decoding passwords sent over http

2016-09-25 18:02:18 +00:00 · 2016-09-25 18:02:18 +00:00 · a48cec0de4
commit a48cec0de4
parent 3dd7b04e9e
1 changed files with 41 additions and 0 deletions
--- a/mifi/reverse-adpassword.rb
+++ b/mifi/reverse-adpassword.rb
@ -0,0 +1,41 @@
+#/usr/bin/ruby
+## reverse-adpassword.rb - Virgin Mobile Mifi login passwords are encoded, not encrypted
+
+require 'digest/sha1'
+
+PWTOKEN='tcqowykwoejwlgvj' # magic number from index.html inline js
+
+## mirroring js method names
+def rstr2hex(input)
+  # iterate over each character
+  # get it's character code (a = 97, o = 111).. so ASCII value
+  # append this value shifted 4 times & 15 + the character again & 15
+  ## in js: a = c.charCodeAt(i); b+=f.charAt((a>>>4)&15)+f.charAt(a&15), where f = '0123456789abcdef'
+  # so .. isn't this just hexing?
+  input.each_byte.map { |b| b.to_s(16) }.join
+end
+
+def rstr_sha1(input)
+  # technically we can do all of the encoding with .hexdigest here, but hey, completeness
+  Digest::SHA1.digest(input)
+end
+
+# TODO actually implement this, for now assuming input is ASCII anyway
+def str2rstr_utf8(input)
+  input
+end
+
+## main()
+password = ARGV.first
+if password.nil?
+  p sprintf('USAGE: %s <password>', File.basename(__FILE__))
+  exit 1
+end
+
+# TODO first we mimic the encoding, then we can decode
+encoded = rstr2hex(rstr_sha1(str2rstr_utf8(password)))
+
+puts sprintf('%s %s', decoded, "\n")
+
+
+