Keyspace List for WPA on Default Routers
Updated NETGEAR wordlists are here: https://github.com/soxrok2212/PSKracker/...ts/netgear
AT&T code is in C, if this is what you mean: https://github.com/soxrok2212/PSKracker/.../src/att.c

Are you referring to rewriting your NETGEAR python code in C? There's no much of a point since those models are not very popular...
Reply
(12-02-2017, 01:17 AM)fart-box Wrote: HAPR_apprentice... Great write-up on Netgear! I love it when people take the time to include all the details! Unfortunately those units are getting old, and were few to begin with, but the information you've shared will be useful for years.

calexico and soxrok2212...

I'm no quitter when it comes to solving a puzzle. But I've quit asking for passwords due to the poor response.

In fact, just yesterday I figured out what I hope will be the solution to many (if not all) of the problems I've encountered. I've devised a plan that does not require a seed or an increment at all, and which will eliminate nearly all of the trash passwords the old method generated. So I opened a blank Notepad and rewrote my key-gen from scratch. Now my laptop is very busy building a new word list as I type this.

One of my GPUs is about 10 hours from completing my last word list, generated using a seed and an increment, which grew to a 248Gb word list containing 20525805981 passwords, and taking 2 days and 10 hours for a single GPU to process. So far, no cracks.

I haven't got a clue how big the new list will be, but I'll keep you posted on my results.
Like!
Reply
(12-02-2017, 01:17 AM)fart-box Wrote: HAPR_apprentice... Great write-up on Netgear! I love it when people take the time to include all the details! Unfortunately those units are getting old, and were few to begin with, but the information you've shared will be useful for years.

calexico and soxrok2212...

I'm no quitter when it comes to solving a puzzle. But I've quit asking for passwords due to the poor response.

In fact, just yesterday I figured out what I hope will be the solution to many (if not all) of the problems I've encountered. I've devised a plan that does not require a seed or an increment at all, and which will eliminate nearly all of the trash passwords the old method generated. So I opened a blank Notepad and rewrote my key-gen from scratch. Now my laptop is very busy building a new word list as I type this.

One of my GPUs is about 10 hours from completing my last word list, generated using a seed and an increment, which grew to a 248Gb word list containing 20525805981 passwords, and taking 2 days and 10 hours for a single GPU to process. So far, no cracks.

I haven't got a clue how big the new list will be, or how many passwords it will contain because I just don't feel like doing the math right now, but one thing's for sure... this is the first word list that has me excited. I'll keep you posted on my results.

If you need some compute power, let me know... I've got one rig at ~215kH/s on WPA and another at ~750kH/s that I *could* use (though it's somewhat unstable so I don't like to touch it).
Reply
(12-02-2017, 09:53 PM)fart-box Wrote: If anyone spots any "trash" or patterns in an ATT password, please let me know so we can reduce the size of the word list to a size we can use. For instance, passwords do not contain three of the same characters in a row, like "aaa". Getting rid of those passwords is what just reduced the word list by 27%.

They always start with a number [0-9].
Reply
The Pskrack output for nvg589 cracked the very first nvg589 I tried it on. Amazing.
Reply
(12-03-2017, 10:35 PM)fart-box Wrote:
(12-03-2017, 06:25 AM)soxrok2212 Wrote: They always start with a number [0-9].

That's not true.

Nearly all 599's and some 589's start with an alpha character. Other models may also start with alpha characters, but I have not confirmed this. Again, with only 80 passwords, it's difficult to establish any definitive patterns.

Also, judging from what I've seen, it seems most 589's alternate between numbers and letters, for example, 4%3=2b5g9p6j, but yet again, I've only got 80 passwords.

I've also seen passwords that start with a symbol, but they may have been misinterpreted and I don't have copies of them.

But those are all things we need IN the word list. I'm looking for things we can take OUT of the list, like triplicated characters (aaa, bbb, ccc, etc.), or the letters 'l' and 'o', along with the numbers '1' and '0'.

The definitive clue would be an answer to the question "how many passwords are skipped over before selecting the next password to be used?". There are 6582952005840035281 passwords. That's 877726934 passwords for every man, woman and child on this planet. So surely ATT skipped over a few. And I doubt that they bothered to manufacture that many routers.

Sorry, I meant the Pace models seem to, not the others. And yes, you're right about the alternations for the others. Do realize that the proper technique wouldn't be to care about how many passwords each person can get. Even 10 hex is WAY more than the amount of people on Earth. Could you post the list of passwords, sorted by model please?

(12-03-2017, 02:44 PM)ee10 Wrote: The Pskrack output for nvg589 cracked the very first nvg589 I tried it on. Amazing.

Glad it worked for you
Reply
FWIW, I found this link: http://www.dslreports.com/forum/r3146635...5-6-529454

Has firmwares for a lot of devices on it

Grabbed 589, 599, and 5268AC

vATT (video ssid) is generated from serial number... that's one mystery solved. This very well could be the key to the rest of the mystery!

Code:
#!/bin/sh

# Generate a unique video SSID from the box's serial number

charset="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#\$%&'()*+,-./:;<=>?@[]_\`{|}~\\"

# openssl prints the digest as the second whitespace-separated field
# (e.g. "(stdin)= <40 hex digits>"), so awk picks it up as $2.
# The serial comes straight from a sysfs file, so the hashed input is
# the serial plus whatever trailing newline that file carries.
cat /sys/module/board/parameters/serialnumber | openssl sha1 | awk '
{
    hash = $2;

    # An empty separator splits the charset one character per element;
    # awk fills charset[1] .. charset[sizeof_charset], never charset[0].
    sizeof_charset=split( chars, charset, "" );

    hex[0] = "0";
    hex[1] = "1";
    hex[2] = "2";
    hex[3] = "3";
    hex[4] = "4";
    hex[5] = "5";
    hex[6] = "6";
    hex[7] = "7";
    hex[8] = "8";
    hex[9] = "9";
    hex[10] = "a";
    hex[11] = "b";
    hex[12] = "c";
    hex[13] = "d";
    hex[14] = "e";
    hex[15] = "f";

    # Lookup table from a two-digit hex string ("00".."ff") to its byte value.
    for(a=0; a<16; a++)
    {
        for(b=0; b<16; b++)
        {
            idx = 16*a + b;
            str = sprintf( "%s%s", hex[a], hex[b] );
            bighex[ str ] = idx;
        }
    }

    resultstr = "";

    # Only the first 14 hex digits (7 bytes) of the digest are used; each byte,
    # reduced modulo the charset size, selects one character. A reduced value
    # of 0 reads the unset charset[0] and contributes nothing, so the SSID can
    # come out shorter than 7 characters.
    for(i=1; i<= length(hash) && i <= 14; i += 2)
    {
        str = substr(hash, i, 2);
        idx = bighex[ str ];
        idx = idx % sizeof_charset;
        resultstr = resultstr charset[idx];
    }

    print "vATT" resultstr;
}' chars=$charset

Here is some data from an NVG599:
Code:
Serial: 233117095338288
WPA: xhq#aeeg3qte
SSID: ATT7sCun6a
MAC: D4:04:CD:A8:A1:31
Access Code: 07<0//9762 // might be 0 or O, not sure

Makes me wonder if they are at all related...
Reply
The more I tinker with the script I found, the more I think it may also be used to generate the wpa keys... will report back if I find anything more. (based on serial number btw)
Reply
(12-08-2017, 12:59 AM)fart-box Wrote:
(12-04-2017, 07:54 PM)soxrok2212 Wrote: ... will report back if I find anything more.

I'm anxiously waiting for your results. Using my method, and just generating all passwords that begin with the letter 'a', and using all the filters I've mentioned in my previous posts, fills up my 500Gb external hard drive long before all passwords are generated.

I would need to write a ton of code to even check what I think might be it, and even then with the information I have now, there's no guarantee I'd find it. I'm also super short on time for the next few weeks so I'll pass on the current task to someone else for a bit. Would be helpful to have a database set with serial, MAC, ATT SSID, vATT SSID, and both keys.
Reply
(12-13-2017, 12:28 AM)fart-box Wrote:
(12-12-2017, 09:14 AM)soxrok2212 Wrote: I would need to write a ton of code...

I quit coding long ago but I do have a basic understanding of BASH and, thanks to Mrfancypants, Python as well, so I'll take a closer look at that script you posted. In my opinion, they only left the script in that source code to confuse those of us brave enough to attempt cracking the WPA password. If the WPA password used the same method, they would have removed that script. And that script works totally differently from the key-gen I wrote. Still, it's worth a closer look.

The closest thing we have to a database is that list Mrfancypants left us. It seems people aren't too keen about sharing their personal stash of information around here.

[later...]

The script looks pretty simple. I thought it was a BASH script, but it doesn't want to run on my machine. Is it C?

I think if you just make a serial number file and change the character set it should run and produce some kind of a password. If the output matches the password you supplied, we have our answer. If not, I can tinker with the code a bit to see what I can get.

By the way... Thanks for the new password that came with that post. I forgot to add it to my list.

It is pure bash. The thing is, mrfancypants' code could also generate the vATT network name so they must be somehow related. It probably won't execute because the path to the serial is not available on your system. Try hard coding a serial in. It is just a SHA1 of the serial then it picks characters from the charset based on the hash.
Reply
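A portable reimplementation of the derivation described in the two posts above, added here as an example (it is not the firmware script and not code from anyone in this thread), so the vATT SSID can be computed for a hard-coded serial on any machine. It reproduces the awk behaviour, including the 1-based split() quirk that can drop a character; whether the sysfs serial carries a trailing newline is an assumption, so both variants are computed.

```python
import hashlib

# Character set copied from the firmware script quoted above; this is what the
# shell leaves after unescaping \" \$ \` and \\ (93 printable ASCII characters).
CHARSET = ("abcdefghijklmnopqrstuvwxyz"
           "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "0123456789"
           "!\"#$%&'()*+,-./:;<=>?@[]_`{|}~\\")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def vatt_from_digest(hexdigest: str, one_indexed: bool = True) -> str:
    """Turn the first 7 bytes of a SHA-1 hex digest into the vATT SSID.

    one_indexed=True mirrors the awk script: split() fills charset[1..n], so a
    byte whose value mod len(CHARSET) is 0 reads the unset charset[0] and adds
    nothing, making the SSID one character shorter.  one_indexed=False is the
    naive 0-based reading, kept only so the two can be compared.
    """
    out = []
    for i in range(0, 14, 2):                 # 14 hex digits = 7 bytes
        idx = int(hexdigest[i:i + 2], 16) % len(CHARSET)
        if one_indexed:
            if idx == 0:
                continue                      # awk: charset[0] is ""
            out.append(CHARSET[idx - 1])
        else:
            out.append(CHARSET[idx])
    return "vATT" + "".join(out)


def vatt_from_serial(serial: str, trailing_newline: bool = True) -> str:
    """SSID for a serial number. The firmware pipes a sysfs file into openssl,
    so the hashed bytes probably end in a newline (assumption); pass False to
    hash the bare serial instead."""
    data = serial + ("\n" if trailing_newline else "")
    return vatt_from_digest(sha1_hex(data.encode("ascii")))


if __name__ == "__main__":
    # Serial from the NVG599 data posted earlier in this thread.
    serial = "233117095338288"
    for nl in (True, False):
        print(f"serial={serial} newline={nl}: {vatt_from_serial(serial, nl)}")
```

Compare both printed values against the vATT SSID the device actually broadcasts; whichever matches tells you how the firmware feeds the serial into the hash.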