Hacker News new | past | comments | ask | show | jobs | submit login

Fun stuff. classes.dex in the apk has some interesting strings:

    select * from js_injection where name=?
    select * from pwd where hid>=? and hid<? order by hid

    CREATE TABLE IF NOT EXISTS local_ap_info ( hid integer primary key autoincrement, ssid text, bssid text, security_level text,
     pwd text, x_user text, x_pwd text, stat text, lati text, longi text, type text, html text, create_dt text, last_update_dt text)
	
    CREATE TABLE IF NOT EXISTS private_ap_info(ID integer primary key autoincrement,ssid text,bssid text,security_level text,
     pwd text,hid text,create_dt text,last_update_dt text,last_update_opr text,wkflg char(8))
	
    CREATE TABLE IF NOT EXISTS unlock_ap(id integer primary key autoincrement,ssid text,bssid text,security_level text,
     pwd text,uploaded integer(1))
Cleaned up your sqlite commands:

    sqlite> .tables
    pwd
    sqlite> .schema pwd
    CREATE TABLE "pwd" ("password" TEXT NOT NULL );
    sqlite> SELECT * FROM pwd;
    a30e502c125899a41cb562a7a36b4bd0 c58675db0ba9266fb5307982e4368ab0 5631e619f6e280c0740704a25a8298f6 ...
Looks like it may not be fully seeded on install?

Edit:

Getting a different result for the database in the apk:

    $ sqlite3 ap8.db 
    SQLite version 3.8.10.1 2015-05-09 12:14:55
    Enter ".help" for usage hints.
    sqlite> .tables
    android_metadata  ap_info           js_injection      pwd             
    sqlite> .schema pwd
    CREATE TABLE pwd(hid integer primary key autoincrement,pwd text);
    sqlite> select * from pwd;
    1|df5b74fb19b8b150bcf07bbb4e43456d
    2|a1b574f8cf46c461f1e15fa52e3b2110
    3|c8c28c03de3e02d7814d86b14dfcf1f5
    4|7635726149e6d0f0e8f3e9224b8109dc
Most "pwd" are 32 chars long, some are 64 chars, and a few are 96 chars for some odd reason.

ap_info, and js_injection tables are empty so you'd have to get at it after syncing to their servers.




Dumped - http://pastebin.com/YnKkA4DA

This from the ap8.db from the Android download. I didn't want to install this piece of shit on a real phone, the source does update and get a newer version.

This was an easy CTF.


They change depending on the auth type (WEP vs WPA vs WPA2-PSK vs WPA2-Enterprise). It'll be a day or two before someone manages to decrypt the DB. I'd have a crack at it if I had more time.


My money's on AES256 ECB mode.


    aload 0    // this
    LDC "AES/CBC/NoPadding"
    invokestatic javax/crypto/Cipher.getInstance(java/lang/String) : javax/crypto/Cipher
    putfield com/snda/wifilocating/support/c.c : javax/crypto/Cipher
Nope.


CBC sizes would go 32, 48, 64


[deleted]


I'm obviously talking about 128, since I can't see 32 bytes happening with AES256 CBC.


    LDC AES/CBC/NoPadding
#nopadding

The fact that they had #nopadding in there makes it obvious that they copy pasted this code and has literally no idea what they are doing.


What does padding have to do with the IV?


You think they randomly generate a IV for every single password? Did you think they were competent or something? :)

https://i.imgur.com/b6kfN7y.png

Anyways, it is 128 bit CBC. I incorrectly assumed 256 bit because I forgot the hex representation of a char is twice the length. Since they don't have a padding block, the shortest possible output is one block. Thus 16 bytes or a hex string of 32 characters in length.


Jesus Christ that's incompetent. I see what you mean, it's 32 hex chars, not binary chars. Since we have the IV and key, we can just decrypt all the passwords.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: