How to Bruteforce a WPA Fon Wlan

[Reeth]

Hey Community,


In this little Tutorial i'm gonna show you, hot to Bruteforce nearby Fon Routers

So the interesting thing which I note, is that a Fon AP's default WPA passphrase is it's serial number, printed under the box. These serial numbers are sequential, thus making it very easy to guess their entire range.

So for this i use a little Perl Script, which generates a file, included all Numbers from 807200000 till 8702555555

Code:

#!/usr/bin/perl
$n = 8702000000;
while ($n <= 8702555555) { system ("echo $n >> numbers.txt"); $n++; }

So then we need a WPA Handshake to try out. I'm not gonna describe how you get one because there are million Posts about it.

Then we Simply use Aircrack and start Bruteforcing

aircrack-ng fon-01.cap -w /root/fon/numbers.txt

So this is it Cracked.

IF you have further questions feel free to a PM or visit my Blog.
In German = My_0wn_Remote
In English = my_english_remote

I also created a littel Tutorial Video for this whole thing

YouTube - How to Bruteforce a nearby WPA Fon Wlan [3]

Maybee it is worth for the Video Section, i can't measure

=) Reeth

[or4n9e]

Quote:

included all Numbers from 807200000 till 8702555555

How do you come to that assumption? I have 7 Foneras (2100 model) and all my serial numbers are out of that particular range. JFYI, there already have been some efforts from FoneraHacks forums-member verticalfall to create precomputed WPA tables for the MyPlace SSID (covering several ranges of Fonera serial numbers) - unfortunately I cannot find the link currently though.

Nice project!

[Reeth]

hey or4n9e
yeah that could be possible, that it not fits in your country maybee they change the Serial Number in different Countries...but i don't think so...
I also have 2 Fonera 2100 Routers but they all got S/N with 8072....Numbers...

[Gitsnik]

Quote:

Originally Posted by Reeth

but they all got S/N with 8072....Numbers...

Have a look through the various forums around the place, I can assure you that, like the man said, they do not all fall within the 8072 range.

That said, the sheer size of the serial key not withstanding, you could just compute the numerics for all the possibilities at that width of serial numbers (10^10 or something - it's early and my math-fu is weak without coffee). It wouldn't even be hard to do, so let me try hack something up while I write this post (it will be untested ):

Code:

#!/usr/bin/perl
open(DICT, ">outputfile.txt") || die "Bugger: $!";
my $i = "0000000000";
while($i < 10000000000) {
    my $j = sprintf("%010d", $i);
    print DICT "$j\n";
    $i++;
}
close(DICT);

The numbers are large, you are dealing with 10,000,000,000 possibilities which is a lot, a pyrit box might be able to generate them fast enough, but for my taste that is a bit of a stretch.

That would work for any 10 numeric digit WPA key by the way, and removes the need for targeted mishaps like the original.

Also it removes that terrible call to echo which would slow the generation down.

[Snayler]

My fon S/N starts with 8704... Seems that the only number that repeats itself is the first "8"...

[pureh@te]

I have a word list which contains all possible combinations of 10 digit hex and it is about 37 gigs, just FYI

[Reeth]

Quote:

My fon S/N starts with 8704... Seems that the only number that repeats itself is the first "8"...

you ment the first 3 ? because the range i did create was from 807200000 till 8702555555

@Snalyer what kind of fon did you use ?

What are the standard Ranges for

Fon ?
Fon+
.....
are there any correlations ?

[Snayler]

Quote:

Originally Posted by Reeth

you ment the first 3 ? because the range i did create was from 807200000 till 8702555555

Sorry, i misread your post. I thought it was from 807200000 to 807255555. But still, it wouldn't get my default WPA password.

Quote:

Originally Posted by Reeth

@Snalyer what kind of fon did you use ?

FON2100A/B/C

[Gitsnik]

Quote:

Originally Posted by pureh@te

I have a word list which contains all possible combinations of 10 digit hex and it is about 37 gigs, just FYI

hex as in A to F as well?

How long does it take your pyrit box to get through that list (is it included in the timing stats we've already seen) ?

[kidFromBigD]

Quote:

Originally Posted by pureh@te

I have a word list which contains all possible combinations of 10 digit hex and it is about 37 gigs, just FYI

Quote:

Originally Posted by Gitsnik

hex as in A to F as well?

How long does it take your pyrit box to get through that list (is it included in the timing stats we've already seen) ?

Hey pureh@te -- do you mean to say your wordlist is 8 digits of hex, 0->F inclusive? I just did a quick calculation and that file would be ~37Gig, so just wondering if that's what you mean? Thanks!