Keyspace List for WPA on Default Routers
(07-29-2020, 05:40 PM)frizz Wrote:
(07-08-2020, 05:17 PM)drsnooker Wrote: Looks like ATT has been using a BGW210-700 recently with a similar ESSID as the others. Do we know anything about that default password?
From eBay sales it looks like the default passwords look similar to those of the NVG599 and use the same 37-character set.

Signed up just to share my experience. I was able to generate the correct key for BGW210-700 using the 599 and pipe it through hashcat and a GTX 1080. Worked on multiple devices, average time is ~90 mins at ~350-400 kH/s.

I didn't think these were crackable until doing research, finding this thread and other resources. I have been able to crack 100% of the ATT******* networks I've found which is blowing my mind a little.

I tried several ATT Pace routers but was not successful.
Reply
I've been working on the 5268's, not gonna clog up this thread with what I've found but if anyone's interested in collaborating please send me a PM.
Reply
Been comparing 5286AC-FXN credentials.

There is a clear correlation between the first six digits of the MAC, and the first five digits of the S/N.

I'll list the pictures I used to deduce this.

MAC F8:18:97:1E:DD:1C , S/N 18151N018859
https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4

MAC F8:18:97:08:A8:64 , S/N 19151N004762
https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4

Same thing with these two
https://picclick.com/ATT-U-VERSE-WI-FI-H...id=1&pid=4

https://picclick.com/ATT-U-Verse-Megabit...id=1&pid=5

And these three

https://picclick.com/ATT-U-VERSE-5268AC-...id=1&pid=1

https://picclick.com/ATT-U-verse-Pace-52...id=1&pid=3

https://picclick.com/ATT-UVerse-5268ACFX...id=1&pid=2

You can definitely see a pattern in the S/Ns.

The last six digits of the S/N are probably a unique ID. Not sure if any of this will yield anything, but it is interesting so I thought I'd share.
Reply
Welcome back Fart box! Did somebody remove all your old comments? I was going to re-read all the clues you gave, but they seem to have disappeared. There's a renewed interest in trying to figure this out, so any clues would be super appreciated.
We have recovered the multiplier for 599 from scratch and are now working on recovering how fancy got his multiplier. After that, we'll go after 5268ac.

A specific question for fart-box: Out of the 250 nvg599 passwords listed in the pastebin on page 15 of this thread, the soxrok code only generates 90. (about a third) Does your algorithm produce every single one, or do you have some misses as well?
Reply
Thanks Fart! Perhaps your computer is trying to tell you something LOL
I've been working with Bitwise Bill and Red1337 in the background, hoping maybe the three of us put together can match your accomplishment. So far we have matched the 589 and 599 algorithms (can explain all keys in a much larger data set than reported earlier on page 15) and are now working on 5268.
Good luck with your next endeavors but please don't forget about us trying to follow in your footsteps!
Reply
(10-16-2020, 09:45 AM)Red1337 Wrote: Been comparing 5286AC-FXN credentials.

There is a clear correlation between the first six digits of the MAC, and the first five digits of the S/N.

Code:
The 2Wire/Pace serial number has the form 'aabbcdeeeeee'. 
Here 'aa' is 2 digits possibly encoding the manufacture date (observed possible first digits include 1,2,3,4, and 9.) 
'bb' is the year ('12' for 2012, etc.), 'c' is almost always 1. 'd' varies, its exact meaning is unclear, but all observed 3801's have a '9' here, all observed 5268AC's have an 'N', and other devices vary.

Source: http://en.techinfodepot.shoutwiki.com/wi...26T_Uverse

For the 589 and 599, (and probably the bgw210s?) the serial is just the mac-1 converted to decimal
Reply
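The serial layout quoted in the post above, written out as a small label parser for inventory use. This is an added example, not code from the thread or from any participant. The function name, the regex, and the assumption that 'd' is a single digit or uppercase letter are mine. The two valid sample serials are the ones from the listings linked earlier in the thread.

```python
import re

# Field layout quoted in the post above: 'aabbcdeeeeee'.
# Assumption: 'd' is one digit or one uppercase letter.
SERIAL_RE = re.compile(
    r"^(?P<aa>\d{2})(?P<bb>\d{2})(?P<c>\d)(?P<d>[0-9A-Z])(?P<unit>\d{6})$"
)

# 'd' values the quoted note ties to a model. Only a hint: the note
# says other devices vary, so an unknown 'd' maps to None.
MODEL_BY_D = {"9": "3801", "N": "5268AC"}
# First digits of 'aa' that the note reports having observed.
OBSERVED_AA_FIRST = set("12349")


def parse_serial(serial):
    """Split a 2Wire/Pace label serial into the fields named in the note.

    Returns a dict, or None when the string does not fit 'aabbcdeeeeee'.
    """
    m = SERIAL_RE.match(serial.strip().upper())
    if m is None:
        return None
    notes = []
    if m["aa"][0] not in OBSERVED_AA_FIRST:
        notes.append("first digit of 'aa' not among observed values")
    if m["c"] != "1":
        notes.append("'c' is not 1 (the note says it almost always is)")
    return {
        "aa": m["aa"],                      # possibly a manufacture-date code
        "year": 2000 + int(m["bb"]),        # 'bb' is the two-digit year
        "c": m["c"],
        "d": m["d"],
        "model_hint": MODEL_BY_D.get(m["d"]),
        "unit": m["unit"],                  # trailing six digits
        "notes": notes,
    }


if __name__ == "__main__":
    # Third entry is a constructed malformed serial.
    for s in ("18151N018859", "19151N004762", "1815-N018859"):
        print(s, "->", parse_serial(s))
```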
Thanks Fart-box. PM-ed our list!

I built a different version of genpass5268... I'm getting the echoes but much more consistent, hence I get keys that are a few points off from yours but they ALL result in the correct answer for example pwd=2aek7%tyw+nt
All these keys give the correct password (it doesn't skip like yours)

557810668266750
1423898784903950054
2847239759139633358
4270580733375316662
5693921707610999966
7117262681846683270
8540603656082366574
9963944630318049878
11387285604553733182
12810626578789416486

Which brings me to the multiplier/divisor/seed. I think I can brute force it, but it'll take years to get to 5 decimal places. With the 589 we can spot the minimum at a 0.1 resolution and can refine it after that to get more decimal places. What is the clever way to do it?
Reply
No offence taken! We actually have a google sheet that we use to keep track of stuff, we all have access to it. I'll add all your keys to it, although I might skip the keys that don't work!
Reply
Hi guys,

I'm having a ton of fun on this new project I'm working on. It's gonna take a while, which means I won't be around here very often, but "someone" sent me a PM asking for the first digit and the length of the 5268 seed, (to save a lot of work and to speed things up). I won't mention any names but -->You know who you are.<--

These are things I will not share, because doing so would diminish the pride you'll have in yourself, and in your own efforts, when you figure this out on your own.

Instead, I will share the "method" I used to find the proper seed with everyone, so that anyone willing to do the work can learn from their own work, and achieve some well deserved pride in their efforts.

I started with 66 passwords. Then I wrote a python script to calculate the keys to each password. I selected two keys, turned them into three numbers, wrote another python script to find all of the divisors that would divide all three numbers, and finally wrote another python script that would count how many of my 66 keys could be divided by each divisor I had found. It was that "simple", but it was not easy getting the math right. Nineteen digit numbers are hard to wrap your head around, so I'll shrink this down to numbers you can work with in your head.

Let's say the upper limit has been reduced to 100, and the two keys you've selected have been reduced to 28 and 63.

63 - 28 = 35, so now you have three numbers. (You get a bonus point if you know why we do this.)

Write a script to divide all three numbers. This was the hard part for me. If you do it right, you'll have a pretty big list of divisors. If you've only found a few divisors, you haven't done it right. Remember, a decimal point is your friend.

Write another script to test that big list of divisors against all of your keys. The divisor that works is the seed you've all been looking for. In this simplified case, the seed would be '7', which comes up short of our upper limit of 100, but I've explained that in my previous posts.

Good luck guys!
Reply
(11-13-2020, 12:15 AM)drsnooker Wrote: No offence taken! We actually have a google sheet that we use to keep track of stuff, we all have access to it. I'll add all your keys to it, although I might skip the keys that don't work!

Hi,
Would you mind sharing the Google Sheet? I searched this post but couldn't find the link.
Thanks!
Reply