Keyspace List for WPA on Default Routers
Maybe you're interested in this (not only ATT):
http://boxnet.servehttp.com/cap/pix/DUMP/

BTW:
You can reduce the key space, if you assume "N0" within every serial number:
dddddN0ddddd
That makes life easier (and faster) to run first tests against some well selected hashes.
Reply
I may get flak for going a bit off-topic, but...
From what i have researched from research papers(and stuff), routers mostly use part of sha1(and derivatives), md5 or base64 hashes for passkey generation(like doing sha1 hash and taking 10 first chars from that hash). I have been tinkering with those hashes and found out that they *may* follow some kind of rules. Maybe not, so here i am asking from professionals.
Example problem(let's say sha1): Is it possible to know the least possible character on 3rd position after knowing first two characters on sha1 hash? Or the least possible character on 4th position after knowing first three characters?
Reply
(06-10-2020, 10:57 PM)hashserious Wrote: Is it possible to know the least possible character on 3rd position after knowing first two characters on sha1 hash? Or the least possible character on 4th position after knowing first three characters?

no.
Reply
That's what I thought and that was the obvious solution. However, that's not the SoxRok code.... I got this running in Paiza.io (still working on learning C++) That Mod 8 is causing the wrong answer (3m5p5s349p3m). So everybody who used SoxRoks version has the wrong dictionary for 589! I had to rewrite all my code to make the results match SoxRok. Oh well, back to return to the original code! That also means it's the same as 5268!




Code:
#include <iostream>
using namespace std;
#define ATT_NVG5XX_PSK_LEN 13

void genpass589(uint64_t key, unsigned char *psk) {
static const char CHARSET[] = "abcdefghijkmnpqrstuvwxyz23456789#%+=?";
int i;

uint64_t two = key;
psk[ATT_NVG5XX_PSK_LEN - 1] = 0;

for (i = 0; i < 6; i++) { // select character from the charset at given position
int key1 = CHARSET[two % 37];
two /= 37;
int key2 = 50 + (two % 8);
two /= 37;
psk[(10 - (i * 2)) + 1] = key1;
psk[(10 - (i * 2))] = key2;
}
}

int main(void){
    uint64_t key=234369665153722384;
    unsigned char psk[ATT_NVG5XX_PSK_LEN];
    genpass589(key, psk);
    cout << psk;
}
Reply
(06-27-2020, 08:53 PM)fart-box Wrote:
Quote:A book can't possibly be 37^11 (times 13 characters), that's probably more storage than atoms in the universe!

That's why we make a word-list (or a key-gen).

And I misspoke a couple of posts ago, referring to "books" containing 37^11 passwords. Please replace the word "books" with the word "chapters" in that post.

Books contain "chapters", (one chapter for each leading character), and each chapter contains 37^11 passwords, so the NVG589 book, for instance, contains 6 chapters, with each chapter containing 37^11 passwords. And don't forget, we have to stack those books until we have 1e19 lines (or passwords), even though we're not going to count every single line because we have to stop somewhere.

That's why we find a "seed", and why that seed must be eight to ten digits in length. The seed allows us to skip over all the stuff we don't want, (useless passwords consuming massive amounts of space) and just keep the good stuff.

As I stated back when Royce re-opened this thread, the proper seeds will create word-lists that each contain just over twelve billion passwords. Each password contains twelve characters, plus a new line byte, so thirteen times twelve billion makes a word-list around 165 Gb in size. If stored as files, you'll need 500 Gb of storage space to store all three word-lists. (The math using these figures comes to around 145 Gb per word-list, but these figures are not exact. The actual size on disk is right around 165 Gb per word-list.)

Twelve billion passwords sounds like a lot, but I use one particular computer with a single GPU card to test everything because it tests about 1,000 hashes per second, which makes doing the math pretty simple. Cracking one single four part handshake using any one of those 165 Gb word-lists can be done in under 24 hours on that machine alone. Naturally, that time is substantially reduced when I fire up the other machines, but 1,000 hashes per second makes it easier for you to calculate the speeds your rig will attain.

And one more thing... I don't know if you've read this entire thread, or if you've paid attention, but Mr. Fancypants is responsible for all of the original work, which was done in Python, and even though he made some mistakes, Soxrok simply took on the task of converting the Python code to C, mistakes included. In his own words, Mr. Fancypants "just got lucky" in finding a seed. I've always put my faith into a more mathematical solution.

