Author |
Message |
almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48
Offline
|
Tue, 28 Feb 2017 @ 21:58:22
jHi6az3HB said: Sorry if I have posted in the wrong place.
I think no. They are old hashes. Nothing wrong here, we just want to break one of them, or both if we can. This topic is for both, you just need to specify which one you're talking about, to figure out what important information you add and understand it. By the way, what aircrack version did you use when you got that kind of strange caps?
|
|
|
kratos
Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126
Offline
|
Tue, 28 Feb 2017 @ 22:14:27
SKY3DE23:CDFSBTDMNS
|
|
|
jHi6az3HB
Status: n/a
Joined: Fri, 24 Feb 2017
Posts: 9
Team:
Reputation: 0
Offline
|
Tue, 28 Feb 2017 @ 22:42:56
almondo said: jHi6az3HB said: Sorry if I have posted in the wrong place. I think no. They are old hashes. Nothing wrong here, we just want to break one of them, or both if we can. This topic is for both, you just need to specify which one you're talking about, to figure out what important information you add and understand it. By the way, what aircrack version did you use when you got that kind of strange caps?
aircrack-ng-1.2-rc4-win
|
|
|
kratos
Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126
Offline
|
Wed, 01 Mar 2017 @ 22:25:18
SKY1F326:XLWRCRFMRQ
|
|
|
kratos
Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126
Offline
|
Thu, 02 Mar 2017 @ 21:51:42
SKY5EA85:VPDWTSPQWN
|
|
|
kratos
Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126
Offline
|
Thu, 02 Mar 2017 @ 22:00:31
SKY23B43:YSXMYNYTFR
|
|
|
kratos
Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126
Offline
|
Sun, 05 Mar 2017 @ 22:32:48
SKYA61E7 CLLFYWQSSL
|
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Team:
Reputation: 421
Offline
|
Mon, 06 Mar 2017 @ 01:07:20
Updated  https://github.com/soxrok2212/Sky/blob/master/SkyQHub_ER100K
BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1 NVIDIA 1x GTX 1080 Founder’s Edition 1x GTX 980 Reference Design
|
|
|
kratos
Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126
Offline
|
Mon, 06 Mar 2017 @ 05:38:08
soxrok2212 said: seem no new idea on data from anyone? just collecting now with no reason?
|
|
|
95AE6B15
Status: Trusted
Joined: Fri, 23 May 2014
Posts: 2482
Team:
Reputation: 3625
Offline
|
Mon, 06 Mar 2017 @ 05:54:32
The keyspace hasn't changed any. I have to look at the char per positions based on the updated list. But there were certain positions in the passphrase that didn't use all 16 chars. But that was based on a week or 2 ago. I'll have to rerun the analysis on it and see if it has changed any. I'll try and do that tomorrow and post up the results.
|
|
|
kratos
Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126
Offline
|
Mon, 06 Mar 2017 @ 06:10:03
cvsi said: But there were certain positions in the passphrase that didn't use all 16 chars. But that was based on a week or 2 ago.
is that the blandyuk pattern of first ssid hex to last pass map?
cvsi said: I'll have to rerun the analysis on it and see if it has changed any. I'll try and do that tomorrow and post up the results.
OK, seeing nothing else here but flat random distribution. Other patterns claimed in thread were all false.
|
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Team:
Reputation: 421
Offline
|
Mon, 08 May 2017 @ 22:49:59
Finally managed to get a probe response from a Sky Q, this is what it looks like in the WPS tag. Shows the exact model, ER110. SR102 will show Broadcom and 123456 for model name and model number.

|
|
|
cranky
Status: n/a
Joined: Sat, 16 Sep 2017
Posts: 25
Team:
Reputation: 10
Offline
|
Thu, 21 Sep 2017 @ 19:36:43
Spent ages scraping the bay and looked at known keys here and noticed the 2nd from last char is never (haven’t seen yet) an ‘A’ so maybe using custom char sets -1 (known keyspace) -2 (known omitting ‘A’) -1?1?1?1?1?1?1?1?2?1 should speed thing up a little?
|
|
|
mackinson
Status: Member
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106
Offline
|
Thu, 21 Sep 2017 @ 19:45:01
cranky said: Spent ages scraping the bay and looked at known keys here and noticed the 2nd from last char is never (haven’t seen yet) an ‘A’ so maybe using custom char sets -1 (known keyspace) -2 (known omitting ‘A’) -1?1?1?1?1?1?1?1?2?1 should speed thing up a little?
That discovery is not particularly surprising, considering that A is not even in the Sky Q charset in the first place.
|
|
|
cranky
Status: n/a
Joined: Sat, 16 Sep 2017
Posts: 25
Team:
Reputation: 10
Offline
|
Thu, 21 Sep 2017 @ 19:47:58
Ahh shucks, back to the drawing board!!! I got mixed up with the standard charset and the q one *goes back and sits in the corner quietly*
|
|
|
mackinson
Status: Member
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106
Offline
|
Thu, 21 Sep 2017 @ 20:08:47
cranky said: Ahh shucks, back to the drawing board!!! I got mixed up with the standard charset and the q one *goes back and sits in the corner quietly*
I still commend you for trying to find something new. This thread has gone pretty dead.
Noticed something that is quite amusing, but I am not sure there is any more to it. If you push the Sky Q charset through the SSID to final character mapping backwards, the isolated LMN group maps to AE5, which immediately made me wonder if someone had buried a hint to AES being used in the algorithm? Anyway, all seems like a very odd coincidence?
Code:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
 BCD F     LMN PQRST VWXY   Sky Q charset
 BCD F     AE5 01234 6789   Sky Q charset backwards through mapping
|
|
|
Felis-Sapiens
Status: Member
Joined: Thu, 07 Jul 2016
Posts: 164
Team:
Reputation: 366
Offline
|
Fri, 22 Sep 2017 @ 08:01:14
mackinson said: Noticed something that is quite amusing, but I am not sure there is any more to it If you push the Sky Q charset through the SSID to final character mapping backwards, the isolated LMN group maps to AE5, which immediately made me wonder if someone had buried a hint to AES being used in the algorithm? Anyway, all seems like a very odd coincidence?
Nice finding, but nope. Character mapping is:
0123456789ABCDEF
PQRSTNVWXYLBCDMF
Or in hex:
30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46
50 51 52 53 54 4E 56 57 58 59 4C 42 43 44 4D 46
So, they add 0x20 to digits and replace vowels AEU with LMN
|
|
|
mackinson
Status: Member
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106
Offline
|
Fri, 22 Sep 2017 @ 11:02:41
Felis-Sapiens said: So, they add 0x20 to digits and replace vowels AEU with LMN
Well, OK, I guess that is more plausible than my AES conspiracy theory. I wonder if they replaced the vowels AEU with LMN to prevent potentially offensive words from appearing randomly in the passphrases?
|
|
|
mackinson
Status: Member
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106
Offline
|
Fri, 22 Sep 2017 @ 12:28:34
mackinson said: I wonder if they replaced the vowels AEU with LMN to prevent potentially offensive words from appearing randomly in the passphrases?
Spending a bit too much time finding out how many rude words I can make from the Sky Q charset using AEU instead of LMN. I can certainly see why they took those vowels out of the charset now.
|
|
|
migolando
Status: n/a
Joined: Wed, 27 Dec 2017
Posts: 4
Team:
Reputation: 0
Offline
|
Thu, 28 Dec 2017 @ 12:12:56
Sorry for asking a newbie question, but what happened to https://github.com/soxrok2212/Sky/blob/master/SkyQHub_ER100K ?
|
|
|
migolando
Status: n/a
Joined: Wed, 27 Dec 2017
Posts: 4
Team:
Reputation: 0
Offline
|
Fri, 29 Dec 2017 @ 21:18:09
If anyone is still interested, here are my findings:
SKY###2#
SKY3DE23:CDFSBTDmNS
SKY1F326:XLWRCRFmRQ
SKY0F122:YYMXTFSmFP
SKY0F###
SKY0F122:YYMXTFsMFP
SKY0F091:XRPPWFsDLP
SKY0FA58:YFWWSCsCYP
SKY1F###
SKY1F6A6:xNBTVCDYFQ
SKY1F326:xLWRCRFMRQ
SKY##C6#
SKYD0C62 BCPNWbVLPD
SKYF6C6A NTRBNbWNTF
SKYE3C9A PSYLBPMYbM (b position is +3 to the right, hence c9-c6=3)
|
|
|
John2222
Status: n/a
Joined: Mon, 09 Apr 2018
Posts: 54
Team:
Reputation: 20
Offline
|
Mon, 09 Apr 2018 @ 01:08:08
Is this still ongoing? any progress with any of the keyspace?
|
|
|
##Labster##
Status: n/a
Joined: Sat, 20 Jan 2018
Posts: 16
Team:
Reputation: 1
Offline
|
Tue, 10 Apr 2018 @ 19:21:41
SSID PSK MAC
SKY43C92 PBPTCYMLLT 7050AF833328
SKYD1117 TDXQLNDVXD 24A7DC448EF8
|
|
|
$cI$$0r$
Status: Elite
Joined: Thu, 24 Aug 2017
Posts: 596
Team:
Reputation: 6996
Offline
|
Wed, 09 May 2018 @ 06:55:41
migolando said: If anyone is still interested, here are my findings: SKY0F### SKY0F122:YYMXTFsMFP SKY0F091:XRPPWFsDLP SKY0FA58:YFWWSCsCYP
SKY0F058:XLNCDNQDYP
No s as you have. :|
BTC: 1QFsUY54JQDGpJf1UPV2YdcpQgcYKnyrpN XMPP: WW1GamEyUnZiM0pBWTNKbFpYQXVhVzA9
|
|
|
dipeperon
Status: Member
Joined: Tue, 03 Apr 2018
Posts: 431
Team:
Reputation: 431
Online
|
Wed, 22 Aug 2018 @ 18:47:03
From 28 combinations in the OP. I pulled the hex part from the SSID -> decimal. Converted the passphrase -> hex -> decimal. Dropped them in Excel. Calculated the Pearson correlation between them: r = -0.155326556, i.e. the only relationship between those 2 is that one is always smaller than the other (obviously). If anyone has more ideas to analyze relationships between, I'll gladly do so.
My hashcat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff
|
|
|
dipeperon
Status: Member
Joined: Tue, 03 Apr 2018
Posts: 431
Team:
Reputation: 431
Online
|
Wed, 22 Aug 2018 @ 19:12:49
We need more data
|
|
|
SillyOtter
Status: n/a
Joined: Wed, 04 Jul 2018
Posts: 11
Team:
Reputation: 0
Offline
|
Sun, 03 Mar 2019 @ 20:21:53
Given the information above and also using the Default Algo post, is this still the correct attack to run against a SKYQ handshake: crunch 10 10 NBPYVLMRXTCFWDSQ, or am I missing letters or rule sets for crunch?
|
|
|
Redpreast
Status: n/a
Joined: Wed, 01 May 2019
Posts: 5
Team:
Reputation: 6
Offline
|
Thu, 02 May 2019 @ 11:54:48
SillyOtter said: Given the information above and also using the Default Algo post is this still the correct attack to run against a SKYQ handshake crunch 10 10 NBPYVLMRXTCFWDSQ or am i missing letters or rule sets for crunch.
That should work but you could perhaps use maskprocessor:
--seq-max=NUM Maximum number of multiple sequential characters
--occurrence-max=NUM Maximum occurrence of a character
Currently going through all the keyspace using --seq-max=2 and --occurrence-max=3. Will report if I manage to crack my test hash.
|
|
|
payknight
Status: Cracker
Joined: Wed, 13 Apr 2016
Posts: 668
Team: just4fun
Reputation: 372
Offline
|
Sat, 04 May 2019 @ 16:29:35
Redpreast said: SillyOtter said: Given the information above and also using the Default Algo post is this still the correct attack to run against a SKYQ handshake crunch 10 10 NBPYVLMRXTCFWDSQ or am i missing letters or rule sets for crunch. That should work but you could perhaps use maskprocessor --seq-max=NUM Maximum number of multiple sequential characters, --occurrence-max=NUM Maximum occurrence of a character. Currently going through all the keyspace using --seq-max=2 and --occurrence-max=3. Will report if i manage to crack my test hash.
any news?
+rep if i helped BTC : 1PAyKniGHt7yyCb8HdsziTHBEFX6zkGSHz
|
|
|
Redpreast
Status: n/a
Joined: Wed, 01 May 2019
Posts: 5
Team:
Reputation: 6
Offline
|
Sun, 05 May 2019 @ 11:49:41
payknight said: Redpreast said: SillyOtter said: Given the information above and also using the Default Algo post is this still the correct attack to run against a SKYQ handshake crunch 10 10 NBPYVLMRXTCFWDSQ or am i missing letters or rule sets for crunch. That should work but you could perhaps use maskprocessor --seq-max=NUM Maximum number of multiple sequential characters, --occurrence-max=NUM Maximum occurrence of a character. Currently going through all the keyspace using --seq-max=2 and --occurrence-max=3. Will report if i manage to crack my test hash. any news?
Not really, left it running for 2 days with no luck (300KH/s). Because hashcat does not have --seq-max or --occurrence-max built in, that means I had to use maskprocessor as stdin, which in turn means no time estimate. I might have to generate a dictionary first using MP, don't want to run it for weeks.
|
|
|
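Added example, not part of any post in this thread: a small audit check a network owner could run to see whether a router's passphrase still has the factory format discussed above, and what that format is worth. The 16-symbol alphabet, the length of 10 and the 300 kH/s rate are taken from the thread; the function names and the sample passphrases are constructed for illustration.

```python
import math

# Alphabet and length of the factory passphrase as quoted in the thread.
SKYQ_CHARSET = frozenset("BCDFLMNPQRSTVWXY")
SKYQ_LENGTH = 10


def is_default_format(psk: str) -> bool:
    """True if the passphrase is indistinguishable from a factory one."""
    return len(psk) == SKYQ_LENGTH and set(psk) <= SKYQ_CHARSET


def keyspace(length: int = SKYQ_LENGTH, symbols: int = len(SKYQ_CHARSET)) -> int:
    """Number of candidate passphrases of the factory format."""
    return symbols ** length


def exhaust_days(rate_hps: float, space: int) -> float:
    """Worst-case days to try every candidate at rate_hps guesses/second."""
    return space / rate_hps / 86400


def audit(psk: str, rate_hps: float = 300_000) -> dict:
    """Report on one passphrase; rate defaults to the figure in the thread."""
    if not is_default_format(psk):
        return {"default_format": False}
    space = keyspace()
    return {
        "default_format": True,
        "bits": math.log2(space),  # 16^10 == 2^40
        "worst_case_days": round(exhaust_days(rate_hps, space), 1),
        "action": "replace the factory passphrase with a long unique one",
    }


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for sample in ("BCDFLMNPQR", "ABCDEFGHIJ", "correct horse battery staple"):
        print(sample, audit(sample))
```

A factory-format passphrase carries 40 bits, which a single machine at the quoted rate exhausts in weeks; a passphrase outside that format is not covered by this check at all.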