** Update: A cool cool guy named Dylan Taylor wrote a java implementation of this script: http://fioswepcalc.webs.com/ if you need an offline version **
** Update: I wrote a bash implementation to make it easy to script, and for offline usage: http://xkyle.com/other/fioscalc.sh **
In my previous post I showed a correlation between the WEP key of a Verizon FiOS install and the MAC address of the access point. This was simply a collection of experimental data that I gathered.
Thanks to Fred Williams? for pointing out the correlation between the ESSID and the WEP. With these powers combined form:

Well.. Not exactly. If there was a super hero with the phrase: “Hack the Planet” instead of “Save the Planet” I would have chosen it.
So what is the deal?
The first part of the key is a combination of the second and third part of the MAC, which is either 1801 or 1F90.
The second part of the key is this formula... hold on to your butts:
The 5-character SSID name is a base-36 number of the lower 48 bits (6 hex digits) of the WEP key. The string is reversed, with the most significant digit on the right.
Base-36 numbers use 0-9 followed by A-Z to represent 36 digits (0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ).
It maps out like this:
0=00, 1=01, 2=02, 3=03, 4=04, 5=05,
6=06, 7=07, 8=08, 9=09, A=10, B=11,
C=12, D=13, E=14, F=15, G=16, H=17,
I=18, J=19, K=20, L=21, M=22, N=23,
O=24, P=25, Q=26, R=27, S=28, T=29,
U=30, V=31, W=32, X=33, Y=34, Z=35
To go through an example, the SSID name of “E3X12” comes out as follows.
E*(36^0) is 14 * 1 = 14
3*(36^1) is 03 * 36 = 108
X*(36^2) is 33 * 1296 = 42,768
1*(36^3) is 01 * 46656 = 46,656
2*(36^4) is 02 * 1679616 = 3,359,232
Add these up, and you get 3,448,778 decimal which is 349FCA in Hexadecimal notation.
The first 4 hex digits of the WEP key are the 2nd and 3rd byte from the MAC address as indicated in the original post above.
Thanks again Fred! To math majors this is like a beam of light coming down from the heavens
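The derivation above, written as an added audit helper for checking whether an access point you administer still has a WEP key that follows from its SSID. This is not the code of the calculator on this page; the function names are assumptions made for this example. It also handles SSIDs whose decoded value does not fit in 6 hex digits, which cannot come from this scheme.

```javascript
// Added example: audit helper, not the original calculator's code.
// Function and constant names are hypothetical.
const DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Key prefixes named in the post (2nd and 3rd bytes of the MAC).
const PREFIXES = ["1801", "1F90"];

// Decode a 5-character SSID as a reversed base-36 number:
// the leftmost character is the least significant digit.
// Returns null when the SSID is not 5 base-36 characters.
function decodeSsid(ssid) {
  const s = String(ssid).trim().toUpperCase();
  if (!/^[0-9A-Z]{5}$/.test(s)) return null;
  let value = 0;
  for (let i = 0; i < s.length; i++) {
    value += DIGITS.indexOf(s[i]) * Math.pow(36, i);
  }
  return value;
}

// Return the keys this scheme would produce for an SSID, one per prefix.
// An empty array means the SSID cannot belong to the scheme: either it is
// malformed, or it decodes to more than 6 hex digits (above 0xFFFFFF).
function candidateDefaultKeys(ssid) {
  const value = decodeSsid(ssid);
  if (value === null || value > 0xFFFFFF) return [];
  const suffix = value.toString(16).toUpperCase().padStart(6, "0");
  return PREFIXES.map((prefix) => prefix + suffix);
}

// True when the key configured on your own access point is one of the
// derivable defaults, meaning it should be changed (and WEP replaced).
// Separators such as ":" or spaces in the configured key are ignored.
function usesDerivableDefault(ssid, configuredKey) {
  const key = String(configuredKey)
    .replace(/[^0-9a-fA-F]/g, "")
    .toUpperCase();
  return candidateDefaultKeys(ssid).includes(key);
}
```

A `true` result from `usesDerivableDefault` means the configured key offers no protection beyond the broadcast SSID; an empty result from `candidateDefaultKeys` only means this particular derivation does not apply.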

So I wrote this Javascript calculator (my first javascript program actually) in order to aid the calculation of the keys! Just type in your neighbor’s ESSID and out comes the KEY!
(Sorry about the iframe if that is an issue to you. Goto here if it is.)
Want to try it out? Here is a list of keys I’ve collected in my travels. These were cracked with Aircrack-ng, not calculated.
E3X12,1801349FCA
NAMX2,18014B311F
MWXV2,180149FF66
R0LC7,1801BC5C6B
JE2K7,1801C1B02B
HH150,1F900396C5
3RA18,1801CDF4AF
OQ838,1801CF5700
7WY20,1F90021D27
C7WA0,1F9007C188
DJP80,1F90063349
BJ2Z0,1F9018F797
RSHZ0,1F901944DB


Could be my browser settings but the calculator isn’t working. Nothing happens when I click on “Calculate key” and I get “Error On Page” in status bar.
Err… I don’t know. Could be a browser setting. What browser/platform are you using? I kinda only tested it in firefox….
And try http://xkyle.com/other/wep.html, that is direct url to the iframe.
I’m wondering if Verizon or Actiontec has corrected this blunder in the recent versions of their Actiontec FIOS routers.
I live in an area where FIOS was only recently lit up (January of this year). Here’s what my neighborhood looks like courtesy NetStumbler:
http://img25.imageshack.us/img25/4420/ap2v.png
As you can see, there are plenty of FIOS routers around. But I immediately noticed several problems:
(1) Look at the MAC prefixes of all the identifiable Actiontec routers (the ones with five-character base36 SSIDs). All are 00:21:63. That’s entirely different from the 00:18:01 and 00:1F:90 prefixes reported here and in Fred Williams’ comment at http://gigamike.wordpress.com/2008/05/06/verizons-false-sense-of-security-with-fios-installations/
(2) Almost all the base36 SSIDs shown in my screen capture, if run through your calculator, produce a result that’s one digit too long. E.g., “P75QA” yields “18 01 11 2E 6E 5” and “1F 90 11 2E 6E 5”. I suppose this could only be possible if *these* SSIDs were being based on something entirely different than MACs. (?)
(3) Regarding the alternate way of obtaining these routers’ WEP keys (sniffing their wireless traffic for MAC addresses). Unless I’m grossly misinterpreting it, the blog post at http://gigamike.wordpress.com/2008/07/09/verizons-false-sense-of-security-returns/ seems to be saying that these Actiontecs’ WEP keys originate from their wired LAN MAC addresses, *not* from their wireless MAC addresses. If that’s correct, then going further, it also appears to be saying that there are two places to find their wired LAN MACs when sniffing their wireless traffic: (a) in their frequently-occurring ‘IGMP Membership Report’ and ‘Spanning Tree Protocol’ update packets (sent every second), and (b) in the “source address” header fields of their encrypted_data packets. Well, I opened up CommView for Wi-Fi 6.0.581 and sniffed my nearest neighbor (“P75QA”). From him, I saw nothing from category (a). Just beacon packet after beacon packet (in which the “source address” MAC and “BSSID” MAC header fields were both 00:21:63:48:8D:A5). On the other hand, when it came to category (b), there were in fact differences between the encrypted data packets’ BSSID fields (always 00:21:63:48:8D:A5) and their “source address” fields (varied between 00:21:1E:73:73:4B, 00:21:1E:07:5D:63, and 00:1F:C4:94:4C:48). I wasn’t sure why the source MAC fields were varying between three different addresses, but since all of these packets *were* coming from BSSID 00:21:63:48:8D:A5, and since all their destination MAC fields were FF:FF:FF:FF:FF:FF, I assumed that *one* of those three source MACs had to contain the WEP key. Alas, neither 211E73734B nor 211E075D63 nor 1FC4944C48 would authenticate as the WEP key for P75QA. I even tried replacing their first two chunks (211E) with the corresponding chunks from the BSSID MACs, but those (216373734B, 2163075D63, and 2163944C48) wouldn’t authenticate either.
Any thoughts?
Sorry for the long comment, but FYI. I’m not much into raiding others’ wireless APs, but after encountering this report about Actiontec’s (and/or Verizon’s) carelessness, I simply couldn’t resist trying it out for myself.
1. These are probably different models, or a different version of the firmware that defaults to something different. On the ones that I have seen, the LAN mac is only off by one of the WLAN mac. But! Can you crack any of those? Maybe they have the same basic algorithm, just a different initial few bits?
2. Hmm, If you could crack them maybe we could figure out what kind of system they are using, but then again maybe they are doing random wep keys. But you are right, it looks like their setup doesn’t work with my calculator.
3. That sounds like bullcrap to me. How would one get STP or IGMP packets off an encrypted network? You can’t. The only thing unencrypted is what you are saying, the beacons. I like your thinking regarding substituting the initial two bytes with the alternative macs. However, are you sure those other beacons were not simply from other APs on the same channel?
PS. If you need to talk more in private feel free to email me kyle@xkyle.com, better than a comment conversation. As far as I know there is nothing illegal about cracking wep keys per se, just unauthorized access to a network (ie, connecting to it after you get the key).
Kyle
hey help me out i have had fios television only for the last 4 mos today i got internet the guy just took the wep code off my router and said you're all set. does that mean all this time i could have had free internet by just putting in the wep off the router? cuz my laptop kept picking up the signal now i gotta pay 25 dollars for the net. the installer said i wouldnt have had a gateway but he was on in one second. email me at johngrosso007@yahoo.com thanks
Re: bullcrap, by my saying “nothing in category (a),” I meant that I observed no STP/IGMP-MR packets by virtue of seeing no encrypted_data packets “every second,” which is how Fred Williams described their frequency. (He admitted owning an Actiontec, so it seemed plausible he knew what they were and how often they appeared by being able to see his own network decrypted.) Anyway, the point of his post appears to have been that normally you can only scope out an Actiontec’s wired LAN-side MAC (and thus WEP key) via the source_MAC headers of encrypted_data packets from the AP to associated clients … *but* that absent any associated clients (which would normally mean you’re out of luck), you *aren’t* actually out of luck, because the AP also generates those regular [encrypted] STP/IGMP-MR packets whose source_MAC headers also contain the AP’s wired LAN-side MAC.
Regarding the irregular encrypted_data packets I saw from the 00:21:1E and 00:1F:C4 source MACs: Gigamike told me in his blog that they’re Motorola MACs. That nicely explained their origins. FIOS installations use TCP/IP networked Motorola QIP STB/DVR boxes. What I was seeing was cable box broadcast chatter. (Shesh…)
Anyway, a short while after posting my comment in your blog, I read elsewhere that those Actiontec STP/IGMP-MR packets Fred mentioned were sent “periodically” (as opposed to second-after-second). That got me wondering which version of the story was accurate, and if I’d therefore even looked at P75QA’s channel long enough. So I tried once more, this time for hours. Also filtered to grab only ((BSSID == 00:21:63:48:8D:A5) && (FSubType != 08h) && ((dest_MAC != FF:FF:FF:FF:FF:FF) && (source_MAC != 00:21:1E:73:73:4B || 00:21:1E:07:5D:63 || 00:1F:C4:94:4C:48))). Result: nada. No Actiontec MACs at all, or even any additional vendor-unidentifiable MACs (on the logic that if this model Actiontec’s 00:21:63 WLAN MAC was not yet in the MAC prefix registries, neither might be its wired LAN MAC). There was only chatter from MAC addresses for a couple consumer electronics devices and Intel and Apple PC NICs. One in particular even stuck out as bizarre: 00:18:3A, which I instantly recognized as the prefix of the Westell DSL modems Verizon installs in this area. But I figured maybe the guy was using his old DSL modem’s LAN ports as a free hub and thought nothing more of it.
Long story short, this mystery began unraveling itself when I decided to look at a different FIOS AP. Doing so proved equally fruitless — no Actiontec or unidentifiable MACs, etc. But then I saw 0:18:3A again on THIS guy’s AP. No WAY could THAT be a coincidence. Googled. Lo and behold, turns out only very recently Verizon began contracting with Westell in addition to Actiontec for the manufacture of its FIOS modems. Further research led me to find that these Westells (model 9100/9100EM) borrow much of the Actiontecs’ firmware, just adapted for the Westells’ chipset.
Which explained all at once the non-Actiontec 00:21:63 WLAN MACs, why I had Actiontec-like SSIDs all over the neighborhood, and why I was seeing Westell source_MACs elsewhere in their traffic. And once all that fell into place, I realized I’d found these APs’ wired LAN MACs after all (xx:18:3A:__:__:__). But alas, no dice on their being equal to the WEP keys. (Tried.) Guess Westell is smarter than Actiontec.
Oh yeah. A postscript. Just this evening, I found . Note the firmware revision (“E”). Gigamike and Fred Williams were describing rev. “D” Actiontecs when they revealed the LAN MAC/SSID –> WEP key tricks. Sure enough, this rev. “E” router’s SSID does not convert into its depicted WEP key. It does convert into a string of the proper length OTOH, but then again, a minority of the SSIDs in my NetStumbler capture did as well[*]. So looks like the new Actiontecs are in fact finally fixed (and that perhaps their fixed firmware got used as the basis for the Westell firmware). Judging by the sticker in this picture, I’d assume even the wired LAN MACs aren’t useful for determining the WEP keys (this one starting with 4B8F and all…).
[*] Interestingly enough, my NetStumbler screen capture was sorted by WLAN MAC, and the SSIDs that *do* convert to base16 strings of the proper length (with your calculator) are all grouped together. Perhaps there’s still some kind of simple math happening inside these things that generates their SSIDs (and WEP keys?) based off their MACs; just not as simple as in the earlier revisions? (Hopefully the firmware programmers read a FAQ or two about one-way hashing…)
Oops. I shouldn’t have put that URL in angle brackets. “Just this evening, I found” should’ve been followed by http://i.ehow.com/images/GlobalPhoto/Articles/4707790/wirelesslabel_Full.jpg
Don,
Many thanks for your continued research in this department. I know that the layer 2 stuff (Src and dst MAC’s) are not encrypted, but the packet payload would be. This means that you can tell what other types of devices are on the network, as your research shows. I want to say that the MAC of the access point itself wouldn’t show up in wireshark.. but I might be wrong.
Thank you for providing that picture of the other Actiontec router. You are right, this formula does not apply to this style AP, but maybe there is a correlation. Maybe someday I will come out with a “Wep Key Calc 2!”
Any idea what the WPS PIN is on that thing?
Don’t know about wireshark. I’m using CommView for WiFi right now, which is decent enough. It shows the BSSID, source_MAC, and dest_MAC headers for every packet captured.
Incidentally, the reason I said I was confident the 00:18:3A source_MACs I saw were indeed these APs’ wired-side LAN MACs can be seen here: http://img17.imageshack.us/img17/2030/pupnp.png
Notice the *destination* MAC addresses and google “01:00:5E:7F:FF:FA” “membership report”. So these are apparently the STP/IGMP-MR traffic bursts Fred talked about, meaning the source_MAC should be the wired LAN-side MAC just as he said. But as said earlier, at least with these Westell Actiontec clones, those LAN MACs don’t work as the WEP key, alas.
Looking forward to wepcalc 2.0!
About the WPS pin, it’s a newer feature showing up in modern routers. http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
I see, I thought Fred was implying that those packets were visible in plain text, but yes, the Source and Destination macs are visible through wep, I now understand what he means by getting the LAN mac. In my experience the LAN and WAN mac differ only at the end, and for this application you only need the first couple of bytes of the mac (which identify the vendor) which are the same on both sides for these style Actiontecs.
Again Totally Awesome!
I noticed this a while back and wrote an article for 2600 about this, which was submitted to them on January 18th 2009. It has yet to be published… However, there is more to this. Fire up kismet and look at the clients for any given AP. You’ll notice that one of the “clients” has a MAC in the same range. I’m pretty sure the WEP key is actually the WAN MAC address minus the first octet… The Verizon routers that I was working on were the Actiontec MI424WR.
I’ve recently moved and don’t have any FIOS routers in my immediate area to see if the WLAN MAC Westell MAC is also the WEP key… maybe I’m due for some war driving…
Fred Williams: Good call on noticing the Base-36!
Kyle, I’m Tech Editor at Open Media Boston. I’m currently investigating this security story on Verizon’s FiOS service and have contacted Verizon for comments and answers to some critical questions. In the email I sent them, I included a link to this post. Just a heads up that you might prepare for contact from Verizon. Remember this research is protected by your first amendment rights.
If I have the BSSID (i.e. 00:1F:90:ED:9C:9C) but not the ESSID, how could I calculate the key? I’m trying to test out whether or not the Rev. E Actiontecs still have this same vulnerability, as the installation techs are telling our neighbors that they don’t.
This only works with the BSSID + ESSID, otherwise you must crack the key using normal methods (aircrack).
Thank you, Kyle. What I have found out is that at least with the new Rev. E, this calculator doesn’t work. Plugging in the 5-character SSID no longer gives you the WEP key. That said, cracking WEP is still easy enough for those with too much time on their hands; sometimes I think that using WEP by default for newbies is almost worse than using nothing, as it gives them a false sense of security. The new Actiontecs easily support WPA2, so not sure why that isn’t used more.
Kyle and all, I’ve published my investigative piece on Verizon’s lax security policies, “Verizon Admits its Default DSL and FiOS Wireless Security ‘Does Not Provide Good Protection against a Hacker’”
http://www.openmediaboston.org/node/706
Thank you for your work on this security vulnerability and your cooperation on providing information and quotes for me.
this is pretty cool, i tried it on four of my neighbors and got them all, haha~ but for most of us who might actually use this to uh…. retrieve lost passwords… um~ we wont have internet access to get to this page, and some are not even going to remember how the numbers work~ it would be pretty cool if you can make a download-able version of this, so we can carry it in our laptops to… retrieve our lost passwords at any time
I don’t know seems that you would have to have access to a laptop and internet access at some time. It is javascript, you can just save that page to your desktop. (just grab the page inside the iframe, you don’t need the whole blog)
Hi, I recently made a Java Application version of this script, and I thought that you would like to know about it, since it is based off of the formulas listed on this blog entry. The site for the script is the one that I set as my website in this comment. Tell me what you think…
Wow that is awesome! I’ll update my post to make that more prominent!
CAN SOMEONE HELP ME.
I NEED THE CODE FOR THIS, 6ST83
This does not work on my SSID. I use FIOS right now, and i was a little concerned when i first saw this. But yea.. it doesn’t give the right WEP key.
my SSID: SB4F5
WEP key: 4********6
using the calculator gives me:
1) 18018AE8A8
2) 1F908AE8A8
And anyone having trouble getting it to work, use Mozilla.
Can you make this calculator work in terminal for the iphone for ipod touch I tried and the rev printf and a few other commands never were ported.
Thanks
Sure no problem! you will need bc and bash if you don’t have them already:
apt-get install bc bash
Also I’ve updated it to work on IE! Thanks to John at http://whatsmyip.org
awesome that works u r the man. Mad Props
Could someone help me need for l0qj3 and vzvv4 and s4181 please just post it on the page thanks alot
I’d like a key/keys for ESUG3 and GVN04. If someone can render a proper key, it’d be much appreciated. Thanks
Hey can you make this work on the ipod touch without like me using wifi. Like i want to work but without needing internet. Like basically an app. THanks
Dude, your freakn amazing… thanx alot…
works was at my mothers for t day found like 10 fios lines and cracked them all pretty simple
Will not work in baltimore
I NEED THE KEYS FOR NT8FO AND KLVC6 I’M IN DESPERATE NEED OF THESE OR I WOULD ASK I’M USING WINDOWS AND I HAVE A BROADCOM CHIPSET WHICH DOESN’T WORK WITH ANY WEP CRACKING SOFTWARE UNLESS YOU PUT IN A WEEKS WORTH OF WORK AND ANOTHER WEEK OF IV CAPTURING PLEASE HELP!
this calculator really works!!!!!!! amazing!!!!!! around my apartment there are about 7 signals from fios from neighbors and 5 out of 7 got through!!!! amazing
what is the connection between the mac address and the ssid or the mac address and the key? What I mean is that can I take the mac address and find out what the ssid or the key? Someone can essentially change their ssid and not allow decryption.
Thanks