Keyspace List for WPA on Default Routers
#81
(08-09-2017, 03:52 AM)soxrok2212 Wrote: Would like to wait for mrfancypants... and would also like to know where those 'magic' numbers came from.

Well, soxrok2212, I kinda left that question wide open to a multitude of answers, all involving some really complex math called modulus.

Perhaps explaining the theory behind modulus was more than Mrfancypants wanted to take on. I should have narrowed my question down to the root of the problem, the "+ 2" found in the "seed". In any case, it seems Mrfancypants is the only advanced mathematician amongst us, and it seems that he's too busy to share at the moment.

2^32 (4294967296) is very commonly used as a "seed" value in modulus, but Mrfancypants added another number (2) to that. That extra number (called an "increment") creates a brand new "seed", (4294967298), which dramatically changes the output.

That "2" is the key to the whole thing. Somehow, Mrfancypants calculated that number, and was confident enough with his results to share them with us, in the NVG599 key-gen.

There are simple math formulas to figure these things out, but I can't seem to get them to work.

Basically, you take a known pass phrase and do some simple subtraction to obtain a "key", a little more math to get the modulo, (which we already know is 37), more math and we get the "multiplier", and one last step to find the "seed".

Obviously, at this point, we would just subtract 2^32 from our result to find that mysterious number "2". As simple as it seems, my calculations always come out wrong. Maybe I need more data to start with, or maybe I should be working with bits rather than bytes.
Reply
#82
I am not sure I even understand your difficulty.

Let's take NVG589 specifically. We have an algorithm that takes in a 64-bit integer 'x' and spits out a 12-letter password:

pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'  # the 37 symbols, same set as the code later in this thread
def pwgen(x):
    pw=''
    for n in range(0,6):
        pw=pw_charset[x%37] + pw    # one of the 37 symbols
        x//=37
        pw=chr(50+(x%8)) + pw       # one digit '2'..'9'
        x//=37
    return pw

For whatever reason, AT&T people don't just pull an 'x' out of an RNG or something; instead they pull a 31-bit int and multiply it by a magic number that is approximately 465661287.5245797. (Or possibly do some slightly longer sequence of multiplications and additions which amounts to the same thing, because simply multiplying by that number does not always yield the exact result. But ignore that for now.)

Now, where did they get 465661287.5245797? Beats me. All I know is: (1) if they are starting with a 31-bit number, they had to multiply by _something_ (to span the whole range of passwords), since feeding a 31-bit value directly into the code above would always result in passwords that start with 2a2a2a..; (2) that exact value reproduces many of the passwords I see in the wild and that can't be a coincidence. (To calculate it, I basically had the computer run through all possible values until it found one that gave lots of hits.)

For NVG599, they tweak the number->password conversion algorithm and replace the 465... value with 2^32+2. Again, why 2^32+2? Not a clue.
Reply
#83
(08-15-2017, 02:26 AM)mrfancypants Wrote: I am not sure I even understand your difficulty.


Thank you, Mrfancypants! That answers all of my questions.

I was not asking where ATT got those numbers. I only wanted to know how you arrived at the conclusion that those numbers were the correct numbers.

"I basically had the computer run through all possible values until it found one that gave lots of hits."

That was the answer I was looking for. Until now, I was under the impression that you had used some "magic" mathematical formula to determine the exact values.

Thank you again for all the hard work you've put into this project!
Reply
#84
(08-15-2017, 02:26 AM)mrfancypants Wrote: I am not sure I even understand your difficulty.

Any guesses as to the float number that the 5268AC might be using?

Or is the 5268AC using a variation of the 599 scheme?

I haven't looked at this in at least a couple of weeks, but I got as far as modifying some of the Python for the 599 and experimenting with different values for where the pwgen function starts (normally at 2^32+2).

Something like this.  I am incrementing "m" in this example.  The first 6 digits were input from an Ebay listing for testing.

Code:
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'

def pwgen(x, m):
    # NVG599-style conversion: scale the seed by 2^32+m, round through a
    # float as the original generator does, then take 12 base-37 digits.
    x*=2**32+m
    x=int(float(x))
    pw=''
    for n in range(0,12):
        rem=x%37
        pw=pw_charset[rem]+pw
        x//=37
    return pw

def pw_to_candidate_ints(x, m):
    # Invert pwgen for a known prefix: rebuild the base-37 value of the
    # prefix and try every seed whose scaled value lands in that range.
    # The multiplier must be the same one pwgen uses (the original
    # hard-coded 0x100000002 here, which only agrees with m == 2).
    mult=2**32+m
    val=0
    l=len(x)
    for n in range(0,l):
        val+=pw_charset.find(x[n])*(37**(11-n))
    cands=list(range(val//mult, (val+37**(12-l))//mult+1))
    val+=37**12           # the product can exceed 12 digits; the 13th is dropped
    cands+=list(range(val//mult, (val+37**(12-l))//mult+1))
    return [y for y in cands if pwgen(y, m)[:l]==x]

for m in range(0, 2147483648):
    candidates=pw_to_candidate_ints('9d4c8c', m)
    for x in candidates:
        print(m, pwgen(x, m))

I was aiming to get it to produce output valid for 5268AC devices.  It was worth a shot, but didn't work.

I am going to have to go back in this thread and see if there was python for the 589 that can be tested.  Perhaps all that is needed for the 5268AC is a different "magic number", a correct floating point value that produces the correct result.

Has anyone had time to experiment?
Reply
#85
(08-17-2017, 01:14 AM)devilsadvocate Wrote: Perhaps all that is needed for the 5268AC is a different "magic number"

Exactly!

I'm not the smartest person on this thread, but in my opinion you're going about this all wrong. As Mrfancypants has already pointed out, the 5268AC uses a whole different method to generate its passwords.

It's just my opinion, but I think the smartest and simplest thing to do would be to reverse engineer a handful of known 5268AC passwords to determine their "keys", then see what they have in common in order to determine the correct master key (like 2^32), and increment (like + 2).

When you add the master seed to the increment, then multiply the result by "x" (x = 0 -> 7fffffff), the result must be equal to the key. To help you understand what that means, here's a simplified version using numbers. Let's say our master key is 2^3, our increment is 7, x = 5, and the key we've reverse engineered is 75.

2^3 + 7 = 8 + 7 = 15 and x = 5 so 5 * 15 = 75

If you change any one of those numbers, the generator will still work perfectly, but the output will be totally wrong.

I should point out that the key generator you're using is doing exactly the same thing. It takes '2^32' and adds '2', then it multiplies the result by 'x' to create a "key" which is then "floated" to remove any "trash". The 'float' function removes any digits to the right of the decimal point, (there's nothing to remove there since we're using whole numbers), but it also modifies the last three digits of the key. The key is then passed on to the rest of the code, to be torn apart by simple mathematics, grabbing a character from the list of characters each step of the way.

So what big number added to what small number, when multiplied by some "x" will equal 41456328912063687...? Find the answer to that question and we'll have our 5268AC generator.

And yes, that is an actual 5268AC key derived from the password list Mrfancypants supplied. The last character of that password is generated using a different, but simple, operation.
Reply
#86
Here in Brazil we have an ISP called GVT.
The default password is the serial number of the wireless router.
Here is an example:

D-Link
SSID: GVT-8A8A
PASS: N1B9027544
SERIAL: PJ2N1B9027544
MAC: 84:C9:B2:EB:8A:8A

Just count 10 chars from right to left, and that is the WPA/WPA2 key.
My question is: is there a way to calculate the serial number?
D-Link was used in this example, but it can be Arcadyan, Sagemcom, etc. It will always be the serial number.
Using Wireshark, the serial number received isn't the same as the one on the sticker on the bottom.
Thank you for your time.
Reply
#87
Hi all.

Thanks to a member of the forum, I have good news about the GVT network.
The task is not completed yet, but we have new information to share.
1) The first 3 chars of the password come from the OUI. E.g.:
   OUI        Partial pass   Router brand
   6c:19:8f   91E            D-Link International
   84:c9:b2   N1B            D-Link International
   ec:22:80   S1E            D-Link International
So, if the router is a D-Link, we can get the 1st, 2nd and 3rd digits from the OUI.
The last 6 chars are only numbers.
The 4th position can be a number or a letter.
The mask for hashcat is: <OUI - info>?1?d?d?d?d?d?d -1 ?u?d
The serial should be linked to the MAC, but I really lack the skill to analyze the firmware.
Any help will be more than welcome here.

A few pairs to analyse:
BSSID:MAC:ESSID:WPA/WPA2
ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
6815905da437:a89fba14ad7c:GVT-A436:5067014811
c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
6c198f027914:7ce9d3d7b853:GVT-7917:91E4019783
6c198f023368:d022bed72ab1:GVT-336B:91E4008101
84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
84c9b2ebbbff:cc52af6190a4:GVT-BBFE:N1B9033142
ec228045ef13:e006e6d03827:GVT-EF13:S1E8013780

Thank you all!

Edit: link to download a firmware
http://ryan.com.br/wp/download/Firmware/...com.br.zip

(08-25-2017, 11:40 PM)zarabatana Wrote: Here in Brazil we have an ISP called GVT.
Reply
#88
Hi Zarabatana,

thank you for the information.

Could you explain how you got "91E" from "6c:19:8f"?

Thanks.

(09-07-2017, 08:36 PM)zarabatana Wrote: Hi all.

Reply
#89
Hi robertoakira1.

It is fixed.
Analyzing a few default BSSID:KEY pairs, you can see this relation. E.g.:
BSSID:KEY
6c198f02b804:91E5007819
6c198f027914:91E4019783
6c198f023368:91E4008101

As you can see, every time the OUI is 6c198f the KEY starts with 91E.
That is valid for the GVT ISP (Brazil).
If I can help with something more, just ask.

(09-09-2017, 04:06 AM)robertoakira1 Wrote: Hi Zarabatana,

thank you for the information.

Could you explain how you got "91E" from "6c:19:8f"?

Thanks.

Reply
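An added example (editor's code, not zarabatana's and not from the firmware) that turns the observations in the GVT posts above, the OUI-to-prefix relation and the hashcat mask, into something checkable. It parses the BSSID:MAC:ESSID:KEY lines posted earlier in the thread, builds the OUI-to-prefix table the reply above describes, verifies every posted key against the claimed shape (3-char prefix tied to the OUI, one letter or digit, six digits) and against the mask its own BSSID would produce, and reports how many candidates that mask expands to. The pairs are copied from the post; the target BSSID at the end is made up; the mask syntax (?1 with -1 ?u?d, ?d for a digit) is the one in the post.

```python
import re
from collections import defaultdict

# BSSID:MAC:ESSID:KEY lines exactly as posted in the thread.
GVT_PAIRS = """\
ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
6815905da437:a89fba14ad7c:GVT-A436:5067014811
c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
6c198f027914:7ce9d3d7b853:GVT-7917:91E4019783
6c198f023368:d022bed72ab1:GVT-336B:91E4008101
84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
84c9b2ebbbff:cc52af6190a4:GVT-BBFE:N1B9033142
ec228045ef13:e006e6d03827:GVT-EF13:S1E8013780
"""

# Claimed key shape: 3-char prefix tied to the OUI, one [A-Z0-9], six digits.
KEY_SHAPE = re.compile(r'^([A-Z0-9]{3})([A-Z0-9])([0-9]{6})$')


def parse_pairs(text):
    """-> [(bssid, essid, key)] from the colon-separated dump (second MAC field ignored)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, _second_mac, essid, key = line.split(':')
        rows.append((bssid.lower(), essid, key))
    return rows


def oui_prefix_table(rows):
    """OUI (first 6 hex digits of the BSSID) -> set of 3-char key prefixes seen with it."""
    table = defaultdict(set)
    for bssid, _essid, key in rows:
        m = KEY_SHAPE.match(key)
        if m is None:
            raise ValueError('key does not fit the claimed shape: %r' % key)
        table[bssid[:6]].add(m.group(1))
    return dict(table)


def mask_for(bssid, table):
    """hashcat mask (used with -1 ?u?d) for a target BSSID, or None if its OUI is unknown or ambiguous."""
    prefixes = table.get(bssid.lower().replace(':', '')[:6], set())
    if len(prefixes) != 1:
        return None
    (prefix,) = prefixes
    return prefix + '?1' + '?d' * 6


def keyspace(mask):
    """Candidates a mask expands to, with ?1 = ?u?d (36 symbols) and ?d (10 digits)."""
    return 36 ** mask.count('?1') * 10 ** mask.count('?d')


def mask_matches(mask, key):
    """True if key is one of the candidates the mask would generate."""
    rx = mask.replace('?1', '[A-Z0-9]').replace('?d', '[0-9]')
    return re.fullmatch(rx, key) is not None


def uncovered(rows, table):
    """Posted keys that the mask derived from their own BSSID would miss (expected: none)."""
    out = []
    for bssid, _essid, key in rows:
        mask = mask_for(bssid, table)
        if mask is None or not mask_matches(mask, key):
            out.append(key)
    return out


ROWS = parse_pairs(GVT_PAIRS)
TABLE = oui_prefix_table(ROWS)

if __name__ == '__main__':
    for oui, prefixes in sorted(TABLE.items()):
        print(oui, sorted(prefixes))
    print('keys not covered by their own mask:', uncovered(ROWS, TABLE))
    target = '6c:19:8f:aa:bb:cc'               # made-up BSSID with an OUI from the table
    mask = mask_for(target, TABLE)
    print(target, '->', mask, 'candidates:', keyspace(mask))
```

For a capture whose OUI is in the table, the printed mask goes to hashcat as a mask attack with the custom charset from the post, e.g. -a 3 -1 ?u?d 91E?1?d?d?d?d?d?d, and the 36,000,000 candidates it expands to are a small keyspace for WPA2. An OUI seen with more than one prefix, or not seen at all, gets no mask; that is the gap the firmware analysis asked for above would have to close.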
#90
Finally fixed my NVG599 code, took me a while to figure out what I did wrong... my output was 2a2a2a.... and I realized that I hadn't done the exponentiation correctly. Feel free to laugh and drop some nasty comments: https://github.com/soxrok2212/PSKracker/...fbe082c54b
Reply