httpCRASH Posted April 21, 2012 (edited)

Hi, I have a couple of branded Netgear routers. I have direct console access and can see they are running OpenWrt Kamikaze (7.09), but I can't find the wireless conf. I know I can flash them with a standard OpenWrt image and get them running, but for the fun of it I would like to find the WPA2 key they already have, and see if they are all the same :D Does anyone know a way to display the key, or to locate the config file when it's not in the standard location?

EDIT: I have also tried to connect to one with Reaver to try and get the info via WPS, but Reaver won't associate, and it doesn't look like Win7 gets the WPS connection box either when trying to connect to it, but I know that WPS should be enabled on them, because that's the way they are paired (they are used as a network bridge).

Edited April 21, 2012 by httpCRASH
Mr-Protocol Posted April 21, 2012

check /etc/config/wireless or find / -name wireless
httpCRASH (Author) Posted April 21, 2012

> check /etc/config/wireless or find / -name wireless

Have tried both yesterday, without any luck, but is there another config file somewhere that tells the system what config files to use?
digip Posted April 22, 2012

If you know the password, just grep the system for it??
httpCRASH (Author) Posted April 23, 2012

> If you know the password, just grep the system for it??

Yes, but unfortunately I don't know the password. When you buy these boxes you have no access and can only pair them with the WPS buttons, and they are completely useless as anything other than a wireless bridge. If you flash them with a clean install of OpenWrt they work fine, but it would be more fun to find the wireless key and see if they are all the same from new :)
digip Posted April 23, 2012

Routers don't ship with WPA keys or settings on by default. Unless you bought it used or second hand, it should have no passwords set for anything, other than the default admin password out of the box, which if you have, you would be able to log on to the admin interface and see the screen showing the WPA password.
Mr-Protocol Posted April 23, 2012

Read: http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=hostapd/hostapd.conf
httpCRASH (Author) Posted April 24, 2012 (edited)

> Routers don't ship with WPA keys or settings on by default. Unless you bought it used or second hand, it should have no passwords set for anything, other than the default admin password out of the box, which if you have, you would be able to log on to the admin interface and see the screen showing the WPA password.

I'm sorry to say it, but you're totally wrong. These are bought branded and fully locked down directly from Viasat (a TV provider) with only one purpose: to make a wireless bridge from your internet connection to where you want your IPTV boxes. They don't tell the users that they are actually routers, and the instructions only say that you can press the WPS button to sync your units. The SSID is hidden, but I have found it as "Viasat-on-demand" and running WPA2.

Edited April 24, 2012 by httpCRASH
httpCRASH (Author) Posted April 24, 2012

> Read: http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=hostapd/hostapd.conf

Thanks, will look into that when I get home from work :)
digip Posted April 24, 2012

> I'm sorry to say it, but you're totally wrong. These are bought branded and fully locked down directly from Viasat (a TV provider) with only one purpose: to make a wireless bridge from your internet connection to where you want your IPTV boxes. They don't tell the users that they are actually routers, and the instructions only say that you can press the WPS button to sync your units. The SSID is hidden, but I have found it as "Viasat-on-demand" and running WPA2.

But that's a different scenario, if it's a "pre-configured" device from the TV company vs a new out-of-the-box router. I thought you bought a router, not something pre-configured. If they send these things out to customers in mass, they might all have the same passwords for easy configuration by techs over the phone.

Try the aircrack suite to capture the handshake and crack the hash by deauthing the TV or other connected devices, see if that works. As far as Reaver is concerned, I think that only allows you a connection via the WPS pin exchange, but doesn't actually show a WPA key handshake in any way. Only way to find out is sniff it while doing the pairing and see if aircrack finds a handshake during the pairing.

Once this device is on the network though, can you see its IP address? Can you nmap it, see what ports are open, like back door admin access over http on some random port? What happens if you MITM its connection with the rest of the network? Is it plain text data or all SSL/TLS encrypted traffic? I would imagine there has to be an administrative interface on some listening port for the management of the device, either for techs to update them or reset them before rolling out to customers.

Could also try a direct connection via crossover cable to the WAN interface on the device from your PC (if it has a WAN port on the back) and see what type of data it sends out, or use a LAN tap between the device and your router/modem or whatever it's connected to and see what kind of traffic it's sending. If you can find the name of the bin file it uses for configuration, you might be able to tftp pull it off the device and use other tools to uncompress the bin file and read through the data for the passwords. int0x80 mentioned a link to a tutorial on how to do this in another thread before but I don't have it handy. Search the forums for it.
httpCRASH (Author) Posted April 24, 2012 (edited)

> If they send these things out to customers in mass, they might all have the same passwords for easy configuration by techs over the phone.

Exactly my point, and if this is true I think it's a big security risk for the customers (if I can find the WPA key, others can too).

> As far as Reaver is concerned, I think that only allows you a connection via the WPS pin exchange, but doesn't actually show a WPA key handshake in any way.

I have just seen a couple of pics like these, and therefore thought Reaver might be useful ;)

> Once this device is on the network though, can you see its IP address? Can you nmap it, see what ports are open, like back door admin access over http on some random port? What happens if you MITM its connection with the rest of the network? Is it plain text data or all SSL/TLS encrypted traffic? I would imagine there has to be an administrative interface on some listening port for the management of the device, either for techs to update them or reset them before rolling out to customers. Could also try a direct connection via crossover cable to the WAN interface on the device from your PC (if it has a WAN port on the back) and see what type of data it sends out, or use a LAN tap between the device and your router/modem or whatever it's connected to and see what kind of traffic it's sending.

What exactly would you want this for? I already have root access with a TTL connection to the main board as shown above ;) I know that I could bruteforce the WPA, but because I have root access this should not be necessary in my opinion :)

Edited April 24, 2012 by httpCRASH
httpCRASH (Author) Posted April 24, 2012 (edited)

> Read: http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=hostapd/hostapd.conf

Okay, this is getting even more weird... hostapd.conf is not the right one either; it looks more like an example conf.

root@WN602:/# find / -name hostapd.conf
/etc/hostapd.conf
root@WN602:/# cat /etc/hostapd.conf |grep wpa
ssid=wpa-test
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# in wpa_key_mgmt.
#wpa=1
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# wpa_psk (dot11RSNAConfigPSKValue)
# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#wpa_passphrase=secret passphrase
#wpa_psk_file=/etc/hostapd.wpa_psk
#wpa_key_mgmt=WPA-PSK WPA-EAP
#wpa_pairwise=TKIP CCMP
#wpa_group_rekey=600
#wpa_strict_rekey=1
#wpa_gmk_rekey=86400
root@WN602:/#

EDIT: Think I got it, found this file, and the SSID looks right... WSC_ath0.conf

ignore_file_errors=1
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=Viasat-on-demand
dtim_period=2
max_num_sta=255
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wme_enabled=0
ieee8021x=0
eapol_version=2
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/etc/wpa2/hostapd.eap_user
#
# WEP Selected
#
#
# WPA-PSK Selected
#
wpa=2
wpa_passphrase=wn82M7a.9oLGQ
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_gmk_rekey=3600
#
# Open (NO) Security
#
#
# WSC configuration section
#
wps_disable=0
wps_upnp_disable=0
wps_version=0x10
wps_auth_type_flags=0x0023
wps_encr_type_flags=0x000f
wps_conn_type_flags=0x01
wps_config_methods=0x0086
wps_configured=1
# wps_configured=1
wps_rf_bands=0x03
wps_manufacturer=Netgear, Inc.
wps_model_name=WN602
wps_model_number=V2H1
wps_serial_number=none
wps_friendly_name=FriendlyNameHere
wps_manufacturer_url=http://manufacturer.url.here
wps_model_description=Model description here
wps_model_url=http://model.url.here
wps_upc_string=upc string here
wps_default_pin=20143107
wps_dev_category=6
wps_dev_sub_category=1
wps_dev_oui=0050f204
wp_dev_name=WN602(Wireless AP-2.4G)
wps_os_version=0x00000001
wps_atheros_extension=0
wps_ap_setup_locked=0
wps_upnp_ad_period=1800
wps_upnp_ad_ttl=4

Edited April 24, 2012 by httpCRASH
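An added example, not from the thread and not part of OpenWrt or hostapd, that ties together two points above: httpCRASH's worry that a key recoverable on one unit is shared by every unit shipped, and the hostapd-format WSC_ath0.conf that turned out to hold the wireless settings. Given a directory holding extracted firmware roots or config files pulled from several devices, the script finds every hostapd-style file with a live wpa_passphrase= or wpa_psk= line, skips commented-out samples like the stock /etc/hostapd.conf, and prints per file the SSID, key management, the WPS state and a truncated SHA-256 fingerprint of the credential instead of the credential itself, so identical defaults across devices show up as matching fingerprints without the key ever being written to a log. All directory names, file names and passphrases in the fixture are constructed for the demonstration.

```sh
#!/bin/sh
# psk-audit.sh: audit hostapd-style wireless configs across several devices
# for reused (default) WPA credentials without printing the credentials.

# Hash a string with whichever SHA-256 tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# First uncommented "key=value" in file $1 for key $2; empty if the key is
# absent or appears only in comments (as in the stock hostapd.conf example).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Every file under $1 carrying a live wpa_passphrase= or wpa_psk= line.
find_wpa_confs() {
    grep -rlE '^[[:space:]]*(wpa_passphrase|wpa_psk)=' "$1" 2>/dev/null | sort
}

# Fingerprint of the credential in config $1: first 12 hex chars of SHA-256
# over whichever of wpa_passphrase / wpa_psk is set, or "none".
psk_fingerprint() {
    cred=$(conf_get "$1" wpa_passphrase)
    [ -n "$cred" ] || cred=$(conf_get "$1" wpa_psk)
    if [ -n "$cred" ]; then
        sha256_of "$cred" | cut -c1-12
    else
        echo none
    fi
}

# One tab-separated summary line for config $1. wps_configured=1 with
# wps_ap_setup_locked=0 means the AP still accepts external WPS registrars.
summarize_conf() {
    f=$1
    printf '%s\tssid=%s\tkey_mgmt=%s\tpsk=%s\twps_configured=%s\tap_setup_locked=%s\n' \
        "$f" "$(conf_get "$f" ssid)" "$(conf_get "$f" wpa_key_mgmt)" \
        "$(psk_fingerprint "$f")" \
        "$(conf_get "$f" wps_configured)" "$(conf_get "$f" wps_ap_setup_locked)"
}

# Fingerprints that occur in more than one config under $1, one per line.
shared_fingerprints() {
    find_wpa_confs "$1" | while IFS= read -r f; do psk_fingerprint "$f"; done \
        | sort | uniq -d
}

# Full report: one summary line per config, then the reuse verdict.
audit_tree() {
    find_wpa_confs "$1" | while IFS= read -r f; do summarize_conf "$f"; done
    shared=$(shared_fingerprints "$1")
    if [ -n "$shared" ]; then
        echo "SHARED credential fingerprint(s) across devices: $shared"
    else
        echo "no credential is reused across configs"
    fi
}

# Constructed fixture: three "devices", two sharing one passphrase, plus a
# commented-out example file that must be ignored. Nothing here is real.
make_fixture() {
    d=$1
    mkdir -p "$d/dev1/etc" "$d/dev2/etc" "$d/dev3/etc" "$d/example"
    for n in 1 2; do
        printf 'ssid=Example-SSID\nwpa=2\nwpa_passphrase=sample-shared-psk\nwpa_key_mgmt=WPA-PSK\nwps_configured=1\nwps_ap_setup_locked=0\n' \
            > "$d/dev$n/etc/WSC_ath0.conf"
    done
    printf 'ssid=Example-SSID\nwpa=2\nwpa_psk=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\nwpa_key_mgmt=WPA-PSK\nwps_configured=1\nwps_ap_setup_locked=1\n' \
        > "$d/dev3/etc/WSC_ath0.conf"
    printf '#wpa_passphrase=secret passphrase\n#wpa_psk=0123456789abcdef\nssid=wpa-test\n' \
        > "$d/example/hostapd.conf"
}

# Usage: sh psk-audit.sh /path/to/extracted-firmware-roots
if [ -n "${1-}" ]; then
    audit_tree "$1"
fi
```

Run against a directory of unpacked firmware images or copied /etc trees; any fingerprint listed under SHARED is a default key common to more than one device, which is exactly the mass-deployment risk the thread raises. Rotating the passphrase per device (or having the provisioning system generate one per unit) is the fix; the fingerprint column lets you verify that without ever handling the plaintext.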
Laggboxx Posted July 1, 2013

> Okay, this is getting even more weird...

Hi, I'm just curious since I have the same units. How do you flash them? I've been trying to find a way for days and I feel I might lack some knowledge. Exactly what version of OpenWrt do you use, and are you flashing it through TFTP? Help would be much appreciated! Regards.