Jump to content

Trying To Find Wpa2 Key For Branded Netgear Router


httpCRASH

Recommended Posts

Hi,

I have a couple of branded Netgear routers, i have direct console access, and can see they are running openwrt KAMIKAZE (7.09)

but cant find the wireless conf, i know i can flash them with a standart openwrt image and get them running, but for the fun of it i would like to find the WPA2 key they have already, and see if they are all the same :D

anyone who knows a way to display the key, or to locate the config file when its not in the standart location?

EDIT: I have also tried to connect to one with reaver to try and get the info via WPS, but reaver wont associate, and it dossent look like win7 gets the WPS connection box either when trying to connect to it, but i know that WPS should be enable on them, because thats the way they are paired (they are used as a network brigde)

79347194-6A14-44DA-8ADE-D056D7768BB1.JPG

C0B742D0-857C-40EB-8C96-E6034C8DEBA5.JPG

8132CED7-7E19-4F71-A80E-2E1159DB922E.JPG

Edited by httpCRASH
Link to comment
Share on other sites

If you know the password, just grep the system for it??

Link to comment
Share on other sites

If you know the password, just grep the system for it??

yes, but unfortunally i dont know the password, when you buy theese boxes you have no access, and can only pair them with the WPS buttons.

and they are completly useless as anything other that a wireless bridge.

if you flash them with a clean install of openwrt they work fine, but it would be more fun to find the wireless key and see if they are all the same from new :)

Link to comment
Share on other sites

Routers don't ship with WPA keys or settings on by default. Unless you bought it used or second hand, it should have no passwords set for anything, other than the default admin passwod out fo the box, which if you have, you would be able to log on to the admin interface, and see the screen showing the WPA password.

Link to comment
Share on other sites

Routers don't ship with WPA keys or settings on by default. Unless you bought it used or second hand, it should have no passwords set for anything, other than the default admin passwod out fo the box, which if you have, you would be able to log on to the admin interface, and see the screen showing the WPA password.

im sorry to say it, but your totally wrong, theese are bought branded and fully locked down directly from Viasat (a TV provider) with only one purpose, to make a wireless bridge from your internet connection to where you want your IPTV boxes..

they dont tell the users that it is actually routers, and the instructions is only that you can press the WPS button to sync your units, the SSID is hidden, but i have found it as "Viasat-on-demand" and running WPA2

Edited by httpCRASH
Link to comment
Share on other sites

im sorry to say it, but your totally wrong, theese are bought branded and fully locked down directly from Viasat (a TV provider) with only one purpose, to make a wireless bridge from your internet connection to where you want your IPTV boxes..

they dont tell the users that it is actually routers, and the instructions is only that you can press the WPS button to sync your units, the SSID is hidden, but i have found it as "Viasat-on-demand" and running WPA2

But thats a different scenario, if its a "pre-configured" device from the TV company vs a new out of the box router. I thought you bought a router, not something pre-configured. If they send these things out to customers in mass, they might all have the same passwords for easy configuration by techs over the phone. Try the aircrack suite to capture the handshake and crack the hash by deauthing the TV or other connected devices, see if that works.

As far as Reaver is concerned, I think that only allows you a connection via the WPS pin exchange, but doesn't actually show a WPA key handshake in any way. Only way to find out is sniff it while doing the pairing and see if aircrack finds a handshake during the pairing.

Once this device is on the network though, can you see its IP address? Can you nmap it, see what ports are open, like back door admin access over http on some random port? What happens if you MITM its connection with the rest of the network. Is it plain text data or all SSL/TLS encrypted traffic? I would imagine there has to be an administrative interface on some listening port for the management of the device, either for techs to update them or reset them before rolling out to customers. Could also try a direct connection via crossover cable to the WAN interface on the device from your PC (if it has a WAN port on the back) and see what type of data it sends out, or use a LAN tap between the device and your router/modem or whatever its connected to and see what kind of traffic its sending.

If you can find the name of the bin file it uses for configuration, you might be able to tftp pull it off the device and use other tools to uncompress the bin file and read through the data for the passwords. int0x80 mentioned a link to a tutorial on how to do this in another thread before but I don't have it handy. Search the forums for it.

