• How To Brute Force ATT UVerse WPA or WPA2 WiFi Quickly Without Rainbow Tables

    by  • June 17, 2012 • Tutorial

    Linux Terminal How to Brute Force WPA WPA2 Uverse Wireless Key

    Ok, this is going to be a quick tutorial. We will be working in Debian, although theoretically you can use any Linux. To complete this tutorial you will need:

    *Some type of Linux, VM or Physical Install

    *Wifite, Aircrack-ng, any WiFi tool that accepts a wordlist

    *A small amount of time to generate the wordlist (>91GB)

    This tutorial was created by me, and I don’t know of any others who have exploited this issue yet, though I believe it could be possible I am not the first to speak about this.

    ATT Uverse is set up with a stock 10-digit password that we know to be numeric. This limits the number of possibilities for the password, and with one line of BASH we can generate the entire range of possible passwords, which we then run through some type of password-list tool.

    Initially, the modem/router combos they were shipping showed up as the 2WIRE421 networks you would see: the SSID said 2WIRE followed by the last three digits of the serial number. Or maybe it is the first three. Anyway, at the time of that router, according to multiple inside sources who I know personally, install men (or women) were told to use the resident’s phone number as the default password. This was so that when the user called tech support saying their internet wasn’t working, the tech could just tell them to try their phone number as the password if it hadn’t been changed.

    ATT caught some shit for this from the security community, so the high paid geniuses being the geniuses they are, decided to make a new router/modem combo, make it black, and then this time, put a large yellow label with a 10 character passcode. Normally, this approach would preclude this attack, but like I mentioned before, we are dealing with some boss-type genii here, and this time it was a completely numeric code, thus making it entire orders of magnitude easier for us to just brute force.

    The pass code is 10 digits. This can be broken quickly and easily, and this attack will successfully not only generate a wordlist, but a wordlist with EVERY phone number for EVERY area code, by way of possessing every single 10 character combo possible. (123)456-7890 <—- 10 digits

    On with the hack!

    Type this code into a new terminal, and give it time to generate the file. The file should be several GB of info, and could take about 10-30 minutes to generate. If that is too long for you, obviously you have never computed your own tables with GenPMK, Pyrit and CowPatty the old fashioned way, as you would have to for a mixed-case alphanumeric password like any other.

    This time, we know the passwords to be strictly numeric and 10 digits, so what we are doing is telling the processor to count from 1000000000 to 9999999999, and then store the output list into a file that we can later use as our wordlist. This will cover every password that is set up stock from ATT for Uverse. In order to make it easier to assist you when you call tech support, the techs are instructed to use the stock numeric password on this big yellow sticker on the side of the router. This makes it nice and uniform and easier for people to just leave it the way it is, which is better for us.
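    To put the keyspace argument above in numbers from the defender's side, here is an added Python audit (not from the original post) that flags a WPA/WPA2 passphrase shaped like this 10-digit numeric default, or like a phone number, and compares its search space to passphrases built from more character classes. The sample passphrases and the 64-bit threshold are constructed for illustration.

```python
import math
import re
import string

# Constructed samples (not from the page): two passphrases in the shape of
# the all-digit defaults discussed above, and two stronger ones.
SAMPLE_PASSPHRASES = {
    "1234567890": "10-digit numeric default",
    "9015551234": "looks like a phone number",
    "Tr0ub4dor&3": "mixed classes, short",
    "correct horse battery staple": "long passphrase",
}

# NANP phone number: area code and exchange start with 2-9, then 4 line digits.
PHONE_RE = re.compile(r"[2-9]\d{2}[2-9]\d{2}\d{4}")
SYMBOLS = 32  # printable ASCII punctuation and space, the remaining WPA-legal characters

def alphabet_size(passphrase):
    """Size of the smallest character alphabet that covers the passphrase."""
    size = 0
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c not in string.ascii_letters + string.digits for c in passphrase):
        size += SYMBOLS
    return size

def keyspace_bits(passphrase):
    """Worst-case search space in bits when the attacker knows the alphabet."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))

def audit(passphrase):
    """Findings a defender would raise for this WPA/WPA2 passphrase."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("not a valid WPA passphrase length (8-63 chars)")
    if passphrase.isdigit():
        findings.append("digits only: at most 10^%d guesses" % len(passphrase))
    if PHONE_RE.fullmatch(passphrase):
        findings.append("matches a 10-digit phone-number pattern")
    if keyspace_bits(passphrase) < 64:  # threshold is an illustrative assumption
        findings.append("under 64 bits: exhaustible offline from a captured handshake")
    return {"bits": round(keyspace_bits(passphrase), 1), "findings": findings}

if __name__ == "__main__":
    for pw, note in SAMPLE_PASSPHRASES.items():
        r = audit(pw)
        print("%-30s %6.1f bits  %s" % (pw, r["bits"], "; ".join(r["findings"]) or "ok"))
```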

    I do not advocate using cracked passwords. It is legal to crack the password, however it is illegal to use it in any way, which includes connecting to the network for proof of concept.

    That being said, change your MAC address so you will not be caught if you should decide to commit a federal crime today. (To each his own)

    We have created this easy video showing you how to change your MAC Address very easily via the terminal in under 30 seconds.

    On with the show! Here is the command:

    seq 1000000000 9999999999 >> ATTUVERSE

    ATTUVERSE is the output filename; anything will do here.

    Now you can test this command and see the kind of output to expect with this quick test:

    seq 100 5000

    which will give you all the numbers in a nice list from 100 to 5,000. The >> (the "wokka wokka") is there to append all of this output to the end of a file and save it for later use. You can experiment with it if you like; just remember that when using the wokka wokka you will not see the output, you will only notice that the prompt goes away for the duration of the computation.

    You should now prop up your laptop on something to allow airflow to the fans, or build this nifty laptop cooling table like I did this weekend, and go ahead and grab yourself a Snickers.

    When you come back, be sure to create your list of victims, ahem, I mean, captive wireless access points in your wifi radio lab where none of the signals can escape into the wild. Remember, we cannot use this in public; how would your neighbor feel safe if you could watch their nanny cam whenever you wanted, eh?

    My laptop has been churning numbers for about 10 minutes now, and my file is already up around 5 GB, so needless to say I won’t be offering a download for this number list, but luckily you can generate your own faster than some of you could have downloaded it anyway.

    Take this time to generate a 4-Way-Handshake like you would normally do when mangling the flimsy WPA and WPA2 wifi encryption protocols, and when you are done with the handshake and the number list computation, you can add it into something like Pyrit, Cowpatty or Aircrack-ng like this:

    aircrack-ng -w path/to/ATTUVERSE  /path/to/att-4way-shake.cap

    This would give you the password in a short amount of time, much faster than if you had used rainbow tables built from full words in the list.

    NOTE:

    I used this same attack back in the day to generate all the useful telephone numbers in an area code, because when Comcast sets up their wifi, they are instructed to use the subscriber’s phone number as the password for the wifi. A quick Yellow Pages lookup will tell you the phone number. The same thing goes for how to hack 2wire routers. Same story with the phone numbers.

    Happy Hacking!! If this tutorial helped you out, please go to my YouTube channel, and THUMB UP a few of my videos so that I can make a little bit of scratch to keep this whole thing going.

    About

    James is an active member of his local tech community in Memphis, TN. He is a student of Science at the local college and an Information Security hobbyist, as well as an outspoken Linux Advocate, and open source proponent. After a hard day at the console, James likes to enjoy a vintage 2012 Mountain Dew, with a robe and a pipe by the fire.