Keyspace List for WPA on Default Routers
#42
Pardon me if I sound ignorant, but looking through the source code will get you nowhere. Any half-decent manufacturer will remove code used to generate "secret" values. This is where disassembling compiled firmware wins, because they have to include that code for the product to work, granted you can't just "decompile" and get the C code. I have an NVG589 on the way and some tools I can use to pull a live, unedited firmware (I've never actually tried before, so let's hope I don't royally mess up). I'm led to believe that the firmwares hosted online were intentionally stripped.

If you look hard enough, EVERY manufacturer keeps a backdoor hidden. I was recently looking at a SKY (U.K. ISP) router and someone pointed out that the last character of the passphrase (length 10) was predictable, and furthermore there were a set of 16 characters used instead of a full 26, reducing the keyspace MASSIVELY, yet making it look much larger.

Belkin broadcast the serial number in the probe responses, which was used (in some models) to generate the WPS PIN. While the serial number doesn't seem to be broadcast in probe responses from the newer ATT gateways, it is used in the SSID. I doubt it will be as simple as taking those 7 characters and running some algorithm and getting a password/WPS PIN, but it very well may be a part of it... we won't know until we look.

The moral of the story is manufacturers (or governments?) always want a way in, so they just have to get more creative with the ways they hide it. Also, I could be completely wrong and it could just be burned into the NVRAM at the factory, but we will just have to wait and see :)
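An added example, not code from the post above or from any router vendor, putting numbers on the two keyspace points the post makes: the SKY passphrase (length 10, last character predictable, 16-character alphabet instead of 26) and the WPS PIN structure behind the Belkin serial-number remark. The 16-character alphabet below is a placeholder assumption (the thread never lists the real SKY character set), the rule that predicts the 10th character is not on the page and so is not implemented, and the hash rate is an assumed order-of-magnitude figure. The WPS checksum digit is the standard one from the WPS specification, not anything Belkin-specific.

```python
"""Keyspace arithmetic for a default WPA passphrase with a reduced alphabet and a
predictable last character, expressed as a hashcat mask, plus the WPS PIN
checksum that turns a 7-digit PIN body into a valid 8-digit PIN.

Added example; not from the forum post or any vendor's code.
"""

FULL_LOWER = "abcdefghijklmnopqrstuvwxyz"   # the 26 letters the passphrase appears to draw from
ASSUMED_SUBSET = "abcdefghjkmnpqrs"         # placeholder 16-char subset (assumption, not from the thread)
PASSPHRASE_LEN = 10
ASSUMED_RATE = 400_000                      # assumed WPA2 hashes/s for one GPU (order of magnitude only)


def keyspace(alphabet_size: int, free_positions: int) -> int:
    """Candidates when each of free_positions draws from alphabet_size symbols."""
    return alphabet_size ** free_positions


def reduction_factor(apparent_alphabet: str, real_alphabet: str,
                     length: int, predictable_tail: int) -> float:
    """How many times smaller the real keyspace is than the one the passphrase
    appears to have; predictable_tail is the count of positions derived from
    the others (the post reports 1) and therefore costs nothing to enumerate."""
    apparent = keyspace(len(apparent_alphabet), length)
    real = keyspace(len(real_alphabet), length - predictable_tail)
    return apparent / real


def hashcat_mask(alphabet: str, free_positions: int) -> str:
    """hashcat -a 3 arguments: custom charset 1 plus one ?1 per free position.
    The derived final character is not part of the mask; whatever rule predicts
    it has to append it (for example by piping candidates into hashcat)."""
    return f"-1 {alphabet} " + "?1" * free_positions


def crack_seconds(candidates: int, hashes_per_second: int) -> float:
    """Worst-case time to exhaust a keyspace at a given rate."""
    return candidates / hashes_per_second


def wps_checksum(pin7: int) -> int:
    """Standard WPS PIN checksum: weighted digit sum (3,1,3,1,...) modulo 10.
    Only 10^7 PIN bodies exist; the 8th digit adds no entropy."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def wps_pin(pin7: int) -> str:
    """Full 8-digit PIN string for a 7-digit body."""
    return f"{pin7:07d}{wps_checksum(pin7)}"


def wps_pin_is_valid(pin8: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return (len(pin8) == 8 and pin8.isdigit()
            and wps_checksum(int(pin8[:7])) == int(pin8[7]))


if __name__ == "__main__":
    apparent = keyspace(len(FULL_LOWER), PASSPHRASE_LEN)
    real = keyspace(len(ASSUMED_SUBSET), PASSPHRASE_LEN - 1)
    factor = reduction_factor(FULL_LOWER, ASSUMED_SUBSET, PASSPHRASE_LEN, 1)
    print(f"apparent keyspace 26^10 = {apparent:,}")
    print(f"real keyspace     16^9  = {real:,}  ({factor:.0f}x smaller)")
    print(f"~{crack_seconds(real, ASSUMED_RATE) / 3600:.1f} h vs "
          f"~{crack_seconds(apparent, ASSUMED_RATE) / (3600 * 24 * 365):.0f} years at {ASSUMED_RATE:,} H/s")
    print("hashcat -m 22000 -a 3", hashcat_mask(ASSUMED_SUBSET, PASSPHRASE_LEN - 1), "capture.hc22000")
    print("WPS PIN for body 1234567:", wps_pin(1234567))
```

The mask enumerates only the nine free positions; the tenth, predictable character has to be supplied by the rule the post alludes to, which is not described there. The WPS part shows why a PIN "derived from the serial" is worth chasing: whatever the derivation, the space is at most 10^7 bodies, and any candidate that fails `wps_pin_is_valid` can be discarded before it is ever sent to the AP.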


Messages In This Thread
RE: Keyspace List for WPA on Default Routers - by soxrok2212 - 06-21-2017, 01:00 AM