Keyspace List for WPA on Default Routers

devilsadvocate | Member | Posts: 100 | Threads: 34 | Joined: Aug 2014
08-17-2017, 01:14 AM

(08-15-2017, 02:26 AM)mrfancypants Wrote:
I am not sure I even understand your difficulty. Let's take the NVG589 specifically. We have an algorithm that takes in a 64-bit integer 'x' and spits out a 12-letter password:

Code:
```python
pw_charset = 'abcdefghijkmnpqrstuvwxyz23456789#%+=?'  # 37 symbols; assumed to be the same charset as in the NVG599 code further down
def nvg589_pw(x):
    pw = ''
    for n in range(0, 6):
        pw = pw_charset[x % 37] + pw      # letter/symbol from the 37-entry charset
        x //= 37
        pw = chr(50 + (x % 8)) + pw       # digit '2'..'9'
        x //= 37
    return pw
```

For whatever reason, AT&T people don't just pull an 'x' out of an RNG or something; instead they pull a 31-bit int and multiply it by a magic number that is approximately 465661287.5245797. (Or possibly they do some slightly longer sequence of multiplications and additions which amounts to the same thing, because simply multiplying by that number does not always yield the exact result. But ignore that for now.) Now, where did they get 465661287.5245797? Beats me. All I know is: (1) if they are starting with a 31-bit number, they had to multiply by _something_ (to span the whole range of passwords), since feeding a 31-bit value directly into the code above would always result in passwords that start with 2a2a2a..; (2) that exact value reproduces many of the passwords I see in the wild, and that can't be a coincidence. (To calculate it, I basically had the computer run through all possible values until it found one that gave lots of hits.) For the NVG599, they tweak the number->password conversion algorithm and replace the 465... value with 2^32+2. Again, why 2^32+2? Not a clue.

Any guesses as to the float number that the 5268AC might be using? Or is the 5268AC using a variation of the 599 scheme? I haven't looked at this in at least a couple of weeks, but I got as far as modifying some of the python for the 599 and experimenting with different values for where the pwgen function starts (normally at 2^32+2). Something like this. I am incrementing "m" in this example. The first 6 digits were input from an eBay listing for testing.
Code:
```python
pw_charset = 'abcdefghijkmnpqrstuvwxyz23456789#%+=?'

def pwgen(x, mult):
    # Expand the 31-bit seed by the multiplier, mimic the float rounding of the
    # original generator, then write the value out in base 37 (low digit last).
    x = int(float(x * mult))
    pw = ''
    for n in range(0, 12):
        pw = pw_charset[x % 37] + pw
        x //= 37
    return pw

def pw_to_candidate_ints(prefix, mult):
    # Invert pwgen for a known password prefix: place the known characters in
    # the high base-37 digits, divide by the multiplier, and also allow for the
    # product having wrapped past 37**12. Same multiplier as pwgen, so the
    # candidate range stays consistent with the generator being tested.
    val = 0
    l = len(prefix)
    for n in range(0, l):
        val += pw_charset.find(prefix[n]) * (37 ** (11 - n))
    cands = list(range(val // mult, (val + 37 ** (12 - l)) // mult + 1))
    val += 37 ** 12
    cands += range(val // mult, (val + 37 ** (12 - l)) // mult + 1)
    return [y for y in cands if pwgen(y, mult)[:l] == prefix]

# Sweep the constant added to 2**32 (the NVG599 uses 2**32 + 2).
for m in range(0, 2147483648):
    mult = 2 ** 32 + m
    for x in pw_to_candidate_ints('9d4c8c', mult):
        print(m, pwgen(x, mult))
```

I was aiming to get it to produce output valid for 5268AC devices. It was worth a shot, but didn't work. I am going to have to go back in this thread and see if there was python for the 589 that can be tested. Perhaps all that is needed for the 5268AC is a different "magic number", a correct floating point value that produces the correct result. Has anyone had time to experiment?

zarabatana | Junior Member | Posts: 31 | Threads: 7 | Joined: Jun 2013
08-25-2017, 11:40 PM

Here in Brazil we have an ISP called GVT. The default password is the Serial Number of the wireless router. Here is an example:

D-Link
SSID: GVT-8A8A
PASS: N1B9027544
SERIAL: PJ2N1B9027544
MAC: 84:C9:B2:EB:8A:8A

Just count 10 chars from right to left, and that is the WPA/WPA2 Key. My question is: is there a way to calculate the Serial Number? D-Link was used in this example, but it can be Arcadyan, Sagemcom, etc. It will always be the Serial Number. Using Wireshark, the serial number received isn't the same as on the sticker on the bottom. Thank you for your time.
zarabatana | Junior Member | Posts: 31 | Threads: 7 | Joined: Jun 2013
09-07-2017, 08:36 PM (This post was last modified: 09-08-2017, 04:11 AM by zarabatana. Edit Reason: Add link to Firmware)

Hi all. Thanks to a member of the forum, I have good news about the GVT network. The task is not completed yet, but we have new information to share.

1) The first 3 chars of the password come from the OUI. E.g.:

OUI        Partial Pass   Router Brand
6c:19:8f   91E            D-Link International
84:c9:b2   N1B            D-Link International
ec:22:80   S1E            D-Link International

So, if the router is a D-Link, we can get the 1st, 2nd and 3rd digits from the OUI. The last 6 chars are only numbers. The 4th position can be a number or a letter. The mask for hashcat is: ?1?d?d?d?d?d?d -1 ?u?d

The serial should be linked to the MAC, but I really lack the skill to analyze the firmware. Any help will be more than welcome here. A few pairs to analyse:

MAC                                     ESSID      WPA/WPA2
ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
6815905da437:a89fba14ad7c:GVT-A436:5067014811
c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
6c198f027914:7ce9d3d7b853:GVT-7917:91E4019783
6c198f023368:d022bed72ab1:GVT-336B:91E4008101
84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
84c9b2ebbbff:cc52af6190a4:GVT-BBFE:N1B9033142
ec228045ef13:e006e6d03827:GVT-EF13:S1E8013780

Thank you all!

Edit: link to download a firmware http://ryan.com.br/wp/download/Firmware/...com.br.zip

(08-25-2017, 11:40 PM)zarabatana Wrote: Here in Brazil we have an ISP called GVT. The default password is the Serial Number of the wireless router.
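As an added example (not code from the thread), the following Python checks the BSSID:KEY records posted above against the structure zarabatana claims (OUI-derived prefix, one upper-case letter or digit, six digits) and computes how small the remaining default-key space is, which is the point a defender should take from this scheme. The OUI table and the records are copied from the post; the keyspace helpers and the 36-symbol assumption for unknown prefix characters are mine.

```python
import math
import re

# OUI -> first three key characters, as tabulated in the post above.
OUI_PREFIX = {"6c198f": "91E", "84c9b2": "N1B", "ec2280": "S1E"}

# BSSID:station:ESSID:key records quoted from the post above.
PAIRS = """
ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
6815905da437:a89fba14ad7c:GVT-A436:5067014811
c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
6c198f027914:7ce9d3d7b853:GVT-7917:91E4019783
6c198f023368:d022bed72ab1:GVT-336B:91E4008101
84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
84c9b2ebbbff:cc52af6190a4:GVT-BBFE:N1B9033142
ec228045ef13:e006e6d03827:GVT-EF13:S1E8013780
""".split()

# Claimed structure: 3 prefix chars, one upper/digit, six digits
# (the post's hashcat mask ?1?d?d?d?d?d?d with -1 ?u?d).
KEY_RE = re.compile(r"^[A-Z0-9]{3}[A-Z0-9][0-9]{6}$")

def check_pair(record):
    """True if the key fits the claimed structure and, when the OUI is in the
    table, starts with the tabulated prefix."""
    bssid, _station, _essid, key = record.split(":")
    if not KEY_RE.match(key):
        return False
    prefix = OUI_PREFIX.get(bssid[:6].lower())
    return prefix is None or key.startswith(prefix)

def keyspace(oui_known):
    """Number of candidate default keys once the structure is known.
    With a table entry the first three characters are fixed; without one
    they are assumed to be three more upper/digit characters (36 symbols)."""
    tail = 36 * 10 ** 6            # one upper/digit followed by six digits
    return tail if oui_known else tail * 36 ** 3

def bits_lost(oui_known):
    """Entropy lost compared with a uniformly random 10-char upper/digit key."""
    return math.log2(36 ** 10) - math.log2(keyspace(oui_known))

if __name__ == "__main__":
    for rec in PAIRS:
        print(rec.split(":")[0], "ok" if check_pair(rec) else "MISMATCH")
    print("keyspace, OUI in table:", keyspace(True))
    print("bits lost vs. random 10-char key:", round(bits_lost(True), 1))
```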
robertoakira1 | Junior Member | Posts: 4 | Threads: 1 | Joined: Oct 2015
09-09-2017, 04:06 AM

Hi Zarabatana, thank you for the information. Could you explain how you got "91E" from "6c:19:8f"? Thanks.

(09-07-2017, 08:36 PM)zarabatana Wrote: Hi all. Thanks to a member of the forum, I have good news about the GVT network.

zarabatana | Junior Member | Posts: 31 | Threads: 7 | Joined: Jun 2013
09-10-2017, 04:58 PM

Hi robertoakira1. It is fixed. Analyzing a few default BSSID:KEY pairs, you can see this relation. E.g.:

BSSID          KEY
6c198f02b804   91E5007819
6c198f027914   91E4019783
6c198f023368   91E4008101

As you can see, every time the OUI is 6c198f the KEY starts with 91E. That is valid for the GVT ISP (Brazil). If I can help with something more, just ask.

(09-09-2017, 04:06 AM)robertoakira1 Wrote: Hi Zarabatana, thank you for the information. Could you explain how you got "91E" from "6c:19:8f"?

soxrok2212 | Member | Posts: 194 | Threads: 7 | Joined: Jul 2015
09-13-2017, 05:11 PM

Finally fixed my NVG599 code; it took me a while to figure out what I did wrong... my output was 2a2a2a.... and I realized that I hadn't done the exponentiation correctly. Feel free to laugh and drop some nasty comments: https://github.com/soxrok2212/PSKracker/...fbe082c54b

soxrok2212 | Member | Posts: 194 | Threads: 7 | Joined: Jul 2015
11-04-2017, 03:03 AM (This post was last modified: 11-04-2017, 03:36 AM by soxrok2212.)

For what it's worth, I wrote some code (currently as a separate piece of PSKracker) to calculate the seed given the password as an input parameter. Currently only for NVG589 models, but I'll work on the rest. Can use this for eBay sticker searches so we can hopefully find where the seeds come from. Usage is:

Code:
```
./pskracker -f 
```

Will return the seed in decimal if found. https://github.com/soxrok2212/PSKracker/tree/seed

calexico | Junior Member | Posts: 16 | Threads: 1 | Joined: Mar 2016
11-09-2017, 11:53 PM

(11-09-2017, 10:39 PM)fart-box Wrote:
(11-04-2017, 03:03 AM)soxrok2212 Wrote: For what it's worth, I wrote some code...
So if anyone has any actual 5268AC passwords they could post on this thread, it would sure help.

Do you think searching eBay for 5268AC labels is a good strategy? Also, what do you mean by 'Passwords as close to one another as possible?' Just trying to understand what that means, precisely. TIA, -Cal

soxrok2212 | Member | Posts: 194 | Threads: 7 | Joined: Jul 2015
11-10-2017, 01:29 AM

Hi fart-box... I laugh at that every time. I guess what I am searching for in recovering the seeds is some kind of link to another piece of information, i.e. MAC address, serial number, SSID, something. I know there must be something. The seed HAS to be from somewhere. I doubt they made a generator that's easy enough to run through all possibilities in an hour with average hardware yet made the seed completely random. So if you take the code for seed recovery and input known passwords, then make a list of MAC addresses, serial numbers, SSIDs, seeds and whatever else, I'm sure we will find the pattern.

RealEnder | Junior Member | Posts: 19 | Threads: 1 | Joined: Sep 2011
11-10-2017, 03:22 PM

Do you have a list of default SSIDs for those routers? Or are those just ATT*?