Thread: TRENDnet WPA disclosure & dictionaries

  1. #1
    Join Date
    2013-Sep
    Posts
    264

    TRENDnet WPA disclosure & dictionaries

    TRENDnet WPA disclosure & dictionaries for attack



    Previously disclosed in WiFi-libre
    * Fulldisclosure WPA TRENDnet
    * Diccionarios para routers TRENDnet




    Hi guys!
    I wanted to share with you this disclosure about TRENDnet routers I have been working on.
    So...
    ... Let's have a look at the default WPA key of a TRENDnet router:


    As you can see, the default key is 11 digits long.
    1. The first three digits are the numbers used in the model name.
      If the model is "TEW-818DRU", then the WPA passphrase will start with 818.
      If the model is a TEW-815DAP, then the first 3 digits of the passphrase will be 815.
      ... and so on...
    2. The last 8 digits are the same as the last 8 digits of the serial number.
      At the end of the serial, two digits are always the same according to the model (positions 2 and 3 in the string).


    In the end we have 6 unknown digits remaining.
    These 6 unknown digits are numbers.
    That gives us one million possible WPA passphrases,
    something that can be brute forced in a few minutes with any kind of hardware.

    The default ESSID contains the name of the model,
    so if the default SSID is in use an attacker would recover the WPA key nearly instantly.
    If the ESSID has been changed he would need to spend some more time, but not so much:
    by checking the maximum transmission rate in the probes he would already limit himself to something like 4-5 dictionaries to try.

    This is a little collection of dictionaries for TRENDnet.
    They are zipped, you just need to unzip them.
    Once you have unzipped them their size is a little more than 10 MB.
    I also give you "the formula" for every dictionary.
    All downloads are direct links without advertisement (Google Drive account).


    TEW-828DRU (ac 3200)
    formula : 828XRGXXXXX ( X are numbers )
    download : TEW-828DRU


    TEW-823DRU (ac 1750)
    formula : 823X23XXXXX ( X are numbers )
    download : TEW-823DRU


    TEW-820DAP (ac 1750)
    formula : 820X20XXXXX ( X are numbers )
    download : TEW-820DAP


    TEW-818DRU (ac 1900)
    formula : 818XRGXXXXX ( X are numbers )
    download : TEW-818DRU


    TEW-815DAP (ac 1750)
    formula : 815XACXXXXX ( X are numbers )
    download : TEW-815DAP


    TEW-813DRU (ac 1200)
    formula : GXXXRXXX ( X are numbers )
    download : TEW-813DRU


    TEW-812DRU (ac 1750)
    formula : 812XRDXXXXX ( X are numbers )
    download : TEW-812DRU


    TEW-811DRU (ac 1200)
    formula : 811XREXXXXX ( X are numbers )
    download : TEW-811DRU


    TEW-753DAP (n 600)
    formula : 753X7DXXXXX ( X are numbers )
    download : TEW-753DAP


    TEW-752DRU (n 600)
    formula : 752RDXXXXXX ( X are numbers )
    download : TEW-752DRU


    TEW-751DR (n 600)
    formula : 751RDXXXXXX ( X are numbers )
    download : TEW-751RD


    TEW-750DAP (n 600)
    formula : 750RDXXXXXX ( X are numbers )
    download : TEW-750DAP


    TEW-735AP (n 300)
    formula : 735X7AXXXXX ( X are numbers )
    download : TEW-735AP


    TEW-733GR (n 300)
    formula : 733RNXXXXXX ( X are numbers )
    download : TEW-733GR


    TEW-732BR (n 300)
    formula : 732X32XXXXX ( X are numbers )
    download : TEW-732BR

    I couldn't get data for absolutely all the models, so if you have any data, please share it.





    Take care && Enjoy!
    Last edited by kcdtv; 2015-08-09 at 20:22.
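    The following is an added example, not code from the thread or from kcdtv; it is written for owners auditing their own access point. It takes the formulas exactly as listed in the post above (X standing for one decimal digit) and answers two defensive questions: does the passphrase currently configured on a given model still follow the factory-default pattern, and how large is the search space that pattern leaves (the "one million" figure from the post). It also flags an SSID that still carries the model number, since the post notes that the default ESSID reveals which formula applies. The model table is a lookup constructed from the post, not TRENDnet documentation, and `ssid_reveals_model` is a simple substring heuristic I added.

    ```python
    import re

    # Default-key formulas as posted in the thread (X = one decimal digit).
    # Constructed lookup from the post; not taken from vendor documentation.
    DEFAULT_KEY_FORMULAS = {
        "TEW-828DRU": "828XRGXXXXX",
        "TEW-823DRU": "823X23XXXXX",
        "TEW-820DAP": "820X20XXXXX",
        "TEW-818DRU": "818XRGXXXXX",
        "TEW-815DAP": "815XACXXXXX",
        "TEW-813DRU": "GXXXRXXX",
        "TEW-812DRU": "812XRDXXXXX",
        "TEW-811DRU": "811XREXXXXX",
        "TEW-753DAP": "753X7DXXXXX",
        "TEW-752DRU": "752RDXXXXXX",
        "TEW-751DR": "751RDXXXXXX",
        "TEW-750DAP": "750RDXXXXXX",
        "TEW-735AP": "735X7AXXXXX",
        "TEW-733GR": "733RNXXXXXX",
        "TEW-732BR": "732X32XXXXX",
    }


    def formula_to_regex(formula):
        """Turn a formula such as '818XRGXXXXX' into an anchored regex:
        every X becomes a digit class, every other character is literal."""
        body = "".join(r"\d" if ch == "X" else re.escape(ch) for ch in formula)
        return re.compile("^" + body + "$", re.IGNORECASE)


    def keyspace_size(formula):
        """Number of passphrases a formula can produce: 10 per unknown digit."""
        return 10 ** formula.count("X")


    def matches_default_pattern(model, passphrase):
        """True if the passphrase fits the factory-default shape for this model,
        False if it does not, None if the model is not in the table."""
        formula = DEFAULT_KEY_FORMULAS.get(model.strip().upper())
        if formula is None:
            return None
        return bool(formula_to_regex(formula).match(passphrase.strip()))


    def ssid_reveals_model(ssid):
        """Heuristic (my assumption, not from the post): if the SSID still contains
        the three model digits, an attacker knows which formula to use."""
        for model in DEFAULT_KEY_FORMULAS:
            digits = model.split("-")[1][:3]
            if digits in ssid:
                return model
        return None


    def audit_passphrase(model, passphrase, ssid=""):
        """Summarise the exposure of one access point's current configuration."""
        formula = DEFAULT_KEY_FORMULAS.get(model.strip().upper())
        result = {
            "model_known": formula is not None,
            "looks_factory_default": matches_default_pattern(model, passphrase),
            "keyspace": keyspace_size(formula) if formula else None,
            "ssid_reveals_model": ssid_reveals_model(ssid),
        }
        if result["looks_factory_default"]:
            result["advice"] = "Replace the factory key with a long random passphrase."
        elif result["ssid_reveals_model"]:
            result["advice"] = "Rename the SSID so it no longer identifies the model."
        else:
            result["advice"] = "No default-key pattern detected."
        return result


    if __name__ == "__main__":
        # Constructed sample: a TEW-818DRU still on its shipped key and SSID.
        print(audit_passphrase("TEW-818DRU", "8185RG12345", ssid="TRENDnet818"))
    ```

    The regex is built from the formula rather than hand-written per model, so adding a model the thread later covers is a one-line table change; the search-space figure is derived the same way (six X positions give 10^6 for every formula listed, including the shorter TEW-813DRU one).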

  2. #2
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    beautiful. Thank you kcdtv =]
    Kali Linux USB Installation using LinuxLive USB Creator
    Howto Install HDD Kali on a USB Key
    Clean your laptop fan | basic knowledge

  3. #3
    Join Date
    2013-Sep
    Posts
    264
    I was not expecting feedback at 5:30 am, but it might be a more decent hour for you.
    Thanks! Have a good night (or day)

  4. #4
    Join Date
    2013-Aug
    Location
    lost in space
    Posts
    580
    I did not try any of it. Been Kali-less for a while now. Just recognized that it was (is) very well presented, and absent a more pertinent feedback from my end, thought that I'd encourage your clean and precise ways.. and it is 1:30 *should really get to bed* zzzz

  5. #5
    Nice work!
    This is a Kali-Linux support forum - not general IT/infosec help.

    Useful Commands: OS, Networking, Hardware, Wi-Fi
    Troubleshooting: Kali-Linux Installation, Repository, Wi-Fi Cards (Official Docs)
    Hardware: Recommended 802.11 Wireless Cards

    Search: https://www.kali.org/search/
    Documentation: http://docs.kali.org/ (Offline PDF version)
    Bugs Reporting & Tool Requests: https://bugs.kali.org/
    Kali Tool List, Versions & Man Pages: http://tools.kali.org/

  6. #6
    Awesome post, nice going !

    Just noticed that in the 'formula' for the 818 you note 818XGRXXXXX, but in the password list it is correctly listed as 818XRGXXXXX

  7. #7
    Join Date
    2013-Sep
    Posts
    264
    Oupssss. Yes indeed,
    I corrected the first post (I had the same mistake with TEW828DRU: the list is correct but I wrote the formula wrong, inverting G and R).
    Thank you TAPE,

  8. #8
    Join Date
    2013-Sep
    Posts
    264
    Some news:
    Thanks to kcD4MdG2yD9r we can see (if we understand disassembled firmware) the generation of the WPA key (the snapshot is from a TRENDnet TEW-818DRU firmware).

    I also forgot to say that the full disclosure has been published in English on "packet storm": TRENDnet WPA Default Key Brute Forcing
    Thanks Todd

    Post scriptum: If anyone has or finds on the web some data from TEW-824DRU (or any unsupported device, but especially this 824) please post it here or contact me through personal message here, mail or in wifi-libre. Thanks

  9. #9
    Join Date
    2015-Mar
    Posts
    141
    Excellent post! I would imagine that if any of these routers support WPS and broadcast their serial, it would make quick work of them!

  10. #10
    Join Date
    2015-Jun
    Posts
    48
    Really interesting, since the pixie-wps attack and reaver fork at times come up with serials instead of 000001 etc. like real ones, even against APs that don't yield pixie results. May be a new potential exploit in the works if they use serials or MAC addresses for their WPS generation algorithms.

  11. #11
    Join Date
    2013-Sep
    Posts
    264
    The majority of TRENDnet routers support WPS, and WPS is enabled with default settings, often with a unique PIN that cannot be changed in the web interface.
    You can check the default settings in the TRENDnet emulator pages: TRENDnet
    The couple of devices I could physically and wirelessly reach were not giving their serial number in the WPS probes (or it was a stupid string like 12345678).
    But there is a bunch of routers with very different chipsets and characteristics, so...

    About new flaws: I will publish here a thread about WPS and TRENDnet when I am back from holidays, with a little funny disclosure of the PIN algorithm for the 2 last models (ac3200 & ac1900); I didn't have time to do it before holidays - sorry about that - but I just need to settle down a little at home and prepare it (I will probably do it this weekend - holidays are finishing for me).
    One of my problems was that I wanted to write C code instead of bash for the "new reaver" team if they wanted to introduce it, but I didn't have time to learn enough...
    See you soon
