"Tool kit" to generate the default WPS PIN from spanish Livebox 2.1 and Livebox Next by Orange.
[]
Naranja MekaniK (nmk) is a tool kit that proposes different ways to generate the default WPS PIN from:
- Arcadyan ARV7519RW22
- Arcadyan ARV7520CW22
- Arcadyan VRV9510KWAC23
The two frist Access Points are also known as Livebox 2.1 and the third one is known as Livebox Next
The PIN algorithm was investigated and found by wifi-libre members: Todo sobre al algoritmo WPS Livebox Arcadyan (Orange-XXXX)
It is similar to the one discovered by Stefan Viehböck on Arcadyan easy-box: (Vodafone EasyBox Default WPS PIN Algorithm Weakness
0range has several millions of clients in Spain and has been using exclusivly this three AP models since 2012.
Notice that Orange disabled remotely the WPS PIN mode on this devices since the publication of the full disclosure. The vulnerability is no longer exploitable unless the device was not actualized since August-September 2017
nmk.sh requires wash 1.6.3 (or a superior version) and its dependencies.
Steps to follow in a debian based system in order to install the latest version of reaver (it includes wash):
- Install the dependencies
sudo apt install libpcap-dev
- Install reaver
git clone https://github.com/t6x/reaver-wps-fork-t6x.git
cd reaver-wps-fork-t6x/src/
./configure
make
sudo make install
Visit reaver t6x repository for more information about wash and reaver.
- Clone this repository
git clone https://github.com/kcdtv/nmk.git
- Execute the script with administrator privileges
cd nmk; sudo bash nmk.sh
- If several interfaces are avalaible user is prompted to choose one
[] - Once an interface is selected the scan begins and when a vulnerable target is detected it is reported with its PIN genrated
[] - Press CTRL + C to stop the scan and the script.
Interface is left in monitor mode in order to perform a reaver attack with the default PIN.
In good conditions the WPA keys from ARV7520CW22 and VRV9510KWAC23 are recovered inmediatly Due to a very bad implementation of the WPS protocole, recovering the WPA key from the ARV7519RW22 is extremly tedious (to not say impossible).
python orangen.py < 4 last digits mac WAN > < 4 last digits serial >
free tips: The four last digits from WAN mac are the same than the four last digits from default eSSID. If default eSSID is not used you can get the 4 digits by substracting 2 from bSSID (in base 16).
Locate your terminal in your "nmk" folder and invocate bash to execute the script
bash orangen.sh
User will be prompted to enter bSSID (from the 2.4Ghz network) and the four last digits from serial number.
Full disclosure "Arcadyan livebox PIN generator" is a colective work by wifi-libre, scripts by kcdtv