
WiFi Scanner and Default WPS PIN Generator for Livebox 2.1 and Livebox Next from Orange (Spain)

Primary language: Shell (Bash 4.2). License: GNU General Public License v3.0 (GPL-3.0).

"Tool kit" to generate the default WPS PIN of the Spanish Livebox 2.1 and Livebox Next sold by Orange.
[livebox1]

Description

Naranja MekaniK (nmk) is a tool kit that offers several ways to generate the default WPS PIN of:

  • Arcadyan ARV7519RW22
  • Arcadyan ARV7520CW22
  • Arcadyan VRV9510KWAC23
    The first two access points are also known as Livebox 2.1; the third one is known as Livebox Next.

About the WPS vulnerability

The PIN algorithm was reverse-engineered and published by wifi-libre members: Todo sobre el algoritmo WPS Livebox Arcadyan (Orange-XXXX) ("Everything about the WPS algorithm of the Arcadyan Livebox (Orange-XXXX)").
It is similar to the one discovered by Stefan Viehböck on the Arcadyan EasyBox (Vodafone EasyBox Default WPS PIN Algorithm Weakness).
Orange has several million customers in Spain and has used these three AP models exclusively since 2012. Note that Orange remotely disabled WPS PIN mode on these devices after the full disclosure was published. The vulnerability is no longer exploitable unless the device has not been updated since August-September 2017.

Dependencies

nmk.sh requires wash 1.6.3 (or a later version) and its dependencies.
Steps to install the latest version of reaver (which includes wash) on a Debian-based system:

  • Install the dependencies
sudo apt install libpcap-dev
  • Install reaver
git clone https://github.com/t6x/reaver-wps-fork-t6x.git
cd reaver-wps-fork-t6x/src/
./configure
make
sudo make install

Visit the reaver t6x repository for more information about wash and reaver.

How to use nmk.sh?

  • Clone this repository
git clone https://github.com/kcdtv/nmk.git
  • Execute the script with administrator privileges
cd nmk; sudo bash nmk.sh
  • If several interfaces are available, the user is prompted to choose one
    [livebox3]
  • Once an interface is selected the scan begins; when a vulnerable target is detected it is reported together with its generated PIN
    [livebox4]
  • Press CTRL + C to stop the scan and the script.
    The interface is left in monitor mode so that a reaver attack with the default PIN can be run right away.
    Under good conditions the WPA keys of the ARV7520CW22 and VRV9510KWAC23 are recovered immediately. Because of a very poor implementation of the WPS protocol on the ARV7519RW22, recovering its WPA key is extremely tedious (not to say impossible).

How to use orangen.py

python orangen.py <last 4 digits of WAN MAC> <last 4 digits of serial number>

Free tip: the last four hex digits of the WAN MAC are the same as the last four digits of the default ESSID (Orange-XXXX). If the default ESSID is not in use, you can obtain those four digits by subtracting 2 from the BSSID (in hexadecimal).

How to use orangen.sh

Open a terminal in your "nmk" folder and invoke bash to execute the script

bash orangen.sh

The user is prompted to enter the BSSID (of the 2.4 GHz network) and the last four digits of the serial number.
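The BSSID/ESSID rule used by both orangen.py and orangen.sh (last four hex digits of the WAN MAC equal the suffix of the default ESSID, and the WAN MAC is the 2.4 GHz BSSID minus 2 in hexadecimal) is easy to get wrong by hand when the subtraction borrows across an octet boundary. The following is an added example, not code from the nmk project, that derives those four digits from a BSSID, checks whether a scanned ESSID is still the Orange default consistent with that rule, and validates the standard WPS PIN checksum digit of any 8-digit PIN before it is handed to reaver. It does not reproduce the Arcadyan PIN algorithm itself, which the page does not print; the scan entries are constructed, not real devices.

```python
"""Helpers around the BSSID -> WAN MAC -> default ESSID relationship.

Added example (not part of nmk). Facts used: WAN MAC = BSSID - 2 (hex),
and the default ESSID is "Orange-" + last four hex digits of the WAN MAC.
The WPS checksum is the standard 8th-digit check of the WPS PIN format.
"""
import re

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into a 48-bit integer."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)


def int_to_mac(value: int) -> str:
    """Render a 48-bit integer as an upper-case, colon-separated MAC."""
    if not 0 <= value < (1 << 48):
        raise ValueError("MAC value out of 48-bit range")
    hexstr = f"{value:012X}"
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def wan_mac_from_bssid(bssid: str) -> str:
    """Apply the page's rule WAN MAC = BSSID - 2 on the whole 48-bit value,
    so a borrow across an octet boundary is handled (…:01:00 -> …:00:FE)."""
    return int_to_mac(mac_to_int(bssid) - 2)


def wan_last4_from_bssid(bssid: str) -> str:
    """The four hex digits orangen.py expects as its first argument."""
    return wan_mac_from_bssid(bssid).replace(":", "")[-4:]


def default_essid_in_use(essid: str, bssid: str) -> bool:
    """True if the ESSID is the factory 'Orange-XXXX' and XXXX matches the
    value derived from the BSSID; a mismatch means a renamed network."""
    m = re.fullmatch(r"Orange-([0-9A-Fa-f]{4})", essid)
    return bool(m) and m.group(1).upper() == wan_last4_from_bssid(bssid)


def orangen_args(bssid: str, serial_last4: str) -> list:
    """Argument list for `python orangen.py <wan last4> <serial last4>`."""
    if not re.fullmatch(r"\d{4}", serial_last4):
        raise ValueError("serial suffix must be exactly four digits")
    return [wan_last4_from_bssid(bssid), serial_last4]


def wps_checksum_ok(pin: str) -> bool:
    """Standard WPS PIN check: digits at odd positions weigh 3, even weigh 1,
    and the 8th digit makes the weighted sum a multiple of 10."""
    if not re.fullmatch(r"\d{8}", pin):
        return False
    d = [int(c) for c in pin]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - total % 10) % 10 == d[7]


# Constructed scan entries (bssid, essid); not real access points.
SAMPLE_SCAN = [
    ("00:11:22:33:01:00", "Orange-00FE"),  # borrow across octet boundary
    ("AA:BB:CC:DD:EE:10", "Orange-EE0E"),  # consistent default ESSID
    ("AA:BB:CC:DD:EE:20", "Orange-1234"),  # suffix does not match BSSID
    ("DE:AD:BE:EF:00:02", "MiCasa"),       # renamed network
]


def candidates(scan):
    """Entries whose ESSID is still the default and consistent with the BSSID,
    returned as (bssid, essid, wan_last4)."""
    return [(b, e, wan_last4_from_bssid(b)) for b, e in scan
            if default_essid_in_use(e, b)]


if __name__ == "__main__":
    for bssid, essid, last4 in candidates(SAMPLE_SCAN):
        print(f"{bssid}  {essid}  WAN suffix {last4}")
```

For a renamed network (no "Orange-XXXX" ESSID) the WAN suffix still comes from wan_last4_from_bssid, which is exactly the case the tip above covers; the checksum function only tells you whether an 8-digit string is a well-formed WPS PIN, not whether it is the device's PIN.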

Credits

The full disclosure "Arcadyan livebox PIN generator" is a collective work by wifi-libre; scripts by kcdtv.