Keyspace List for WPA on Default Routers
(12-13-2017, 12:28 AM)fart-box Wrote: ... It seems people aren't too keen about sharing their personal stash of information around here.
My personal stash was shared in its entirety a page back or so. If I had more, I'd share. 

Back on topic, I'm following this thread closely, cheering you on from afar!
(12-14-2017, 12:51 AM)fart-box Wrote: The capital 'T', as well as the other six characters that surround it have me puzzled though. If that's supposed to be the password, I'm wondering where the capital 'T' comes from, because it's not in my character set. And if I recall, the video password was thirteen characters long, not seven, or even twelve.


This is the charset... it generates the SSID only which is vATT + 7 characters, not the password. I think there was some statistical/mathematical for even distribution with modulo 37... or maybe it was 17. There was talk of it in a Diffie-Hellman exchange video somewhere online. Would start to make sense why they used it I guess, but it doesn't explain everything yet. I wish mrfancypants had the serial posted for the sample he shared in the very early pages of this thread with the vATT SSID and PSK.
I don't have a clue but perhaps you could try the code I linked you... I've only run it on macOS (maybe Linux? I don't remember) so I'm positive it works on a Unix system. Also one thing to note is I'm not sure whether there is a newline (or if it has any other information in it) at the end of the file containing the serial on an actual box... whether it has one or not changes the sha1 hash so this is something to consider as well. I would guess that it is possible that sha1 is used somewhere else to generate the keys but it doesn't explain (in some cases) the alternating ?d?1?d?1?d?1....
Hey guys, that part in my OP where I said I was going to edit the OP with new info... well, I lied.
(01-09-2018, 01:42 AM)fart-box Wrote: soxrok2212, if you're still working with that BASH script and wishing for a database with MAC addresses and SNs this might help you a bit, or perhaps you already know.

NVG-599 - MAC address, converted to decimal, minus 1 = SN.

ex: MAC = 0xD404CDBE1C11 = 233117096746001, SN = 233117096746000

Good to know, if I have time to look some more I'll take this into consideration.
If I remember the script correctly (don't have it on hand ATM), it takes the serial and converts it back to hex which, IMO, is a waste of time since it could most likely just grab the MAC from some hardware ID.

Anyways, this means that the video network is based on the MAC address. I'm convinced the PSK is generated from the MAC address as well.

This post from mrfancypants might be of interest, and is perhaps the thing that convinces me most that the key is not random:

(06-28-2017, 03:19 AM)mrfancypants Wrote: I've finally worked out part of the algorithm for 589/599. Not enough to crack it (in fact, with what I worked out, it's totally possible that it's [effectively] uncrackable because they feed it from a RNG), but enough to understand how passwords are being constructed.

Consider the following. Actual parameters of a NVG599 off eBay:

SSID: ATTn3f64I2 
Wireless key: nyrip9=c5bgv 
Access key: 18?/72@@<3 
Second SSID: vATTvb%g?<&c
Second wireless key: #h,t)0(ZUwI0

Looks random, right? Now watch:

def intpw(x):
   for n in range(0,12):
   if (val%8)==7:
   return val
def intssid(x):
 for n in range(0,7):
 return val
def int_ext(x):
   for n in range(0,len(x)):
   return val

>>> '%x' % intssid('ATTn3f64I2')
>>> '%x' % intpw('nyrip9=c5bgv')
>>> '%x' % int_ext("b%g?<&c")
>>> '%x' % int_ext("#h,t)0")
>>> '%x' % int_ext("(ZUwI0")

I'll let you meditate on this for now and I'll explain later :) (hint: consider positions of top and bottom set bits in '7a7b...')

The problem here is the generators are a bit different, so I'm sure that the ordering of the 'seeds' is not the same as the sticker.
Pace 5268AC passwords always start with a numeric digit. Assuming the password is a base-37 coded long int with unknown range and unknown charset, is it possible that the charset has numeric digits first?
I mean '23456789abcdefghijkmnpqrstuvwxyz#%+=?' or '23456789#%+=?abcdefghijkmnpqrstuvwxyz'.
Then, applying some int ranging, we will always have a numeric digit first in the password.
(01-26-2018, 04:12 PM)needbmw Wrote: Pace 5268AC passwords always start with a numeric digit. Assuming the password is a base-37 coded long int with unknown range and unknown charset, is it possible that the charset has numeric digits first?
I mean '23456789abcdefghijkmnpqrstuvwxyz#%+=?' or '23456789#%+=?abcdefghijkmnpqrstuvwxyz'.
Then, applying some int ranging, we will always have a numeric digit first in the password.

Try it and see what happens!

Too bad Wolfe cries that nobody else helps, yet he doesn't say where he gets any of his information. A Pace model was just broken.
(01-28-2018, 01:03 AM)fart-box Wrote: I should also point out that there was no response confirming that Mr. Wolfe's password actually worked, so he could have just plucked it right out of the air.

I tested it myself and the key does work. It's likely just a different multiplier being used. I grepped for bits of the key in the nvg599 keygen and every snippet was found (6+ consecutive characters in the 5268 password). What helps is that the first character of the 5268 PSK is always a number. This could be used to limit our guessing range.