Keyspace List for WPA on Default Routers

[landsome]

anyone have the default keyspace for honhaipr routers?

[FelisaLDore]

The password appearing on wireless router is default but seems secure. Due to various reasons, ISPs restrict the password’s keyspace that are present on the routers. Google cache is helpful to you as most of the info was borrowed from the routerkeygenPC github project. One can go for wireless-modem and can get help from key generator sites like allkeysgenerator.com for hassle-free solutions.

[JCas]

Sapphire_XXXXX
[0-9][len8]

Also most users can't seem to figure out how to change the default PSK as the process isn't very intuitive. FYI these are 4G pucks that are popular throughout the middle east.

[soxrok2212]

In regards to the ATT Pace algorithm, I’ve found some leads in the firmware here: https://mirrors.napshome.net/ATTGatewayF....pkgstream

I’ve only had a few minutes to look but do a quick Greg for “default_key” and you may be able to catch onto my drift. I’ll try to look at it more ASAP.

[ZerBea]

Hi soxrok2212.
Did a quick binwalk, unsquashfs and radare2 on some files and noticed that the values are retrieved from the board:
ls /sys/module/board/parameters/*.*
or by debugsys --info

squashfs-root/usr/lib/libwifi.so will use/print that values.
squashfs-root/usr/bin/get_diags_tar.sh retrieve s/n for example.

squashfs-root/etc/rm.conf contains possible dummy values:
[post]
enabled=no
url=http://192.168.2.50/req-new.php
agent=AirTies Remote Monitor/0.01
bootcounter=2134
mac=aa:4d:23:54:cf:16
productID=215322134
serial=at2241507000102
period=60000

There are also some certs inside the pkgstream.

[soxrok2212]

I've finally worked out part of the algorithm for 589/599. Not enough to crack it (in fact, with what I worked out, it's totally possible that it's [effectively] uncrackable because they feed it from a RNG), but enough to understand how passwords are being constructed.

Consider the following. Actual parameters of a NVG599 off eBay:

SSID: ATTn3f64I2
Wireless key: nyrip9=c5bgv
Access key: 18?/72@@<3
Second SSID: vATTvb%g?<&c
Second wireless key: #h,t)0(ZUwI0

Looks random, right? Now watch:

Code:

ssid_charset='23456789ABCDEFGHIJKMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz'
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'
ext_charset='!"#$%&\'()*+,-./:;<=?@[]_`{|}0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
def intpw(x):
   val=0
   for n in range(0,12):
           val+=pw_charset.find(x[n])*(37**(11-n))
   if (val%8)==7:
           val+=37**12
   return val
def intssid(x):
 val=0
 for n in range(0,7):
  val+=ssid_charset.find(x[n+3])*(56**(6-n))
 return val
def int_ext(x):
   val=0
   for n in range(0,len(x)):
           val+=ext_charset.find(x[n])*(90**(len(x)-1-n))
   return val

>>> '%x' % intssid('ATTn3f64I2')
'13c2a3ea400'
>>> '%x' % intpw('nyrip9=c5bgv')
'7a7b4bbbf4f69800'
>>> '%x' % int_ext("b%g?<&c")
'1f71654cac80'
>>> '%x' % int_ext("#h,t)0")
'3d6180c00'
>>> '%x' % int_ext("(ZUwI0")
'a98a65dc0'

I'll let you meditate on this for now and I'll explain later (hint: consider positions of top and bottom set bits in '7a7b...')

Given that the sha1 of the serial number is used to generate the vATT SSID, there has to be a correllation if mrfancypants was able to recover everything here. The script I found is useful somehow, and sha1 with the serial HAS to be used to generate the keys.

If only we had the serial number from that eBay sticker... I *might* have a way to recover it.

[soxrok2212]

Regarding the 5268ac...

My conclusion was exactly that. However, Soxrok2212 (and nobody else) was ever able to provide a serial number file as requested.

The serial number file is run through sha1, then the hash from that operation is used to generate the password. I've completely reverse engineered the process (except for the sha1 function itself, of course) with great results, but without proper input, (a serial number file), my results are useless.

Knowing the layout and contents of the serial number file is the key to this crack. Knowing what's in that file will result in a proper sha1 output, and thus, the proper keys. And keep in mind, it is the FILE that feeds sha1, NOT just the serial number.

The other bad news is it seems that I've lost my 599... I can't, for the life of me, remember where I put it so for now, it's not likely that I can even examine that file.

[ApJack]

I collected about 40 PACE 5268AC router serials, mac addresses, SSIDs, and passwords from different sources online. I havent been able to come up with any correlation. Following this thread I thought this might help. I have been trying to figure out where the default passwords are coming from. I will keep working on this there has to be some type of algorithm or something that selects the password, this can not be randomly selected. Using only these characters  23456789 abcdefghijkmnpqrstuvwxyz +=%?#

[royce]

See also:

ALU/Nokia GPON Admin and WIFI keygen
https://git.lsd.cat/g/nokia-keygen

Hak5 forums Table of WiFi Password Standards (2016)
https://forums.hak5.org/topic/39403-tabl...standards/

[ZerBea]

...and if you don't have the default ESSID (with the 4 xdigits, required by the WIFI keygen),
$ hcxpsktool --digit10
will calculate the whole key space , based on wpa-sec analyses (known SEEDs):

$ hcxpsktool --digit10 | wc
no hashes loaded
7077888 7077888 77856768

Please notice:
The SEED not identical to the 4 xdigits within the ESSID.

If you need to calculate the SEED:

  calcseed.c.zip (Size: 806 bytes / Downloads: 7)

$ gcc -o calcseed calcseed.c -l crypto
$ ./calcseed xxxx dddddddd

result:
ssss xxxx dddddddddd

ssss = calculated SEED
xxxx = 4 digit of the ESSID
ddddddddddd = valid PSK