Monday, July 14, 2014

HOTBOX or FiberBOX Wifi Access in Israel

I live in Israel and work at HOT CATV Company, which provides Internet services.

The main modem/router you can get from this company is the "Hotbox DOCSIS 3.0 Cable Modem/Wireless Router", manufactured by SAGEMCOM.

There is also a newer one, the "FiberBOX", that has the same issue explained below.

By default, the WiFi ESSID is HOTBOX-1234 (1234 is the last four characters of the box's CM-MAC).

And the password is the CM-MAC address.

Let's see all SAGEM MAC prefixes:
http://www.adminsubnet.com/mac-address-finder/sagem

As we already know from the ESSID that '1234' is the last four characters of the CM-MAC, and we know the first six characters (the Vendor ID), we can bruteforce it pretty fast.

For example:
Your neighbour has a HOTBOX or FiberBOX (the only difference is the ESSID: Fiber-1234), with the default ESSID 'HOTBOX-1DE4', ok?

We know the starting Vendor IDs (for example):
18622c
2c3996
2ce412
348aae
3c81d8
4c17eb
681590
6c2e85
7c034c
7c03d8

00789e
90013b
94fef4
c0ac54
c0d044
c8cd72
cc33bb
d86ce9
e8be81
e8f1b0
f08261
The last thing we need to know is the 7th and 8th characters.
So, make a simple bash script that captures the 'handshake', then creates a dictionary with all possible MACs, and bruteforces that 'handshake' with pyrit (for example).
I promise, it will not take more than 10 seconds to crack the handshake.

Maybe I will post a script in a future post.
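To put a number on how weak this default is, and to let an owner check whether their own box still uses it, here is an added example (my code, not the blog author's or Sagemcom's). It assumes the default passphrase is the CM-MAC written as 12 lowercase hex digits without separators and that the SSID suffix is the last four hex digits of that MAC, as the post describes; the OUI list is copied from the post. The functions quantify the remaining keyspace (only the 7th and 8th hex digits are unknown) and compare it with a random passphrase, and `is_weak_default` flags an SSID/passphrase pair that follows the predictable pattern so the owner knows to change it.

```python
"""
Added example (not the blog author's code): quantifies the risk of the
HOTBOX/FiberBOX default described in the post and checks whether a given
SSID/passphrase pair still follows that predictable default.

Assumptions (not stated verbatim on the page): the default passphrase is the
CM-MAC written as 12 lowercase hex digits without separators, and the SSID
suffix is the last four hex digits of that same MAC.
"""
import math
import re

# Vendor prefixes (OUIs) listed in the post; treated here as the set of
# plausible first six hex digits of a HOTBOX/FiberBOX CM-MAC.
SAGEMCOM_OUIS = [
    "18622c", "2c3996", "2ce412", "348aae", "3c81d8", "4c17eb", "681590",
    "6c2e85", "7c034c", "7c03d8", "00789e", "90013b", "94fef4", "c0ac54",
    "c0d044", "c8cd72", "cc33bb", "d86ce9", "e8be81", "e8f1b0", "f08261",
]

# Default SSID pattern from the post: "HOTBOX-1234" or "Fiber-1234".
DEFAULT_SSID_RE = re.compile(r"^(?:HOTBOX|Fiber)-([0-9A-Fa-f]{4})$")


def normalize_mac(value: str) -> str:
    """Lower-case a MAC and drop ':' or '-' separators so formats compare equal."""
    return re.sub(r"[:-]", "", value).lower()


def default_candidate_count(ouis) -> int:
    """Number of passphrases left to try once the OUI list and the SSID suffix
    are known: only the 7th and 8th hex digits remain (16**2 per OUI)."""
    return len(set(ouis)) * 16 ** 2


def entropy_bits(candidates: int) -> float:
    """Effective entropy in bits of a uniformly chosen secret from `candidates`."""
    return math.log2(candidates)


def random_passphrase_bits(length: int, alphabet_size: int = 62) -> float:
    """Entropy of a random passphrase of `length` symbols over an alphabet of
    `alphabet_size` (62 = upper + lower + digits), for comparison."""
    return length * math.log2(alphabet_size)


def is_weak_default(ssid: str, passphrase: str, ouis=SAGEMCOM_OUIS) -> bool:
    """True when the SSID/passphrase pair matches the predictable default:
    default-style SSID, passphrase is a 12-hex-digit MAC from a known OUI, and
    the SSID suffix equals the MAC's last four digits. Use this to audit your
    own router and change the passphrase if it returns True."""
    m = DEFAULT_SSID_RE.match(ssid)
    if not m:
        return False
    mac = normalize_mac(passphrase)
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        return False
    return mac[:6] in set(ouis) and mac[-4:] == m.group(1).lower()


if __name__ == "__main__":
    n = default_candidate_count(SAGEMCOM_OUIS)
    print(f"candidates: {n}  (~{entropy_bits(n):.1f} bits)")
    print(f"random 12-char alphanumeric: {random_passphrase_bits(12):.1f} bits")
    # Constructed sample pair, not a real device:
    print(is_weak_default("HOTBOX-1DE4", "2c:39:96:1a:1d:e4"))  # True
```

With the 21 prefixes from the post the default leaves 5376 candidates, roughly 12.4 bits, against about 71 bits for a random 12-character alphanumeric passphrase; that gap is the whole reason the default should be replaced.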

8 comments:

  1. Does CM-MAC mean the MAC of the cable modem?

  2. Hi,
    Did you make a script to create a dictionary with all possible MACs?

  3. Is this vulnerability still relevant? I tried to find the MAC addresses of two networks with default ESSIDs but couldn't find any. One is 7915 and the other is 432C. Would really appreciate your help...

  4. MAC addresses are better taken from the primary source:
    https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries

  5. Thanks, caught one.
    Used Crunch to generate the last 6 characters with 4 of them known, as in:
    @@4428
    %%4428
    @%4428
    %24428

    @ = lowercase letters
    % = numbers

    The passwords are in lowercase.

    Then used a Hashcat combination attack: one wordlist on the left with all the Sagemcom MACs run against a wordlist that was crunched, looking for those 2 missing letters/numbers.

    Instant hit. GG WP. ez when you know that "secret" ;)
