WiFi万能钥匙Python查询脚本

刚听说WiFi万能钥匙的时候已经接触过无线安全的东西,而且也用过神器aircrack-ng,所以对WiFi万能钥匙就没信任过,后来终于被各种讨伐。
此脚本以TheCjw的脚本为基础(博客文章:Lost and Found - WIFI万能钥匙Python查询脚本),增加了更新dhid的功能,相关原理参照了WIFI万能钥匙协议分析,虽说初学Python不过至少代码能用……

截止北京时间2015年6月22日,23点51分,脚本依然能够正常使用。使用方法,修改代码wifi.add_ssid(“aa:bb:cc:dd:ee:ff”, “SSID”)为自己/要查询的BSSID和SSID组合。

2015-06-25更新:解决了添加中文SSID时编码不一致报错的问题,统一了处理时的编码,现在支援中文SSID。

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
# Author: TheCjw<[email protected]>
# Created on 22:26 2015/2/11

# Editer: Hamster<[email protected]>
# Automatically change dhid to prevent block
# So that enable to query unlimitedly
# Edited on 23:26 2015/6/22

# Editer: Hamster<[email protected]>
# Add Chinese SSID support
# Update on 11:12 2015/6/25

__author__ = "TheCjw, Hamster"

import collections
import hashlib
import json

import requests
from Crypto.Cipher import AES

class Initdhid(object):
    def __init__(self):
        self.salt = "LQ9$ne@gH*Jq%KOL"
        self.request_params = {}

        self.request_url = "http://wifiapi02.51y5.net/wifiapi/fa.cmd"
        self.request_params["capbssid"] = "d8:86:e6:6f:a8:7c"
        self.request_params["model"] = "Nexus+4"
        self.request_params["och"] = "wandoujia"
        self.request_params["appid"] = "0001"
        self.request_params["mac"] = "d8:86:e6:6f:a8:7c"
        self.request_params["wkver"] = "2.9.38"
        self.request_params["lang"] = "cn"
        self.request_params["capbssid"] = "test"
        self.request_params["uhid"] = ""
        self.request_params["st"] = "m"
        self.request_params["chanid"] = "guanwang"
        self.request_params["dhid"] = ""
        self.request_params["os"] = "android"
        self.request_params["scrs"] = "768"
        self.request_params["imei"] = "355136052333516"
        self.request_params["manuf"] = "LGE"
        self.request_params["osvercd"] = "19"
        self.request_params["ii"] = "355136052391516"
        self.request_params["osver"] = "5.0.2"
        self.request_params["pid"] = "initdev:commonswitch"
        self.request_params["misc"] = "google/occam/mako:4.4.4/KTU84P/1227136:user/release-keys"

        # "sign" to be computed
        self.request_params["sign"] = ""

        self.request_params["v"] = "633"
        self.request_params["sim"] = ""
        self.request_params["method"] = "getTouristSwitch"# Method: Get new dhid
        self.request_params["scrl"] = "1184"

        self.headers = {
            "Content-type": "application/x-www-form-urlencoded",
            "Host": "wifiapi02.51y5.net",
            "Accept": "text/plain"
        }

    def __sign__(self, data):
        return hashlib.md5(data.encode("utf-8")).hexdigest().upper()

    def __post__(self):
        r = requests.post(self.request_url, data=self.request_params, headers=self.headers)
        return r.text

    def __sign_data__(self):
        self.request_params["sign"] = ""
        value = ""
        for key in collections.OrderedDict(sorted(self.request_params.items())):
            value += self.request_params[key]
        value += self.salt
        return self.__sign__(value)

    def request(self):
        self.request_params["sign"] = self.__sign_data__()
        ret_data = json.loads(self.__post__())
        return ret_data["initdev"]["dhid"]

class WifiDemo(object):
    def __init__(self):
        self.salt = "LQ9$ne@gH*Jq%KOL"
        self.request_url = "http://wifiapi02.51y5.net/wifiapi/fa.cmd"

