Keyspace List for WPA on Default Routers
#21
(03-22-2017, 11:59 PM)fart-box Wrote: A search on Ebay... <snip>
Wow, good sleuthing and thanks for sharing your findings. Note that if someone can keep a running list of eBay passphrases, this could be narrowed down even more.

Strong work fart-box !
Reply
#22
(03-25-2017, 05:14 AM)calexico Wrote: Strong work fart-box !

Can't even.
Reply
#23
I haven't yet proven it beyond all doubt, but I've got good reason to believe that the default keyspace for BELLXXX SSIDs isn't actually 8 hexadecimal digits (16^8 or 4.29 billion combinations), but actually a reduced keyspace that omits the characters 0, 8 and B (presumably for readability) so it's only 13^8 or 815 million combinations.

I ran the reduced keyspace against 275 BELLXXX WPA handshakes and it cracked 210 of them, so pretty good odds they don't use all 16 hex digits.  Additionally, none of the uncracked handshakes have yet fallen to the full possible keyspace, but I haven't finished my testing yet.
Reply
#24
The following seems to be the format for most Ubee DVW326 routers (SSID DVW326.XXXXXX-2.4G):

-1 ?u?d -2 CDE ?2?H?14M1300?d?d?d?d
Reply
#25
All models I see on eBay have serial numbers ending on 4M1300****. It is possible that models with SNs ending on 3V100**** (as in the example given by the manual) also exist.
Reply
#26
ATTxxxxxxx's bug me, they are up to 20% of all my uncracked handshakes and they seem to be invulnerable to all attacks.

I've collected more passwords from eBay, with associated SSIDs, MACs, SNs and/or manufacture dates.

https://pastebin.com/t62DGi3S

In SSIDs, some of the 'l' are probably 'I' (it's hard to distinguish between them in photos)

These devices used to be manufactured by (at least) two independent suppliers. One line is Motorola NVG589 -> Arris NVG589 -> NVG595 -> NVG599. (Motorola got acquired by Arris in '13.) The other is 2Wire/Pace 5268AC. 2Wire got acquired by Pace back in '10, and Pace got acquired by Arris last year. Most NVG589s went to AT&T but some were diverted to Frontier; those have SSIDs "FrontierXXXX" but the same password keyspace. Makes you wonder how they managed to shared the keyspaces. If you put MACs through vendor lookup, NVGs come back as "Arris" and 5268s come back as "2Wire".

The password keyspace is [2-9 a-z #%+=?] except 'o' and 'l'. Unlike the poster above, I see no incidents of '-' or 'o' and they probably don't occur, at least on these devices (all other characters occur at least 4 times in the set.)

A couple of curious observations (which give me some hope that they are not using a good RNG and some logic can be found in this mess).
* In all but two cases, the 1st character of the password is a digit if and only if the 4th character of the SSID (1st after "ATT") is a digit.
* Nearly all 589's have SSIDs of the form "ATTdcdcdcd" where all 'd's are digits (2-9) and 'c's are usually (but not always) letters. Their passwords are "dcdcdcdcdcdc" where 'd' are again 2-9 and 'c' is full keyspace (letters, digits and special symbols.) Unfortunately, this does not get us too far since it only knocks the number of possibilities from full 37^12=7*10^18 down to 8^6*37^6 = 7*10^14 (50 GPU-years/hash).

I'm trying to collect ATTdcdcdcd SSIDs hoping to deduce some deeper patterns/algorithms. I have about 50 so far (without passwords) in addition to the ones in the paste. If anyone has more, particularly with associated MACs, it would be appreciated.
Reply
#27
Meanwhile I spent an unproductive day trying to reverse engineer the router firmware. It is not uncommon that the WPA key is generated internally by the router from the serial number (https://www.usenix.org/system/files/conf...orente.pdf) All these routers are internally more or less the same architecture "Motopia". Took a while to get my hands on a copy of firmware (it's not offered officially for download), finally found a few versions on some backalley website, then took a while longer to unpack and to find a disassembler that can read MIPS big-endian.
In the end it all comes to nothing. I'm not 100% sure but it looks like these routers come with the 10-char SSID and the non-alphanumeric password burned directly into EEPROM at the factory. I found code that generates SSIDs from the serial number and the SKU, but it only has branches for ATTddd and ATTdddd (and a couple of others for non-AT&T customers).
It's either that or there's a specialized version of firmware for AT&T which I couldn't find yet.

P.S. In case anyone ever wants to pick up where I left off, here are some pointers.
Firmwares are at http://68.250.244.11/firmware/, the web site may be someone's personal Linux PC and it is sporadically on and off, I couldn't find any alternate sources.
Install https://github.com/devttys0/binwalk to unpack the firmware, which gives you a jffs2 file, and then find some way to unpack that.
Inside jffs2 you have a Linux distro. The most interesting bit seems to be the executable "sdb" which is either in /bin or in /sbin depending on firmware. Look for references to the string "ATT" or "ATT%s". There may be other places where relevant code is hiding. For something seemingly as simple as a router, there sure is a lot of stuff inside.
The code is MIPS big-endian and it can be reversed either by Radare2 or by a recent Ida Pro (neither of the two demo/evaluation versions on the developer site works, my old licensed 4.5 does not work either, in the end I had to torrent a 6.85.) If you know x86, MIPS is relatively easy to pick up, just look up registers/instructions and remember that the first instruction after the jump is executed before the jump.
Like I said, the SSID/WPA code for ATTxxxxxxx does not seem to be there, but there is a curious function that does SHA1 on the serial number and on some Jimi Hendrix lyrics and produces a hex string that may be used as a password for ATTdddd.
Arris has a large open-source code repository on Sourceforge but it has been pretty thoroughly scrubbed of anything that might be of use to us. In particular, "sdb" is completely absent. The closest it gets to relevant is, in the "NVG-9.1.1h0" download, there are some headers that were probably left behind by accident.
Reply
#28
I love that people named "fart-box" and "mrfancypants" are the ones dropping the most knowledge on this thread. This is what I live for.
Reply
#29
Said the guy named "epixoip"
Reply
#30
Turn your monitor upside-down!
Reply