TRENDnet WPA disclosure & dictionaries



kcdtv
2015-08-08, 03:10
TRENDnet WPA disclosure & dictionaries for attack



Previously disclosed in WiFi-libre
* Fulldisclosure WPA TRENDnet (https://www.wifi-libre.com/topic-199-fulldisclosure-wpa-trendnet.html)
* Diccionarios para routers TRENDnet (https://www.wifi-libre.com/topic-200-diccionarios-para-routers-trendnet.html#p1012)



http://pix.toile-libre.org/upload/original/1438999378.png

Hi guys!
I wanted to share with you this disclosure about TRENDnet routers I have been working on.
So...
... Let's have a look at the default WPA key of a TRENDnet router:


http://pix.toile-libre.org/upload/original/1438999777.png

As you can see the default key is 11 digits long.

The first three digits are the numbers used in the model name.
If the model is "TEW-818DRU", then the WPA passphrase will start with 818.
If the model is a TEW-815DAP, then the first 3 digits of the passphrase will be 815.
... and so on...
The last 8 digits are the same as the last 8 digits of the serial number.
At the end of the serial number, two digits are always the same depending on the model (positions 2 and 3 in the string).


At the end we have 6 unknown digits remaining.
These 6 unknown digits are numbers.
That gives us one million possible WPA passphrases,
something that can be brute forced in a few minutes with any kind of hardware.

The default ESSID contains the name of the model,
so if the default SSID is in use an attacker would recover the WPA key nearly instantly.
If the ESSID has been changed he would need to spend some more time, but not so much:
by checking the maximum transmission rate in the probes he would already limit himself to something like 4-5 dictionaries to try.

This is a little collection of dictionaries for TRENDnet.
They are zipped, you just need to unzip them.
Once you have unzipped them, their size is a little more than 10 MB.
I also give you "the formula" for every dictionary.
All downloads are direct links without advertisement (Google Drive account).


TEW-828DRU (ac 3200)
formula : 828XRGXXXXX ( X are numbers )
download : TEW-828DRU (https://drive.google.com/open?id=0B4KnE5P5kRPoc001cnJ3dHp3a3c)


TEW-823DRU (ac 1750)
formula : 823X23XXXXX ( X are numbers )
download : TEW-823DRU (https://drive.google.com/open?id=0B4KnE5P5kRPoSm1aa1laNU94OW8)


TEW-820DAP (ac 1750)
formula : 820X20XXXXX ( X are numbers )
download : TEW-820DAP (https://drive.google.com/open?id=0B4KnE5P5kRPocWlkRVY0eG1TS2s)


TEW-818DRU (ac 1900)
formula : 818XRGXXXXX ( X are numbers )
download : TEW-818DRU (https://drive.google.com/open?id=0B4KnE5P5kRPoLV9wRW1TNkRZR00)


TEW-815DAP (ac 1750)
formula : 815XACXXXXX ( X are numbers )
download : TEW-815DAP (https://drive.google.com/open?id=0B4KnE5P5kRPoLU5sUGNOZkxUNEE)


TEW-813DRU (ac 1200)
formula : GXXXRXXX ( X are numbers )
download : TEW-813DRU (https://drive.google.com/open?id=0B4KnE5P5kRPoNkhsVVlTRUdLMms)


TEW-812DRU (ac 1750)
formula : 812XRDXXXXX ( X are numbers )
download : TEW-812DRU (https://drive.google.com/open?id=0B4KnE5P5kRPocmpsLXgyYmV5VVk)


TEW-811DRU (ac 1200)
formula : 811XREXXXXX ( X are numbers )
download : TEW-811DRU (https://drive.google.com/open?id=0B4KnE5P5kRPoRzEtTFlTRzY3ZDA)


TEW-753DAP (n 600)
formula : 753X7DXXXXX ( X are numbers )
download : TEW-753DAP (https://drive.google.com/open?id=0B4KnE5P5kRPoMVc4S0JSYkZnRHc)


TEW-752DRU (n 600)
formula : 752RDXXXXXX ( X are numbers )
download : TEW-752DRU (https://drive.google.com/open?id=0B4KnE5P5kRPoV2lwb0xOX1o1M1U)


TEW-751DR (n 600)
formula : 751RDXXXXXX ( X are numbers )
download : TEW-751RD (https://drive.google.com/open?id=0B4KnE5P5kRPoNlVTOFpFV0labFE)


TEW-750DAP (n 600)
formula : 750RDXXXXXX ( X are numbers )
download : TEW-750DAP (https://drive.google.com/open?id=0B4KnE5P5kRPoc0tJZC1sb1FfUnc)


TEW-735AP (n 300)
formula : 735X7AXXXXX ( X are numbers )
download : TEW-735AP (https://drive.google.com/open?id=0B4KnE5P5kRPodl9GSnAta2pFVlU)


TEW-733GR (n 300)
formula : 733RNXXXXXX ( X are numbers )
download : TEW-733GR (https://drive.google.com/open?id=0B4KnE5P5kRPoT3BWRmNBQ2JERGM)


TEW-732BR (n 300)
formula : 732X32XXXXX ( X are numbers )
download : TEW-732BR (https://drive.google.com/open?id=0B4KnE5P5kRPoNEVrbTBzWXFhV0k)

I couldn't get data for absolutely all the models, so if you have any data, please share it.

Take care && Enjoy! :)
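The key structure described in the post above lends itself to a simple self-audit: given a configured passphrase (and, if you have the label in front of you, the model and serial), decide whether it still fits the factory-default pattern and how small the remaining keyspace is. The following is an added example written for this thread; it is not kcdtv's code, not TRENDnet's firmware logic, and it only encodes the formulas exactly as listed in the post (note that the TEW-813DRU formula is 8 characters, so the "model digits + last 8 of serial" rule is only applied to the 11-character models). The passphrase and serial used in the usage lines are constructed samples.

```python
import re

# Default-key formulas as listed in the post above ("X" = one decimal digit).
# Models not listed in the post are simply not covered here.
DEFAULT_KEY_FORMULAS = {
    "TEW-828DRU": "828XRGXXXXX",
    "TEW-823DRU": "823X23XXXXX",
    "TEW-820DAP": "820X20XXXXX",
    "TEW-818DRU": "818XRGXXXXX",
    "TEW-815DAP": "815XACXXXXX",
    "TEW-813DRU": "GXXXRXXX",
    "TEW-812DRU": "812XRDXXXXX",
    "TEW-811DRU": "811XREXXXXX",
    "TEW-753DAP": "753X7DXXXXX",
    "TEW-752DRU": "752RDXXXXXX",
    "TEW-751DR": "751RDXXXXXX",
    "TEW-750DAP": "750RDXXXXXX",
    "TEW-735AP": "735X7AXXXXX",
    "TEW-733GR": "733RNXXXXXX",
    "TEW-732BR": "732X32XXXXX",
}


def formula_to_regex(formula):
    """Turn a formula such as 818XRGXXXXX into an anchored regex (X -> one digit)."""
    body = "".join(r"\d" if ch == "X" else re.escape(ch) for ch in formula)
    return re.compile("^" + body + "$")


def keyspace(formula):
    """Number of candidate passphrases the formula leaves open: 10 per unknown digit."""
    return 10 ** formula.count("X")


def matching_models(passphrase):
    """All models whose default-key formula this passphrase fits (empty if none)."""
    return sorted(model for model, formula in DEFAULT_KEY_FORMULAS.items()
                  if formula_to_regex(formula).match(passphrase))


def is_factory_default(model, serial, passphrase):
    """Check the rule stated in the post for the 11-character models: the default
    passphrase is the three model digits followed by the last 8 characters of
    the serial number. Returns None when the model is unknown or has a formula
    of a different length (the TEW-813DRU), since the rule does not apply there."""
    formula = DEFAULT_KEY_FORMULAS.get(model)
    if formula is None or len(formula) != 11:
        return None
    model_digits = re.search(r"\d{3}", model).group(0)
    return passphrase == model_digits + serial[-8:]


def audit(passphrase, model=None, serial=None):
    """Summarise how exposed a configured passphrase is under the post's findings."""
    hits = matching_models(passphrase)
    report = {
        "fits_default_pattern": bool(hits),
        "candidate_models": hits,
        # Smallest keyspace among the matching formulas: how many guesses an
        # offline attack needs at most once the model is known.
        "smallest_keyspace": min((keyspace(DEFAULT_KEY_FORMULAS[m]) for m in hits),
                                 default=None),
        "is_factory_default": None,
    }
    if model is not None and serial is not None:
        report["is_factory_default"] = is_factory_default(model, serial, passphrase)
    return report


if __name__ == "__main__":
    # Constructed sample values (not a real device): a passphrase that follows the
    # TEW-818DRU formula, and a serial whose last 8 characters it copies.
    sample_passphrase = "8181RG23456"
    sample_serial = "AB1RG23456"
    print(audit(sample_passphrase, "TEW-818DRU", sample_serial))
    # A long random passphrase fits no formula and gets a clean report.
    print(audit("correct horse battery staple"))
```

Reading the report: `fits_default_pattern` alone is a strong hint that the key was never changed, `smallest_keyspace` is the one-million figure from the post for every listed formula, and `is_factory_default` confirms it outright when the serial on the label is known. Any passphrase that matches should be replaced with a long random one, and WPS should be disabled while you are in the settings.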

Quest
2015-08-08, 03:15
beautiful. Thank you kcdtv =]

kcdtv
2015-08-08, 03:25
I was not expecting feedback at 5'30 am but it might be a more decent hour for you. :D
Thanks! Have a good night (or day) :)

Quest
2015-08-08, 03:45
I did not try any of it. Been Kali-less for a while now. Just recognized that it was (is) very well presented, and absent a more pertinent feedback from my end, thought that I'd encourage your clean and precise ways.. and it is 1:30 *should really get to bed* ;) zzzz

g0tmi1k
2015-08-08, 17:10
Nice work!

TAPE
2015-08-09, 17:01
Awesome post, nice going!

Just noticed that in the 'formula' for the 818 you note 818XGRXXXXX, but in the password list it is correctly listed as 818XRGXXXXX.

kcdtv
2015-08-09, 20:27
Oupssss. Yes indeed,
I corrected the first post (I had the same mistake with the TEW-828DRU; the list is correct but I wrote the formula wrong, inverting G and R).
Thank you TAPE :D

kcdtv
2015-08-24, 21:33
Some news:
Thanks to kcD4MdG2yD9r we can see (if we understand disassembled firmware) the generation of the WPA key (the snapshot is from a TRENDnet TEW-818DRU firmware).
http://oi62.tinypic.com/r0twjk.jpg
I also forgot to say that the full disclosure has been published in English on "Packet Storm": TRENDnet WPA Default Key Brute Forcing (https://packetstormsecurity.com/files/132983/TRENDnet-WPA-Default-Key-Brute-Forcing.html)
Thanks Todd :)

Post scriptum: If anyone has or finds on the web some data from the TEW-824DRU (or any unsupported device, but especially this 824), please post it here or contact me through personal message here, mail or in wifi-libre. Thanks :)

aanarchyy
2015-08-25, 01:26
Excellent post! I would imagine that if any of these routers support WPS and broadcast their serial, it would make quick work of them!

deadlyhabit
2015-08-26, 07:20
Really interesting, since the pixie-wps attack and reaver fork at times come up with serials instead of 000001 etc. like real ones, even against APs that don't yield pixie results. May be a new potential exploit in the works if they use serials or MAC addresses for their WPS generation algorithms.

kcdtv
2015-08-26, 14:10
The majority of TRENDnet routers support WPS, and WPS is enabled with default settings, often with a unique PIN that cannot be changed in the web interface.
You can check the default settings in the TRENDnet emulator pages: TRENDnet (http://www.trendnet.com/products/emulators.asp)
The couple of devices I could physically and wirelessly reach were not giving their serial number in the WPS probes (or it was a stupid string like 12345678).
But there is a bunch of routers with very different chipsets and characteristics, so...

About new flaws: I will publish here a thread about WPS and TRENDnet when I am back from holidays, with a little funny disclosure of the PIN algorithm for the 2 last models (ac3200 & ac1900); I didn't have time to do it before holidays - sorry about that - but I just need to settle down a little at home and prepare it (I will probably do it this weekend - holidays are finishing for me :mad: ).
One of my problems was that I wanted to write C code instead of bash for the "new reaver" team if they wanted to introduce it, but I didn't have time to learn enough...
See you soon