#!/usr/bin/python2.7# -*- coding: utf-8 -*-import osimport randomimpor

1. #!/usr/bin/python2.7
2. # -*- coding: utf-8 -*-
3.  
4. import os
5. import random
6. import sys
7.  
8. # link between commercial fancy name and model name
9. association = {
10. "F9K1104v1":"N900",
11. "F9K1105V2":"N450",
12. "F7D2301v1":"N300"}
13.  
14.  
15. class router():
16.     def __init__(self, lmac="", wmac="", passw="", wpin="", model="", serial=""):
17.         # WLAN MAC
18.         self.lmac = lmac
19.         # WAN MAC
20.         self.wmac = wmac
21.         # default password
22.         self.passw = passw
23.         # default WPS pin
24.         self.wpin = wpin
25.         # model name
26.         self.model = model
27.         # serial number
28.         self.serial = serial
29.  
30.  
31. class finder():
32.     def __init__(self,routers, verbose = False):
33.         self.verbose = verbose
34.         self.routers = routers
35.         self.table = randomtable()
36.         self.ftable = [[], [], [], [], [], [], [], []]
37.  
38.     def check(self):
39.         yesvector = list(8*[True])
40.         for router in self.routers:
41.             # compute pass
42.             tmp_pass = friendship(router.wmac,self.table)
43.             # check pass
44.             for digit in xrange(8):
45.                 if yesvector[digit] & (tmp_pass[digit] != router.passw[digit]):
46.                     yesvector[digit] = False
47.         for valid_digit in xrange(8):
48.             if yesvector[valid_digit]:
49.                 self.ftable[valid_digit].append(self.table[valid_digit])
50.                 if self.verbose:
51.                     print "Found one valid vector for",valid_digit
52.  
53.     def farm(self,times=30):
54.         for i in xrange(times):
55.             self.check()
56.             self.table = randomtable()
57.  
58.     def prftable(self):
59.         for i in xrange(8):
60.             print "Line",i
61.             for extracted in xrange(12):
62.                 for line in self.ftable[i]:
63.                     if line[0] == extracted:
64.                         print hex(extracted)[2:], hp(line[1])
65.  
66.     def save(self,filename):
67.         with open(filename+".ftable",'w') as ofi:
68.             # prefix
69.             ofi.write("123456789FTABLE\n")
70.             # number of routers : 4 bytes      
71.             ofi.write(str(len(self.routers))+'\n')
72.  
73.             # routers
74.             for router in self.routers:
75.                 ofi.write(''.join([chr(int("0x"+i,16)) for i in router.lmac.split(":")])+"#")
76.                 ofi.write(''.join([chr(int("0x"+i,16)) for i in router.wmac.split(":")])+"#")
77.                 ofi.write(''.join([chr(int("0x"+router.passw[i:i+1],16)) for i in xrange(0,len(router.passw),2)])+"#")
78.                 ofi.write(router.wpin+"#")
79.                 ofi.write(router.model+chr(0))
80.                 ofi.write(router.serial+"\n")
81.  
82.             # FTABLE \o/
83.  
84.             for i in xrange(8):
85.                 for extracted in xrange(12):
86.                     for line in self.ftable[i]:
87.                         if line[0] == extracted:
88.                             ofi.write(str(extracted)+chr(0xff))
89.                             ofi.write(''.join([chr(int("0x"+line[1][a]+line[1][a+1],16)) for a in xrange(0,len(line[1]),2)])+chr(0xff))
90.  
91.             ofi.close()
92.  
93.  
94.  
95.  
96. def randomtable():
97.     # Each of the eight characters of the default passphrase are created by substituting a corresponding hex-digit of the wan mac address using a static substitution table.
98.     substitution_table = []
99.     for index_caractere_pass in xrange(8): # 8 digits password
100.         caractere_extrait = random.randrange(12)
101.         dictionnary = []
102.         for lettre in xrange(0x10): # 16 possible digits
103.             decalage = random.randrange(0x10)
104.             dictionnary.append(hex((lettre+decalage)%0x10)[2:])
105.         substitution_table.append([caractere_extrait,dictionnary])
106.     return substitution_table
107.  
108.  
109. def friendship(mac,table):
110.     """ Friendship is magic"""
111.     #return ''.join([substitution[l.lower()] for l in ''.join([i for i in mac.split(":")])])
112.     mac = ''.join([i for i in mac.split(":")])
113.     #r = ' '.join([substitution[mac[table[i]].lower()]+"\033[31m"+str(mac[table[i]])+"\033[32m"+str(table[i])+"\033[0m" for i in xrange(len(table))])
114.     r = ''.join([ table[i][1][int("0x"+mac[table[i][0]].lower(),16)] for i in xrange(len(table)) ])
115.     return r
116.  
117. # Belkin N300 Model F7D2301v1
118. # the first 5 digits of the password are calculated correctly. It is likely that the algorithm differs only in the tables used.
119.  
120. def hp(l):
121.     r = ''
122.     for i in l:
123.         r += "\033[3"+str(int("0x"+i,16)%10)+"m"+i+"\033[0m"
124.  
125.     return r
126.  
127.  
128. if __name__ == "__main__":
129.     os.system("clear")
130.     a = router("08:86:3B:51:99:0C", "08:86:3B:51:99:0E", "ae6da694", "53475961", "F9K1104v1", "321202GH102606")
131.     b = router("08:86:3B:C2:07:F4", "08:86:3B:C2:07:F5", "7e9697f4", "37932640", "F9K1105V2", "20214GE5200059")
132.     c = router("94:44:52:76:7A:CA", "94:44:52:76:7A:CA", "c47c7395", "61599130", "F7D2301v1", "121021G2101136")
133. #   c = router("94:44:52:76:7A:CA", "94:44:52:76:7A:CA", "C47C7395", "61599130", "F7D2301v1", "121021G2101136")
134. #   d = router("00:1C:DF:DA:FA:F9", "00:1C:DF:DA:FA:FA", ""        , "43510979", "F5D8231-4", "150831R8501045")
135. #   e = router("00:22:75:CE:DB:6E", "00:22:75:CE:DB:6E", ""        , "51478575", "F5D8232-4", "20006823200146")
136.  
137.     f = finder([a,b,c])
138.     f.farm(30000)
139.     f.prftable()
140.     f.save("azertyu")