2600 Magazine: The Hacker Quarterly - Digital Edition - Summer 2011

key was an eleven digit number and the ESSID was a slight variant of “VirginMobile MiFi2200.” I got a little curious and poked around a bit, discovering that the password was the same as the decimal representation of the ESN.

Of course, this made me even more curious and so I had a look at another two units, discovering the same coincidence. Could it be that OEM set all of the 2200 series encryption keys to the ESN? Only testing will tell, or confirmation from the vendor, heh.

Before you begin auditing anything, keep in mind that you need to have a solid background in counter-forensics if you want to get away with anything. Learn the law and how to avoid getting ensnared in it. Also, you'll need to create yourself a dictionary file with all of the conceivable numbers that might be used as default passwords. The manufacturer's code will be the first eight bits of the ESN, or the first three digits, which is 091 for my device. This leaves only 18 bits for the manufacturer to assign up to 262,144 codes in this batch, hence the vulnerability. Software like pyrit will tear through a small set of PMKs, and even the aircrack-ng suite should be able to accommodate this sort of attack.
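The security-relevant point of the paragraph above is that a factory WPA key derived from the ESN is printed on the device label and is only as unpredictable as the serial-number block it was drawn from. The following is an added example, not code from the article, for the owner or fleet administrator of such a hotspot: it converts a 32-bit ESN between its hex and decimal forms (the decimal form being the 3-digit manufacturer code followed by the 8-digit serial, which yields the 11-digit string the article describes), flags a passphrase that matches either form or that is all digits, and produces a random replacement. The sample ESN `5B000001` is constructed (0x5B is decimal 091, the manufacturer code mentioned in the text); the function names are this example's own.

```python
"""Factory-passphrase hygiene check for a hotspot whose default WPA key may be
the decimal form of its ESN. Added example, not the article's own code.

An ESN is 32 bits. Its decimal form is the top 8 bits as a 3-digit
manufacturer code followed by the low 24 bits as an 8-digit serial.
"""
import math
import re
import secrets
import string


def esn_to_decimal(esn_hex):
    """Convert an 8-hex-digit ESN (dashes allowed) into its 11-digit decimal form."""
    esn = int(esn_hex.replace("-", ""), 16)
    if not 0 <= esn <= 0xFFFFFFFF:
        raise ValueError("ESN must be a 32-bit value")
    mfr = esn >> 24            # manufacturer code, 0..255
    serial = esn & 0xFFFFFF    # serial, 0..16777215
    return f"{mfr:03d}{serial:08d}"


def decimal_to_esn_hex(esn_dec):
    """Inverse of esn_to_decimal: 11-digit decimal string -> 8 uppercase hex digits."""
    if not re.fullmatch(r"\d{11}", esn_dec):
        raise ValueError("decimal ESN must be exactly 11 digits")
    mfr, serial = int(esn_dec[:3]), int(esn_dec[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("field out of range for a 32-bit ESN")
    return f"{(mfr << 24) | serial:08X}"


def audit_passphrase(passphrase, esn_hex):
    """Return a list of findings about the WPA passphrase; empty means none."""
    findings = []
    norm = passphrase.replace("-", "").replace(" ", "").upper()
    if norm == esn_to_decimal(esn_hex):
        findings.append("passphrase is the decimal ESN printed on the device label")
    elif norm == esn_hex.replace("-", "").upper():
        findings.append("passphrase is the hex ESN printed on the device label")
    if len(passphrase) < 8:
        findings.append("shorter than the 8-character WPA2 minimum")
    if passphrase.isdigit():
        bits = len(passphrase) * math.log2(10)
        findings.append(f"all-digit passphrase: at most 10^{len(passphrase)} "
                        f"candidates (about {bits:.0f} bits)")
    return findings


def random_passphrase(length=20):
    """Replacement passphrase drawn from the OS CSPRNG (about 119 bits for 20 chars)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: manufacturer code 091 (0x5B), serial 1.
    sample_esn = "5B000001"
    factory_key = esn_to_decimal(sample_esn)
    print("decimal ESN:", factory_key)
    for finding in audit_passphrase(factory_key, sample_esn):
        print("finding:", finding)
    print("suggested replacement:", random_passphrase())
```

Run against a fleet by feeding each device's label ESN and configured passphrase to `audit_passphrase`; any device that returns a finding should have its key rotated to the output of `random_passphrase` (or to any other value not derivable from the label).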

I would like to outline the testing procedure in general terms:

Find all Windows installations in your laboratory, and format the hard drives. Install Linux. Maybe back up your older data, maybe not. Consider starting life fresh.

Install Linux on your attack laptop. Install the aircrack-ng suite, either using your distribution's package manager or compiling it from source to increase your credibility. Ubuntu is good. Gentoo is better. If you have trouble with these, you might want to use a LiveCD such as Pentoo, or Backtrack if you are a noob.

Go someplace where a lot of people, particularly businessmen or traveling salespeople work. Perform a scan for VirginMobile named 802.11 wireless networks. The iwlist command from the iwtools suite works well in combination with a modified grep command if you are working in a target-rich environment.

Having obtained the ESSID of your target, next you will need to intercept the WPA handshake. As such, you may find it helpful to disassociate any connected clients using the aireplay-ng tool in the aircrack-ng suite. This tool is remarkably effective. As the client disassociates, it will likely reassociate with the access point, during which time you may intercept the handshake. The handshake is the weak point of the crypto process. Protip: Use two network cards so that you can send DEAUTH packets with one while listening in promiscuous mode with the second one for handshakes.
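The forced-reassociation step above is also the most visible part of the procedure from the network's side: a burst of deauthentication or disassociation frames for one BSSID in a short window is exactly what a wireless IDS alerts on (and what 802.11w protected management frames prevent on access points and clients that support it). The following is an added example, not code from the article, showing that detection over a constructed frame log. It assumes a monitor sensor exports one CSV row per management frame with the columns `ts` (seconds), `subtype`, `src`, `dst`, `bssid`; the sample MAC addresses, the window of 10 seconds and the threshold of 20 frames are this example's own choices.

```python
"""Sliding-window detection of deauth/disassoc bursts per BSSID.
Added example, not code from the article; the frame log is constructed."""
import csv
from collections import defaultdict, deque
from io import StringIO

DEAUTH_SUBTYPES = {"deauth", "disassoc"}
WINDOW_S = 10.0     # sliding window length in seconds (assumption)
THRESHOLD = 20      # frames within the window that raise an alert (assumption)


def build_sample_log():
    """Constructed log: routine beacons, one ordinary client departure on AP1,
    then a 30-frame broadcast deauth burst carrying AP2's BSSID."""
    rows = ["ts,subtype,src,dst,bssid"]
    ap1, ap2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    bcast = "ff:ff:ff:ff:ff:ff"
    for i in range(50):                                  # beacons every 0.1 s
        rows.append(f"{i * 0.1:.1f},beacon,{ap1},{bcast},{ap1}")
    rows.append(f"3.0,deauth,02:00:00:00:00:aa,{ap1},{ap1}")   # one client leaving
    for i in range(30):                                  # burst: 30 frames in 1.5 s
        rows.append(f"{100.0 + i * 0.05:.2f},deauth,{ap2},{bcast},{ap2}")
    return "\n".join(rows) + "\n"


def parse_frames(text):
    """Parse the CSV export into dicts with a float timestamp, sorted by time."""
    frames = list(csv.DictReader(StringIO(text)))
    for frame in frames:
        frame["ts"] = float(frame["ts"])
    return sorted(frames, key=lambda f: f["ts"])


def detect_deauth_bursts(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Return one alert per BSSID each time its deauth/disassoc count in the
    trailing window first reaches the threshold."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauth frames
    alerts = []
    for frame in frames:
        if frame["subtype"] not in DEAUTH_SUBTYPES:
            continue
        q = recent[frame["bssid"]]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > window:   # drop frames outside the window
            q.popleft()
        if len(q) == threshold:                    # fire once as the count crosses
            alerts.append({"bssid": frame["bssid"], "first_ts": q[0],
                           "last_ts": frame["ts"], "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_bursts(parse_frames(build_sample_log())):
        print(f"ALERT bssid={alert['bssid']} {alert['count']} deauth/disassoc frames "
              f"between t={alert['first_ts']:.2f} and t={alert['last_ts']:.2f}")
```

The single ordinary departure on AP1 never trips the detector; the burst on AP2 does, at the twentieth frame. In a real deployment the threshold should sit above the deauth rate your own access points produce during normal roaming, and a broadcast destination combined with a burst is a stronger signal than either alone.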

With the handshake successfully intercepted, use the aircrack-ng or pyrit forcing utility to find a collision. For this, you will need to specify your dictionary file (q.v.).

Please note: I researched, discovered, and publicized this hack because I have abundant respect for the MiFi equipment marketed by the Broadband2Go service by Virgin Media. Although I won't admit to making a clandestine audit of their resources, at the least I feel comfortable saying that I was impressed by their security setup, and will continue to proudly be a Virgin customer, publicizing only a minor bug. Along these lines, security enthusiasts should recognize that minor to moderate security bugs in technology products and services are no more egregious an error than when you order (patriot) fries from McDonald's and they don't have enough salt on them. In essence, security bugs should be accepted as a fact of life, and any security professional who gets publicly bent out of shape about them is likely insincere and is in most cases either a blowhard, a profiteer, or a gloryhound. If you're successful, you may have temporarily granted yourself free anonymous Internet access.

Also note: I've worked professionally as an authorized pen tester for the past five years, a job coveted by many of the younger security professionals that I meet. However, I'd like to be the first to disclose that among the many jobs I've held in my life, being a pen tester is among the
