Home / vulnerabilitiesPDF  

TRENDnet WPA Default Key Brute Forcing

Posted on 09 August 2015
Source : packetstormsecurity.org Link

 

TRENDnet WPA Disclosure (with dictionaries for brute force attack)

author : kcdtv
website(s): www.wifi-libre.com
www.crack-wifi.com

TIMELINE

Fully disclosed the 5th of august 2015 :
-
https://www.wifi-libre.com/topic-199-fulldisclosure-wpa-trendnet.html
(full disclosure - in spanish)
-
https://www.wifi-libre.com/topic-200-diccionarios-para-routers-trendnet.html
(attack dictionary)

DESCRIPTION of the BREACH

The WPA default key of TRENDnet access points are 11 digits long (8 in
one case)
The three first digits are the number used in the model name
The rest (8 last digits) is the end of the serial number of the device
where two digits are always known
That means that in a TRENDnet default WPA passphrase we have 5 known
digits and 6 unknown digits (2 knwon digits and 6 unknown digits when
key is 8 digits long)
This 6 unknown digits are numbers.
So we have 10⁶ possibles passphrase.
A brute force attack against an handshake can be easily done with any
kind of hardware in a few minutes (a few seconds with a good video card
and hashcat/pyrit)

MODELS AFFECTED

This list is not exhaustive; all TRENDnet routers seem to be affected by
this breach :

- TEW-828DRU (ac 3200)
- TEW-823DRU (ac 1750)
- TEW-820DAP
- TEW-818DRU (ac 1900)
- TEW-815DAP (ac 1750)
- TEW-813DRU (ac 1200)
- TEW-812DRU (ac 1750)
- TEW-811DRU (ac 1200)
- TEW-753DAP (n 600)
- TEW-752DRU (n 600)
- TEW-751DR (n 600)
- TEW-750DAP (n 600)
- TEW-735AP (n 300)
- TEW-733GR (n 300)
- TEW-732BR (n 300)
...to be continued...

DETAILS ABOUT THE WPA KEY STRUCTURE + DICTIONARY FOR ATTACK

The "X" are the 6 numbers that have to be brute-forced to recover the
default WPA passphrase

TEW-828DRU (ac 3200)
passphrase structure : 828XGRXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoc001cnJ3dHp3a3c

TEW-823DRU (ac 1750)
passphrase structure : 823X23XXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoSm1aa1laNU94OW8

TEW-820DAP
passphrase structure : 820X20XXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPocWlkRVY0eG1TS2s

TEW-818DRU (ac 1900)
passphrase structure : 818XGRXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoLV9wRW1TNkRZR00

TEW-815DAP (ac 1750)
passphrase structure : 815XACXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoLU5sUGNOZkxUNEE

TEW-813DRU (ac 1200)
passphrase structure : GXXXRXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoNkhsVVlTRUdLMms

TEW-812DRU (ac 1750)
passphrase structure : 812XRDXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPocmpsLXgyYmV5VVk

TEW-811DRU (ac 1200)
passphrase structure : 811XREXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoRzEtTFlTRzY3ZDA

TEW-753DAP (n 600)
passphrase structure : 753X7DXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoMVc4S0JSYkZnRHc

TEW-752DRU (n 600)
passphrase structure : 752RDXXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoV2lwb0xOX1o1M1U

TEW-751DR (n 600)
passphrase structure : 751RDXXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoNlVTOFpFV0labFE

TEW-750DAP (n 600)
passphrase structure : 750RDXXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoc0tJZC1sb1FfUnc

TEW-735AP (n 300)
passphrase structure : 735X7AXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPodl9GSnAta2pFVlU

TEW-733GR (n 300)
passphrase structure : 733RNXXXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoT3BWRmNBQ2JERGM

TEW-732BR (n 300)
passphrase structure : 732X32XXXXX
dictionary can be downloaded at
https://drive.google.com/open?id=0B4KnE5P5kRPoNEVrbTBzWXFhV0k

The dictionaries are about 10 MB each once they are unzipped.
All links are direct.
Enjoy! :)

SEVERITY OF THE BREACH

With the WPA keys an intruder can access the network and also decrypt
sniffed traffic
He could also perform much more intrusive action such as a Transparent
rogue AP with a MITM

RECOMMENDATION

- Users have to change the default WPA key by a stronger one.
- Manufacturers should never base their wpa key generation on an
element "externally guessable" (such as bssid, model, serial, essid
etc..) and they should always use at some point an irreversible hash
function in their algorithm.

 

TOP

Malware :

Exploits :