
UPC Wireless Passwords

  • 10-12-2013 5:52pm
    #1
    Registered Users, Registered Users 2 Posts: 133 ✭✭


    We did a blog post about UPC and the algorithm used on their routers back in November 2011 and followed up with another one today.

    Essentially, their default wireless passwords are uppercase alpha, 8 characters long providing a maximum of 208,827,064,576 possible passwords.

    We built a rig for under €200 which goes through the entire key space in under 30 days.

    It's possible to reduce the key space as they don't use the same characters sequentially in the password.

    Quote from our blog below:

    We recently purchased a used rig, comprising:
    • Windows 7
    • I3 Processor
    • 4GB RAM
    • 2TB Drive
    • Radeon HD 5850
    For a tidy sum of: €185.00


    We generated 26 dictionary files using “mask processor” by ATOM, piping each letter out to its own file, for example:
    • A: ./mp32 A?u?u?u?u?u?u?u > A.TXT = AAAAAAAA – AZZZZZZZ
    • B: ./mp32 B?u?u?u?u?u?u?u > B.TXT = BAAAAAAA – BZZZZZZZ
    • etc
    Each .txt file weighed in at around 60GB. The 26 files took up about 1.6TB of storage.


    We now had the complete key space, partitioned into 26 different files. This allowed us to distribute the brute force attack amongst multiple computers. There are other ways with ocl-hashcat but this was the simplest.


    Using our Radeon HD5850 on standard settings, we were hitting 80,000 keys per second. Breakdown below:
    • 26^8 = 208,827,064,576 ( 208 billion possible combinations )
    • 26^8 / 80,000 keys per second = 2,610,338 seconds
    • 2,610,338 / 60 seconds = 43,505 minutes
    • 43,505 / 60 minutes = 725 hours
    • 725 hours / 24 hours = 30 Days
    For €185, we had built a computer that could crack the default UPC wireless password within 30 days. The WPA-PSK handshake we used started with the letter D and was cracked within 96 hours.


    We ended up getting a second machine for the same price which resulted in our maximum cracking time being reduced to 15 days.


    If you’re using the default password on your UPC broadband connection, we recommend changing it immediately to a more secure password, using a mix of letters, numbers and symbols.


    If you have any queries or questions on the above, please feel free to leave a comment.
    @planitcomputing


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Nice work. I wonder how easy it would be to incorporate compression on those text files. They would compress like nobody's business.

    On linux you could use a fifo and the application wouldn't even know it was reading a compressed file:

    mkfifo a.fifo.txt
    gzip A.TXT
    # run the decompressor in the background: a write to a fifo blocks until the reader opens it
    gunzip -dc A.TXT.gz > a.fifo.txt &

    then have the app read from a.fifo.txt

    edit: I also wonder how much it would cost to do it on an amazon AWS box. Probably very little.


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    That's interesting. I wonder how much you could reduce the file sizes (and processing time) by if you took out sequential characters.


  • Moderators, Computer Games Moderators, Technology & Internet Moderators, Help & Feedback Category Moderators Posts: 25,764 CMod ✭✭✭✭Spear


    A: ./mp32 A?u?u?u?u?u?u > A.TXT = AAAAAAAA – AZZZZZZZ
    B: ./mp32 B?u?u?u?u?u?u > B.TXT = BAAAAAAA – BZZZZZZZ
    etc

    Small typo there, that'll produce 7 characters, not 8.


  • Registered Users, Registered Users 2 Posts: 133 ✭✭PlanIT Computing


    Spear wrote: »
    Small typo there, that'll produce 7 characters, not 8.


    Thanks, just fixed it there.


  • Registered Users, Registered Users 2 Posts: 133 ✭✭PlanIT Computing


    hooplah wrote: »
    That's interesting. I wonder how much you could reduce the file sizes (and processing time) by if you took out sequential characters.

    26 x 25 x 25 x 25 x 25 x 25 x 25 x 25

    About 158 billion, compared to 208 billion
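
Putting the thread's arithmetic (the original post's breakdown and the 26 x 25^7 figure above) into a small calculator, as an added example that is not part of the thread; it also generalises to other password policies. The 95-character alphabet for the recommended mixed password and the even split of work across machines are my assumptions:

```python
"""Keyspace and worst-case cracking-time estimates for default router passwords.

Added example (not from the forum thread): reproduces the thread's numbers and
generalises them to other password policies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet_size: int
    length: int
    no_adjacent_repeat: bool = False  # the thread's "same character never used sequentially" rule

    def keyspace(self) -> int:
        """Number of candidate passwords the policy allows."""
        if self.no_adjacent_repeat:
            # first position is free; each later position must differ from its predecessor
            return self.alphabet_size * (self.alphabet_size - 1) ** (self.length - 1)
        return self.alphabet_size ** self.length


def worst_case_seconds(keyspace: int, keys_per_second: float, machines: int = 1) -> float:
    """Time to exhaust the whole keyspace, assuming an even split across machines."""
    return keyspace / (keys_per_second * machines)


def days(seconds: float) -> float:
    return seconds / 86400


# Policies: the UPC default as described in the thread, the no-adjacent-repeat variant,
# and the mixed-character password the thread recommends (95 printable ASCII, assumed).
UPC_DEFAULT = Policy("8 uppercase letters", 26, 8)
UPC_NO_REPEAT = Policy("8 uppercase, no adjacent repeat", 26, 8, no_adjacent_repeat=True)
MIXED_8 = Policy("8 printable ASCII (letters, digits, symbols)", 95, 8)

RATE = 80_000  # keys/s quoted in the thread for one Radeon HD 5850


def report(policy: Policy, rate: float = RATE, machines: int = 1) -> tuple[int, float]:
    """Return (keyspace, worst-case days) for a policy at a given rate and machine count."""
    ks = policy.keyspace()
    return ks, days(worst_case_seconds(ks, rate, machines))


if __name__ == "__main__":
    for p in (UPC_DEFAULT, UPC_NO_REPEAT, MIXED_8):
        ks, d = report(p)
        print(f"{p.name:45s} keyspace={ks:>22,d}  worst case @80k/s: {d:,.1f} days")
    print(f"two machines on the default policy: {report(UPC_DEFAULT, machines=2)[1]:.1f} days")
```

The mixed 8-character policy comes out at roughly 2,600 years at the same rate, which is the point of the thread's recommendation.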


  • Registered Users, Registered Users 2 Posts: 489 ✭✭0rt


    Who's taking orders to break handshakes so? :P


  • Registered Users, Registered Users 2 Posts: 197 ✭✭Eogclouder


    We did a blog post about UPC and the algorithm used on their routers back in November 2011 and followed up with another one today.

    Essentially, their default wireless passwords are uppercase alpha, 8 characters long providing a maximum of 208,827,064,576 possible passwords.

    We built a rig for under €200 which goes through the entire key space in under 30 days.

    It's possible to reduce the key space as they don't use the same characters sequentially in the password.

    Quote from our blog below:

    Rather than generating and saving that much data, why not write something simple that just gives you what you need at that moment in time?

    For example, you'd just give it a starting seed and have a set of rules for how it would progress, then all you'd need to store is the previous one tried; rules would be applied to give the next attempt and so on.

    if it's uppercase Alpha you essentially have a numeric value for each character.
    for example UTF8 "A" is 42,

    so AAAAAAAA is (42)(42)(42)(42)(42)(42)(42)(42)
    "Z" is 5a (90)
    so ZZZZZZZZ is (90)(90)(90)(90)(90)(90)(90)(90)

    These are min and max boundaries for what you'd need to generate. You can only try so many passwords at one interval of time which means you only need that amount per interval of time. Rather than having everything stored, you could just create what you need when you need it with a simple program.

    Once you give it a starting set of 8 characters, iteration is very easy to do. For progress you could simply have the last set, or single character, saved to a file; continuation would commence from there.

    so for example, you pass a string of "AAAAAAAA" as a starting condition to your program

    it outputs AAAAAAAB
    your brute-forcer tries this
    as it's trying it your program queues up the next one to try, and so on.
    Seems like it would be more efficient to do this way.
    (obviously you'd do it with multiple threads for speed and splitting the work-load)


    Am I missing something here?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I think that would require some coding (to alter the app that's taking the input).

    On linux you could use fifo's as I described before.

    mp64 outputs to the fifo, which the cracking program reads from.

    For fun I created the A.txt file (68G) and compressed it with gzip (18G) and bzip2 (5.4G). Both of these could be used too.

    I wonder what the cost for electricity is too. I presume it's not insignificant. Again I'd love to see what it would cost on an AWS or Rackspace virtual machine.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Can you link to the original blog post which talked about the algorithm itself?

    With the algorithm in one hand and a precompiled rainbow table in the other, I'm sure a faster way of cracking can be found.


  • Registered Users, Registered Users 2 Posts: 1 fleontrotsky


    The original password for my UPC router did indeed use characters sequentially.


  • Registered Users, Registered Users 2 Posts: 133 ✭✭PlanIT Computing


    The original password for my UPC router did indeed use characters sequentially.

    What router?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    The original password for my UPC router did indeed use characters sequentially.

    Mine too. EPC3925.


  • Registered Users, Registered Users 2 Posts: 133 ✭✭PlanIT Computing



    Damn - we had access to 16 routers and they were all non-sequential, should have kept quiet on that part :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q



    Damn - we had access to 16 routers and they were all non-sequential, should have kept quiet on that part :)

    The pass is most likely a hash of something, with each hash byte mod 26, where a result of 0 - 25 represents A-Z.


  • Registered Users, Registered Users 2 Posts: 489 ✭✭0rt


    syklops wrote: »
    Can you link to the original blog post which talked about the algorithm itself?

    With the algorithm in one hand and a precompiled rainbow table in the other, I'm sure a faster way of cracking can be found.

    I'd be interested in having a look as well.

