exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TRENDnet WPA Default Key Brute Forcing

TRENDnet WPA Default Key Brute Forcing
Posted Aug 6, 2015
Authored by kcdtv

TRENDnet WPA default keys are constructed insecurely making cracking achievable. In this advisory are links to useful dictionaries for cracking various models affected.

tags | advisory
SHA-256 | 14ea0ec60c2c7c9acb67d3c3f6ab17ec493e3b5ec2c93221dd1cec83e86c45d0

TRENDnet WPA Default Key Brute Forcing

Change Mirror Download
         TRENDnet WPA Disclosure (with dictionaries for brute force attack)

author : kcdtv
website(s): www.wifi-libre.com
www.crack-wifi.com

TIMELINE

Fully disclosed the 5th of august 2015 :
-
https://www.wifi-libre.com/topic-199-fulldisclosure-wpa-trendnet.html
(full disclosure - in spanish)
-
https://www.wifi-libre.com/topic-200-diccionarios-para-routers-trendnet.html
(attack dictionary)


DESCRIPTION of the BREACH

The WPA default key of TRENDnet access points are 11 digits long (8 in
one case)
The three first digits are the number used in the model name
The rest (8 last digits) is the end of the serial number of the device
where two digits are always known
That means that in a TRENDnet default WPA passphrase we have 5 known
digits and 6 unknown digits (2 knwon digits and 6 unknown digits when
key is 8 digits long)
This 6 unknown digits are numbers.
So we have 10⁶ possibles passphrase.
A brute force attack against an handshake can be easily done with any
kind of hardware in a few minutes (a few seconds with a good video card
and hashcat/pyrit)

MODELS AFFECTED

This list is not exhaustive; all TRENDnet routers seem to be affected by
this breach :

- TEW-828DRU (ac 3200)
- TEW-823DRU (ac 1750)
- TEW-820DAP
- TEW-818DRU (ac 1900)
- TEW-815DAP (ac 1750)
- TEW-813DRU (ac 1200)
- TEW-812DRU (ac 1750)
- TEW-811DRU (ac 1200)
- TEW-753DAP (n 600)
- TEW-752DRU (n 600)
- TEW-751DR (n 600)
- TEW-750DAP (n 600)
- TEW-735AP (n 300)
- TEW-733GR (n 300)
- TEW-732BR (n 300)
...to be continued...

DETAILS ABOUT THE WPA KEY STRUCTURE + DICTIONARY FOR ATTACK

The "X" are the 6 numbers that have to be brute-forced to recover the
default WPA passphrase

TEW-828DRU (ac 3200)
passphrase structure : 828XGRXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoc001cnJ3dHp3a3c

TEW-823DRU (ac 1750)
passphrase structure : 823X23XXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoSm1aa1laNU94OW8

TEW-820DAP
passphrase structure : 820X20XXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPocWlkRVY0eG1TS2s

TEW-818DRU (ac 1900)
passphrase structure : 818XGRXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoLV9wRW1TNkRZR00

TEW-815DAP (ac 1750)
passphrase structure : 815XACXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoLU5sUGNOZkxUNEE

TEW-813DRU (ac 1200)
passphrase structure : GXXXRXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoNkhsVVlTRUdLMms

TEW-812DRU (ac 1750)
passphrase structure : 812XRDXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPocmpsLXgyYmV5VVk

TEW-811DRU (ac 1200)
passphrase structure : 811XREXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoRzEtTFlTRzY3ZDA

TEW-753DAP (n 600)
passphrase structure : 753X7DXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoMVc4S0JSYkZnRHc

TEW-752DRU (n 600)
passphrase structure : 752RDXXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoV2lwb0xOX1o1M1U

TEW-751DR (n 600)
passphrase structure : 751RDXXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoNlVTOFpFV0labFE

TEW-750DAP (n 600)
passphrase structure : 750RDXXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoc0tJZC1sb1FfUnc

TEW-735AP (n 300)
passphrase structure : 735X7AXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPodl9GSnAta2pFVlU

TEW-733GR (n 300)
passphrase structure : 733RNXXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoT3BWRmNBQ2JERGM

TEW-732BR (n 300)
passphrase structure : 732X32XXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoNEVrbTBzWXFhV0k

The dictionaries are about 10 MB each once they are unzipped.
All links are direct.
Enjoy! :)

SEVERITY OF THE BREACH

With the WPA keys an intruder can access the network and also decrypt
sniffed traffic
He could also perform much more intrusive action such as a Transparent
rogue AP with a MITM

RECOMMENDATION

- Users have to change the default WPA key by a stronger one.
- Manufacturers should never base their wpa key generation on an
element "externally guessable" (such as bssid, model, serial, essid
etc..) and they should always use at some point an irreversible hash
function in their algorithm.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close