Keyspace List for WPA on Default Routers
(07-12-2017, 03:54 AM)soxrok2212 Wrote: Did you test the python or C code?

I tested the C code.
I've been testing the python code for the 599 generator.

So far, the hit rate is 100 percent.  The one code that wasn't calculated correctly with the generator for the 589 was correctly calculated with the python code for the 599.

Between the python for the 599 and the C for the 589, every passphrase that I have tested has been calculated correctly.

Will the python for the 599 gen be ported to C?

Also, bravo, sir.  Well done.

Is it possible that a similar method is being used for ATTXXXX devices? [0-9,A-Z] len 10
I will work on the 599 code when I get more time. Not sure of ATTxxxx
(07-12-2017, 02:52 AM)devilsadvocate Wrote: Regarding the 2 that were almost correctly calculated, the passphrase with the exception of the last 2 characters were guessed correctly, but the last 2 characters were wrong.  A workaround is to come up with a rule that can truncate the last 2 characters and brute force positions 11 and 12.  Either that or adjust the code as necessary.

But this is remarkable.  Good work.


The following should calculate the 2 which were "almost" correct:

def pwgen589_alt(x):
  if hibit>=52:
  for n in range(0,6):
   pw=pw_charset[x%37] + pw
   pw=chr(50+(x%8)) + pw
  return pw

I haven't seen any actual ATTxxxx passwords. I'm not even sure if they are associated with Arris or Pace hardware. If they are from Arris, the method should be similar.
gcc att.c to build, then ./a.out to run. Will take a good amount of time to generate all possibilities but you should be able to pipe directly into hashcat if I'm not mistaken. Haven't actually tested though.
Might be something with your PC, perhaps it can't handle the output? Try changing INT_MAX on line 30 to a smaller number like 50, recompile, and see if the output changes. Having no issues on my end, though I am using a more fully featured version that I will push tonight :)

Simply run gcc att.c -o att to compile, then run with ./att -m nvg589

I'll do my best to port the 599 code as soon as I can. Any bugs or comments please let me know! It is still very unfinished so I'm sure there will be issues.
(07-14-2017, 09:25 PM)fart-box Wrote: Soxrok2212, I hope you will implement the NVG599 code into your keygen as soon as possible, and when you do, I think you should give Mrfancypants a very special acknowledgement for all the hard work he's done locating these "magic numbers" and providing us with the Python code which made your keygen possible!

I will implement the 599 code when I have some time. And yes, I will credit mrfancypants and link to this thread. It is already in the next push but I haven't done it yet :)

EDIT: Updated acknowledgements and cleaned up code a bit. I will wait for mrfancypants' final Python code before I start on the C code to get the cleanest product possible. And sorry for my less than adequate coding skills, it's new to me too :)
(07-16-2017, 12:58 AM)fart-box Wrote: Thank you, Soxrok2212! And your first attempt at 'C' worked perfectly for me the second time around. I'm sure I messed something up on my first attempt.

I've ordered four (hard copy) books on-line which I hope will bring me back up to speed with my programming skills. They should be here in about a week.

While I'm waiting on books, is there anybody out there who could explain what I need to do to get Mrfancypants' NVG589 or NVG599 Python code working? I'm still struggling with both.

Thank you in advance, and sorry to be such a nuisance!

At this time, the code that exists is:

The source for the 589 (written in C).
The source for the 599 (written in Python).

The python code for the 599 is functional, but it is very memory hungry.  One of the workarounds is to give it at least one character on the line that says "candidates=pw_to_candidate_ints" (this is line 24).


This will generate all passwords that start with '2'.  If the python for the 599 code was hanging and not executing, I experienced the same behavior and this workaround enabled the generation of the desired passwords.

For the 599 python code, you will have to increment that line, line 24, in order to get the equivalent dictionary file.  You will have to do that 37 times (the characters that can be seen on line 1) in order to get all of the possible passwords.

This will soon become unnecessary.  The C code for the 599 is coming.

If you need more basic assistance, then you should know that a .py file has to be executed like: python

The C code should be compiled with gcc like: gcc nvg589.c -o nvg589.bin

Hope this helps.
(07-16-2017, 03:11 AM)devilsadvocate Wrote: The python code for the 599 is functional, but it is very memory hungry.

You can probably fix that by replacing
return [y for y in cands if pwgen(y)[:l]==x]
with
return (y for y in cands if pwgen(y)[:l]==x)