Sky Q keyspace investigations


Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 20:22:25

Current working list for Sky Q, arranged in strict increasing SSID hex values

Code:
SSID     Passphrase MAC address       AP PIN   Serial Number
------------------------------------------------------------
SKY0F122 YYMXTFSMFP
SKY19451 WQTQPBCCXQ
SKY1F6A6 XNBTVCDYFQ
SKY24AF7 CYBVQDNWNR
SKY3E91F LVMYNNNXPS
SKY499C4 WPWMRRNMDT
SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN C0:3E:0F:F7:F8:E8 38353659 AC1015CD005391
SKY5CBDC MMTWNDSNWN
SKY6381D NLTWPPBRSV
SKY76867 CVFTFNBSXW
SKY89F48 QNDXTFMSLX
SKY91505 RNQMYPTFNY
SKYA2FC2 VFFCMPBXQL
SKYA329E BBCYYBQWBL
SKYAA967 XYLPBXVFNL
SKYADA53 NQRYMTRNYL 90:21:06:84:C8:80 89991572 AC2016CB004068 <- (B in serial might be 8)
SKYB564D VNTDYXBTVB
SKYB5847 PDDVWXPRNB C0:3E:0F:F2:11:D8 37280703 AC1015CD020862
SKYB669D YMDWDRYNSB
SKYB8413 TBDCDQBTRB
SKYC2E56 CLNBRRFVXC
SKYC9C1F NDWBSYCWWC
SKYD0C62 BCPNWBVLPD
SKYD210A WFNRPWRBPD
SKYE3C9A PSYLBPMYBM
SKYF1F68 PVCCQWMCFF
SKYF6C6A NTRBNBWNTF
SKY????? ?????????? 90:21:06:89:94:A8          AC10163D009378
SKY????? ?????????? C0:3E:0F:F8:D0:C0          AC1015CD016512
SKY????? ?????????? 90:21:06:FC:6B:D0          BC10166D001722


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

malte333

Status: n/a
Joined: Sat, 11 Feb 2017
Posts: 21
Team:
Reputation: 16 Reputation
Offline
Mon, 20 Feb 2017 @ 07:28:24

some new data...

SKYED65F QXFFDMNYYM
SKYF7E78 WBRNXBDMYF (blurry pic of mac: http://imgur.com/a/kj5tk)
SKY16E37 YPSWMCNLQQ 31319980 90:21:06:56:F7:98 AC2016CA000198
SKY1CBDB WSPPNWNBRQ (pic: http://imgur.com/a/0w5IY) (we had this before, with other pic?)


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421 Reputation
Offline
Mon, 20 Feb 2017 @ 07:57:49

Updated https://github.com/soxrok2212/Sky/blob/master/SkyQHub_ER100K



BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Mon, 20 Feb 2017 @ 14:42:30

This is the closest one to the primal hex calculation:

SKY 0 F122 YYMXTFSMF P

If we figure out the correct sequence in this one, we can get the keys.


EDIT: if we assume the position of

  • 0 = P 00=PP 000=PPP
  • 1 = Q 11=QQ 111=QQQ
  • 2 = R 22=RR ...
  • 3 = S 33=SS ...
  • 4 = T 44=TT ...
  • 5 = N 55=NN ...
  • 6 = V 66=VV ...
  • 7 = W 77=WW ...
  • 8 = X 88=XX ...
  • 9 = Y 99=YY ...
  • A = L AA=LL ...
  • B = B BB=BB ...
  • C = C CC=CC ...
  • D = D DD=DD ...
  • E = M EE=MM ...
  • F = F FF=FF ...

0F122 = HEX position

061730 = (numerical position of the alphabets in hex sequence)

YYMXTFSMFP = (alphabet positions in the hex sequence)


Can someone check this theory?


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Mon, 20 Feb 2017 @ 16:23:33

almondo said:

This is the closest one to the primal hex calculation:

SKY 0 F122 YYMXTFSMF P

If we figure out the correct sequence in this one, we can get the keys.


EDIT: if we assume the position of

  • 0 = P 00=PP 000=PPP
  • 1 = Q 11=QQ 111=QQQ
  • 2 = R 22=RR ...
  • 3 = S 33=SS ...
  • 4 = T 44=TT ...
  • 5 = N 55=NN ...
  • 6 = V 66=VV ...
  • 7 = W 77=WW ...
  • 8 = X 88=XX ...
  • 9 = Y 99=YY ...
  • A = L AA=LL ...
  • B = B BB=BB ...
  • C = C CC=CC ...
  • D = D DD=DD ...
  • E = M EE=MM ...
  • F = F FF=FF ...

0F122 = HEX position

061730 = (numerical position of the alphabets in hex sequence)

YYMXTFSMFP = (alphabet positions in the hex sequence)


Can someone check this theory?


Scrap this, this is incorrect.


malte333

Status: n/a
Joined: Sat, 11 Feb 2017
Posts: 21
Team:
Reputation: 16 Reputation
Offline
Mon, 20 Feb 2017 @ 16:47:29

fresh data:

SKY3B3E3 XBNCCNYWMS
SKY4AA62 BVSLCMTQWT


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Mon, 20 Feb 2017 @ 21:55:36

It's based on mac but I need to find the correct calculation.

MAC = SHA1SUM

We need to find how the algo calculates that.


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Mon, 20 Feb 2017 @ 23:32:05

I found this, it might help:
http://www.backtrack-linux.org/forums/archive/index.php/t-15739.html

Three routers use the same method, maybe it will work on this one.


malte333

Status: n/a
Joined: Sat, 11 Feb 2017
Posts: 21
Team:
Reputation: 16 Reputation
Offline
Tue, 21 Feb 2017 @ 07:38:26

almondo said:

I found this, it might help:
http://www.backtrack-linux.org/forums/archive/index.php/t-15739.html

Three routers use the same method, maybe it will work on this one.

thanks for your efforts and the link.

from the previous discussion:

Gort said:


I have already checked all the algorithms I am aware of and this one stands alone.
There is little to nothing available openly online.

The Sky Hub 1/2 and then the Sky Q were the first routers carrying the BSkyB MAC OUI.

Previously, BSkyB used routers manufactured by Netgear, Sagem and D-Link, with Sagem and
D-Link (now very rare) the only ones still seen in the wild. There may be a little information out
there about those algorithms, but none of them help with these new BSkyB routers.

We are breaking new ground here.


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Tue, 21 Feb 2017 @ 11:45:08

SKYD97CC PVYFCFBWVD
SKY6E3FA XCFCRMDCNV


malte333

Status: n/a
Joined: Sat, 11 Feb 2017
Posts: 21
Team:
Reputation: 16 Reputation
Offline
Tue, 21 Feb 2017 @ 18:17:18

SKYFF4E8 FLFTLBXQLF

Dunno if it's worth collecting these; maybe we should try to find only new data including the MAC?!


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Tue, 21 Feb 2017 @ 20:16:00

SKY0F091 XRPPWFSDLP


malte333

Status: n/a
Joined: Sat, 11 Feb 2017
Posts: 21
Team:
Reputation: 16 Reputation
Offline
Tue, 21 Feb 2017 @ 21:35:32

almondo said:

SKY0F091 XRPPWFSDLP

pretty close to SKY0F122


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Wed, 22 Feb 2017 @ 08:49:52

SKY0FA58 YFWWSCSCYP
SKY3633C LRQCQQYYPS
SKY69747 WNFYCVNBLV


Good information on this image but the quality is bad.

http://i.imgur.com/qDkSbb8.jpg


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Thu, 23 Feb 2017 @ 13:06:36

SKY6BF08 NYVLDYQXXV 90:21:06:7E:7A:18 90428791 AC10165B007278
SKY7D0A7 XLNYWNXYQW 90:21:06:E4:34:F0 18029444 B200167B009876
SKYBF408 WBTYMSMQDB
SKY33CA3 CPLCBDXYFS
SKYFA558 MLMCNBYQDF
SKYBAD7C NNLDCXBNPB


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Fri, 24 Feb 2017 @ 22:36:57

SKY7F271 SLDNXRBBFW


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421 Reputation
Offline
Sun, 26 Feb 2017 @ 01:00:43

Updated: https://github.com/soxrok2212/Sky/blob/master/SkyQHub_ER100K




kratos

Status: n/a
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Sun, 26 Feb 2017 @ 04:57:00

SKYC4FF6 MYFXDRRMSC

Why u collect these??



almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 26 Feb 2017 @ 16:59:57

kratos said:

SKYC4FF6 MYFXDRRMSC

Why u collect these??

This model of routers has an autoupdate firmware system, there is no place to find the standalone firmware updates to download and reverse them.

So we collect as much as we can of these keys to understand how they've been generated, we try to find a pattern to how those keys are being generated, and thanks for the key.

Rep +1


kratos

Status: n/a
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Sun, 26 Feb 2017 @ 17:08:41

almondo said:


This model of routers has an autoupdate firmware system, there is no place to find the standalone firmware updates to download and reverse them.

So we collect as much as we can of these keys to understand how they've been generated, we try to find a pattern to how those keys are being generated, and thanks for the key.

There is a pattern
Found by soxrok2212 on GitHub



almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 26 Feb 2017 @ 17:23:49

kratos said:

almondo said:


This model of routers has an autoupdate firmware system, there is no place to find the standalone firmware updates to download and reverse them.

So we collect as much as we can of these keys to understand how they've been generated, we try to find a pattern to how those keys are being generated, and thanks for the key.

There is a pattern
Found by soxrok2212 on GitHub

Lol! that was me and blandyuk who found it.

That pattern isn't that complex, it's easy to find; the problem is with the nine upper alphas that are left for us to find out how they've been generated, which is hard at the moment.

But thanks to soxrok2212 for keeping the list updated.

Go back to https://forum.hashkiller.co.uk/topic-view.aspx?t=2715&m=122775#122775 for more information.


kratos

Status: n/a
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Sun, 26 Feb 2017 @ 22:00:26

almondo said:


Lol! that was me and blandyuk who found it.

That pattern isn't that complex, it's easy to find; the problem is with the nine upper alphas that are left for us to find out how they've been generated, which is hard at the moment.

But thanks to soxrok2212 for keeping the list updated.

Go back to https://forum.hashkiller.co.uk/topic-view.aspx?t=2715&m=122775#122775 for more information.

Thanks for the link, all is read now.
Now I see blandyuk found the pattern.
Why does it not say this on GitHub?
The pattern is easy to find only after you know it.



kratos

Status: n/a
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Mon, 27 Feb 2017 @ 13:43:11

SKY7FE55:YFSTVYWXPW



jHi6az3HB

Status: n/a
Joined: Fri, 24 Feb 2017
Posts: 9
Team:
Reputation: 0 Reputation
Offline
Tue, 28 Feb 2017 @ 15:50:46

Hello guys!

I have exported 836 SKYXXXXX hashes from Darkircop for my research and I was just wondering.
Is it normal for different SSIDs and BSSIDs to have the same anonce, snonce, Key MIC and eapol?


kratos

Status: n/a
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Tue, 28 Feb 2017 @ 15:53:09

jHi6az3HB said:

Hello guys!

I have exported 836 SKYXXXXX hashes from Darkircop for my research and I was just wondering.
Is it normal for different SSIDs and BSSIDs to have the same anonce, snonce, Key MIC and eapol?

No
close to impossible



jHi6az3HB

Status: n/a
Joined: Fri, 24 Feb 2017
Posts: 9
Team:
Reputation: 0 Reputation
Offline
Tue, 28 Feb 2017 @ 16:37:49

kratos said:

jHi6az3HB said:

Hello guys!

I have exported 836 SKYXXXXX hashes from Darkircop for my research and I was just wondering.
Is it normal for different SSIDs and BSSIDs to have the same anonce, snonce, Key MIC and eapol?

No
close to impossible

I think the same, however:


  • ESSID (length: 11): SKY11832
  • Key version: 2
  • BSSID: B6:D3:0F:68:90:9B
  • STA: 2A:E3:7C:AA:A6:2D
  • anonce: 07BC92EA2F5A1EE254F6B1B7E0AAD353F45B0AACF9C9902F90D87880B7030A20
  • snonce: 9530D1C7C355B9ABE683D6F37ECB7802751F53CCB581D1523BB4BAAD23AB0107
  • Key MIC: 2E98E88369399BB815AB6C129D731233
  • eapol: 0103007502010A000000000000000000119530D1C7C355B9ABE683D6F37ECB7802751F53CCB581D1523BB4BAAD23AB0107000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000FAC020100000FAC040100000FAC020000

  • ESSID (length: 11): SKY38697
  • Key version: 2
  • BSSID: B7:AE:4C:3E:15:B0
  • STA: 9C:6F:22:84:2C:68
  • anonce: 07BC92EA2F5A1EE254F6B1B7E0AAD353F45B0AACF9C9902F90D87880B7030A20
  • snonce: 9530D1C7C355B9ABE683D6F37ECB7802751F53CCB581D1523BB4BAAD23AB0107
  • KeyMIC: 2E98E88369399BB815AB6C129D731233
  • eapol: 0103007502010A000000000000000000119530D1C7C355B9ABE683D6F37ECB7802751F53CCB581D1523BB4BAAD23AB0107000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000FAC020100000FAC040100000FAC020000

So, maybe it is a bug?

PS.: 374 hccaps are the same.


kratos

Status: n/a
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Tue, 28 Feb 2017 @ 16:44:13

jHi6az3HB said:

kratos said:

jHi6az3HB said:

Hello guys!

I have exported 836 SKYXXXXX hashes from Darkircop for my research and I was just wondering.
Is it normal for different SSIDs and BSSIDs to have the same anonce, snonce, Key MIC and eapol?

No
close to impossible

I think the same, however:


So, maybe it is a bug?

OK I correct myself...

not close to impossible
absolutely impossible!

a MIC collision like this in HMAC-SHA1 would be bigger news than collision in SHA1

has to be a bug



jHi6az3HB

Status: n/a
Joined: Fri, 24 Feb 2017
Posts: 9
Team:
Reputation: 0 Reputation
Offline
Tue, 28 Feb 2017 @ 17:01:06

It was just a doubt, maybe I have a lot of corrupted hccaps. :3

Thanks kratos!
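
The check implied by the exchange above, as an added example (not code from the thread or from any tool named in it): byte-identical anonce, snonce, Key MIC and eapol under different ESSID/BSSID pairs marks a faulty export, so records are grouped by handshake material and each record's snonce is compared with the nonce field inside its own EAPOL-Key frame. The record layout, function names and all sample values are constructed for illustration; the offsets assume an EAPOL-Key message 2 laid out like the records quoted in the thread, and the constructed frames carry no key data.

```python
import struct
from collections import defaultdict

# Offsets inside an EAPOL-Key frame (4-byte EAPOL header included).
NONCE_OFF, NONCE_LEN, MIN_LEN = 17, 32, 99

def make_eapol(snonce, replay=1):
    """Constructed message-2 EAPOL-Key frame: MIC field zeroed, no key data."""
    body = struct.pack(">BHHQ", 2, 0x010A, 0, replay) + snonce
    body += bytes(16 + 8 + 8 + 16) + struct.pack(">H", 0)  # IV, RSC, ID, MIC, data len
    return struct.pack(">BBH", 1, 3, len(body)) + body

def check_record(rec):
    """Return structural problems found in one exported handshake record."""
    e = rec["eapol"]
    if len(e) < MIN_LEN or e[1] != 3:
        return ["not an EAPOL-Key frame"]
    problems = []
    if struct.unpack(">H", e[2:4])[0] != len(e) - 4:
        problems.append("EAPOL length field does not match frame size")
    if e[NONCE_OFF:NONCE_OFF + NONCE_LEN] != rec["snonce"]:
        problems.append("snonce differs from the nonce inside eapol")
    return problems

def find_shared_handshakes(records):
    """Networks whose records carry byte-identical handshake material."""
    groups = defaultdict(set)
    for r in records:
        key = (r["anonce"], r["snonce"], r["mic"], r["eapol"])
        groups[key].add((r["essid"], r["bssid"]))
    return [sorted(nets) for nets in groups.values() if len(nets) > 1]

def sample_record(essid, bssid, seed):
    """Constructed record; every value is derived from a one-byte seed."""
    snonce = bytes([seed]) * 32
    return {"essid": essid, "bssid": bssid, "anonce": bytes([seed ^ 0xFF]) * 32,
            "snonce": snonce, "mic": bytes([seed + 1]) * 16,
            "eapol": make_eapol(snonce)}

SAMPLE = [sample_record("NET-A", "02:00:00:00:00:01", 0x11),
          sample_record("NET-B", "02:00:00:00:00:02", 0x22)]
# Export fault as described in the thread: NET-C repeats NET-A's handshake bytes.
SAMPLE.append({**SAMPLE[0], "essid": "NET-C", "bssid": "02:00:00:00:00:03"})
# Second fault: a record whose snonce no longer matches its own frame.
SAMPLE.append({**sample_record("NET-D", "02:00:00:00:00:04", 0x33), "snonce": bytes(32)})

if __name__ == "__main__":
    for nets in find_shared_handshakes(SAMPLE):
        print("same handshake under different networks:", nets)
    for r in SAMPLE:
        print(r["essid"], check_record(r) or "ok")
```

Any group this reports is a reason to re-export or discard the affected records before drawing conclusions from them.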


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Tue, 28 Feb 2017 @ 21:21:44

@jHi6az3HB are those for Sky Q or SKY Hub?


jHi6az3HB

Status: n/a
Joined: Fri, 24 Feb 2017
Posts: 9
Team:
Reputation: 0 Reputation
Offline
Tue, 28 Feb 2017 @ 21:46:37

Sorry if I have posted in the wrong place.
I think no. They are old hashes.


