Keyspace List for WPA on Default Routers
(06-28-2017, 03:19 AM)mrfancypants Wrote: I've finally worked out part of the algorithm for 589/599. Not enough to crack it (in fact, with what I worked out, it's totally possible that it's [effectively] uncrackable because they feed it from a RNG), but enough to understand how passwords are being constructed.

Consider the following. Actual parameters of a NVG599 off eBay:

SSID: ATTn3f64I2
Wireless key: nyrip9=c5bgv
Access key: 18?/72@@<3
Second SSID: vATTvb%g?<&c
Second wireless key: #h,t)0(ZUwI0

Looks random, right? Now watch:

def intpw(x):
    for n in range(0,12):
        if (val%8)==7:
            return val
def intssid(x):
    for n in range(0,7):
        return val
def int_ext(x):
    for n in range(0,len(x)):
        return val

>>> '%x' % intssid('ATTn3f64I2')
>>> '%x' % intpw('nyrip9=c5bgv')
>>> '%x' % int_ext("b%g?<&c")
>>> '%x' % int_ext("#h,t)0")
>>> '%x' % int_ext("(ZUwI0")

I'll let you meditate on this for now and I'll explain later (hint: consider positions of top and bottom set bits in '7a7b...')

Given that the sha1 of the serial number is used to generate the vATT SSID, there has to be a correlation if mrfancypants was able to recover everything here. The script I found is useful somehow, and sha1 with the serial HAS to be used to generate the keys.

If only we had the serial number from that eBay sticker... I *might* have a way to recover it.

RE: Keyspace List for WPA on Default Routers - by soxrok2212 - 08-24-2018, 07:39 PM
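The practical defender's takeaway from the thread is that a key derived from a device identifier is only as secret as that identifier, so factory-pattern SSIDs and keys should be treated as "never rotated" and replaced. The following is an added example (not code from mrfancypants, soxrok2212 or any vendor tool) that audits a list of SSID/key pairs and flags ones that still look like the NVG599 factory values quoted above. The patterns it uses are an assumption inferred from that single sample (SSID "ATT" plus 7 alphanumerics, "vATT" plus 8 printable characters, 12-character keys), not a documented specification; the sample entries in the block are the values quoted in the post plus one constructed non-default network.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# ASSUMPTION: these patterns are inferred from the one NVG599 sample quoted in the
# thread (ATTn3f64I2 / vATTvb%g?<&c, 12-character keys); they are not a vendor spec.
PRIMARY_SSID = re.compile(r"^ATT[0-9A-Za-z]{7}$")
SECONDARY_SSID = re.compile(r"^vATT[!-~]{8}$")      # [!-~] = printable ASCII, no space
FACTORY_KEY_LEN = 12


@dataclass(frozen=True)
class Finding:
    ssid: str
    looks_factory: bool
    reasons: Tuple[str, ...]


def audit_wlan(ssid: str, key: str) -> Finding:
    """Classify one network. A network is flagged when its SSID matches a
    factory naming pattern; the key length is reported as corroborating
    evidence only, since a 12-character key on its own proves nothing."""
    reasons = []
    if PRIMARY_SSID.match(ssid):
        reasons.append("ssid matches factory ATT pattern")
    elif SECONDARY_SSID.match(ssid):
        reasons.append("ssid matches factory vATT pattern")
    if reasons and len(key) == FACTORY_KEY_LEN and " " not in key:
        reasons.append("key length matches factory key, likely never rotated")
    return Finding(ssid=ssid, looks_factory=bool(reasons), reasons=tuple(reasons))


def audit_many(entries: List[Tuple[str, str]]) -> List[Finding]:
    """Return only the networks that should be rotated."""
    return [f for f in (audit_wlan(s, k) for s, k in entries) if f.looks_factory]


# Sample inventory: the two SSID/key pairs quoted in the post plus one constructed
# network with a user-chosen name and passphrase.
SAMPLE_INVENTORY = [
    ("ATTn3f64I2", "nyrip9=c5bgv"),
    ("vATTvb%g?<&c", "#h,t)0(ZUwI0"),
    ("HomeNet-5G", "correct horse battery staple"),
]

if __name__ == "__main__":
    for finding in audit_many(SAMPLE_INVENTORY):
        print(f"ROTATE {finding.ssid}: {'; '.join(finding.reasons)}")
```

Run against the sample inventory it reports the two AT&T-pattern networks and stays silent on the user-named one. The check is deliberately conservative: it never tries to derive or verify a key, it only tells an operator which networks are still carrying credentials that a third party could plausibly reconstruct from a label on the device.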