Keyspace List for WPA on Default Routers
(04-16-2018, 01:17 AM)fart-box Wrote: For anyone who is interested, or for anyone who would like to dig deeper, here is my complete list of keys with the passwords they produce.

4283457191012690433     2c7p482e7w3=
4286567750714385920     2dsmmcf4=%ya
5431393268271177728     8vvjgyf8a%zs
5438089164362080601     8w%6uk#ypk7a

I see what you're saying. Unfortunately, I am almost certain that it is not how 5268AC passwords are generated.

There are certain features in their passwords that can't arise naturally if they just generate a key in some unknown way and then convert it into a password the way it's done for 599s. Here are three features that I've verified with high confidence:

* There are never more than three letters in a row
* There are never two non-alphanumeric symbols next to each other
* The last character is always alphanumeric

For example, it is statistically impossible to have no four-letter sequences the middle of the password, unless you actively prevent that from happening. Since letters comprise 24 out of 37 possible symbols, there should be about a 18% chance ( (24/37)^4 ) for any four consecutive symbols to be letters at the same time. Even if digits are oversampled, there should be lots of 4 and 5 letter sequences.  I've collected something like 50 passwords in the last few days alone, by going through every eBay listing with a photo, and, by random chance, there should be dozens of 4-letter subsequences among them. There were exactly zero.

You see the same thing with their SSIDs. There, it's even more unlikely: charset size 57 or 58, only 8 of them digits, but you never see more than 3 letters in a row: usually there's a digit at #4 and another at #8.

[Though here's something really strange. I do have two 5268AC passwords which do have 4 letters in a row, in both cases it's at the very end: '7t5c3ws=iqhq' and '9s2vac8?jeqt'. I've even downloaded the caps and personally verified them. Both were reported by Wolfe at hashkiller.]

I suspect that they do some kind of context-switching, changing charsets at each symbol depending on previously generated symbols. (You are assuming in your calculations that the charset is the same 37 characters at every location.) Without knowing the exact rules and the exact charsets, it's tough to figure out what keys are supposed to be. I tried to work out charsets through statistics, but results are confusing.

I'd really like to ping Wolfe and ask him how he did it, but they won't let me use PMs on hashkiller, my reputation's too low..

Messages In This Thread
RE: Keyspace List for WPA on Default Routers - by mrfancypants - 04-20-2018, 10:02 PM