I live in Israel and work at HOT, a CATV company that provides Internet services.
The prime modem/router that you can get from this company is the "Hotbox DOCSIS 3.0 Cable Modem/Wireless Router", manufactured by SAGEMCOM.
There is also a new one, the "FiberBOX", that has the same issue explained below.
By default, the WiFi ESSID is HOTBOX-1234 (1234 is the last four characters of the box's CM-MAC).
And the password is the CM-MAC address.
Let's see all SAGEM MACs:
http://www.adminsubnet.com/mac-address-finder/sagem
As we already know the last four characters of the CM-MAC from the ESSID ('1234'), and we know the first six characters (the Vendor ID), we can bruteforce it pretty fast.
For example:
Your neighbour has a HOTBOX or a FiberBOX (the only difference is the ESSID: Fiber-1234), with the default ESSID 'HOTBOX-1DE4', ok?
We know the starting Vendor IDs (for example):
18622c
2c3996
2ce412
348aae
3c81d8
4c17eb
681590
6c2e85
7c034c
7c03d8
00789e
90013b
94fef4
c0ac54
c0d044
c8cd72
cc33bb
d86ce9
e8be81
e8f1b0
f08261
The last thing that we need to know is its 7th and 8th characters.
So, make a simple bash script that will capture the 'handshake', then create a dictionary with all possible MACs, and bruteforce that 'handshake' with pyrit (for example).
I promise, it will not take more than 10 seconds to crack the handshake.
Maybe I will post a script in the next posts.
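As an added example (not part of the original post, and not a HOT or Sagemcom tool), here is a Python self-audit for the owner of such a box: given the ESSID and the Wi-Fi passphrase read from the router's own configuration page, it reports whether the factory scheme described above is still in use, and it computes how few candidates that scheme leaves once the ESSID suffix and the vendor OUI list are known, which is why the 10-second figure above is plausible. The OUI set is the list from the post; the ESSID prefixes HOTBOX-/Fiber- and the case-insensitive matching are assumptions.

```python
"""Defender-side audit of the HOTBOX / FiberBOX default Wi-Fi credential scheme.

Constructed example, not code from the original post. Run it against your own
router's ESSID and passphrase to see whether the factory defaults are still set.
"""
import re

# Sagemcom OUIs as listed in the post (first six hex characters of the CM-MAC).
SAGEMCOM_OUIS = {
    "18622c", "2c3996", "2ce412", "348aae", "3c81d8", "4c17eb", "681590",
    "6c2e85", "7c034c", "7c03d8", "00789e", "90013b", "94fef4", "c0ac54",
    "c0d044", "c8cd72", "cc33bb", "d86ce9", "e8be81", "e8f1b0", "f08261",
}

# Assumption: the default ESSID is "<prefix>-<last four hex digits of CM-MAC>",
# with the prefixes HOTBOX (cable) and Fiber (FiberBOX) named in the post.
DEFAULT_ESSID_RE = re.compile(r"^(?:HOTBOX|Fiber)-([0-9A-Fa-f]{4})$", re.IGNORECASE)


def normalize_mac(value):
    """Return the 12 lowercase hex digits of a MAC-like string, or None.

    Accepts 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' and 'aabbccddeeff';
    anything that is not exactly 12 hex digits after stripping is not a MAC.
    """
    mac = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return mac if len(mac) == 12 else None


def audit_router(essid, passphrase):
    """Check which indicators of the factory credential scheme are present.

    Returns a dict of individual findings plus 'factory_default', which is True
    only when every indicator matches: default ESSID shape, passphrase is a MAC,
    the MAC belongs to a Sagemcom OUI, and the ESSID suffix equals the MAC's
    last four digits.
    """
    match = DEFAULT_ESSID_RE.match(essid.strip())
    mac = normalize_mac(passphrase)
    findings = {
        "default_essid_pattern": match is not None,
        "passphrase_is_mac": mac is not None,
        "sagemcom_oui": mac is not None and mac[:6] in SAGEMCOM_OUIS,
        "essid_suffix_matches_passphrase": (
            match is not None and mac is not None
            and match.group(1).lower() == mac[-4:]
        ),
    }
    findings["factory_default"] = all(findings.values())
    return findings


def remaining_candidates(n_ouis=len(SAGEMCOM_OUIS)):
    """Size of the passphrase search space under the default scheme.

    A MAC is 12 hex digits: 6 come from the OUI list, 4 are leaked by the ESSID,
    so only 2 digits (16**2 values) are unknown per OUI. With the 21 OUIs from the
    post that is 5376 candidates, versus 16**12 for an arbitrary 12-hex-digit
    secret, which is why an offline dictionary run finishes in seconds.
    """
    return n_ouis * 16 ** 2


if __name__ == "__main__":
    # Constructed sample values, not a real device.
    print(audit_router("HOTBOX-1DE4", "18:62:2C:AB:1D:E4"))
    print(audit_router("HOTBOX-1DE4", "correct horse battery staple"))
    print("candidates under default scheme:", remaining_candidates())
```

The only fix that matters is the one the audit points at: a network whose report shows `factory_default: True` should get a new ESSID that does not embed the MAC and a passphrase that is not derived from any device identifier.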
CM-MAC means the cable modem MAC, right?
Cable-Modem MAC
Hi,
Did you make a script to create a dictionary with all possible MACs?
yes sure, it is very simple :)
Can you share this script?
Is this vulnerability still relevant? I tried to find the MAC addresses of two networks with default ESSIDs but couldn't find any. One is 7915 and the other is 432C. Would really appreciate your help...
It is better to take the MAC addresses from the primary source:
https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries
Thanks, caught one.
Used Crunch to generate the last 6 characters with 4 of them known, as in:
@@4428
%%4428
@%4428
%24428
@=lowercase letters
%=numbers
The passwords are in lowercase.
Then used a Hashcat Combination Attack: one wordlist on the left with all the Sagemcom MAC prefixes, run against a wordlist that was crunched for those 2 missing letters/numbers.
Instant hit. GG WP. ez when you know that "secret" ;)