Keyspace List for WPA on Default Routers
(08-01-2020, 08:38 PM)drsnooker Wrote: Thanks Frizz...

Sorry for not being here for a while, guys. My log-in hasn't been working on this site for some reason. Today, I got lucky on my 4th attempt to log in.

You're both right about the BGW210-700. I've been saving this as "bonus information" for anyone brave enough to use their brains, but drsnooker found it on his own and spilled the beans.

I've been cracking BGW210-700 passwords for well over a year now, without fail, using my NVG-599 key-gen.

And to answer drsnooker's other question, you've got to put ALL of your keys into one pot and find ONE divisor that divides all of the keys.

It's worth noting that, in the NVG-599 key-gen, MrFancypants multiplies '2^32+2' by 'x', then floats the result, thus preserving and maintaining any fractions that might be produced. Yet, in the NVG-589 key-gen, MrFancypants multiplies '465661287.5245797' by 'x', then uses the resulting integer (ignoring the fraction) as the key to build the password.
Reply
(07-29-2020, 05:40 PM)frizz Wrote:
(07-08-2020, 05:17 PM)drsnooker Wrote: Looks like ATT has been using a BGW210-700 recently with a similar ESSID as the others. Do we know anything about that default password?
From eBay sales it looks like the default passwords look similar to those of the NVG599 and use the same 37-character set.

Signed up just to share my experience. I was able to generate the correct key for BGW210-700 using the 599 and pipe it through hashcat and a GTX 1080. Worked on multiple devices, average time is ~90 mins at ~350-400 kH/s.

I didn't think these were crackable until doing research, finding this thread and other resources. I have been able to crack 100% of the ATT******* networks I've found which is blowing my mind a little.

I tried several ATT Pace routers but was not successful.
Reply
(10-04-2020, 02:30 AM)samlak Wrote: I tried several ATT Pace routers but was not successful.


That's because ARRIS makes the BGW210-700 routers, not Pace.
Reply
I've been working on the 5268's, not gonna clog up this thread with what I've found but if anyone's interested in collaborating please send me a PM.
Reply
Been comparing 5286AC-FXN credentials.

There is a clear correlation between the first six digits of the MAC, and the first five digits of the S/N.

I'll list the pictures I used to deduce this.

MAC F8:18:97:1E:DD:1C , S/N 18151N018859
https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4

MAC F8:18:97:08:A8:64 , S/N 19151N004762
https://picclick.com/Pace-ATT-Model-5268...id=1&pid=4

Same thing with these two
https://picclick.com/ATT-U-VERSE-WI-FI-H...id=1&pid=4

https://picclick.com/ATT-U-Verse-Megabit...id=1&pid=5

And these three

https://picclick.com/ATT-U-VERSE-5268AC-...id=1&pid=1

https://picclick.com/ATT-U-verse-Pace-52...id=1&pid=3

https://picclick.com/ATT-UVerse-5268ACFX...id=1&pid=2

You can definitely see a pattern in the S/Ns.

The last six digits of the S/N are probably a unique ID. Not sure if any of this will yield anything, but it is interesting so I thought I'd share.
Reply
Welcome back Fart box! Did somebody remove all your old comments? I was going to re-read all the clues you gave, but they seem to have disappeared. There's a renewed interest in trying to figure this out, so any clues would be super appreciated.
We have recovered the multiplier for 599 from scratch and are now working on recovering how fancy got his multiplier. After that, we'll go after 5268ac.

A specific question for fart-box: Out of the 250 nvg599 passwords listed in the pastebin on page 15 of this thread, the soxrok code only generates 90. (about a third) Does your algorithm produce every single one, or do you have some misses as well?
Reply