├── webapp ├── dump.rdb ├── run.txt ├── task.py ├── app.py ├── templates │ └── index.htm └── wifi.py ├── README.md ├── wifi.php └── wifimasterkey_macos.py
/webapp/dump.rdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/5alt/lianwifi/master/webapp/dump.rdb
--------------------------------------------------------------------------------
/webapp/run.txt:
--------------------------------------------------------------------------------
1 | 开三个窗口到当前目录,分别执行
2 | redis-server
3 | celery worker -A task.celery --loglevel=info
4 | python app.py
--------------------------------------------------------------------------------
/webapp/task.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
#!/usr/bin/env python
#author md5_salt
from celery import Celery
import wifi as wifilib
import json

# Celery settings: one local Redis database is both the broker and the result
# backend. The URL carries no credentials.
# NOTE(review): webapp/dump.rdb is listed in this repository; with Redis as
# the result backend a committed dump may hold earlier task results --
# confirm, and keep Redis dumps out of version control.
config = {
    'CELERY_BROKER_URL': 'redis://localhost:6379/0',
    'CELERY_RESULT_BACKEND': 'redis://localhost:6379/0',
}
celery = Celery('wifi', broker=config['CELERY_BROKER_URL'])
celery.conf.update(config)


@celery.task(bind=True)
def query_task(self, ssid, bssid):
    '''Look up each (ssid[i], bssid[i]) pair in turn and collect the hits.

    Before every lookup the task state is set to REQUEST with the current
    pair, its index and the total, so that a poller can show progress. A
    response counts as a hit when its 'flag' entry is truthy; 'flag' and
    'msg' are removed from it before it is collected.

    Returns {'err': 0, 'total': n, 'data': [...], 'index': n}, n being the
    number of hits.
    '''
    client = wifilib.wifi()
    hits = []
    total = len(ssid)
    for i, name in enumerate(ssid):
        self.update_state(
            state='REQUEST',
            meta={'ssid': name, 'bssid': bssid[i], 'index': i, 'total': total},
        )
        rsp = client.request(name, bssid[i])
        if not rsp['flag']:
            continue
        del rsp['flag']
        del rsp['msg']
        hits.append(rsp)
    found = len(hits)
    return {'err': 0, 'total': found, 'data': hits, 'index': found}


@celery.task(bind=True)
def request_task(self, ssid, bssid):
    '''Look up one ssid/bssid pair and return the response dict.

    The task state is set to REQUEST with the pair before the lookup. On a
    hit (truthy 'flag') the 'flag' and 'msg' entries are removed; otherwise
    the response is returned unchanged.
    '''
    client = wifilib.wifi()
    self.update_state(state='REQUEST', meta={'ssid': ssid, 'bssid': bssid})
    rsp = client.request(ssid, bssid)
    if rsp['flag']:
        del rsp['flag']
        del rsp['msg']
    return rsp
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | #wifi万能钥匙网页版
2 |
3 | ##简介
4 |
5 | 脚本会开启http服务,模拟mac版wifi万能钥匙进行wifi密码的查询
6 |
7 | 查询页面:
8 |
9 | `http://:/index`
10 |
11 | 提示查询过于频繁,更新认证信息:
12 |
13 | `http://:/refresh`
14 |
15 | 如有侵权,请联系作者删除代码
16 |
17 | 基于WiFi万能钥匙Mac客户端V1.1.0版开发( 更新日期:2014-07-22)
18 |
19 | ##依赖的python库
20 |
21 | ```
22 | sudo pip install flask
23 | sudo pip install requests
24 | sudo pip install pycrypto
25 | sudo pip install celery
26 | sudo pip install redis
27 | sudo pip install celery-with-redis
28 | ```
29 |
30 | ##依赖的第三方软件
31 |
32 | Redis
33 |
34 | ##说明
35 |
36 | 本程序用flask作为web容器,接到作业后交给celery异步处理,可以通过查询状态获取作业的完成情况。Redis用作celery的broker。前端用了semantic-ui和jQuery库。
37 |
38 | 仅脚本查询的话,只需要安装requests、pycrypto两个python库,将`wifimasterkey_macos.py`稍微改下即可。
39 |
40 | 程序搞这么复杂其实只是想练练手而已,学习下任务队列的使用。
41 |
42 | ###mac osx
43 |
44 | 执行`airport -s`,将结果粘贴进去
45 | 如果提示没有`airport`,先执行
46 | `sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport`
47 |
48 | ###windows
49 |
50 | powershell或者cmd执行`netsh wlan show network mode=bssid`,将结果粘贴进去
51 |
52 | ## 联系方式
53 |
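54 | http://5alt.me
55 |
56 | md5_salt [AT] qq.com
57 |
58 | ##参考资料
59 |
60 | http://drops.wooyun.org/tips/6049
61 |
62 | http://www.wooyun.org/bugs/wooyun-2015-099268
63 |
64 | http://drops.wooyun.org/papers/4976
65 |
--------------------------------------------------------------------------------
/webapp/app.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
#!/usr/bin/env python
#author md5_salt

from flask import Flask, request, render_template, session, flash, redirect, \
    url_for, jsonify
from task import *
import wifi as wifilib
import os
import re
import sys
reload(sys)
sys.setdefaultencoding('utf-8')

app = Flask(__name__)
# The session-signing key must not be a constant committed with the source:
# take it from the environment, else generate one per process (sessions then
# do not survive a restart).
app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY') or os.urandom(32)
# NOTE(review): none of the routes below require authentication and the size
# of the posted text is not bounded; consider MAX_CONTENT_LENGTH and binding
# to localhost only.


@app.route('/', methods=['GET', 'POST'])
@app.route('/index', methods=['GET', 'POST'])
def index():
    """Serve the query page (GET) or queue a single lookup (POST).

    A POST with non-empty 'ssid' and 'bssid' form fields starts request_task
    and answers 202 with a Location header pointing at the status URL; a POST
    with an empty field redirects back to the page.
    """
    if request.method != 'POST':
        return render_template('index.htm')
    if not (request.form['ssid'] and request.form['bssid']):
        return redirect(url_for('index'))
    # NOTE(review): unlike the /text handler, the two arguments are not
    # wrapped in one tuple here; confirm against Celery's apply_async
    # signature.
    task = request_task.apply_async(request.form['ssid'], request.form['bssid'])
    return jsonify({}), 202, {'Location': url_for('taskstatus',
                                                  task_id=task.id)}


@app.route('/text', methods=['GET', 'POST'])
def text():
    """Parse pasted scan output into SSID/BSSID pairs and queue the lookups.

    The text is matched first against the `netsh wlan show network mode=bssid`
    layout and, if that finds nothing, against the `airport -s` layout. The
    pairs are passed to wifi.query(); the entries it returns are handed to
    query_task. Answers with JSON carrying 'total', 'err' and 'msg', and with
    status 202 plus a Location header once a task has been queued. Anything
    else redirects to the index page.
    """
    if request.method == 'POST' and request.form['text']:
        pasted = request.form['text']
        # for mac: airport -s
        pattern1 = r"\s*(.*)\s+(([0-9a-f]{2}:){5}[0-9a-f]{2})"
        # for windows: powershell or cmd -- netsh wlan show network mode=bssid
        pattern2 = r"SSID \d{1,2} : (.*)\n.*\n.*\n.*\n.*(([0-9a-f]{2}:){5}[0-9a-f]{2})"
        # Order matters: the Windows layout is tried first, the mac pattern
        # is the fallback.
        matches = (re.compile(pattern2, re.M).findall(pasted)
                   or re.compile(pattern1, re.M).findall(pasted))
        if not matches:
            return redirect(url_for('index'))
        ssid = [m[0] for m in matches]
        bssid = [m[1] for m in matches]

        w = wifilib.wifi()
        wifi = w.query(ssid, bssid)
        if wifi['err']:
            return jsonify({'total':0, 'err':wifi['err'], 'msg':wifi['msg']})
        total = len(wifi['ssid'])
        if total == 0:
            return jsonify({'total':0, 'err':0, 'msg':'not found!'})
        task = query_task.apply_async((wifi['ssid'], wifi['bssid']))
        return jsonify({'total':total, 'err':0, 'msg':'waiting...'}), 202, \
            {'Location': url_for('taskstatus', task_id=task.id)}
    return redirect(url_for('index'))


@app.route('/status/<task_id>')
def taskstatus(task_id):
    """Report the state of a queued task as JSON.

    Returns {'state': 'WAITING'} while the task has no info yet; otherwise
    the task's info dict with its current state added under 'state'.
    """
    task = query_task.AsyncResult(task_id)
    info = task.info if task else None
    if not info:
        return jsonify({'state':'WAITING'})
    if not isinstance(info, dict):
        # A failed task exposes the raised exception here instead of a dict;
        # report only the state rather than failing on item assignment.
        return jsonify({'state': task.state})
    payload = dict(info)
    payload['state'] = task.state
    return jsonify(payload)


if __name__ == '__main__':
    # Flask's debug mode turns on the interactive debugger, which allows code
    # execution from the browser; keep it off unless explicitly requested.
    app.run(debug=os.environ.get('FLASK_DEBUG') == '1')
--------------------------------------------------------------------------------
/wifi.php:
--------------------------------------------------------------------------------
1 | retSn); 11 | $ret = json_decode($ret); 12 | if($ret->retCd == 0){ 13 | if($ret->qryapwd->retCd == 0){ 14 | $list = $ret->qryapwd->psws; 15 | foreach($list as $wifi){ 16 | echo 'SSID: '.$wifi->ssid."\n"; 17 | echo 'PWD: '.decryptStrin($wifi->pwd)."\n"; 18 | echo 'BSSID: '.$wifi->bssid."\n"; 19 | if($wifi->xUser){ 20 | echo 'xUser: '.$wifi->xUser."\n"; 21 | echo 'xPwd: '.$wifi->xPwd."\n"; 22 | } 23 | } 24 | } 25 | else{ 26 | echo $ret->qryapwd->retMsg; 27 | } 28 | } 29 | 30 | function request($bssid, $ssid, $salt, $dhid = 'ff8080814cc5798a014ccbbdfa375369'){ 31 | $data = array(); 32 | $data['appid'] = '0008'; 33 | $data['bssid'] = 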
$bssid; 34 | $data['chanid'] = 'gw'; 35 | $data['dhid'] = $dhid; 36 | $data['ii'] = '609537f302fc6c32907a935fb4bf7ac9'; 37 | $data['lang'] = 'cn'; 38 | $data['mac'] = '60f81dad28de'; 39 | $data['method'] = 'getDeepSecChkSwitch'; 40 | $data['pid'] = 'qryapwd:commonswitch'; 41 | $data['ssid'] = $ssid; 42 | $data['st'] = 'm'; 43 | $data['uhid'] = 'a0000000000000000000000000000001'; 44 | $data['v'] = '324'; 45 | $data['sign'] = sign($data, $salt); 46 | 47 | $curl = curl_init(); 48 | curl_setopt($curl, CURLOPT_URL, 'http://wifiapi02.51y5.net/wifiapi/fa.cmd'); 49 | curl_setopt($curl, CURLOPT_USERAGENT,'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))'); 50 | curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); // stop verifying certificate 51 | curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); 52 | curl_setopt($curl, CURLOPT_POST, true); // enable posting 53 | curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data)); // post images 54 | curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); // if any redirection after upload 55 | $r = curl_exec($curl); 56 | curl_close($curl); 57 | return $r; 58 | } 59 | 60 | function registerNewDevice(){ 61 | $salt = '1Hf%5Yh&7Og$1Wh!6Vr&7Rs!3Nj#1Aa$'; 62 | 63 | $data = array(); 64 | $data['appid'] = '0008'; 65 | $data['chanid'] = 'gw'; 66 | $data['os'] = 'Android'; 67 | $data['osvercd'] = '4.4.0'; 68 | $data['wkver'] = '324'; 69 | $data['ii'] = md5(mt_rand(1, 10000)); 70 | $data['lang'] = 'cn'; 71 | $data['mac'] = substr($data['ii'], 0, 12); 72 | $data['method'] = 'getTouristSwitch'; 73 | $data['pid'] = 'initdev:commonswitch'; 74 | $data['st'] = 'm'; 75 | $data['uhid'] = 'a0000000000000000000000000000001'; 76 | $data['v'] = '324'; 77 | $data['sign'] = sign($data, $salt); 78 | 79 | return $data; 80 | } 81 | 82 | function sign( $array , $salt ){ 83 | // 签名算法 84 | $request_str = ''; 85 | // 对应apk中的 Arrays.sort 数组排序,测试PHP需用 ksort 86 | ksort( $array ); 87 | foreach ($array as $key => $value) { 88 | $request_str .= $value; 89 | } 
90 | $sign = md5( $request_str . $salt ); 91 | return strtoupper($sign); 92 | } 93 | 94 | function decryptStrin($str,$keys='k%7Ve#8Ie!5Fb&8E',$iv='y!0Oe#2Wj#6Pw!3V',$cipher_alg=MCRYPT_RIJNDAEL_128){ 95 | //Wi-Fi万能钥匙密码采用 AES/CBC/NoPadding 方式加密 96 | //[length][password][timestamp] 97 | $decrypted_string = mcrypt_decrypt($cipher_alg, $keys, pack("H*",$str),MCRYPT_MODE_CBC, $iv); 98 | return substr(trim($decrypted_string),3,-13); 99 | } -------------------------------------------------------------------------------- /webapp/templates/index.htm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | wifi万能钥匙明文密码查询 12 | 13 | 14 | 15 | 16 |

wifi万能钥匙明文密码查询 v0.1

Submit
Idle

说明:

38 |

mac用户

39 |

执行airport -s,将结果粘贴进去
40 | 如果提示没有airport,先执行
41 | sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport 42 |

43 |

windows用户

44 |

powershell或者cmd执行netsh wlan show network mode=bssid,将结果粘贴进去

45 |

其他用户

46 |

ssid和mac之间用空白字符分隔,每组一行

54 | 119 | 120 | 121 | 122 |
--------------------------------------------------------------------------------
/webapp/wifi.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
#!/usr/bin/env python
#author md5_salt

import md5
from Crypto.Cipher import AES
import requests
import random
import re, time
import sys
reload(sys)
sys.setdefaultencoding('utf-8')


class wifi:
    """Client for the WiFi Master Key web API, presenting itself as the Mac app.

    Constructing an instance registers a randomly generated device identity.
    query() asks which of the given access points the service knows;
    request() fetches and decrypts the stored entry for one access point.

    Security-relevant properties visible in this code:
    * the AES key and IV used to decrypt returned passwords are constants
      embedded in the client, so that encryption gives no confidentiality
      against anyone who has the client;
    * requests are signed with an MD5 over the field values plus a salt;
    * every request goes to an http:// URL, i.e. without transport security.
    """
    aesKey = 'k%7Ve#8Ie!5Fb&8E'
    aesIV = 'y!0Oe#2Wj#6Pw!3V'
    aesMode = AES.MODE_CBC

    dhid = ''
    mac = ''
    ii = ''

    salt = ''  # replaced with the server-supplied retSn after each call

    def __init__(self):
        self.RegisterNewDevice()

    def __sign(self, data, salt):
        """Return the upper-case hex MD5 of the values of *data*, concatenated
        in sorted key order, followed by *salt*."""
        joined = ''.join(data[name] for name in sorted(data))
        return md5.md5(joined + salt).hexdigest().upper()

    def __decrypt(self, ciphertext):
        """Decrypt a hex-encoded password field with the class key and IV.

        Per the original author's note the plaintext is laid out as
        [length][password][timestamp]; after stripping whitespace the first
        3 and the last 13 characters are dropped.
        """
        cipher = AES.new(self.aesKey, self.aesMode, IV=self.aesIV)
        plain = cipher.decrypt(ciphertext.decode('hex')).strip()
        return plain[3:-13]

    def RegisterNewDevice(self):
        """Register a random device identity with the service.

        On success stores imei, ii, mac, the returned dhid and the initial
        salt on the instance and returns True; otherwise returns False and
        leaves the instance unchanged.
        """
        salt = '1Hf%5Yh&7Og$1Wh!6Vr&7Rs!3Nj#1Aa$'
        device_id = md5.md5(str(random.randint(1,10000))).hexdigest()
        data = {
            'appid': '0008',
            'chanid': 'gw',
            'ii': device_id,
            'imei': device_id,
            'lang': 'cn',
            'mac': device_id[:12],
            'manuf': 'Apple',
            'method': 'getTouristSwitch',
            'misc': 'Mac OS',
            'model': '10.10.3',
            'os': 'Mac OS',
            'osver': '10.10.3',
            'osvercd': '10.10.3',
            'pid': 'initdev:commonswitch',
            'scrl': '813',
            'scrs': '1440',
            'wkver': '324',
            'st': 'm',
            'v': '324',
        }
        data['sign'] = self.__sign(data, salt)

        r = requests.post(
            'http://wifiapi02.51y5.net/wifiapi/fa.cmd',
            data=data,
            headers={'User-Agent': 'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))'},
        ).json()

        if not (r['retCd'] == '0' and r['initdev']['retCd'] == '0'):
            return False
        self.imei = data['imei']
        self.ii = data['ii']
        self.mac = data['mac']
        self.dhid = r['initdev']['dhid']
        self.salt = salt
        return True

    def query(self, ssid, bssid):
        """Ask the service which of the listed access points it knows.

        *ssid* and *bssid* are parallel lists; both are sent comma-joined.
        Returns a dict with 'err' (0 on success, 1 otherwise), the matching
        'ssid' and 'bssid' lists, their count in 'total', and 'msg' holding
        the service's message on failure. A '-1111' reply is retried by
        recursion, with no limit on the number of attempts.
        """
        data = {
            'appid': '0008',
            'bssid': ','.join(bssid),
            'chanid': 'gw',
            'dhid': self.dhid,
            'ii': self.ii,
            'lang': 'cn',
            'mac': self.mac,
            'method': 'getSecurityCheckSwitch',
            'pid': 'qryapwithoutpwd:commonswitch',
            'ssid': ','.join(ssid),
            'st': 'm',
            'uhid': 'a0000000000000000000000000000001',
            'v': '324',
        }
        data['sign'] = self.__sign(data, self.salt)

        r = requests.post(
            'http://wifiapi02.51y5.net/wifiapi/fa.cmd',
            data=data,
            headers={'User-Agent': 'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))'},
        ).json()

        # Each reply carries the salt to sign the next request with.
        self.salt = r['retSn']

        if r['retCd'] == '-1111':
            return self.query(ssid, bssid)  # maybe some problem

        ret = {'err': 1, 'ssid': [], 'bssid': [], 'msg': '', 'total': 0}
        if r['retCd'] != '0':
            ret['msg'] = r['retMsg']
            return ret
        section = r['qryapwithoutpwd']
        if section['retCd'] != '0':
            ret['msg'] = section['retMsg']
            return ret
        for key in section['psws']:
            entry = section['psws'][key]
            if entry['bssid'] in bssid:
                ret['ssid'].append(entry['ssid'])
                ret['bssid'].append(entry['bssid'])
                ret['total'] += 1
        # NOTE(review): the listing lost its indentation; clearing 'err' once
        # after the loop is assumed -- confirm against the original file.
        ret['err'] = 0
        return ret

    def request(self, ssid, bssid):
        """Fetch the stored entry for one access point.

        Returns a dict with 'ssid', 'bssid', 'flag' (True when a password or
        an xUser entry was returned) and 'msg'; on a hit it also carries
        'pwd' (decrypted) and/or 'xUser'/'xPwd'. Replies '-1111' and '-9998'
        (the latter after a 5 second pause) are retried by recursion, with
        no limit on the number of attempts.
        """
        data = {
            'appid': '0008',
            'bssid': bssid,
            'chanid': 'gw',
            'dhid': self.dhid,
            'ii': self.ii,
            'lang': 'cn',
            'mac': self.mac,
            'method': 'getDeepSecChkSwitch',
            'pid': 'qryapwd:commonswitch',
            'ssid': ssid,
            'st': 'm',
            'uhid': 'a0000000000000000000000000000001',
            'v': '324',
        }
        data['sign'] = self.__sign(data, self.salt)

        r = requests.post(
            'http://wifiapi02.51y5.net/wifiapi/fa.cmd',
            data=data,
            headers={'User-Agent': 'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))'},
        ).json()

        self.salt = r['retSn']

        if r['retCd'] == '-1111':
            return self.request(ssid, bssid)  # maybe some problem

        ret = {'flag': False, 'msg': 'empty', 'ssid': ssid, 'bssid': bssid}
        if r['retCd'] != '0':
            ret['msg'] = r['retCd'] + ': ' + r['retMsg']
            return ret

        section = r['qryapwd']
        if section['retCd'] == '0':
            for key in section['psws']:
                entry = section['psws'][key]
                if entry['pwd']:
                    ret['pwd'] = self.__decrypt(entry['pwd'])
                    ret['flag'] = True
                if entry['xUser']:
                    ret['xUser'] = entry['xUser']
                    # As written this stores the literal list ['xPwd'], not a
                    # field of the response.
                    ret['xPwd'] = ['xPwd']
                    ret['flag'] = True
        elif section['retCd'] == '-9998':
            time.sleep(5)
            return self.request(ssid, bssid)  # maybe some problem
        else:
            ret['msg'] = section['retCd'] + ': ' + section['retMsg']
        return ret
--------------------------------------------------------------------------------
/wifimasterkey_macos.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
#!/usr/bin/env python
#author md5_salt
#this script may get password of the wifi nearby, run it directly, mac os only
#before run, 
#make a soft link of airport
#sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

import md5
from Crypto.Cipher import AES
import requests
import random
import re
import commands
import time
import sys
reload(sys)
sys.setdefaultencoding('utf-8')


class wifi:
    """Command-line client for the WiFi Master Key web API (Mac client profile).

    Constructing an instance registers a randomly generated device identity.
    The public methods query(), queryall() and request() print their results;
    the double-underscore methods do the network calls.

    Security-relevant properties visible in this code: the AES key and IV
    that decrypt returned passwords are constants embedded in the client,
    requests are signed with an MD5 over the field values plus a salt, and
    every request goes to an http:// URL.
    """
    aesKey = 'k%7Ve#8Ie!5Fb&8E'
    aesIV = 'y!0Oe#2Wj#6Pw!3V'
    aesMode = AES.MODE_CBC

    dhid = ''
    mac = ''
    ii = ''

    salt = ''  # replaced with the server-supplied retSn after each call

    def __init__(self):
        self.RegisterNewDevice()

    def __sign(self, data, salt):
        """Return the upper-case hex MD5 of the values of *data*, concatenated
        in sorted key order, followed by *salt*."""
        joined = ''.join(data[name] for name in sorted(data))
        return md5.md5(joined + salt).hexdigest().upper()

    def __decrypt(self, ciphertext):
        """Decrypt a hex-encoded password field with the class key and IV.

        Per the original author's note the plaintext is laid out as
        [length][password][timestamp]; after stripping whitespace the first
        3 and the last 13 characters are dropped.
        """
        cipher = AES.new(self.aesKey, self.aesMode, IV=self.aesIV)
        plain = cipher.decrypt(ciphertext.decode('hex')).strip()
        return plain[3:-13]

    def RegisterNewDevice(self):
        """Register a random device identity with the service.

        On success stores imei, ii, mac, the returned dhid and the initial
        salt on the instance and returns True; otherwise returns False.
        """
        salt = '1Hf%5Yh&7Og$1Wh!6Vr&7Rs!3Nj#1Aa$'
        device_id = md5.md5(str(random.randint(1,10000))).hexdigest()
        data = {
            'appid': '0008',
            'chanid': 'gw',
            'ii': device_id,
            'imei': device_id,
            'lang': 'cn',
            'mac': device_id[:12],
            'manuf': 'Apple',
            'method': 'getTouristSwitch',
            'misc': 'Mac OS',
            'model': '10.10.3',
            'os': 'Mac OS',
            'osver': '10.10.3',
            'osvercd': '10.10.3',
            'pid': 'initdev:commonswitch',
            'scrl': '813',
            'scrs': '1440',
            'wkver': '324',
            'st': 'm',
            'v': '324',
        }
        data['sign'] = self.__sign(data, salt)

        r = requests.post(
            'http://wifiapi02.51y5.net/wifiapi/fa.cmd',
            data=data,
            headers={'User-Agent': 'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))'},
        ).json()

        if not (r['retCd'] == '0' and r['initdev']['retCd'] == '0'):
            return False
        self.imei = data['imei']
        self.ii = data['ii']
        self.mac = data['mac']
        self.dhid = r['initdev']['dhid']
        self.salt = salt
        return True

    def __query(self, ssid, bssid):
        """Ask the service which of the listed access points it knows.

        *ssid* and *bssid* are parallel lists; both are sent comma-joined.
        Returns a dict with 'flag', the matching 'ssid' and 'bssid' lists
        and, on failure, 'msg' with the service's message.
        """
        data = {
            'appid': '0008',
            'bssid': ','.join(bssid),
            'chanid': 'gw',
            'dhid': self.dhid,
            'ii': self.ii,
            'lang': 'cn',
            'mac': self.mac,
            'method': 'getSecurityCheckSwitch',
            'pid': 'qryapwithoutpwd:commonswitch',
            'ssid': ','.join(ssid),
            'st': 'm',
            'uhid': 'a0000000000000000000000000000001',
            'v': '324',
        }
        data['sign'] = self.__sign(data, self.salt)

        r = requests.post(
            'http://wifiapi02.51y5.net/wifiapi/fa.cmd',
            data=data,
            headers={'User-Agent': 'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))'},
        ).json()

        # Each reply carries the salt to sign the next request with.
        self.salt = r['retSn']

        if r['retCd'] == '-1111':
            # As written this calls __request (the single-network lookup)
            # with the two lists.
            return self.__request(ssid, bssid)  # maybe some problem

        ret = {'flag': False, 'ssid': [], 'bssid': []}
        if r['retCd'] != '0':
            ret['msg'] = r['retMsg']
            return ret
        section = r['qryapwithoutpwd']
        if section['retCd'] != '0':
            ret['msg'] = section['retMsg']
            return ret
        for key in section['psws']:
            entry = section['psws'][key]
            if entry['bssid'] in bssid:
                ret['ssid'].append(entry['ssid'])
                ret['bssid'].append(entry['bssid'])
        # NOTE(review): the listing lost its indentation; setting 'flag' once
        # after the loop is assumed -- confirm against the original file.
        ret['flag'] = True
        return ret

    def query(self, ssid, bssid):
        """Print the entries that yielded a result, one lookup every 2 seconds.

        If the preliminary __query fails, its message is printed instead.
        """
        wifi = self.__query(ssid, bssid)
        if not wifi['flag']:
            print wifi['msg']
            return
        ret = '='*10 + '\n'
        for name, addr in zip(wifi['ssid'], wifi['bssid']):
            time.sleep(2)
            rsp = self.__request(name, addr)
            if rsp['flag']:
                del rsp['flag']
                del rsp['msg']
                ret += '\n'.join([x + ' : ' + str(rsp[x]) for x in rsp])
                ret += '\n' + '='*10 + '\n'
        print ret

    def queryall(self, ssid, bssid):
        """Like query(), but also print the entries that yielded no result
        (those keep their 'msg' field)."""
        wifi = self.__query(ssid, bssid)
        if not wifi['flag']:
            print wifi['msg']
            return
        ret = '='*10 + '\n'
        for name, addr in zip(wifi['ssid'], wifi['bssid']):
            time.sleep(2)
            rsp = self.__request(name, addr)
            if rsp['flag']:
                del rsp['flag']
                del rsp['msg']
            else:
                del rsp['flag']
            ret += '\n'.join([x + ' : ' + str(rsp[x]) for x in rsp])
            ret += '\n' + '='*10 + '\n'
        print ret

    def __request(self, ssid, bssid):
        """Fetch the stored entry for one access point.

        Returns a dict with 'ssid', 'bssid', 'flag' (True when a password or
        an xUser entry was returned) and 'msg'; on a hit it also carries
        'pwd' (decrypted) and/or 'xUser'/'xPwd'. Replies '-1111' and '-9998'
        (the latter after a 5 second pause) are retried by recursion, with
        no limit on the number of attempts.
        """
        data = {
            'appid': '0008',
            'bssid': bssid,
            'chanid': 'gw',
            'dhid': self.dhid,
            'ii': self.ii,
            'lang': 'cn',
            'mac': self.mac,
            'method': 'getDeepSecChkSwitch',
            'pid': 'qryapwd:commonswitch',
            'ssid': ssid,
            'st': 'm',
            'uhid': 'a0000000000000000000000000000001',
            'v': '324',
        }
        data['sign'] = self.__sign(data, self.salt)

        r = requests.post(
            'http://wifiapi02.51y5.net/wifiapi/fa.cmd',
            data=data,
            headers={'User-Agent': 'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))'},
        ).json()

        self.salt = r['retSn']

        if r['retCd'] == '-1111':
            return self.__request(ssid, bssid)  # maybe some problem

        ret = {'flag': False, 'msg': 'empty', 'ssid': ssid, 'bssid': bssid}
        if r['retCd'] != '0':
            ret['msg'] = r['retCd'] + ': ' + r['retMsg']
            return ret

        section = r['qryapwd']
        if section['retCd'] == '0':
            for key in section['psws']:
                entry = section['psws'][key]
                if entry['pwd']:
                    ret['pwd'] = self.__decrypt(entry['pwd'])
                    ret['flag'] = True
                if entry['xUser']:
                    ret['xUser'] = entry['xUser']
                    # As written this stores the literal list ['xPwd'], not a
                    # field of the response.
                    ret['xPwd'] = ['xPwd']
                    ret['flag'] = True
        elif section['retCd'] == '-9998':
            time.sleep(5)
            return self.__request(ssid, bssid)  # maybe some problem
        else:
            ret['msg'] = section['retCd'] + ': ' + section['retMsg']
        return ret

    def request(self, ssid, bssid):
        """Look up one access point and print the result, or the failure
        message when nothing was returned."""
        wifi = self.__request(ssid, bssid)
        if not wifi['flag']:
            print wifi['msg']
            return
        del wifi['flag']
        del wifi['msg']
        ret = '='*10 + '\n'
        ret += '\n'.join([x + ' : ' + str(wifi[x]) for x in wifi])
        ret += '\n' + '='*10 + '\n'
        print ret


if __name__ == '__main__':
    # Parse `airport -s` output into SSID/BSSID pairs and look them all up.
    pattern = r"\s*(.*)\s+(([0-9a-f]{2}:){5}[0-9a-f]{2})"
    status, output = commands.getstatusoutput('airport -s')
    found = re.compile(pattern, re.M).findall(output)
    ssid = [m[0] for m in found]
    bssid = [m[1] for m in found]
    wifi().query(ssid, bssid)
--------------------------------------------------------------------------------