Keyspace List for WPA on Default Routers
(01-31-2018, 11:36 PM)fart-box Wrote: Long ago, someone contributing to this thread purchased an NVG router from E-bay to use for testing. Was that you, soxrok2212?

If so, would you (or anybody else who owns an NVG router) please post the entire contents of the serial number file referenced in that BASH script? Its location is "/sys/module/board/parameters/serialnumber".

If security is a concern, you could just send it to me attached to a private message through this forum.

I've arrived at the conclusion that these passwords are selected at random, so they must be generated from some mystery input. Since the VSSID is generated from the serial number, I feel that's a good place to start looking for the password as well.

I want to be sure I've got the format correct, along with any other information contained in the serial number file, because just throwing a number into that BASH script isn't getting me anywhere close to the correct password.

Also, I've downloaded those binaries soxrok2212 pointed us to a few posts ago, but I haven't been able to unpack them using my normal tools. Any advice would help.

I do have an NVG589 or 599, don’t remember which one. I don’t have time to work with it right now but at the next opportunity I will get that information for you.
Reply
Do you have any info on ASUS routers?
Reply
(02-06-2018, 10:22 AM)Codsworth Wrote: Do you have any info on ASUS routers?

I met one ASUS RT-N11P and it has WPA2-PSK that looks like this: ?l?l?l?d?d?d?l?l?l

(The characters involved are: 8,2,4,k,f,t,s,w and one letter shows up two times in a row). I guess the worst case keyspace is [0-9, a-z], 9 characters long...
Reply
Do you have any info on Pegatron routers?
Reply
Pegatron has 9 (nine) digits.
Reply
Thank You.
Reply
(02-13-2018, 11:23 AM)jurasjo Wrote: Do you have any info on Pegatron routers?

In my experience they are almost always 27?d?d?d?d?d?d?d or 28?d?d?d?d?d?d?d. But they definitely start with the number 2; for the second number I've never seen anything but 7 or 8...
Reply
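Sizing the keyspaces quoted in the ASUS and Pegatron replies above, as an added example that is not part of any post in this thread and is not hashcat's own code: it reimplements hashcat's mask syntax (the built-in ?l ?u ?d ?s ?a ?b ?h ?H sets and custom charsets ?1..?4) in Python so the candidate counts behind masks like ?l?l?l?d?d?d?l?l?l and 27?d?d?d?d?d?d?d can be checked before a run. The hash rate used for the time estimate is an assumed figure, not one from the thread.

```python
"""Keyspace sizing for hashcat-style masks (added example, not hashcat code)."""
import itertools
import string

# Built-in hashcat charsets. ?s is space plus the 32 ASCII punctuation
# characters (33 total), so ?a = ?l?u?d?s has 95 members.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "b": "".join(chr(i) for i in range(256)),  # all 256 byte values
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _dedupe(chars):
    """Keep the first occurrence of every character, preserving order."""
    return "".join(dict.fromkeys(chars))


def parse_mask(mask, custom=None):
    """Turn a mask into a list of per-position charsets.

    custom maps "1".."4" to a charset definition written in the same mask
    syntax (e.g. {"1": "?l?d"} for hashcat's -1 ?l?d). A literal '?' is
    written as '??'. Every other character is a fixed literal.
    """
    custom = custom or {}
    positions = []
    i = 0
    while i < len(mask):
        c = mask[i]
        if c != "?":
            positions.append(c)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        sel = mask[i + 1]
        if sel == "?":
            positions.append("?")
        elif sel in BUILTIN:
            positions.append(BUILTIN[sel])
        elif sel in "1234" and sel in custom:
            # Expand the custom definition with the same parser and flatten it.
            positions.append(_dedupe("".join(parse_mask(custom[sel]))))
        else:
            raise ValueError(f"unknown charset ?{sel}")
        i += 2
    return positions


def keyspace(mask, custom=None):
    """Number of candidates the mask generates (product of charset sizes)."""
    n = 1
    for charset in parse_mask(mask, custom):
        n *= len(charset)
    return n


def candidates(mask, custom=None):
    """Enumerate candidates in the same position-major order as the mask."""
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)


def eta_seconds(mask, rate_hps, custom=None):
    """Worst-case run time at a given hash rate (hashes per second)."""
    return keyspace(mask, custom) / rate_hps


if __name__ == "__main__":
    RATE = 400_000  # assumed WPA rate in H/s; adjust for your hardware
    cases = [
        ("ASUS RT-N11P as observed", "?l?l?l?d?d?d?l?l?l", None),
        ("ASUS worst case [0-9a-z]{9}", "?1?1?1?1?1?1?1?1?1", {"1": "?l?d"}),
        ("Pegatron 27 prefix", "27?d?d?d?d?d?d?d", None),
        ("Pegatron 27 or 28 prefix", "2?1?d?d?d?d?d?d?d", {"1": "78"}),
    ]
    for label, mask, custom in cases:
        n = keyspace(mask, custom)
        days = eta_seconds(mask, RATE, custom) / 86400
        print(f"{label:28s} {mask:20s} {n:>20,d} candidates  ~{days:,.2f} days")
```

The ASUS post also notes that one letter repeats twice in a row; a mask cannot express that dependency between positions, so it would have to be applied as a filter over `candidates()` (or as a hashcat rule), which shrinks the real search far below the mask's nominal count.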
I'm gone for less than a year and you guys have already added 5 more pages!

Let's recap.

* I am easily distracted.
* AT&T firmwares were riddled with holes and backdoors (even I, not a security researcher in any way, found two different holes, which is how I managed to collect enough passwords to work out algorithms for the 589 and the 599 in the first place.) I had even submitted one CVE report (CVE-2017-10793) but was not sure what to do with it afterwards.
* About two months later, a real security researcher blew the whistle on this and found both of my holes and several others, which evidently led to some outcry and AT&T promptly got the most glaring holes patched. See https://www.nomotion.net/blog/sharknatto/.
* It does not look like AT&T got wise to the fact that we know how they do passwords (or did they?)
* I gave up before figuring out the remaining rounding-error effects in the 589 and the 599, which is why algorithms only work most of the time.
* I did not work out the 5268 algo at all, but I see that some guy on Hashkiller managed to crack a couple of them. No one seems to know how exactly he did it.

Am I missing anything?
Reply
Nope. You pretty much hit the nail on the head. Glad to see you back!
Reply
I actually just got back to where the box is. I'll take it with me when I leave and see if I can JTAG this thing. Hopefully I'll get back to you by next week if I can figure it out.
Reply