Good day to everyone!!
WiFiReaver & upc_keys. WPA2 passphrase recovery tool for UPC%07d devices.
You'd think vendors would stop using weak algorithms that allow people to recover the credentials for a WiFi network based purely on the ESSID. Sadly, those days aren't over yet. We've seen some excellent recent research by Novella/Meijer/Verdult [1][2] which illustrates that these issues still exist in recent devices and firmware. I set out to dig up one of these algorithms and came up with this little tool.
The attack is two-fold: in order to generate the single valid WPA2 passphrase for a given network we need to know the serial number of the device, which we don't have. Luckily there is also a correlation between the ESSID and the serial number, so we can generate a list of 'candidate' serial numbers (usually around 20) for a given ESSID and then generate the corresponding WPA2 passphrase for each candidate serial. (This should take under a second on a reasonable system.)
Use at your own risk and responsibility. Do not complain if it fails to recover some keys, there could very well be variations out there I am not aware of. Do not contact me for support.
blasty
UPDATE 20160108: I added support for 5GHz networks. Specifying the network type is now mandatory, but as a bonus you get fewer candidates. :-)