        self.request_params = {}
        self.request_params["och"] = "wandoujia"
        self.request_params["ii"] = ""
        self.request_params["appid"] = "0001"
        # self.request_params["pid"] = "qryapwithoutpwd:commonswitch"
        self.request_params["pid"] = "qryapwd:commonswitch"
        self.request_params["lang"] = "cn"
        self.request_params["v"] = "633"
        self.request_params["uhid"] = "a0000000000000000000000000000001"
        # self.request_params["method"] = "getSecurityCheckSwitch"
        self.request_params["method"] = "getDeepSecChkSwitch"
        self.request_params["st"] = "m"
        self.request_params["chanid"] = "guanwang"

        # Fill these shit.
        self.request_params["sign"] = ""
        self.request_params["bssid"] = ""
        self.request_params["ssid"] = ""

        # device id.
        self.request_params["dhid"] = "4028b2964e01aa00014e1a8641aa4675"
        # device mac.
        self.request_params["mac"] = "d8:86:e6:6f:a8:7c"

        self.headers = {
            "Content-type": "application/x-www-form-urlencoded",
            "Host": "wifiapi02.51y5.net",
            "Accept": "text/plain"
        }

    def __sign__(self, data):
        return hashlib.md5(data.encode("utf-8")).hexdigest().upper()


    def __post__(self):
        r = requests.post(self.request_url, data=self.request_params, headers=self.headers)
        return r.text

    def __add_bssid__(self, bssid):
        self.request_params["bssid"] += bssid + ","

    def __add_ssid__(self, ssid):
        self.request_params["ssid"] += ssid + ","

    def __sign_data__(self):
        self.request_params["sign"] = ""
        value = unicode("",'utf-8')
        for key in collections.OrderedDict(sorted(self.request_params.items())):
            value += self.request_params[key].decode('utf-8')
        #    print type(value)
        #    print type(self.request_params[key])
        value += self.salt
        return self.__sign__(value)

    def add_ssid(self, bssid, ssid):
        self.__add_bssid__(bssid)
        self.__add_ssid__(ssid)

    def request(self):
        tmp = Initdhid()
        self.request_params["dhid"] = tmp.request()
        self.request_params["sign"] = self.__sign_data__()
        ret_data = json.loads(self.__post__())
        if ret_data["retCd"] == "-1111":
            # update key and retry.
            self.salt = ret_data["retSn"]
            return self.request()
        elif ret_data["retCd"] == "0":
            self.salt = ret_data["retSn"]
            return ret_data

def main():
    wifi = WifiDemo()

    # Add BSSID & SSID
    wifi.add_ssid("aa:bb:cc:dd:ee:ff", "SSID")
    wifi.add_ssid("ab:bc:cd:de:ef:fa", "中文SSID")

    result = wifi.request()

    if len(result["qryapwd"]["psws"]) == 0:
        print "Not found."
        return

    for info in result["qryapwd"]["psws"]:
        ssid = result["qryapwd"]["psws"][info]["ssid"]
        bssid = result["qryapwd"]["psws"][info]["bssid"]
        encrypt_data = result["qryapwd"]["psws"][info]["pwd"]

        cipher = AES.new(b"jh16@\`~78vLsvpos", AES.MODE_CBC, b"j#bd0@vp0sj!3jnv")
        decrypt_data = cipher.decrypt(encrypt_data.decode("hex"))
        length = int(decrypt_data[:3])
        password = decrypt_data[3:][:length]

        print "ssid", ssid
        print "bssid", bssid
        print "password", password
        print


if __name__ == "__main__":
    main()

查询结果如图,这是家里附近的随机选取的几个WiFi:

要正常运行需要requests库和Crypto.Cipher库



blog comments powered by Disqus
本作品采用知识共享署名-相同方式共享 3.0 未本地化版本许可协议进行许可。
Theme by [Codepiano], First Modified Version by [pengx17], Latest Modified Version by [iHamsterball]