Security in Cyprus is bad. That is not a surprise.

Primetel uses insecure default passwords in their WIFI routers. A WPA password can be cracked in 4-5 seconds with a simple laptop. If you are interested in the details see below.

I used Primetel on the my previous apartment. The password was on the form of 12345678. 8 Digits, all integers. I thought that was strange, the password doesn’t have enough entropy, So I caclulated how must time someone needs to brute force the password.

At a rate of 900/passwords per second (a simple laptop) this can be brute forced in 30 hours. Its not that good but at least its not as bad as the whole Cyta/Thomson thing.

Soon I noticed some passwords containing a letter, like 1234567a 123456f8 sometimes 2. That is somewhat better, or so I thought. Clearly I didn’t have the whole story.

When I moved to another apartment I reconnected with PrimeTel. Then I noticed that the 4 first digits of the password were the same, only the latest 4 digits changed. That made me wonder. The first digits are clearly connected to the client. Are the latest 4 digits based on something else like mac or SSID ? There was a question bugging me, that needed to be answered.

That kids, is the garden variety programmer/hacker OCD. Sometimes useful, most times just annoying 🙂

Then I make a list of people I know, public places with Primetel routers, and aggregate their passwords, SSID (Wireless network name), bssid (The mac address of the router). All these information (excluding the password) are broadcasted for each router, you can easily see them.

I pushed the data to Dropbox for continue the research when I had time.

Then I forgot about the matter, until I was on an airplane for 2 hours with no internet. I opened my tablet, started reading a book. The of course I was bored from the first 5 minutes.

Then I saw the file in front of me staring at me: primetel.txt. Ok why not, lets take a look. I started looking at the numbers, and some patterns emerged. In all cases digits 3-4 of the password were the same as the password.

Example:

Mac: 00:21:96:2b:13:bc
Password     29 79 13 b4

Also latest 2 digits had some similarity. After some more intense number watching I noticed the second pattern.

  • If the last 2 digits of the mac address is an odd number then the latest 2 digits had a difference of one. If lets say the last 2 digits of the mac are 11, then the last 2 digits of the password are 10
  • If the last 2 digits of the mac address is an even number, then the latest 2 digits of the password was the latest 2 digits of the mac – 8. If for example 12 will give 04.

In our example 00:21:96:2b:13:bc:

  • The last 2 digits of the mac is bc (even number)
  • The latest 2 password digits are bc – 08 = b4

Another example is: 2c:ab:25:b9:22:85

  • The latest 2 digits are 85 (odd number)
  • Latest 2 password numbers are 85 – 1 = 84

That drops the entropy a lot. All possible passwords are basically 9000 since the first part is always decimal. That can be cracked in about 10 seconds with a simple laptop.

Not bad at all.

So I introduce my tool: primeTeller. Using the logic described here, generates a wordlist with 9000 passwords, and one of them is the password of your router.

What most people don’t know is that these matters are not just a matter of “someone is using my wifi”. The password is used to encrypt data. If someone has your password, then he is able to monitor your online activities wirelessly, from a great distance.

 

  • arisgoku

    Εγώ όταν επικοινώνησα μαζί τους για να μου αλλάξουν τον κωδικό του wifi μιας και έχουν κλειδωμένο τον ρούτερ μου είπαν ότι ο κωδικός πρέπει να είναι μήκος 8 χαρακτήρων που να περιλαμβάνει μόνο αριθμούς και τα γράμματα a-e, A-E. Ενδιαφέρων άθρο πάντως, μπορεί να μετατραπεί σε κάποιο android app;

    Reply

    • admin Post author

      Ναι και αυτό το ξέρω και είναι και αυτό γελοίο.

      To ouput του προγράμματος είναι ένα wordlist που δεν έχει ιδιαίτερη χρησιμότητα για το android μιας και χρειάζεσε κάποιο tool της κατηγορίας του aircrack/airodump για να κάνεις μια πετυχημένη επίθεση.

      Και για packet capture/injection χρειάζεσε root συσκευή.

      Reply

  • poulaki

    Kleo. Interesting work, part of me moving away from them is that I couldn’t access their shitty router in the first place. I would be interested in an android app even if it requires root, imo propose something in xda I am sure people wouldn’t mind jumping in to support a project like this

    Reply

  • agrotis

    They have informed me that now it is possible to change the wireless password using My PrimeTel website. Seems to work.

    Reply

  • Johnson

    I don’t know how to make python work, can you help me please, FC:8B:97:19:AF:39 – this is the MAC address need. Thank you very much.

    Reply

  • george

    re pedia pos na xrisimopiiso worldlist horis handshake

    Reply

Leave a Reply