The point being,  you haven't just generated "the wrong" dictionaries. They will work, sometimes, if you "just get lucky". You've got 2,147,483,647 chances to get lucky, or you can opt for the mathematical solution and have 12 billion chances to get it right every time.

Just curious, have you tried compressing all of those wordlists, compressed into a zip or gzip file, and then loading/using them with Hashcat 6?  I haven't tested this latest feature of Hashcat 6, the ability to use wordlists in a zip of gzip file, but maybe with this latest feature, the amount of required disk space can be reduced by quite a bit.

Plain text files usually compress well, so this might be worth checking.
Reply
Hi can anyone help me with the "Lower Alpha Keyspace Reducer"

I tried cl command to compile after installing Windows 7 and 10 SDK and using the command prompt in the folder.
But keep getting "'cl' is not recognized as an internal or external command"

and i tried using g++ in linux using "g++ la.cpp -ola" but that just made a 31kb file that i cant open so unsure how to make the wordlist program work.

I can run the files to make the words but want them output to .txt so i can use in hashcat.
Any help appreciated i will carry on finding topics on this but cant find much of videos on how to compile .cpp to wordlist.
Reply
(07-02-2020, 04:34 PM)drsnooker Wrote:
(07-02-2020, 03:15 PM)wckd1 Wrote: Any help appreciated i will carry on finding topics on this but cant find much of videos on how to compile .cpp to wordlist.

Hmmm, I only use Windows 10 (dos command), but in it had much luck with the TDM-gcc compiler. 
gcc filename.c
executable <options> >> outputfile.txt

I tried this but got alot of errors like "undefined reference to `std::ostream::operator<<(std::ostream& (*)(std::ostream&))'"

can you please make the wordlist and upload to mega.
https://github.com/wpatoolkit/Lower-Alph...ce-Reducer
Reply
why don't you just simple use the .exe file within that repo (yeah, I agree it's very bad to put executable files into source code repositories, but maybe this is a proof that users really have a hard time to compile simple files and even fail to see the .exe files).

The la.exe is listed there: https://github.com/wpatoolkit/Lower-Alph...ce-Reducer

The direct link is: https://github.com/wpatoolkit/Lower-Alph...ter/la.exe

I have no clue what this program does and why you would need this. I think this is getting really off-topic and you should ask questions like this for a 3rd party tool on the pages where you find these tools. This has nothing to do with hashcat.

Normally you would just use "Visual Studio" and the Console Application options to compile .c or .cpp source code on windows. This is for sure not that easy if you have no clue how to create a project in visual studio and how to configure this project... but there are thousands of tutorials/guides/resources out there that explain how to compile some easy console applications on windows with visual studio or similar software.

Any reason why you do not use la.exe from the repository directly ?
Reply
(07-08-2020, 05:17 PM)drsnooker Wrote: Looks like ATT has been using a BGW210-700 recently with a similar ESSID as the others. Do we know anything about that default password?
From ebay sales it looks like the default password look similar to those of the NVG599 and uses the same 37 characterset.

Signed up just to share my experience. I was able to generate the correct key for BGW210-700 using the 599 and pipe it through hashcat and a GTX 1080. Worked on multiple devices, average time is ~90 mins at ~350-400 kH/s.

I didn't think these were crackable until doing research, finding this thread and other resources. I have been able to crack 100% of the ATT******* networks I've found which is blowing my mind a little.
Reply
(07-29-2020, 05:40 PM)frizz Wrote:
(07-08-2020, 05:17 PM)drsnooker Wrote: Looks like ATT has been using a BGW210-700 recently with a similar ESSID as the others. Do we know anything about that default password?
From ebay sales it looks like the default password look similar to those of the NVG599 and uses the same 37 characterset.

Signed up just to share my experience. I was able to generate the correct key for BGW210-700 using the 599 and pipe it through hashcat and a GTX 1080. Worked on multiple devices, average time is ~90 mins at ~350-400 kH/s.

I didn't think these were crackable until doing research, finding this thread and other resources. I have been able to crack 100% of the ATT******* networks I've found which is blowing my mind a little.

I tried several ATT pace routers but not successful.
Reply