Keyspace List for WPA on Default Routers
I've read the whole thread, much of it is over my head. I figured I'd start with the programming, as that's what I understand, and then piece together the rest of the puzzle slowly. When Zerbea started talking SHA1, I got lost and went back to learning C++. HAHAHA
Was Fancy's seed correct for NVG589? He made a lot of changes after that with all the int128 math...
The NVG599 seed seems much easier (based on inverting all that bit shifting). I'd like to understand how to derive the seed, so I can take a stab at the 5268. I've plotted all the keys for all the PSKs and they form a pretty straight line. I figured the slope was the seed, but that didn't seem to work out. Still too granular.
Reply
(06-27-2020, 08:53 PM)fart-box Wrote:
Quote: A book can't possibly be 37^11 (times 13 characters), that's probably more storage than atoms in the universe!

That's why we make a word-list (or a key-gen).

And I misspoke a couple of posts ago, referring to "books" containing 37^11 passwords. Please replace the word "books" with the word "chapters" in that post.

Books contain "chapters", (one chapter for each leading character), and each chapter contains 37^11 passwords, so the NVG589 book, for instance, contains 6 chapters, with each chapter containing 37^11 passwords. And don't forget, we have to stack those books until we have 1e19 lines (or passwords), even though we're not going to count every single line because we have to stop somewhere.

That's why we find a "seed", and why that seed must be eight to ten digits in length. The seed allows us to skip over all the stuff we don't want, (useless passwords consuming massive amounts of space) and just keep the good stuff.

As I stated back when Royce re-opened this thread, the proper seeds will create word-lists that each contain just over twelve billion passwords. Each password contains twelve characters, plus a new line byte, so thirteen times twelve billion makes a word-list around 165 Gb in size. If stored as files, you'll need 500 Gb of storage space to store all three word-lists. (The math using these figures comes to around 145 Gb per word-list, but these figures are not exact. The actual size on disk is right around 165 Gb per word-list.)

Twelve billion passwords sounds like a lot, but I use one particular computer with a single GPU card to test everything because it tests about 1,000 hashes per second, which makes doing the math pretty simple. Cracking one single four part handshake using any one of those 165 Gb word-lists can be done in under 24 hours on that machine alone. Naturally, that time is substantially reduced when I fire up the other machines, but 1,000 hashes per second makes it easier for you to calculate the speeds your rig will attain.

And one more thing... I don't know if you've read this entire thread, or if you've paid attention, but Mr. Fancypants is responsible for all of the original work, which was done in Python, and even though he made some mistakes, Soxrok simply took on the task of converting the Python code to C, mistakes included. In his own words, Mr. Fancypants "just got lucky" in finding a seed. I've always put my faith into a more mathematical solution.

The point being, you haven't just generated "the wrong" dictionaries. They will work, sometimes, if you "just get lucky". You've got 2,147,483,647 chances to get lucky, or you can opt for the mathematical solution and have 12 billion chances to get it right every time.

Just curious, have you tried compressing all of those wordlists into a zip or gzip file, and then loading/using them with Hashcat 6? I haven't tested this latest feature of Hashcat 6, the ability to use wordlists in a zip or gzip file, but maybe with this latest feature, the amount of required disk space can be reduced by quite a bit.

Plain text files usually compress well, so this might be worth checking.
Reply
Hi, can anyone help me with the "Lower Alpha Keyspace Reducer"?

I tried the cl command to compile after installing the Windows 7 and 10 SDKs and using the command prompt in the folder.
But I keep getting "'cl' is not recognized as an internal or external command".

And I tried using g++ in Linux using "g++ la.cpp -ola", but that just made a 31kb file that I can't open, so I'm unsure how to make the wordlist program work.

I can run the files to make the words, but I want them output to .txt so I can use them in hashcat.
Any help appreciated. I will carry on finding topics on this, but I can't find many videos on how to compile .cpp to a wordlist.
Reply
(07-02-2020, 03:15 PM)wckd1 Wrote: Any help appreciated. I will carry on finding topics on this, but I can't find many videos on how to compile .cpp to a wordlist.

Hmmm, I only use Windows 10 (DOS command), but in it I had much luck with the TDM-gcc compiler.
gcc filename.c
executable <options> >> outputfile.txt
Reply
(07-02-2020, 04:34 PM)drsnooker Wrote:
(07-02-2020, 03:15 PM)wckd1 Wrote: Any help appreciated. I will carry on finding topics on this, but I can't find many videos on how to compile .cpp to a wordlist.

Hmmm, I only use Windows 10 (DOS command), but in it I had much luck with the TDM-gcc compiler.
gcc filename.c
executable <options> >> outputfile.txt

I tried this but got a lot of errors like "undefined reference to `std::ostream::operator<<(std::ostream& (*)(std::ostream&))'".

Can you please make the wordlist and upload it to Mega?
https://github.com/wpatoolkit/Lower-Alph...ce-Reducer
Reply
Why don't you just simply use the .exe file within that repo? (Yeah, I agree it's very bad to put executable files into source code repositories, but maybe this is proof that users really have a hard time compiling simple files and even fail to see the .exe files.)

The la.exe is listed there: https://github.com/wpatoolkit/Lower-Alph...ce-Reducer

The direct link is: https://github.com/wpatoolkit/Lower-Alph...ter/la.exe

I have no clue what this program does and why you would need this. I think this is getting really off-topic and you should ask questions like this for a 3rd party tool on the pages where you find these tools. This has nothing to do with hashcat.

Normally you would just use "Visual Studio" and the Console Application options to compile .c or .cpp source code on Windows. This is for sure not that easy if you have no clue how to create a project in Visual Studio and how to configure this project... but there are thousands of tutorials/guides/resources out there that explain how to compile some easy console applications on Windows with Visual Studio or similar software.

Any reason why you do not use la.exe from the repository directly?
Reply
Looks like ATT has been using a BGW210-700 recently with a similar ESSID to the others. Do we know anything about that default password?
From eBay sales it looks like the default password looks similar to those of the NVG599 and uses the same 37-character set.
Reply
(06-28-2020, 09:07 PM)fart-box Wrote: It is, because it only has two books in the stack, and inverting and bit shifting is a waste of time, in my opinion.

The seed is nothing more than a divisor, or a multiplier, depending on which term you prefer. In other words, a key, divided by a seed, equals a number (the 'x' or counter in a key-gen). So that number, times the seed, equals the key.

Thanks Fart-Box, and this is where I get stuck. How do I determine that divisor?
key1/divisor=seed1
key2/divisor=seed2
etc.
The response surface isn't smooth, so I cannot determine it from pure math. I can determine a divisor that works for any two keys, but then it doesn't work for the third, let alone the 60th.

Another clue please!
Reply
(07-08-2020, 05:17 PM)drsnooker Wrote: Looks like ATT has been using a BGW210-700 recently with a similar ESSID to the others. Do we know anything about that default password?
From eBay sales it looks like the default password looks similar to those of the NVG599 and uses the same 37-character set.

Signed up just to share my experience. I was able to generate the correct key for the BGW210-700 using the 599 and pipe it through hashcat and a GTX 1080. Worked on multiple devices; average time is ~90 mins at ~350-400 kH/s.

I didn't think these were crackable until doing research, finding this thread and other resources. I have been able to crack 100% of the ATT******* networks I've found which is blowing my mind a little.
Reply
Thanks Frizz. Sadly I've struck out on 5 ATT****** caps. I've extended the pskracker algorithm to 8*INTMAX, giving about 160Gb files that I can crank through overnight on a 1080ti, which, as Fart said, means the divider is actually wrong, so I didn't get lucky.
Reply