:10:0E:81 (Note the difference in MAC Address, I was rather surprised)
    Access Key: NRMWF6EN
    S/N: CP1040SF3DH
    WPA Key: CA0CFFE8B2

    Note that the printed key is different from what was calculated.

    So the question is: what is the new algorithm, and is there something I am doing wrong here?

    Regards

  2. #22
    Junior Member

    Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by Snayler View Post
    No! I'm not that smart. Back in April 2008, Kevin Devine discovered that flaw (calculating the default password from the serial number) and created a PoC where you can calculate all possible default passwords based on the last 6 chars of the default SSID. Around 2009/2010, Thomson (I guess) fixed this issue by changing the last chars of the SSID to the last 6 chars of the AP's MAC address. This fixed the vulnerability found by Kevin, but I discovered that the router freely announces its serial number through WPS. So I just had to check Kevin's discovery on how to calculate the default password from the serial number and ta-da! Vulnerability found. If you want, you can read more about Kevin's findings in the link posted by hannah. If you want a more hardcore explanation, you can read it here:
    Code:
    http://www.hakim.ws/st585/KevinDevine/
    Cheers!
    Thanks for the info! It's amazing he was able to reverse-engineer the setup installer to arrive at the conclusion.

    I'm most interested in this topic because I'm working on the exact same task with AT&T Uverse router configurations. I posted my progress in this thread: http://www.backtrack-linux.org/forum...ad.php?t=50963

    I'm pretty sure the default WPA PSK is derived from the BSSID somehow, because the serial number is just the decimal form of the BSSID. Using some kind of hashing function makes sense, because it's easy to ensure uniform output. I don't think there is any setup executable available for these routers, but I'm excited to try some different hashing methods to see what I get.

  3. #23
    Snayler (My life is this forum)

    Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by hannah View Post
    Mac: 08:76:FF:10:0E:81 (Note the difference in MAC Address, I was rather surprised)
    Access Key: NRMWF6EN
    S/N: CP1040SF3DH
    WPA Key: CA0CFFE8B2

    Note that the printed key is different from what was calculated.

    So the question is: what is the new algorithm, and is there something I am doing wrong here?

    Regards
    No, you're doing it right. That router has the new algorithm. You can check it by looking at the serial number: if it starts with 10 (meaning it was made in 2010), it will probably not be vulnerable (early 2010 routers are still exploitable). They started using the new algorithm on new routers and, as far as I know, this new algorithm is not known.

    Quote Originally Posted by ternarybit View Post
    Thanks for the info! It's amazing he was able to reverse-engineer the setup installer to arrive at the conclusion.

    I'm most interested in this topic because I'm working on the exact same task with AT&T Uverse router configurations. I posted my progress in this thread: http://www.backtrack-linux.org/forum...ad.php?t=50963

    I'm pretty sure the default WPA PSK is derived from the BSSID somehow, because the serial number is just the decimal form of the BSSID. Using some kind of hashing function makes sense, because it's easy to ensure uniform output. I don't think there is any setup executable available for these routers, but I'm excited to try some different hashing methods to see what I get.
    We currently have a case in my country where someone was able to dump the algorithm from a router distributed by a major ISP. The instructions are in Assembly for ARM and there is a community trying to reverse-engineer the instructions. So far it is known that the code is calculating the wpa-key based on the router's MAC address. I believe Thomson is using a similar technique on their new algorithm.
    Last edited by Snayler; 07-22-2012 at 10:26 AM.

  4. #24
    Senior Member

    Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by hannah View Post
    Code:
    root@bt:~/scripts/wpstools# ./wps2key.py -i mon0
    
    BSSID: 08:76:FF:10:4B:D4
    ESSID: Thomson104BD4
    (IMHO) the PSK key will be derived from the MAC address of the router, as the ESSID is derived from the MAC address. Still guesswork, though. It was mentioned in Post #12 anyway.
    Last edited by hannah; 07-22-2012 at 11:07 PM.

  5. #25
    Senior Member

    Re: What can someone do after discovering a "exploit"?


  6. #26
    Just burned their ISO

    Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by Snayler View Post
    Hi again! Someone edited the wpscan.py script to include the hash calculations for Thomson routers. If you want to give it a try, here's the modified code:
    pastebin - wps2key.py
    Could you please tell me how to use this? Or point me to a place where I can learn?

  7. #27
    thorin (My life is this forum)

    Re: Exploit Discovery

    Quote Originally Posted by snafu777 View Post
    Snayler,
    pentrite,

    English.... Learn it. Your grammar sucks.
    At least it made me learn a new word, whether he meant to or not: http://dictionary.reference.com/browse/evolute
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  8. #28
    Snayler (My life is this forum)

    Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by msramalho View Post
    Could you please tell me how to use this? Or point me to a place where I can learn?
    You can use it with your BT distro. Just download, and issue the following commands on a terminal (I'll assume you have root, so no need for sudo):
    Code:
    cd /directory/of/downloaded/wpscan/
    cp ./wpscan.py /usr/bin/wpscan
    chmod +x /usr/bin/wpscan
    After this, you can type "wpscan" into your terminal window and use the program.

  9. #29
    daedalus1776 (Senior Member)

    Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by msramalho View Post
    Could you please tell me how to use this? Or point me to a place where I can learn?
    Sure. Link: www.google.com

  10. #30
    Just burned their ISO

    Re: What can someone do after discovering a "exploit"?

    Quote Originally Posted by daedalus1776 View Post
    Sure. Link: www.google.com
    Of course I tried that first.
