Free FIOS anyone?

Or how to “crack” super fast WEP in < 1 minute.

I’ve been known to “borrow” internet from time to time ::shifty eyes:: and my recent moves have been no different. The place I was at last month was served by Comcast so getting online was a breeze with some fancy tools, but since then I’ve now moved to a COX neighborhood and the amount of work involved has proven to be much more involved than original anticipated.

For the time being, I’m stuck waiting for COX to come out and plug in some stuff; without getting into too many details lets just say I didn’t feel like being a jerk to the techs and giving everyone on the block free TV/cable internet. More on this in a later post…

For now I was back to the old fashion wireless internet “auditing”. The nice thing about this location is the sheer number of people with some really nice high speed connections. I spent half a day blowing through as many AP’s as I could only to continuously stumble upon these 5 character long SSID’s that ended up belonging to FIOS users. Whats worse is the 64 bit WEP keys they where using where pretty similar too. Check it out:

9FRV0 : '1801169C95'
9YCQ3 : '1F905FA711'
A8GP8 : '1F90DF266A'
GV062 : '1801378BEC'
Q0BL2 : '1801426D0A'

*there where about 15 more just like these

Notice anything? Here’s a hint, the first 4 characters of the WEP key appear to be common with two variations, ’1801′ and ’1F90′, appearing in this sample set. These characters match up to the 2-6th wireless MAC address octets from the AP itself.

Now, you could capture some packets with aircrack and do something like:

aircrack-ng -d XXXX capturefile.cap

where XXX is the __:XX:XX:__:__:__ portion of the access points mac, but who has the time for that shit anymore ;)

At this point you should be appalled. This is security at its very worst. These users think they’re secure; as if it wasn’t bad enough that verizon is using WEP by default, a well known hackable wireless ‘encryption’. Lets delve a little deeper…

A quick google search led to someone mentioning that if you Base36 the SSID, convert it to hex, and throw that after the four characters from the MAC, it should equal the key.

Well then lets try! Let’s just use the ‘9FRV9‘ SSID from above to see if this really works.

I needed a base36 converter so I went here and did the following:
base36 of ssid: 15852492
base36 results in hex: F1E3CC

Wait wait wait, thats not right. The unknown part of our key should be ‘169C95‘!

After reading up on base36 I decided to try it myself and see what happens:
In [2]: b36d('9FRV0')
Out[2]: 1481877

In [3]: hex(1481877)
Out[3]: '0x169c95'

Well now that’s more like it!

So why the difference in my b36d function? Turns out this is not how you do base36! My implementation of base36 wasn’t reversing the string, and it appears I’m not the only one making this mistake ::cough::Verizon::cough::. That said, mine worked, so who cares.

So now giving the mac structure of: __:18:01:__:__:__ we can guess the key as: 1801169c95

Pretty cool stuff. I decided this was useful enough to automate so I threw together a quick script and its now up in a repo on my bitbucket. Check it out here:

I’m not going to internet white knight it and tell you not to use this information in a bad way; I’m not that naive. What I do want to stress is that you secure the networks of those you can help, and maybe lend a neighborly helping hand if you see this going on.

Verizon needs to seriously reconsider their actions here and re-evaluate how they handle their customers. Right now its a free for all on fiber internet, and eventually someones going to get burned by this.

Continue reading » · Written on: 05-20-09 · No Comments »

Leave a Reply