首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sky Broadband Router SR101 - Weak WPA-PSK Generation Algorithm
来源: http://www.planitcomputing.ie 作者:Matt 发布时间:2014-08-11  
# Exploit Title: Sky Broadband Router – Weak algorithm used to generate WPA-PSK Key
# Google Dork: 
# Date: 08/08/2014
# Author: Matt O'Connor / Planit Computing
# Advisory Link:  http://www.planitcomputing.ie/sky-wifi-attack.pdf 
# Version: 
# Category: Remote
# Tested on: Sky SR101 Router
  
  
  
The SR101 routers supplied by Sky Broadband are vulnerable to an offline dictionary attack if the WPA-PSK handshake is obtained by an attacker.
   
The WPA-PSK pass phrase has the following features:
•   Random
•   A to Z Uppercase only
•   8 characters long
•   208,827,064,576 possible combinations ( AAAAAAAA – ZZZZZZZZ ) 26^8
   
We notified Sky Broadband about the problem in January 2014 yet Sky Broadband are still supplying customers with routers / modems that use this weak algorithm.
At the time, graphics cards were expensive and clustering several machines was not financially viable to the average hacker.
  
We purchased a used rig in December 2013, comprising off:
•   Windows 7
•   I3 Processor
•   4GB RAM
•   2TB Drive
•   Radeon HD 5850
  
We generated 26 dictionary files using “mask processor” by ATOM, piping each letter out to its own file, for example:
  
A:  ./mp32 A?u?u?u?u?u?u?u > A.TXT = AAAAAAAA – AZZZZZZZ
B: ./mp32 B?u?u?u?u?u?u?u > B.TXT = BAAAAAAA – BZZZZZZZ
etc
  
Each .txt file weighed in at around 60GB’s each.  The 26 files took up about 1.6TB of storage.
  
We now had the complete key space, partitioned into 26 different files.  This allowed us to distribute the brute force attack amongst multiple computers.  There are other ways with ocl-hashcat but this was the simplest.
  
Using our Radeon HD5850 on standard settings, we were hitting 80,000 keys per second.  Breakdown below:
  
•   26^8 = 208,827,064,576 ( 208 billion possible combinations )
•   26^8 / 80,000 keys per second = 2,610,338 seconds
•   2,610,338 / 60 seconds = 43,505 minutes
•   43,505 / 60 minutes = 725 hours
•   725 hours / 24 hours = 30 Days
  
For €185, we had built a computer that could crack the default Sky Broadband wireless password within 30 days.  The WPA-PSK handshake we used started with the letter S and was cracked within 96 hours.
  
We ended up getting a second machine for the same price which resulted in our maximum cracking time being reduced to 15 days.
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SHARP MX Series - Denial of Se
·linux/x86 Run /usr/bin/python
·Hitron Technologies CDE-30364
·linux/x86 chmod(777 /etc/passw
·Symantec Endpoint Protection 1
·Yokogawa BKBCopyD.exe Client E
·Wordpress XMLRPC DoS Exploit
·D-Link AP 3200 Multiple Vulner
·CS-Cart 4.2.0 Session Hijackin
·SkaDate Lite 2.0 - Remote Code
·VirtualBox Guest Additions VBo
·Oxwall 1.7.0 - Remote Code Exe
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved