Predictable WPA keys for 2000 series modems

  • 13-06-2008 2:02pm
    #1
    Closed Accounts Posts: 1,567 ✭✭✭


    the default WPA keys on 2000 series routers from eircon are predictable.
    there is also a hidden backdoor on certain models from Motorama, not necessarily supplied by eircon.


Comments

  • Registered Users Posts: 2,745 ✭✭✭accensi0n


    the default WPA keys on 2000 series routers from eircon are predictable.
    there is also a hidden backdoor on certain models from Motorama, not necessarily supplied by eircon.


    Any more details AJ?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Any more details AJ?

    not at this time, maybe later.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    maybe some already know this, but if you type the word "magic" at the console of the netopia router, you get access to more commands and information:
    Terminal shell v1.0
    Copyright ©2006 Netopia, Inc.  All rights reserved.
    Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
    Running Netopia SOC OS version 7.7.0 (build r3)
    Multimode ADSL Capable
    (Admin completed login: Full Read/Write access)
    
    Netopia-2000/12345678> magic
     (poof!)
    
    Netopia-2000/12345678#
    
    brcm                          to read/write broadcom switch
    loopback                      to set the interface in loopback mode
    rma_count                     to perform RMA functions
    sslclient                     to send HTTPS request to the Server. Default Port is 433
    wan_type                      to Set WAN interface type
    ata                           to issue commands related to remote ATA configuration
    access_code                   to show if access code is valid
    bootflags                     to show or set the bootflags
    checksum                      to calculate and display the cksums
    console                       to make this session the console
    mem                           to display or edit system memory
    trace                         to toggle routing tracing
    crash                         to cause system death
    adsldebug                     to debug commands
    dsm                           to DSM commands
    set_language                  to set web display language
    peer-address                  to print IP address of this shell user
    

    inside each of those commands are more features again, which I haven't looked at much, but maybe somebody finds it interesting..


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    ...not necessarily supplied by eircon.

    correction, there are at least 2 logins which aren't documented and 1 of these works for the routers supplied by eircon.

    this means that even if an admin password is set, someone locally can still bypass it using 1 of the hidden credentials.

    you have full access to everything.
    there could be more hidden that I haven't come across yet.


  • Registered Users Posts: 1,530 ✭✭✭CptSternn


    This is not a new revelation. The eircom WPA backdoor has been out there for almost two years. Eircom is STILL selling all new routers with the same bad security. In fact, when they were contacted about this two years ago they claimed they had addressed the issue and that all customers affected had been notified.

    All appears to be ****e since no one I know who has eircom broadband was notified and to this day I can log on every eircom wireless router I find.

    There is another thread about this, but the short and skinny is this -

    All eircom wireless routers use the same naming convention -

    eircom 123 4567

    The last few digits then can be used to calculate the key. There were a few web pages that had a javascript that did it for you - just plunk in the number and it shoots out the key. I actually have a java app which does the same thing.


  • Advertisement
  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    CptSternn wrote:
    This is not a new revelation. The eircom WPA backdoor has been out there for almost two years

    can you cite sources please..I'm not aware the routers were ever shipped with WPA by default, from what I understand, it's always been WEP.
    CptSternn wrote:
    In fact, when they were contacted about this two years ago they claimed they had addressed the issue and that all customers affected had been notified.

    contacted by whom?
    CptSternn wrote:
    All appears to be ****e since no one I know who has eircom broadband was notified and to this day I can log on every eircom wireless router I find.

    please elaborate
    CptSternn wrote:
    The last few digits then can be used to calculate the key. There were a few web pages that had a javascript that did it for you - just plunk in the number and it shoots out the key. I actually have a java app which does the same thing.

    I think you're talking about the WEP key generator, what I'm discussing is not related to this problem.

    *New* routers being shipped have WPA enabled, and I claim that the WPA keys can be predicted remotely using some code.

    the backdoor being discussed.. it's simply alternate login credentials that can be used to bypass
    any admin gateway password.
    obviously for this to work, you need to be on the same network.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    in "magic mode" you have much more detail than regular mode.
    for example, using:
    show http pages
    

    you get a list of HTTP + XML pages available through port 80.
    below are the ones used for UPnP which is inherently insecure.
    /devdescr.xml
    /dslfdevdescr.xml
    /l3f_scdp.xml
    /dslf_devinfo.xml
    /dslf_lancfgsec.xml
    /dslf_devcfg.xml
    /ManagementServer.xml
    /wcic_scpd.xml
    /wipc_scdp.xml
    /wpppc_scpd.xml
    /wpc_scpd.xml
    /lhcm_scpd.xml
    /wlancfg.xml
    

    because there is no authentication, there is possibility for all kinds of silent attacks against the owner of a router.

    these are accomplished through simple UPnP commands, which have been demonstrated to work against BT HH routers by GnuCitizen, in various ways..

    it's of course possible to switch it off, although it may "break" some programs, correct me if I'm wrong.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    after talking with some people who had access to routers, apparently this doesn't work..so you may try and reply if it works or not.

    to bypass the admin gateway password, type for username: factory ; password: mqrrkcnd

    the other one isn't relevant.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    using the xtrakt utility, you can view the contents of each file in its raw state..

    for example, remote management passwords that eircon use to configure your router.
    in the router's configuration - telnet, web + snmp remote management is enabled by default.
    view config
    
    shows
     remote-mgmt
       telnet-enable on
       web-enable on
       snmp-enable on
       network-1 83.71.139.240
       netmask-1 255.255.255.240
       network-2 0.0.0.0
       netmask-2 0.0.0.0
       network-3 0.0.0.0
       netmask-3 0.0.0.0
       network-4 0.0.0.0
       netmask-4 0.0.0.0
       network-5 0.0.0.0
       netmask-5 0.0.0.0
       network-6 0.0.0.0
       netmask-6 0.0.0.0
       network-7 0.0.0.0
       netmask-7 0.0.0.0
       network-8 0.0.0.0
       netmask-8 0.0.0.0
       network-9 0.0.0.0
       netmask-9 0.0.0.0
       network-10 0.0.0.0
       netmask-10 0.0.0.0
    

    there are a number of IPs allocated for this purpose, as a simple whois will show.
    inetnum:      83.71.139.240 - 83.71.139.255
    netname:      EIRCOMNETOPIA
    descr:        Eircom Customer Assignment
    country:      IE
    admin-c:      PM3337-RIPE
    tech-c:       PM3337-RIPE
    status:       ASSIGNED PA
    mnt-by:       TE-MNT
    remarks:      Please send spam and other abuse complaints to abuse@eircom.net
    source:       RIPE # Filtered
    

    the username + password are rumoured to be u: admin p: solaris1 (or something like this)

    a list can be obtained from the firmware, here are some randomly lifted out..

    who knows what any of them are for..only one way to be sure is to disassemble the firmware.
    and you can do this using the xtrakt utility and a copy of IDA Pro.

    who can tell? maybe they're nothing, who cares?
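    As an added defender-side example (not code from the thread or from Netopia), a small Python audit of a remote-mgmt block in the format quoted above: it parses the enable flags and the network/netmask slots, flags cleartext management protocols, and lists the source ranges allowed to reach the management interface. The sample config is a constructed, trimmed copy of the block in the post.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the remote-mgmt block quoted above.
SAMPLE_CONFIG = """\
 remote-mgmt
   telnet-enable on
   web-enable on
   snmp-enable on
   network-1 83.71.139.240
   netmask-1 255.255.255.240
   network-2 0.0.0.0
   netmask-2 0.0.0.0
"""
CLEARTEXT = {"telnet", "snmp"}  # credentials/community strings sent in the clear

def parse_remote_mgmt(text):
    """Return ({proto: enabled}, [IPv4Network]); all-zero slots are unused."""
    enabled, nets, masks = {}, {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)-enable\s+(on|off)\s*$", line)
        if m:
            enabled[m.group(1)] = m.group(2) == "on"
            continue
        m = re.match(r"\s*(network|netmask)-(\d+)\s+(\S+)\s*$", line)
        if m:  # pair network-N with netmask-N later
            (nets if m.group(1) == "network" else masks)[int(m.group(2))] = m.group(3)
    ranges = []
    for slot, addr in sorted(nets.items()):
        mask = masks.get(slot, "0.0.0.0")
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            continue  # empty slot
        ranges.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return enabled, ranges

def audit_remote_mgmt(text):
    """Return findings a router owner should act on (empty list = clean)."""
    enabled, ranges = parse_remote_mgmt(text)
    findings = []
    for proto, on in sorted(enabled.items()):
        if on:
            kind = " (cleartext protocol)" if proto in CLEARTEXT else ""
            findings.append(f"{proto} remote management enabled{kind}")
    if any(enabled.values()) and not ranges:
        findings.append("remote management enabled with no source restriction")
    for r in ranges:
        findings.append(f"remote access allowed from {r} ({r.num_addresses} addresses)")
    return findings
```

    Run audit_remote_mgmt on a "view config" dump to see which management services are reachable and from where; the hardened state is every enable flag off, or at most web-enable on with a single tightly scoped network slot.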


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    is the WPA weakness in the router's firmware itself or again from the set-up cd?


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    i claim that the WPA keys can be predicted remotely using some code.

    Is this claim based on any evidence or actual code, or just the fact that eircom are so inept that it has to be the case?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    is the WPA weakness in the router's firmware itself or again from the set-up cd?

    the code is in the wizard on the setup cd, but there is no key generation.
    I reversed the 'factory' password algorithm which was also found there too.
    the program allows you to bypass admin password lock.
    Is this claim based on any evidence or actual code, or just the fact that eircom are so inept that it has to be the case?

    eircom didn't write the setup wizard, Netopia did - Netopia were also authors of the WEP key algorithm too - the company is now owned by Motorola of course.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    how is the key predictable?
    do you have this set-up software?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    yes, I got the wizard off a friend who had just signed up for broadband.

    neither WEP/WPA algorithms are used, but they are both in the exe..

    perhaps the key generator is optional for some ISPs only, and eircom didn't want the feature for their customers.

    so while not being used, the algorithms can still be reversed.

    DES + HMAC-SHA1 are 2 new crypto algorithms used in the wizard.

    I initially thought DES was part of the key generation, but it's only for encrypting debug logs using a static key..so yeah, you can decrypt these too.


  • Registered Users Posts: 53 ✭✭elrond


    Well, I suppose time will tell how true this is, but frankly, who'd be surprised?
    However, in another stunning display of incompetence, Eircom is shipping current gen. Netopia routers with the WPA pre-shared key on a label on the router and on the manual. The key is a 20 digit hex number. The letters in the number are in lowercase. The letters on the labels are, however, in upper case. Presumably there were Windows users involved here :-)

    Fortunately you can get straight into the box with a wired connection, and the key is visible in the wireless setup page (though of course it could otherwise be changed, and having read this thread, it will be as a precaution)

