-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
16 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,11 @@ | ||
| /* | ||
| * ---------------------------------------------------------------------------- | ||
| * "THE BLASTY-WARE LICENSE" (Revision 1): | ||
| * <[email protected]> wrote this file. As long as you retain this notice and don't | ||
| * sell my work you can do whatever you want with this stuff. If we meet some | ||
| * day, and you think this stuff is worth it, you can intoxicate me in return. | ||
| * ---------------------------------------------------------------------------- | ||
| */ | ||
| /* | ||
| * upc_keys.c -- WPA2 passphrase recovery tool for UPC%07d devices | ||
| * =============================================================== | ||
|
|
@@ -6,21 +14,21 @@ | |
| * purely the ESSID. Sadly, these days aren't over yet. We've seen | ||
| * some excellent recent research by Novella/Meijer/Verdult [1][2] | ||
| * lately which illustrates that these issues still exist in recent | ||
| * devices/firmwares. I set out to dig up one of these algorithms | ||
| * and came up with this little tool. | ||
| * devices/firmwares. I set out to dig up one of these algorithms | ||
| * and came up with this little tool. | ||
| * | ||
| * The attack is two-fold; in order to generate the single valid | ||
| * WPA2 phrase for a given network we need to know the serialnumber | ||
| * of the device.. which we don't have. Luckily there's a correlation | ||
| * between the ESSID and serial number as well, so we can generate a | ||
| * list of 'candidate' serial numbers (usually around ~20 or so) for | ||
| * list of 'candidate' serial numbers (usually around ~20 or so) for | ||
| * a given ESSID and generate the corresponding WPA2 phrase for each | ||
| * serial. (This should take under a second on a reasonable system) | ||
| * | ||
| * Use at your own risk and responsibility. Do not complain if it | ||
| * fails to recover some keys, there could very well be variations | ||
| * out there I am not aware of. Do not contact me for support. | ||
| * | ||
| * | ||
| * Cheerz to p00pf1ng3r for the code cleanup! *burp* ;-) | ||
| * Hugs to all old & new friends who managed to make it down to 32c3! ykwya! | ||
| * | ||
|
|
@@ -29,12 +37,12 @@ | |
| * Cya, | ||
| * blasty <[email protected]> // 20151231 | ||
| * | ||
| * UPDATE 20160108: I added support for 5GHz networks. Specifying network | ||
| * type is mandatory now. But as a bonus you get less candidates. :-) | ||
| * | ||
| * P.S. Reversing eCos and broadcom CFE sux | ||
| * P.P.S. I don't think this is able to recover phrases for 5ghz networks | ||
| * atm but I will look into fixing this soon once I find some time, someone | ||
| * else can feel free to one up me as well. ;-) | ||
| * | ||
| * $ gcc -O2 -o upc_keys upc_keys.c -lcrypto | ||
| * $ gcc -O2 -o upc_keys upc_keys.c -lcrypto | ||
| * | ||
| * References | ||
| * [1] https://www.usenix.org/system/files/conference/woot15/woot15-paper-lorente.pdf | ||
|
|
||