Keyspace List for WPA on Default Routers
I've been working on the 5268's, not gonna clog up this thread with what I've found but if anyone's interested in collaborating please send me a PM.
Reply
Been comparing 5286AC-FXN credentials.

There is a clear correlation between the first six digits of the MAC, and the first five digits of the S/N.

I'll list the pictures I used to deduce this.

MAC F8:18:97:1EBig GrinD:1C , S/N 18151N018859
https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4

MAC F8:18:97:08:A8:64 , S/N 19151N004762
https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4

Same thing with these two
https://picclick.com/ATT-U-VERSE-WI-FI-H...id=1&pid=4

https://picclick.com/ATT-U-Verse-Megabit...id=1&pid=5

And these three

https://picclick.com/ATT-U-VERSE-5268AC-...id=1&pid=1

https://picclick.com/ATT-U-verse-Pace-52...id=1&pid=3

https://picclick.com/ATT-UVerse-5268ACFX...id=1&pid=2

You can definitely see a pattern in the S/Ns.

The last six digits of the S/N are probably a unique ID. not sure if any of this will yield anything, but it is interesting so I thought I'd share.
Reply
(10-16-2020, 09:45 AM)Red1337 Wrote: Been comparing 5286AC-FXN credentials.

There is a clear correlation between the first six digits of the MAC, and the first five digits of the S/N.

Code:
The 2Wire/Pace serial number has the form 'aabbcdeeeeee'. 
Here 'aa' is 2 digits possibly encoding the manufacture date (observed possible first digits include 1,2,3,4, and 9.) 
'bb' is the year ('12' for 2012, etc.), 'c' is almost always 1. 'd' varies, its exact meaning is unclear,but all observed 3801's have a '9' here, all observed 5268AC's have a 'N', and other devices vary.

Source: http://en.techinfodepot.shoutwiki.com/wi...26T_Uverse

For the 589 and 599, (and probably the bgw210s?) the serial is just the mac-1 converted to decimal
Reply
Thanks Fart-box. PM-ed our list!

I built a different version of genpass5268... I'm getting the echos but much more consistent, hence I get keys that are a few points off from yours but they ALL result in the correct answer for example pwd=2aek7%tyw+nt
All these keys give the correct password (it doesn't skip like yours)

557810668266750
1423898784903950054
2847239759139633358
4270580733375316662
5693921707610999966
7117262681846683270
8540603656082366574
9963944630318049878
11387285604553733182
12810626578789416486

Which brings me to the multiplier/divisor/seed. I think I can brute force it, but it'll take years to get to 5 decimal places. With the 589 we can spot the minimum at a 0.1 resolution and can refine it after that to get more decimal places. What is the clever way to do it?
Reply
(11-13-2020, 12:15 AM)drsnooker Wrote: No offence taken! We actually have a google sheet that we use to keep track of stuff, we all have access to it. I'll add all your keys to it, although I might skip the keys that don't work!

Hi,
Would you mind sharing the Google Sheet ? I searched this post but couldn't find the link.
Thanks !
Reply
I am trying to identify Huawei and Arris default key spaces. Does anyone have that info?
Reply
No one has the info ?
I was asking for the shared GDrive sheet with keyspaces... Thanks
Reply
(11-28-2020, 02:18 PM)dre Wrote: I am trying to identify Huawei and Arris default key spaces. Does anyone have that info?

Had you taken a moment to read this thread you would have found ATTXXXXXXX-[0-9a-z+][len12]  on the very first page in the very first post. (Yes, ATTXXXXXXX is manufactured by Arris.) Had you read a bit further, you would have discovered that this keyspace was corrected to "abcdefghijkmnpqrstuvwxyz23456789#%+=?"

It's also been pointed out that Huawei uses [0-9A-F][len6].

But somewhere in one of my own posts I pointed out that you only have to add two octets from the MAC address.

Example:
SSID = DG1670AB2
SSID = DG1670A        B2  <- slide last 2 characters to the right
PSK =  DG1670A  XXXX  B2  <- drop in the 4th and 5th octet of the MAC address
        DG1670AXXXXB2      <- squish it all back together

Newer versions (WIFIxxxxxx) use use a 16 character passphrase consisting of A-Z and 1-9, (without 0,o,8,and b)
Reply
or simply take a look at hcxpsktool:
https://github.com/ZerBea/hcxtools/blob/...ol.c#L1282
It covers several algos (based on analysis of wpa-sec submissions).
Most of them are not covered by RouterKeyGen, because hcxpsktool calculate the entire key space, instead of a single hit.
This behavior is wanted due to analysis purpose, especially in combination with hcxdumptool attacks on CLIENTs (we don't have the origin MAC AP on this attack vector).
Reply
Alrighty.... Let's get back to this 5268ac thingy. I've been collecting more passwords and some interesting statistics show up (see pictures) 
After one letter (going right to left) the odds of getting another letter are about half of getting a number or symbol. 
After 2 letters, the odds of getting another letter are about a third of getting a number or symbol. 

After three letters you'll definitely get a number or a symbol (unless the sequence starts with the very last letter, then you can have 4 letters in a row) 
After a symbol it is also forbidden to get another symbol (letter or number only) So a lot of weird statistics going on!

Most of this has been described up thread, so nothing really new, but I'm practically starting over with the analysis.
Based on Farts comments, I'm probably chasing my tail (red herring) and all this falls out automatically when I finally get the correct multiplier. But haven't had any luck with that yet. But I finally have more time, so may be I can get it this summer.

[Image: w0QENdz.jpg]
[Image: lCwB2Fz.jpg]
Reply