** Update:  A cool cool guy named Dylan Taylor wrote a java implementation of this script: http://fioswepcalc.webs.com/ if you need an offline version **

** Update: I wrote a bash implementation to make it easy to script, and for offline usage: http://xkyle.com/other/fioscalc.sh **

In my previous post I showed a correlation between the WEP key of a Verizon FiOS install and the MAC address of the access point. This was simply a collection of experimental data that I gathered.

Thanks to Fred Williams? for pointing out the correlation between the ESSID and the WEP. With these powers combined form:

Well.. Not exactly. If there was a super hero with the phrase: “Hack the Planet” instead of “Save the Planet” I would have chosen it.

So what is the deal?

The first part of the key is a combination of the second and third part of the MAC, which is either 1801 or 1F90.

The second part of the key is this forumula.. hold on to your butts:

The 5-character SSID name is a base-36 number of the lower 48 bits (6 hex digits) of the WEP key. The string is reversed, with the most significant digit on the right.

Base-36 numbers uses 0-9 followed A-Z to represent 36 digits (0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ)
It maps out like this:
0=00, 1=01, 2=02, 3=03, 4=04, 5=05,
6=06, 7=07, 8=08, 9=09, A=10, B=11,
C=12, D=13, E=14, F=15, G=16, H=17,
I=18, J=19, K=20, L=21, M=22, N=23,
O=24, P=25, Q=26, R=27, S=28, T=29,
U=30, V=31, W=32, X=33, Y=34, Z=35

To go through an example, the SSID name of “E3X12″ comes out as follows.

E*(36^0) is 14 * 1 = 14
3*(36^1) is 03 * 36 = 108
X*(36^2) is 33 * 1296 = 42,768
1*(36^3) is 01 * 46656 = 46,656
2*(36^4) is 02 * 1679616 = 3,359,232
Add these up, and you get 3,448,778 decimal which is 349FCA in Hexadecimal notation.
The first 4 hex digits of the WEP key are the 2nd and 3rd byte from the MAC address as indicated in the original post above.

Thanks again Fred! To math majors this is like a beam of light coming down from the heavens

So I wrote this Javascript calculator (my first javascript program actually) in order to aid the calculation of the keys! Just type in your neighbor’s ESSID and out comes the KEY!
(Sorry about the iframe if that is an issue to you. Goto here if it is.)
</p> <p>Your browser does not support iframes.</p> <p>
Want to try it out? Here is a list of keys I’ve collected in my travels. Theres are cracked with Aircrack-ng, not calculated.

E3X12,1801349FCA
NAMX2,18014B311F
MWXV2,180149FF66
R0LC7,1801BC5C6B
JE2K7,1801C1B02B
HH150,1F900396C5
3RA18,1801CDF4AF
OQ838,1801CF5700
7WY20,1F90021D27
C7WA0,1F9007C188
DJP80,1F90063349
BJ2Z0,1F9018F797
RSHZ0,1F901944DB

Take a look at some wireless keys that I’ve collected from some Verizon FiOS installs around Tampa:

00-18-01-EA-3D-99,E3X12,6,WEP,1801349FCA
00-18-01-F0-6D-C4,NAMX2,1,WEP,18014B311F
00-18-01-F0-95-78,MWXV2,11,WEP,180149FF66
00-18-01-FD-4F-0E,R0LC7,1,WEP,1801BC5C6B
00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-18-01-FF-DF-DD,HH150,1,WEP,1F900396C5
00-1F-90-E0-B1-F8,3RA18,6,WEP,1801CDF4AF
00-1F-90-E0-B5-AC,OQ838,6,WEP,1801CF5700
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27
00-1F-90-E3-1E-90,C7WA0,6,WEP,1F9007C188
00-1F-90-E3-2E-07,DJP80,6,WEP,1F90063349
00-1F-90-E6-A7-D5,BJ2Z0,11,WEP,1F9018F797
00-1F-90-E6-D4-E3,RSHZ0,4,WEP,1F901944DB

What you are looking at here is MAC, SSID, Channel, Encryption, Key.

Notice that they are all WEP, 64bit, with 5 Alpha numeric SSID’s.

I want to emphasize that these are the defaults, and only geeks, nerds and the like change the defaults.

Here is a typical type of router (actiontec) that does this:

Take a real close look at two of the examples:

00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27

Notice the relationship the MAC and the key have. Let me split up the bytes for you:

00:18:01:FE:15:46   -  18:01:C1:B0:2B

Verizon, or Actiontec, or someone is setting the first byte of the 40bit key to the second byte of the MAC of the unit. And then they are setting the second byte of the key to the third byte of the MAC!

You can look on the list, and this is mostly the case, there is some overlap on the OIDs. (sometimess it is 1801, sometimes 1f90) Why is this useful? Well if you know it is a FiOS install, you have already decreased your “64bit” key to a real “40bit” key, and you already know 16 bits of it, so you only have to crack 24 bits. This is insane. This is like guessing 3 letters.

The way to use this is with the Aircrack-ng program. Capture some packets, and use the -d option to tell it what the key starts with.

aircrack-ng -d 1801 stupid-fios.cap

You will get the key in No time! Silly Verizon, you didn’t think we would notice you weren’t using constructed (not random) keys?

Have FiOS yourself? Want to share your MAC and default key in the comments?