Link to comment
Share on other sites

If they send these things out to customers in mass, they might all have the same passwords for easy configuration by techs over the phone.

exactly my point, and if this is true i think its a big security risk for the customers (if i can find the WPA key others can too) :blink:

As far as Reaver is concerned, I think that only allows you a connection via the WPS pin exchange, but doesn't actually show a WPA key handshake in any way.

i have just seen a couple of pics like these, and therefore thought reaver might be useful ;)

wpshack1_copy-4f04a3f-intro.jpg

Once this device is on the network though, can you see its IP address? Can you nmap it, see what ports are open, like back door admin access over http on some random port? What happens if you MITM its connection with the rest of the network. Is it plain text data or all SSL/TLS encrypted traffic? I would imagine there has to be an administrative interface on some listening port for the management of the device, either for techs to update them or reset them before rolling out to customers. Could also try a direct connection via crossover cable to the WAN interface on the device from your PC (if it has a WAN port on the back) and see what type of data it sends out, or use a LAN tap between the device and your router/modem or whatever its connected to and see what kind of traffic its sending.

what exactly would you want this for? i already have root access with an TTL connection to the main board as shown above ;)

I know that i could bruteforce the WPA, but because i have root access this should not be nessesary in my opinion :)

Edited by httpCRASH
Link to comment
Share on other sites

okay, this is getting even more weird...

hostapd.conf is not the right one either, it looks more like an example conf.

root@WN602:/# find / -name hostapd.conf

/etc/hostapd.conf

root@WN602:/# cat /etc/hostapd.conf |grep wpa

ssid=wpa-test

# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.

# in wpa_key_mgmt.

#wpa=1

# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase

# wpa_psk (dot11RSNAConfigPSKValue)

# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)

#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

#wpa_passphrase=secret passphrase

#wpa_psk_file=/etc/hostapd.wpa_psk

#wpa_key_mgmt=WPA-PSK WPA-EAP

#wpa_pairwise=TKIP CCMP

#wpa_group_rekey=600

#wpa_strict_rekey=1

#wpa_gmk_rekey=86400

root@WN602:/#

EDIT: Think i got it, found this file, and the SSID looks right... WSC_ath0.conf

ignore_file_errors=1
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=Viasat-on-demand
dtim_period=2
max_num_sta=255
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wme_enabled=0
ieee8021x=0
eapol_version=2
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/etc/wpa2/hostapd.eap_user
#
# WEP Selected
#
#
# WPA-PSK Selected
#
wpa=2
wpa_passphrase=wn82M7a.9oLGQ
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_gmk_rekey=3600
#
# Open (NO) Security
#

#
# WSC configuration section
#

wps_disable=0
wps_upnp_disable=0
wps_version=0x10
wps_auth_type_flags=0x0023
wps_encr_type_flags=0x000f
wps_conn_type_flags=0x01
wps_config_methods=0x0086
wps_configured=1
# wps_configured=1
wps_rf_bands=0x03
wps_manufacturer=Netgear, Inc.
wps_model_name=WN602
wps_model_number=V2H1
wps_serial_number=none
wps_friendly_name=FriendlyNameHere
wps_manufacturer_url=http://manufacturer.url.here
wps_model_description=Model description here
wps_model_url=http://model.url.here
wps_upc_string=upc string here
wps_default_pin=20143107
wps_dev_category=6
wps_dev_sub_category=1
wps_dev_oui=0050f204
wp_dev_name=WN602(Wireless AP-2.4G)
wps_os_version=0x00000001
wps_atheros_extension=0
wps_ap_setup_locked=0
wps_upnp_ad_period=1800
wps_upnp_ad_ttl=4

Edited by httpCRASH
Link to comment
Share on other sites

  • 1 year later...

okay, this is getting even more weird...

Text

Hi, Im just curious since i have the same units. How do you flash them?

I've been trying to find a way for days and i feel i might lack some knowledge.

Exactly what version of Open Wrt do you use and are you flashing it trough TFTP ?

Help would be much appreciated!

Regards.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...