Keyspace List for WPA on Default Routers
10-11-2020, 12:00 AM
I've been working on the 5268's, not gonna clog up this thread with what I've found but if anyone's interested in collaborating please send me a PM.
Been comparing 5286AC-FXN credentials.
There is a clear correlation between the first six digits of the MAC, and the first five digits of the S/N. I'll list the pictures I used to deduce this.
MAC F8:18:97:1ED:1C , S/N 18151N018859
https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4
MAC F8:18:97:08:A8:64 , S/N 19151N004762
https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4
Same thing with these two:
https://picclick.com/ATT-U-VERSE-WI-FI-H...id=1&pid=4
https://picclick.com/ATT-U-Verse-Megabit...id=1&pid=5
And these three:
https://picclick.com/ATT-U-VERSE-5268AC-...id=1&pid=1
https://picclick.com/ATT-U-verse-Pace-52...id=1&pid=3
https://picclick.com/ATT-UVerse-5268ACFX...id=1&pid=2
You can definitely see a pattern in the S/Ns. The last six digits of the S/N are probably a unique ID. Not sure if any of this will yield anything, but it is interesting so I thought I'd share.
11-03-2020, 10:46 AM
(This post was last modified: 11-03-2020, 10:49 AM by soxrok2212.)
(10-16-2020, 09:45 AM)Red1337 Wrote: Been comparing 5286AC-FXN credentials.
Code:
The 2Wire/Pace serial number has the form 'aabbcdeeeeee'.
Source: http://en.techinfodepot.shoutwiki.com/wi...26T_Uverse
For the 589 and 599, (and probably the bgw210s?) the serial is just the mac-1 converted to decimal
Thanks Fart-box. PM-ed our list!
I built a different version of genpass5268... I'm getting the echoes but much more consistent, hence I get keys that are a few points off from yours but they ALL result in the correct answer, for example pwd=2aek7%tyw+nt
All these keys give the correct password (it doesn't skip like yours):
557810668266750 1423898784903950054 2847239759139633358 4270580733375316662 5693921707610999966 7117262681846683270 8540603656082366574 9963944630318049878 11387285604553733182 12810626578789416486
Which brings me to the multiplier/divisor/seed. I think I can brute force it, but it'll take years to get to 5 decimal places. With the 589 we can spot the minimum at a 0.1 resolution and can refine it after that to get more decimal places. What is the clever way to do it?
11-27-2020, 01:51 PM
(11-13-2020, 12:15 AM)drsnooker Wrote: No offence taken! We actually have a google sheet that we use to keep track of stuff, we all have access to it. I'll add all your keys to it, although I might skip the keys that don't work!
Hi,
Would you mind sharing the Google Sheet? I searched this post but couldn't find the link.
Thanks!
11-28-2020, 02:18 PM
I am trying to identify Huawei and Arris default key spaces. Does anyone have that info?
12-07-2020, 05:00 PM
No one has the info?
I was asking for the shared GDrive sheet with keyspaces... Thanks
Or simply take a look at hcxpsktool:
https://github.com/ZerBea/hcxtools/blob/...ol.c#L1282
It covers several algos (based on analysis of wpa-sec submissions). Most of them are not covered by RouterKeyGen, because hcxpsktool calculates the entire key space, instead of a single hit. This behavior is wanted for analysis purposes, especially in combination with hcxdumptool attacks on CLIENTs (we don't have the origin MAC AP on this attack vector).
Alrighty.... Let's get back to this 5268ac thingy. I've been collecting more passwords and some interesting statistics show up (see pictures)
After one letter (going right to left) the odds of getting another letter are about half of getting a number or symbol.
After 2 letters, the odds of getting another letter are about a third of getting a number or symbol.
After three letters you'll definitely get a number or a symbol (unless the sequence starts with the very last letter, then you can have 4 letters in a row).
After a symbol it is also forbidden to get another symbol (letter or number only).
So a lot of weird statistics going on! Most of this has been described up thread, so nothing really new, but I'm practically starting over with the analysis. Based on Fart's comments, I'm probably chasing my tail (red herring) and all this falls out automatically when I finally get the correct multiplier. But haven't had any luck with that yet. But I finally have more time, so maybe I can get it this summer.
06-09-2021, 05:08 PM
This kinda belongs in this thread...
CGM4140COM routers have a default password that doesn't quite fit in the hybrid mode or the combinator mode:
wordlist ?d?d?d?d wordlist
Any suggestions how to tackle this one? Do we need an -a 8?