Keyspace List for WPA on Default Routers - Printable Version
hashcat Forum (https://hashcat.net/forum), Misc / User Contributions, thread /thread-6170.html
RE: Keyspace List for WPA on Default Routers - devilsadvocate - 08-17-2017

(08-15-2017, 02:26 AM)mrfancypants Wrote:
    I am not sure I even understand your difficulty. Any guesses as to the float number that the 5268AC might be using? Or is the 5268AC using a variation of the 599 scheme?

I haven't looked at this in at least a couple of weeks, but I got as far as modifying some of the python for the 599 and experimenting with different values for where the pwgen function starts (normally at 2^32+2). Something like this. I am incrementing "m" in this example. The first 6 digits were input from an eBay listing for testing.

Code:
    pw_charset='abcdefghijkmnpqrstuvwxyz23456789#%+=?'

I was aiming to get it to produce output valid for 5268AC devices. It was worth a shot, but didn't work. I am going to have to go back in this thread and see if there was python for the 589 that can be tested. Perhaps all that is needed for the 5268AC is a different "magic number", a correct floating point value that produces the correct result. Has anyone had time to experiment?

RE: Keyspace List for WPA on Default Routers - zarabatana - 08-25-2017

Here in Brazil we have an ISP called GVT. The default password is the Serial Number of the wireless router. Here is an example:

    D-Link
    SSID:   GVT-8A8A
    PASS:   N1B9027544
    SERIAL: PJ2N1B9027544
    MAC:    84:C9:B2:EB:8A:8A

Just count 10 chars from right to left, and that is the WPA/WPA2 Key. My question is: is there a way to calculate the Serial Number? D-Link was used in this example, but it can be Arcadyan, Sagemcom, etc. It always will be the Serial Number. Using Wireshark, the serial number received isn't the same as the one on the sticker on the bottom. Thank you for your time.

RE: Keyspace List for WPA on Default Routers - zarabatana - 09-07-2017

Hi all. Thanks to a member of the forum, I have good news about the GVT network. The task is not completed yet, but we have new information to share.

1) The first 3 chars of the password come from the OUI.
E.g.:

    OUI       Partial Pass   Router Brand
    6c:19:8f  91E            D-Link International
    84:c9:b2  N1B            D-Link International
    ec:22:80  S1E            D-Link International

So, if the router is a D-Link, we can get the 1st, 2nd and 3rd digits from the OUI. The last 6 chars are only numbers. The 4th position can be a number or a letter. The mask for hashcat is:

    <OUI - info>?1?d?d?d?d?d?d -1 ?u?d

The serial should be linked to the MAC, but I really lack the skill to analyze the firmware. Any help will be more than welcome here. A few pairs to analyse:

    MAC ESSID WPA/WPA2
    ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
    6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
    6815905da437:a89fba14ad7c:GVT-A436:5067014811
    c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
    6c198f027914:7ce9d3d7b853:GVT-7917:91E4019783
    6c198f023368:d022bed72ab1:GVT-336B:91E4008101
    84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
    84c9b2ebbbff:cc52af6190a4:GVT-BBFE:N1B9033142
    ec228045ef13:e006e6d03827:GVT-EF13:S1E8013780

Thank you all!

Edit: link to download a firmware: https://ryan.com.br/wp/download/Firmware/FirmwareOriginal_D-Link_DSL-2740e_GVT.ryan.com.br.zip

(08-25-2017, 11:40 PM)zarabatana Wrote:
    Here in Brazil we have an ISP called GVT.

RE: Keyspace List for WPA on Default Routers - robertoakira1 - 09-09-2017

Hi Zarabatana, thank you for the information. Could you explain how you got "91E" from "6c:19:8f"? Thanks.

(09-07-2017, 08:36 PM)zarabatana Wrote:
    Hi all.

RE: Keyspace List for WPA on Default Routers - zarabatana - 09-10-2017

Hi robertoakira1. It is fixed. Analyzing a few default pairs of BSSID:KEY, you can see this relation. E.g.:

    BSSID        KEY
    6c198f02b804:91E5007819
    6c198f027914:91E4019783
    6c198f023368:91E4008101

As you can see, every time the OUI is 6c198f the KEY starts with 91E. That is valid for the GVT ISP (Brazil). If I can help with something more, just ask.
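A defender-side check, added here and not code from anyone in the thread, for whether a router's current key still has the GVT factory shape described in the 08-25, 09-07 and 09-10 posts (i.e. whether the owner never changed it). The OUI table, the key shape and the sample pairs come from those posts; the function names and the labels oui_default / shape_only / custom are my own.

```python
import re

# OUI -> first three characters of the GVT factory key, exactly as tabulated
# in the 09-07 post. Assumption: the table is no more complete than the thread.
GVT_OUI_PREFIX = {"6c198f": "91E", "84c9b2": "N1B", "ec2280": "S1E"}

# Key shape from the 09-07 post: three OUI-derived chars, one uppercase letter
# or digit, then six digits (the hashcat mask <OUI-info>?1?d?d?d?d?d?d, -1 ?u?d).
KEY_SHAPE = re.compile(r"^[A-Z0-9]{3}[A-Z0-9][0-9]{6}$")

def key_from_serial(serial: str) -> str:
    """08-25 post: the factory key is the last 10 characters of the serial."""
    return serial[-10:]

def keyspace_per_oui() -> int:
    """Candidates the mask still covers once the 3-char prefix is known: 36 * 10^6."""
    return 36 * 10 ** 6

def classify_key(bssid: str, key: str) -> str:
    """'oui_default': prefix matches the OUI table; 'shape_only': factory shape
    but OUI not in the table; 'custom': does not look like a factory key."""
    oui = bssid.replace(":", "").lower()[:6]
    if not KEY_SHAPE.match(key):
        return "custom"
    prefix = GVT_OUI_PREFIX.get(oui)
    if prefix is not None and key.startswith(prefix):
        return "oui_default"
    return "shape_only"

def audit(pairs_text: str) -> dict:
    """Tally classes over 'bssid:station:essid:key' lines (the thread's pair format)."""
    counts = {"oui_default": 0, "shape_only": 0, "custom": 0}
    for line in pairs_text.split():
        bssid, _station, _essid, key = line.split(":")
        counts[classify_key(bssid, key)] += 1
    return counts

# Constructed sample input: five of the pairs posted in the thread.
SAMPLE_PAIRS = """
ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
6815905da437:a89fba14ad7c:GVT-A436:5067014811
c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PAIRS), "candidates per OUI:", keyspace_per_oui())
```

Any oui_default or shape_only result means the key sits in a space of at most 36 million candidates per OUI and should be replaced with a user-chosen passphrase.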
(09-09-2017, 04:06 AM)robertoakira1 Wrote:
    Hi Zarabatana,

RE: Keyspace List for WPA on Default Routers - soxrok2212 - 09-13-2017

Finally fixed my NVG599 code; it took me a while to figure out what I did wrong... my output was 2a2a2a.... and I realized that I hadn't done the exponentiation correctly. Feel free to laugh and drop some nasty comments: https://github.com/soxrok2212/PSKracker/commit/e5d9570482dc7ee8d5a4f169ad8c85fbe082c54b

RE: Keyspace List for WPA on Default Routers - soxrok2212 - 11-04-2017

For what it's worth, I wrote some code (currently as a separate piece of PSKracker) to calculate the seed given the password as an input parameter. Currently only for NVG589 models, but I'll work on the rest. Can use this for eBay sticker searches so we can hopefully find where the seeds come from. Usage is:

Code:
    ./pskracker -f <psk_here>

Will return the seed in decimal if found. https://github.com/soxrok2212/PSKracker/tree/seed

RE: Keyspace List for WPA on Default Routers - calexico - 11-09-2017

(11-09-2017, 10:39 PM)fart-box Wrote:
    (11-04-2017, 03:03 AM)soxrok2212 Wrote:
        For what it's worth, I wrote some code...

Do you think searching eBay for 5268AC labels is a good strategy? Also, what do you mean by "Passwords as close to one another as possible"? Just trying to understand what that means, precisely. TIA, -Cal

RE: Keyspace List for WPA on Default Routers - soxrok2212 - 11-10-2017

Hi fart-box... I laugh at that every time. I guess what I am searching for in recovering the seeds is some kind of link to another piece of information, i.e. MAC address, serial number, SSID, something. I know there must be something. The seed HAS to be from somewhere. I doubt they made a generator that's easy enough to run through all possibilities in an hour with average hardware yet made the seed completely random.

So if you take the code for seed recovery and input known passwords, then make a list of MAC addresses, serial numbers, SSIDs, seeds and whatever else, I'm sure we will find the pattern.

RE: Keyspace List for WPA on Default Routers - RealEnder - 11-10-2017

Do you have a list of default SSIDs for those routers? Or are those just ATT*?