Not so random 11 digits? H112-370
#1
Question 
Hello everyone.

Nice to be here with the HC community.

I have a Huawei 5G CPE router, H112-370.

This device has a [0-9][A-Z] key, or at least that is how it looks to me.

I was thinking that modern routers have gotten better in terms of security.
In the past there were routers that had an 8-digit default password, which is really dumb.

But right now this 11-digit password seems unbreakable, or at least this is how I see it.

But there is something that made me think again about this one!
After some digging on Google I found out that this model "H112-370"

has the same first 8 digits of the IMEI number
and the same first 11 digits of the S/N.
The last 7 digits of the IMEI are dynamic.
Same thing with the S/N: the last 5 digits are also dynamic.

Here is an example:

SSID: Zain_H112-7FFA
S/N: 1123700800035334
IMEI: 867206042032305
WPA: FAMGJ2YQNFM
WPS: 32630534
_____________________
SSID: Zain_H112-F4CF
S/N: 1123700800005629
IMEI: 867206040998028
WPA: J65TFH1N8QH
WPS: 39100238

End of example.

Maybe it somehow generates the WPA from the serial number or the IMEI?
I have a firmware if anyone is interested, but sadly it's an encrypted binary file.

If anyone has encountered a similar situation I would really like to hear from you.

Thanks...
#2
Look at the evolution of the pskracker algorithm for nvg589 and nvg599! It's in the user contribution / default keyspace
#3
(07-27-2021, 10:06 PM)drsnooker Wrote: Look at the evolution of the pskracker algorithm for nvg589 and nvg599! It's in the user contribution / default keyspace

Thanks, I will see it!
#4
(07-27-2021, 10:06 PM)drsnooker Wrote: Look at the evolution of the pskracker algorithm for nvg589 and nvg599! It's in the user contribution / default keyspace

Well, I feel dumb.

I tried to understand that algorithm but I didn't get it.

I will try to extract the firmware with binwalk and see what information I can get.
#5
This was pulled from the firmware of one of the routers. I'm sure SoxRok2212 doesn't mind me sharing, but the algo you're looking for is likely similar.

#!/bin/sh

# Generate a unique video SSID from the box's serial number.
# Scheme: SHA-1 over the serial number exactly as cat prints it (trailing
# newline included), then each of the first 7 digest bytes is mapped to one
# symbol of $charset by taking the byte value modulo the charset length.

charset="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#\$%&'()*+,-./:;<=>?@[]_\`{|}~\\"

cat /sys/module/board/parameters/serialnumber | openssl sha1 | awk '
{
    # "openssl sha1" prints "(stdin)= <hex digest>", so the digest is field 2
    hash = $2;

    # split() with an empty separator breaks the string into single characters
    # (gawk/mawk/busybox awk behaviour); the resulting indices run 1..sizeof_charset
    sizeof_charset = split(chars, charset, "");

    hex[0]  = "0"; hex[1]  = "1"; hex[2]  = "2"; hex[3]  = "3";
    hex[4]  = "4"; hex[5]  = "5"; hex[6]  = "6"; hex[7]  = "7";
    hex[8]  = "8"; hex[9]  = "9"; hex[10] = "a"; hex[11] = "b";
    hex[12] = "c"; hex[13] = "d"; hex[14] = "e"; hex[15] = "f";

    # lookup table from two-character hex string to byte value 0..255
    for (a = 0; a < 16; a++) {
        for (b = 0; b < 16; b++) {
            idx = 16*a + b;
            str = sprintf("%s%s", hex[a], hex[b]);
            bighex[str] = idx;
        }
    }

    resultstr = "";

    # first 14 hex characters = first 7 digest bytes, one output symbol per byte
    for (i = 1; i <= length(hash) && i <= 14; i += 2) {
        str = substr(hash, i, 2);
        idx = bighex[str];
        idx = idx % sizeof_charset;
        # split() indices start at 1, so a remainder of 0 selects the undefined
        # charset[0], i.e. an empty string; this quirk is kept as in the firmware
        resultstr = resultstr charset[idx];
    }

    print "vATT" resultstr;
}' chars="$charset"   # quoted so the shell does not try to glob on *, ? and [...]
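Putting posts #1 and #5 together, here is an added example (my own code, not from the thread, from the router firmware or from pskracker) that takes the two S/N, IMEI, WPA, WPS tuples from post #1 and tries the post #5 style of derivation on them: hash a candidate input, map the digest into the observed [0-9A-Z] alphabet, and compare with the observed key. The candidate inputs (S/N, IMEI, their variable suffixes, concatenations, the SSID suffix, with and without a cat-style trailing newline) and the two digest-to-key mappings are assumptions for illustration. It also checks the shared-prefix lengths the post states, validates the check digit of the listed WPS PINs, and reports how small the search would be if the key really were a function of the variable digits. For these two samples none of the naive schemes reproduce the key, which rules out those particular forms and nothing more.

```python
#!/usr/bin/env python3
"""Added example, not part of the thread: probe whether the two H112-370
samples from post #1 fit simple hash-the-identifier key schemes like the
one in post #5. Candidate inputs and mappings are assumptions."""
import hashlib

# The two (SSID, S/N, IMEI, WPA, WPS) tuples copied from post #1.
SAMPLES = [
    {"ssid": "Zain_H112-7FFA", "sn": "1123700800035334",
     "imei": "867206042032305", "wpa": "FAMGJ2YQNFM", "wps": "32630534"},
    {"ssid": "Zain_H112-F4CF", "sn": "1123700800005629",
     "imei": "867206040998028", "wpa": "J65TFH1N8QH", "wps": "39100238"},
]

KEY_CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # [0-9A-Z], as observed
KEY_LEN = 11
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading substring of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def digest_to_key_mod(digest: bytes) -> str:
    """Byte-mod-alphabet mapping, the same idea as the awk script in post #5."""
    return "".join(KEY_CHARSET[b % len(KEY_CHARSET)] for b in digest[:KEY_LEN])


def digest_to_key_base36(digest: bytes) -> str:
    """Treat the digest as one big integer and keep its first KEY_LEN base-36 digits."""
    n = int.from_bytes(digest, "big")
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(KEY_CHARSET[r])
    return "".join(reversed(out))[:KEY_LEN]


def candidate_inputs(sample: dict) -> dict:
    """Strings a vendor might plausibly feed to the hash (assumed, for illustration)."""
    sn, imei = sample["sn"], sample["imei"]
    base = {
        "sn": sn, "imei": imei,
        "sn_tail5": sn[-5:], "imei_tail7": imei[-7:],
        "sn+imei": sn + imei, "imei+sn": imei + sn,
        "ssid_suffix": sample["ssid"].rsplit("-", 1)[-1],
    }
    out = {}
    for name, val in base.items():
        out[name] = val.encode()
        out[name + "+LF"] = (val + "\n").encode()  # `cat file | openssl` style trailing newline
    return out


def find_matches(samples=SAMPLES) -> list:
    """Return (ssid, hash, input, mapping) for every scheme that reproduces the observed WPA key."""
    hits = []
    mappings = (("mod", digest_to_key_mod), ("base36", digest_to_key_base36))
    for s in samples:
        for hname, hfn in HASHES.items():
            for iname, data in candidate_inputs(s).items():
                digest = hfn(data).digest()
                for mname, mfn in mappings:
                    if mfn(digest) == s["wpa"]:
                        hits.append((s["ssid"], hname, iname, mname))
    return hits


def wps_checksum_ok(pin: str) -> bool:
    """Verify the standard WPS PIN check digit: weights 3,1,3,1,... taken from the
    right over the first seven digits, check digit = (10 - sum mod 10) mod 10."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    accum, n = 0, int(pin[:7])
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10 == int(pin[7])


def effective_keyspaces() -> dict:
    """Search sizes if the key were a function of the variable identifier digits, vs. brute force."""
    return {
        "sn_tail5": 10 ** 5,
        "imei_tail7": 10 ** 7,
        "wps_pin": 10 ** 7,
        "wpa_bruteforce": len(KEY_CHARSET) ** KEY_LEN,
    }


if __name__ == "__main__":
    a, b = SAMPLES
    print("S/N common prefix:", common_prefix_len(a["sn"], b["sn"]))
    print("IMEI common prefix:", common_prefix_len(a["imei"], b["imei"]))
    print("WPS check digits valid:", [wps_checksum_ok(s["wps"]) for s in SAMPLES])
    print("schemes reproducing the WPA key:", find_matches() or "none")
    print("effective keyspaces:", effective_keyspaces())
```

The useful part is the harness, not the hit list: once someone has a real generator (as pskracker has for the NVG models), drop it in as another mapping or input and the same two samples confirm or refute it. Both WPS PINs carry a valid check digit, so a WPS attack on this model is at most a 10^7 search regardless of how the WPA key is made; a PIN that failed the check would point to a vendor that does not follow the standard.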