5268ac routers
#21
Since this is a hashcat forum let me bring the discussion back to hashcat.

We have two examples of a string appended to the serial number (/usr/lib/librgw_compat.so.0.0.0 and /sbin/sysinit) and one without adding anything at all (/usr/bin/videossid).
There is also one example of using the access code instead. (http://en.techinfodepot.shoutwiki.com/wi...26T_Uverse)

We have two examples of AT&T using MD5 to generate a router unique code (/sbin/sysinit and the techinfodepot link) and one using SHA1 (/usr/bin/videossid)

The AT&T programmer could potentially use the same starting string (e.g. the serial number), add a different suffix string to generate each of the eSSID, videoSSID, video password, access code and wifi password all using the same algorithm. So what I'm trying here is to reverse engineer the AT&T programmers' thinking and determine the suffix string. (if *big IF* this is how it was originally generated)

There are three pieces of router-dependent data as a starting point to generate a string to feed a hashing algorithm, and that can potentially be brute-forced into rainbow tables of passwords (<1e11 possibilities): serial number, access code and MAC (drunk looking under the street lights for his keys). From there, as exemplified by the videoSSID algo, one can take the modulus of each byte of the digest to the length of the charset. For the WIFI password this would be 37 (with the exception of the first character of the password, which is modulus 8).

So let's presume the charset is the default choice:
abcdefghijkmnpqrstuvwxyz23456789#%+=?

And we'll use the first entry in the table above:
password 2u47nk96b58m with serial number 32161N114933

Hashcat has a half MD5 mode 5100, so you could take the first 8 characters of the password and turn those into hashes:
 2  u  4  7  n  k  9  6 (letters of the password)
 0 18 26 29 12 10 31 28 (position in charset)
00 12 1a 1d 0c 0a 1f 1c (converted to hexadecimal)
00121a1d0c0a1f1c (without spaces: first half of the MD5 hash)

So that's the minimum hash that would produce the password; however, all other hashes that also result in the password after each byte modulus 37 will need to be included. You'd just need to keep adding 37 to each byte until it is bigger than 255, then add 37 to the byte prior. Here's a sampling

00121a1d0c0a1f1c
00121a1d0c0a1f41
00121a1d0c0a1f66
00121a1d0c0a1f8b
00121a1d0c0a1fb0
00121a1d0c0a1fd5
00121a1d0c0a1ffa
00121a1d0c0a441c
00121a1d0c0a4441
00121a1d0c0a4466
00121a1d0c0a448b
00121a1d0c0a44b0
00121a1d0c0a44d5
00121a1d0c0a44fa
00121a1d0c0a691c
00121a1d0c0a6941
    ...
f8f0f8fbeae8fdd5
f8f0f8fbeae8fdfa

Again, each of these half-hashes, after taking modulus 37 and projecting those results onto the charset, will result in the first 8 chars of the password. For this example there will be 26 million hash entries per charset that would all turn into the password. But hashcat is only about 1% slower looking for millions of hashes versus a single hash when they are unsalted. So then we can use hashcat's power to try to determine the string appended to the serial number.

hashcat -m 5100 -w 4 -O sorted_half_hashes.hash -a 3 -1 ?u?l?d-_ 32161N114993?1?1?1?1?1?1?1?1

There will be quite a few results so you will have to sort through those. e.g.
32161N114993DaoNBdVa MD5 hash will result in 78F0AE67A0541F1C010FDE275A608A11
Then a mod 8 on the first byte and mod 37 on the rest will give
0 18 26 29 12 10 31 28 1 15 0 2 16 22 27 17
Projecting the first 12 bytes onto the charset will give you
2u47nk96brac while it should be 2u47nk96b58m, so close but no cigar!

So this is how hashcat can potentially help trying to get at the password generating algorithm. If only it had a truncated SHA1 mode....
Reply
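A worked version of the projection and candidate enumeration described in the post above, added here as example code (it is not from the post, from hashcat, or from any AT&T firmware). It uses the post's 37-symbol charset and the stated rule (first digest byte mod 8, every other byte mod 37), assumes the first character is drawn from "23456789" (consistent with '2' being "position 0" in the post, but not spelled out there), and reuses the digest the post quotes for MD5("32161N114993DaoNBdVa") to reproduce the near miss 2u47nk96brac. `half_md5_candidates` yields the same list the post samples, last byte varying fastest, and `candidate_count` gives its size without enumerating it; `password_for_seed` recomputes the digest with hashlib so a suffix guess can be checked end to end.

```python
import hashlib
import itertools

# Default charset named in the post (37 symbols); index = byte value mod 37.
CHARSET = "abcdefghijkmnpqrstuvwxyz23456789#%+=?"
# Assumption of this example: the first byte (mod 8) selects from '2'..'9'.
FIRST_CHARSET = "23456789"
PASSWORD_LEN = 12


def digest_to_password(digest: bytes, length: int = PASSWORD_LEN) -> str:
    """Project a digest onto the password charset: byte 0 mod 8, the rest mod 37."""
    if len(digest) < length:
        raise ValueError("digest too short for the requested password length")
    out = [FIRST_CHARSET[digest[0] % len(FIRST_CHARSET)]]
    out += [CHARSET[b % len(CHARSET)] for b in digest[1:length]]
    return "".join(out)


def password_for_seed(seed: str, length: int = PASSWORD_LEN, algo: str = "md5") -> str:
    """Hash a candidate seed string (e.g. serial + suffix) and derive the password."""
    return digest_to_password(hashlib.new(algo, seed.encode()).digest(), length)


def byte_values_for_char(ch: str, position: int) -> list:
    """All byte values 0..255 that map to `ch` at `position` under the modulus rule."""
    if position == 0:
        alphabet, modulus = FIRST_CHARSET, len(FIRST_CHARSET)
    else:
        alphabet, modulus = CHARSET, len(CHARSET)
    idx = alphabet.index(ch)  # ValueError for a character outside the set
    return list(range(idx, 256, modulus))


def half_md5_candidates(prefix: str):
    """Yield every 8-byte hex value (hashcat -m 5100 input) that projects to `prefix`.

    The last byte varies fastest, matching the sampling in the post.
    """
    if len(prefix) != 8:
        raise ValueError("half MD5 covers exactly the first 8 password characters")
    per_byte = [byte_values_for_char(c, i) for i, c in enumerate(prefix)]
    for combo in itertools.product(*per_byte):
        yield bytes(combo).hex()


def candidate_count(prefix: str) -> int:
    """Size of the candidate list without enumerating it (32 * 7^7 for 2u47nk96)."""
    n = 1
    for i, c in enumerate(prefix):
        n *= len(byte_values_for_char(c, i))
    return n


def write_hash_file(prefix: str, path: str) -> int:
    """Write the candidate list to feed `hashcat -m 5100 <path> ...`; returns line count."""
    n = 0
    with open(path, "w") as fh:
        for h in half_md5_candidates(prefix):
            fh.write(h + "\n")
            n += 1
    return n


if __name__ == "__main__":
    target = "2u47nk96b58m"  # password from the post's table
    print("candidates for", target[:8], "=", candidate_count(target[:8]))
    gen = half_md5_candidates(target[:8])
    print("first two:", next(gen), next(gen))
    # Digest the post quotes for MD5("32161N114993DaoNBdVa"); its projection
    # gives the post's near miss 2u47nk96brac rather than the target.
    quoted = bytes.fromhex("78F0AE67A0541F1C010FDE275A608A11")
    print(digest_to_password(quoted), "vs", target)
    # Same guess recomputed with hashlib instead of the quoted digest.
    print(password_for_seed("32161N114993DaoNBdVa"))
```

The list for a single 8-character prefix is about 26 million lines, so write it once with `write_hash_file` and sort it before handing it to hashcat; a hit in the hashcat output is only a candidate until the full 16-byte digest is projected and compared against all 12 characters, which is what the near miss above illustrates.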
#22
(02-14-2022, 12:06 AM)drsnooker Wrote: In the mean time, we found a lot of similarities between the wifi password as well as the ESSIDs, access codes, vSSIDs and its password. They all share the same characteristics hence we feel they must have a very similar algorithm. 

After a little more statistics there is something very weird. I have 80 examples of the password with three letters in a row at position 9, 10, and 11. (e.g. 2#zgj3x?upf8) Every single one of those 80 examples, follows it with a number. Remember symbols were never allowed in the 12th spot.
Now there are two passwords posted on hash killer that have 4 letters in a row. The 12th being also a letter, instead of a number. If it was possible to have a letter in the 12th spot after three letters in front of it, that would be significantly more likely than 0 out of 80. So something is fishy with the ones posted on hashkiller and cracked by Wolfe.
Reply
#23
(01-03-2022, 10:40 PM)fart-box Wrote: First, a correction. That videossid file creates the video SSID, NOT the video password as I incorrectly stated.

"We did find this interesting bit of code:"

That's very similar to what goes on in the videossid file. Which file contains that code? I never seem to have much luck with grep for some reason, but it might be wise to grep for portions of the character set, like '23456789' or 'abcdefg'. Do not grep the entire character set, because you can't be sure that ATT uses the exact same ordering of the character set that we use.

It might also be wise to post links to any files you find containing interesting code, (or attach those files to your posts), since most of us do not have access to a 5268 router or access to its code. I've posted many requests on the original thread for that serial number file before eventually moving on without it. Sharing what you find will give others who read this thread a chance to participate, and to contribute their own theories, successes, and failures.

"Just to clarify in your key-gen are you using integer*multiplier = key then {key modulus 37 key/37}"

Pretty much, yes, but there may (or may not) be fractions involved, depending on the model.

So you realize that the videossid file is completely irrelevant and was likely some leftover reference code or used in old old models? Because we've run this script many, many times on various permutations of the serial file and get wildly different output. It's just a keymap, which is not the case here. I actually don't think you have a clue at all what you're talking about, especially since you've never actually proved you've broken it.

Please if you have something to contribute then do it, but don't leave cryptic and meaningless rabbit holes for people to fall into because it's really evident you're just wasting people's time. Prove me wrong -- show us your source.
Reply
#24
I figured I'd add to this now evolving howto guide on attacking (and so far failing to crack) a default password, for those of you using Windows. I spent a lot of time getting OpenSSL to work in Visual Studio C++, so you won't have to make the same mistakes.
First, the installation and compilation is described in this YouTube video.
install youtube guide for openSSL
But you'll see he has a hard time at the end of the video finding a working example of the implementation compatible with the latest revision.

#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>

#include <openssl/md5.h>
#pragma warning(disable : 4996)

using namespace std;

int main() {
    unsigned char digest[MD5_DIGEST_LENGTH];
    string md5_text = "hello world";
    // pointer to the bytes being hashed; passed as-is to MD5, not as &test_string
    const char* test_string = md5_text.c_str();
    MD5((const unsigned char*)test_string, strlen(test_string), digest);
    cout << int(digest[0]) << ' ' << int(digest[1]) << endl;
    return 0;
}

*Note the lack of "&" in front of test_string in the MD5 call. The &test_string shows up in a lot of examples and really screws things up, so don't do it!
Also, this implementation allows you to change the length of md5_text without the compiler yelling at you, which is helpful to try different guesses.


#include <cstring>
#include <iostream>
#include <string>

#include <openssl/sha.h>
#pragma warning(disable : 4996)

using namespace std;

int main() {
    unsigned char digest[SHA_DIGEST_LENGTH];
    string sha1_text = "hello world";
    const char* test_string = sha1_text.c_str();
    SHA1((const unsigned char*)test_string, strlen(test_string), digest);
    cout << int(digest[0]) << ' ' << int(digest[1]) << endl;
    return 0;
}

That still won't work without the Windows SDK installed, and you'll have to link additional libraries from the SDK.
linker/input/additional dependencies (for the x64 debug and release)
Program Files\Microsoft SDKs\Windows\v7.1\Lib\x64\Crypt32.Lib
Program Files\Microsoft SDKs\Windows\v7.1\Lib\x64\WS2_32.Lib


Although the OpenSSL MD5 implementation is faster than anything I found online, I did find a faster SHA1 version.
It took a lot of work to get the OpenSSL SHA1 to actually work, and I was better off with the stand-alone version. Live and learn.
Reply
#25
DrSnooker said:

"it needs at least 7 decimal places to get the last character"
"It needs to flag x.9999 as well as x.0001"
"assuming the first digit is base8 not base37"
"Note that these are the lowest entropy passwords in the collection"

You are definitely on the right track. I'm not sure if it matters, but I used x.9999999 and x.0000000, and I got similar results using either base8 or base37 on the first digit. I also used the "decimal" functions in Python, rather than floating the decimals. I'm not sure what that translates to in C++.



soxrok2212 said:

"I actually don't think you have a clue at all what you're talking about, especially since you've never actually proved you've broken it."

"Please if you have something to contribute then do it, but don't leave cryptic and meaningless rabbit holes for people to fall into because it's really evident you're just wasting people's time. Prove me wrong -- show us your source."


I have nothing but the deepest respect and admiration for all of the people here on the hashcat forum, with only one exception.

You, soxrok, and you alone, are the sole reason I have not released the 5268 seed. When Mrfancypants released his NVG-599 key-gen, you immediately jumped on it and re-released it in the form of your PSKracker, giving Mrfancypants absolutely no credit at all, and giving the impression that "you" were the original great creator. There is nothing I need to prove to you.

As some of you know, my crack station took a direct hit from a lightning bolt a year or two ago, and I haven't replaced it. Since then I've been dropping by from time to time just to help guide people down the right path in their attempts to crack the 5268 seed. I've been "teaching" people by "guiding" them for over twenty years. That's how people learn. If you just give them the answer, they've learned nothing.

But now it seems "it's really evident [I'm] just wasting people's time", so this time, I'll just stay gone. It's been a pleasure helping those who have actually put in a little effort.
Reply
#26
(04-07-2022, 10:59 PM)fart-box Wrote: DrSnooker said:

"it needs at least 7 decimal places to get the last character"
"It needs to flag x.9999 as well as x.0001"
"assuming the first digit is base8 not base37"
"Note that these are the lowest entropy passwords in the collection"

You are definitely on the right track. I'm not sure if it matters, but I used x.9999999 and x.0000000, and I got similar results using either base8 or base37 on the first digit. I also used the "decimal" functions in Python, rather than floating the decimals. I'm not sure what that translates to in C++.

But now it seems "it's really evident [I'm] just wasting people's time", so this time, I'll just stay gone. It's been a pleasure helping those who have actually put in a little effort.

Don't go yet! At least give me one more clue! 
Seems like Wolfe on hashkiller was probably faking his cracks of the 5268AC so you are the only person that has the answer to the 5268ac.

Yeah the flagging x.9999 was just the example. The statement above it implies it needs to be 7 digits long. Just didn't feel like typing all those 9's (and 0's)
Reply
#27
(04-07-2022, 10:59 PM)fart-box Wrote: I have nothing but the deepest respect and admiration for all of the people here on the hashcat forum, with only one exception.

You, soxrok, and you alone, are the sole reason I have not released the 5268 seed. When Mrfancypants released his NVG-599 key-gen, you immediately jumped on it and re-released it in the form of your PSKracker, giving Mrfancypants absolutely no credit at all, and giving the impression that "you" were the original great creator. There is nothing I need to prove to you.

Aw man, see, now that's just completely wrong.
https://github.com/soxrok2212/PSKracker/....c#L21-L23
https://github.com/soxrok2212/PSKracker#references

Yes, my apologies. I rewrote it in C so that it could be used to generate keys on the fly and not be a bottleneck and I appropriately referenced my sources and very clearly gave credit where it's due. 

There's nothing you need to prove because you have nothing to prove (not to mention you never even did prove it). GG clearing all your posts though, really shows you're a fake spewing BS everywhere...
Reply
#28
As a long-time lurker, I am disappointed to see such disrespect allowed on this forum.

Disagree by all means, but do not put people down just to boost your own ego.
I found the fart-box posts on the 5268AC interesting and I am sorry to see fart-box has been left with no option but to stop posting, but I fully understand why in the face of this abuse.
Reply
#29
(04-09-2022, 04:08 PM)MrMiller Wrote: As long time lurker, I am disappointed to see such disrespect allowed on this forum

https://hashcat.net/forum/user-12068.html you have less than 20 minutes online.
Reply
#30
Everybody take a breath and step away from your keyboard!
SoxRok2212 did give MrFancyPants credit, and what's more, MrFancyPants himself doesn't have any grievances with SoxRok2212. Moreover, Fart-Box has indeed never actually shown a 5268AC cap that he cracked.
That said, if Fart-Box doesn't want to share his complete algo that's his right and if he wants to defend MrFancyPants' honor, he may do so at his leisure. Nobody here is obligated to do anything, but be excellent or risk being banned.

Of course I'd love to see positive confirmation that Fart-box does in fact have the 5268AC nailed, but he says his rig got fried, so we probably will never have that luxury. So until then, I'm following whatever breadcrumbs I get from everybody who has travelled this path before me to hopefully get to the finish line. I'm trying to document as much as I can here, in case I run out of ideas and in a few years time somebody new comes along to try it again.

In summary: So far all I have proven is that I am not smart enough to crack the default key of the 5268AC *YET* and really wish somebody smarter than I would step up, jump in and help out!
Reply