06-05-2017, 12:06 AM
ATTxxxxxxx's bug me, they are up to 20% of all my uncracked handshakes and they seem to be invulnerable to all attacks.
I've collected more passwords from eBay, with associated SSIDs, MACs, SNs and/or manufacture dates.
https://pastebin.com/t62DGi3S
In SSIDs, some of the 'l' are probably 'I' (it's hard to distinguish between them in photos)
These devices used to be manufactured by (at least) two independent suppliers. One line is Motorola NVG589 -> Arris NVG589 -> NVG595 -> NVG599. (Motorola got acquired by Arris in '13.) The other is 2Wire/Pace 5268AC. 2Wire got acquired by Pace back in '10, and Pace got acquired by Arris last year. Most NVG589s went to AT&T but some were diverted to Frontier; those have SSIDs "FrontierXXXX" but the same password keyspace. Makes you wonder how they managed to shared the keyspaces. If you put MACs through vendor lookup, NVGs come back as "Arris" and 5268s come back as "2Wire".
The password keyspace is [2-9 a-z #%+=?] except 'o' and 'l'. Unlike the poster above, I see no incidents of '-' or 'o' and they probably don't occur, at least on these devices (all other characters occur at least 4 times in the set.)
A couple of curious observations (which give me some hope that they are not using a good RNG and some logic can be found in this mess).
* In all but two cases, the 1st character of the password is a digit if and only if the 4th character of the SSID (1st after "ATT") is a digit.
* Nearly all 589's have SSIDs of the form "ATTdcdcdcd" where all 'd's are digits (2-9) and 'c's are usually (but not always) letters. Their passwords are "dcdcdcdcdcdc" where 'd' are again 2-9 and 'c' is full keyspace (letters, digits and special symbols.) Unfortunately, this does not get us too far since it only knocks the number of possibilities from full 37^12=7*10^18 down to 8^6*37^6 = 7*10^14 (50 GPU-years/hash).
I'm trying to collect ATTdcdcdcd SSIDs hoping to deduce some deeper patterns/algorithms. I have about 50 so far (without passwords) in addition to the ones in the paste. If anyone has more, particularly with associated MACs, it would be appreciated.
I've collected more passwords from eBay, with associated SSIDs, MACs, SNs and/or manufacture dates.
https://pastebin.com/t62DGi3S
In SSIDs, some of the 'l' are probably 'I' (it's hard to distinguish between them in photos)
These devices used to be manufactured by (at least) two independent suppliers. One line is Motorola NVG589 -> Arris NVG589 -> NVG595 -> NVG599. (Motorola got acquired by Arris in '13.) The other is 2Wire/Pace 5268AC. 2Wire got acquired by Pace back in '10, and Pace got acquired by Arris last year. Most NVG589s went to AT&T but some were diverted to Frontier; those have SSIDs "FrontierXXXX" but the same password keyspace. Makes you wonder how they managed to shared the keyspaces. If you put MACs through vendor lookup, NVGs come back as "Arris" and 5268s come back as "2Wire".
The password keyspace is [2-9 a-z #%+=?] except 'o' and 'l'. Unlike the poster above, I see no incidents of '-' or 'o' and they probably don't occur, at least on these devices (all other characters occur at least 4 times in the set.)
A couple of curious observations (which give me some hope that they are not using a good RNG and some logic can be found in this mess).
* In all but two cases, the 1st character of the password is a digit if and only if the 4th character of the SSID (1st after "ATT") is a digit.
* Nearly all 589's have SSIDs of the form "ATTdcdcdcd" where all 'd's are digits (2-9) and 'c's are usually (but not always) letters. Their passwords are "dcdcdcdcdcdc" where 'd' are again 2-9 and 'c' is full keyspace (letters, digits and special symbols.) Unfortunately, this does not get us too far since it only knocks the number of possibilities from full 37^12=7*10^18 down to 8^6*37^6 = 7*10^14 (50 GPU-years/hash).
I'm trying to collect ATTdcdcdcd SSIDs hoping to deduce some deeper patterns/algorithms. I have about 50 so far (without passwords) in addition to the ones in the paste. If anyone has more, particularly with associated MACs, it would be appreciated.