Keyspace List for WPA on Default Routers
If I remember the script correctly (don't have it on hand ATM), it takes the serial and converts it back to hex which, IMO, is a waste of time since it could most likely just grab the MAC from some hardware ID.

Anyways, this means that the video network is based on the MAC address. I'm convinced the PSK is generated from the MAC address as well.


This post from mrfancypants might be of interest, and is perhaps the thing that convinces me most that the key is not random:

(06-28-2017, 03:19 AM)mrfancypants Wrote: I've finally worked out part of the algorithm for 589/599. Not enough to crack it (in fact, with what I worked out, it's totally possible that it's [effectively] uncrackable because they feed it from a RNG), but enough to understand how passwords are being constructed.

Consider the following. Actual parameters of a NVG599 off eBay:

SSID: ATTn3f64I2 
Wireless key: nyrip9=c5bgv 
Access key: 18?/72@@<3 
Second SSID: vATTvb%g?<&c
Second wireless key: #h,t)0(ZUwI0

Looks random, right? Now watch:

Code:
ssid_charset='23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz'
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'
ext_charset='!"#$%&\'()*+,-./:;<=?@[]_`{|}0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
def intpw(x):
   val=0
   for n in range(0,12):
           val+=pw_charset.find(x[n])*(37**(11-n))
   if (val%8)==7:
           val+=37**12
   return val
def intssid(x):
 val=0
 for n in range(0,7):
  val+=ssid_charset.find(x[n+3])*(56**(6-n))
 return val
def int_ext(x):
   val=0
   for n in range(0,len(x)):
           val+=ext_charset.find(x[n])*(90**(len(x)-1-n))
   return val

>>> '%x' % intssid('ATTn3f64I2')
'13c2a3ea400'
>>> '%x' % intpw('nyrip9=c5bgv')
'7a7b4bbbf4f69800'
>>> '%x' % int_ext("b%g?<&c")
'1f71654cac80'
>>> '%x' % int_ext("#h,t)0")
'3d6180c00'
>>> '%x' % int_ext("(ZUwI0")
'a98a65dc0'

I'll let you meditate on this for now and I'll explain later Smile (hint: consider positions of top and bottom set bits in '7a7b...')

The problem here is the generators are a bit different, so I'm sure that the ordering of the 'seeds' are not the same as the sticker.
Reply


Messages In This Thread
RE: Keyspace List for WPA on Default Routers - by soxrok2212 - 01-20-2018, 08:38 PM