hashcat Forum
Keyspace List for WPA on Default Routers - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: Keyspace List for WPA on Default Routers (/thread-6170.html)



RE: Keyspace List for WPA on Default Routers - soxrok2212 - 07-07-2017

(07-06-2017, 10:50 PM)fart-box Wrote: I agree about the 'l'. It seems to be too seldom used.

I've been trying to convert those magic numbers your code generates into some form of seed to build a proper pass phrase but I've had no luck.

I wonder how soxrok2212 is doing with his firmware extraction...?

I got caught up in work, sorry. Was also trying to figure out which of the two possible points of interest may be UART but I ran out of time. Don't have a day off until next week, but I'll try to figure it out in any spare time.


RE: Keyspace List for WPA on Default Routers - mrfancypants - 07-09-2017

Alpha version of the keygen for NVG589:

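Code:
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'
def pwgen589(x):
  # scale the 31-bit input by the magic constant and truncate to an integer
  x=int(x*465661287.5245797)
  pw=''
  for n in range(0,6):
   pw=pw_charset[x%37] + pw
   x//=37  # floor division, so x stays an integer on Python 3 as well
   pw=chr(50+(x%8)) + pw
   x//=37
  return pw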

Example:

Code:
>>> pwgen589(0x57c5d9ab)
'596p7=6y6r2a'


As before, 'x' is integer 0 to 0x7FFFFFFF (2 billion options). I'm not yet clear how (or if) 'x' relates to other device attributes.

This only works about 70% of the time because of the rounding during the float multiplication step. The magic number is approximately equal to 1e18/2^31 + 111/2^9 + 2923/2^25 (not certain about the last term.) Depending on the order of operations, sometimes the result ends up slightly off.
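
An added example, not part of the original post or of any code from the thread: a defender-side check that flags a configured PSK still matching the NVG589 default layout produced by the snippet above, and compares the entropy the 12-character format suggests with what the 31-bit 'x' actually provides. The function names and the inventory are hypothetical; the SSIDs and the second passphrase are constructed.

```python
import math

# Format constants copied from the pwgen589 snippet in the post above.
PW_CHARSET = 'abcdefghijkmnpqrstuvwxyz23456789#%+=?'   # 37 symbols, odd positions
DIGITS = ''.join(chr(50 + d) for d in range(8))        # '2'..'9', even positions
SEED_SPACE = 0x7FFFFFFF + 1                            # x is 0..0x7FFFFFFF

def looks_like_nvg589_default(psk):
    """True if psk has the 12-character digit/symbol alternation pwgen589 emits."""
    if len(psk) != 12:
        return False
    return all(ch in (DIGITS if i % 2 == 0 else PW_CHARSET)
               for i, ch in enumerate(psk))

def nominal_bits():
    """Entropy the printed format suggests: six (digit, symbol) pairs."""
    return 6 * math.log2(len(DIGITS) * len(PW_CHARSET))

def effective_bits():
    """Entropy actually available when every key derives from the 31-bit x."""
    return math.log2(SEED_SPACE)

def audit(inventory):
    """Return the SSIDs whose PSK still matches the factory-default format."""
    return [ssid for ssid, psk in inventory.items()
            if looks_like_nvg589_default(psk)]

if __name__ == '__main__':
    # Constructed inventory: SSIDs are made up; the first PSK is the example
    # output quoted in the post, the second is an invented custom passphrase.
    inventory = {
        'ATT-lab-1': '596p7=6y6r2a',
        'ATT-lab-2': 'orchid-Lantern-4471-quartz',
    }
    print('nominal   : %.1f bits' % nominal_bits())
    print('effective : %.1f bits' % effective_bits())
    for ssid in audit(inventory):
        print('%s: PSK matches the NVG589 default format, replace it' % ssid)
```

The match is a heuristic on layout only, so a user-chosen key could match by chance, and keys of the 599 type mentioned later in the thread use a different layout and are not flagged.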


RE: Keyspace List for WPA on Default Routers - soxrok2212 - 07-09-2017

(07-09-2017, 10:40 AM)mrfancypants Wrote: Alpha version of the keygen for NVG589:

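Code:
pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'
def pwgen589(x):
  # scale the 31-bit input by the magic constant and truncate to an integer
  x=int(x*465661287.5245797)
  pw=''
  for n in range(0,6):
   pw=pw_charset[x%37] + pw
   x//=37  # floor division, so x stays an integer on Python 3 as well
   pw=chr(50+(x%8)) + pw
   x//=37
  return pw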

Example:

Code:
>>> pwgen589(0x57c5d9ab)
'596p7=6y6r2a'


As before, 'x' is integer 0 to 0x7FFFFFFF (2 billion options). I'm not yet clear how (or if) 'x' relates to other device attributes.

This only works about 70% of the time because of the rounding during the float multiplication step. The magic number is approximately equal to 1e18/2^31 + 111/2^9 + 2923/2^25 (not certain about the last term.) Depending on the order of operations, sometimes the result ends up slightly off.

I will modify this code a bit and see if a friend of mine can use his 2.6MH/s and see if it works on my 589.


RE: Keyspace List for WPA on Default Routers - mrfancypants - 07-10-2017

Give me the first 8 letters of the key from your 589.


RE: Keyspace List for WPA on Default Routers - soxrok2212 - 07-10-2017

b=+#gc5q


RE: Keyspace List for WPA on Default Routers - mrfancypants - 07-10-2017

That's a 599-type password (my previous code snippet) (some 589s have these) and the complete password should be b=+#gc5qr9gt

https://repl.it/JMbi/4


RE: Keyspace List for WPA on Default Routers - soxrok2212 - 07-10-2017

(07-10-2017, 02:37 AM)mrfancypants Wrote: That's a 599-type password (my previous code snippet) (some 589s have these) and the complete password should be b=+#gc5qr9gt

https://repl.it/JMbi/4

You are correct sir! Fantastic work! I know absolutely no C but from my understanding, if there are only 2.1 billion possibilities, then a full bruteforce is possible. I know a few people who could help me write this in C in order to pipe faster, but it may take some time.


RE: Keyspace List for WPA on Default Routers - soxrok2212 - 07-11-2017

I have written the NVG589 code in C with help from a friend. I have not tested performance with hashcat yet, but you should be able to pipe directly in. https://github.com/soxrok2212/PSKracker/blob/master/att.c


RE: Keyspace List for WPA on Default Routers - devilsadvocate - 07-12-2017

Initial tests are interesting. Between a combination of some pictures I had archived of NVG589s and some listings that can be seen on eBay, I tested a total of 7 devices.

In every case, I could see what the default wifi password was in a picture of the back of the unit.

Of the 7 I tested, the results were the following:

4 - password correctly calculated
2 - password almost correctly calculated
1 - not even close

Regarding the 2 that were almost correctly calculated, the passphrase, with the exception of the last 2 characters, was guessed correctly, but the last 2 characters were wrong. A workaround is to come up with a rule that can truncate the last 2 characters and brute force positions 11 and 12. Either that or adjust the code as necessary.

But this is remarkable.  Good work.

Cheers.


RE: Keyspace List for WPA on Default Routers - soxrok2212 - 07-12-2017

Did you test the python or C code?