
Sky Q keyspace investigations


almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Tue, 28 Feb 2017 @ 21:58:22

jHi6az3HB said:

Sorry if I have posted in the wrong place.
I think no. They are old hashes.

Nothing wrong here, we just want to break one of them, or both if we can. This topic is for both; you just need to specify which one you're talking about, to figure out what important information you add and understand it.

By the way, what aircrack version did you use when you got those kinds of strange caps?


kratos

Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Tue, 28 Feb 2017 @ 22:14:27

SKY3DE23:CDFSBTDMNS



jHi6az3HB

Status: n/a
Joined: Fri, 24 Feb 2017
Posts: 9
Team:
Reputation: 0 Reputation
Offline
Tue, 28 Feb 2017 @ 22:42:56

almondo said:

jHi6az3HB said:

Sorry if I have posted in the wrong place.
I think no. They are old hashes.

Nothing wrong here, we just want to break one of them, or both if we can. This topic is for both; you just need to specify which one you're talking about, to figure out what important information you add and understand it.

By the way, what aircrack version did you use when you got those kinds of strange caps?

aircrack-ng-1.2-rc4-win


kratos

Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Wed, 01 Mar 2017 @ 22:25:18

SKY1F326:XLWRCRFMRQ



kratos

Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Thu, 02 Mar 2017 @ 21:51:42

SKY5EA85:VPDWTSPQWN



kratos

Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Thu, 02 Mar 2017 @ 22:00:31

SKY23B43:YSXMYNYTFR



kratos

Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Sun, 05 Mar 2017 @ 22:32:48

SKYA61E7 CLLFYWQSSL



soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Team:
Reputation: 421 Reputation
Offline
Mon, 06 Mar 2017 @ 01:07:20

Updated
https://github.com/soxrok2212/Sky/blob/master/SkyQHub_ER100K



BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

kratos

Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Mon, 06 Mar 2017 @ 05:38:08

soxrok2212 said:

Seems there are no new ideas on the data from anyone?
Just collecting now for no reason?




95AE6B15

Status: Trusted
Joined: Fri, 23 May 2014
Posts: 2482
Team:
Reputation: 3625 Reputation
Offline
Mon, 06 Mar 2017 @ 05:54:32

The keyspace hasn't changed any. I have to look at the chars per position based on the updated list.
But there were certain positions in the passphrase that didn't use all 16 chars. But that was based on a week or 2 ago.

I'll have to rerun the analysis on it and see if it has changed any. I'll try and do that tomorrow and post up the results.



kratos

Status: Member
Joined: Sat, 25 Feb 2017
Posts: 157
Team:
Reputation: 126 Reputation
Offline
Mon, 06 Mar 2017 @ 06:10:03

cvsi said:


But there were certain positions in the passphrase that didn't use all 16 chars. But that was based on a week or 2 ago.

is that the blandyuk pattern of first ssid hex to last pass map?

cvsi said:


I'll have to rerun the analysis on it and see if it has changed any. I'll try and do that tomorrow and post up the results.

OK, seeing nothing else here but flat random distribution
other patterns claimed in thread were all false



soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Team:
Reputation: 421 Reputation
Offline
Mon, 08 May 2017 @ 22:49:59


Finally managed to get a probe response from a Sky Q, this is what it looks like in the WPS tag. Shows the exact model, ER110. SR102 will show Broadcom and 123456 for model name and model number.



cranky

Status: n/a
Joined: Sat, 16 Sep 2017
Posts: 25
Team:
Reputation: 10 Reputation
Offline
Thu, 21 Sep 2017 @ 19:36:43

Spent ages scraping the bay and looked at known keys here and noticed the 2nd from last char is never (haven’t seen yet) an ‘A’ so maybe using custom char sets -1 (known keyspace) -2 (known omitting ‘A’) -1?1?1?1?1?1?1?1?2?1 should speed things up a little?


mackinson

Status: Member
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106 Reputation
Offline
Thu, 21 Sep 2017 @ 19:45:01

cranky said:

Spent ages scraping the bay and looked at known keys here and noticed the 2nd from last char is never (haven’t seen yet) an ‘A’ so maybe using custom char sets -1 (known keyspace) -2 (known omitting ‘A’) -1?1?1?1?1?1?1?1?2?1 should speed things up a little?

That discovery is not particularly surprising, considering that A is not even in the Sky Q charset
in the first place


cranky

Status: n/a
Joined: Sat, 16 Sep 2017
Posts: 25
Team:
Reputation: 10 Reputation
Offline
Thu, 21 Sep 2017 @ 19:47:58

Ahh shucks, back to the drawing board!!! I got mixed up with the standard charset and the q one *goes back and sits in the corner quietly*


mackinson

Status: Member
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106 Reputation
Offline
Thu, 21 Sep 2017 @ 20:08:47

cranky said:

Ahh shucks, back to the drawing board!!! I got mixed up with the standard charset and the q one *goes back and sits in the corner quietly*

I still commend you for trying to find something new.
This thread has gone pretty dead.

Noticed something that is quite amusing, but I am not sure there is any more to it

If you push the Sky Q charset through the SSID to final character mapping backwards,
the isolated LMN group maps to AE5, which immediately made me wonder if someone
had buried a hint to AES being used in the algorithm?

Anyway, all seems like a very odd coincidence?

Code:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
 BCD F     LMN PQRST VWXY  Sky Q charset
 BCD F     AE5 01234 6789  Sky Q charset backwards through mapping


Felis-Sapiens

Status: Member
Joined: Thu, 07 Jul 2016
Posts: 164
Team:
Reputation: 366 Reputation
Offline
Fri, 22 Sep 2017 @ 08:01:14

mackinson said:

Noticed something that is quite amusing, but I am not sure there is any more to it

If you push the Sky Q charset through the SSID to final character mapping backwards,
the isolated LMN group maps to AE5, which immediately made me wonder if someone
had buried a hint to AES being used in the algorithm?

Anyway, all seems like a very odd coincidence?

Nice finding, but nope.

Character mapping is:
0123456789ABCDEF
PQRSTNVWXYLBCDMF

Or in hex:
30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46
50 51 52 53 54 4E 56 57 58 59 4C 42 43 44 4D 46

So, they add 0x20 to digits and replace vowels AEU with LMN
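
The rule in the post above, written out as a check (an added example, not code from any poster in this thread): it rebuilds the table from the stated rule, compares it with the 16-character set quoted elsewhere in the thread, and tests the "first SSID hex to last passphrase character" mapping mentioned earlier against pairs posted here. Function names are illustrative, and the entropy figures assume uniformly random characters with the final one fully derivable from the SSID.

```python
import math

HEX_DIGITS = "0123456789ABCDEF"
POSTED_MAP = "PQRSTNVWXYLBCDMF"          # second row of the table in the post
CRUNCH_CHARSET = "NBPYVLMRXTCFWDSQ"      # charset quoted elsewhere in the thread
VOWEL_SWAP = {"A": "L", "E": "M", "U": "N"}

# SSID/passphrase pairs copied from posts in this thread (not new data).
THREAD_PAIRS = [
    ("SKY3DE23", "CDFSBTDMNS"),
    ("SKY1F326", "XLWRCRFMRQ"),
    ("SKY5EA85", "VPDWTSPQWN"),
    ("SKYA61E7", "CLLFYWQSSL"),
    ("SKYD1117", "TDXQLNDVXD"),
]


def map_hex_char(c):
    """Rule as stated in the post: digits get +0x20, then A/E/U become L/M/N."""
    if c in "0123456789":
        c = chr(ord(c) + 0x20)           # '0'..'9' -> 'P'..'Y' ('5' lands on 'U')
    return VOWEL_SWAP.get(c, c)


def derived_map():
    """Output alphabet produced by applying the rule to each hex digit in order."""
    return "".join(map_hex_char(c) for c in HEX_DIGITS)


def last_char_follows_ssid(ssid, psk):
    """True if the final passphrase character is the mapped first SSID hex digit."""
    return psk[-1] == map_hex_char(ssid[3])


def entropy_bits(length, charset_size, derivable_positions=0):
    """Bits of entropy for uniformly random characters, minus derivable positions."""
    return (length - derivable_positions) * math.log2(charset_size)


if __name__ == "__main__":
    print("rule reproduces posted table:", derived_map() == POSTED_MAP)
    print("same 16 characters as crunch set:", set(derived_map()) == set(CRUNCH_CHARSET))
    print("last char matches SSID:", [last_char_follows_ssid(s, p) for s, p in THREAD_PAIRS])
    print("nominal bits:", entropy_bits(10, 16), "effective bits:", entropy_bits(10, 16, 1))
```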


mackinson

Status: Member
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106 Reputation
Offline
Fri, 22 Sep 2017 @ 11:02:41

Felis-Sapiens said:


So, they add 0x20 to digits and replace vowels AEU with LMN

Well, OK, I guess that is more plausible than my AES conspiracy theory

I wonder if they replaced the vowels AEU with LMN to prevent potentially
offensive words from appearing randomly in the passphrases?


mackinson

Status: Member
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106 Reputation
Offline
Fri, 22 Sep 2017 @ 12:28:34

mackinson said:


I wonder if they replaced the vowels AEU with LMN to prevent potentially
offensive words from appearing randomly in the passphrases?

Spending a bit too much time finding out how many rude words I can
make from the Sky Q charset using AEU instead of LMN

I can certainly see why they took those vowels out of the charset now


migolando

Status: n/a
Joined: Wed, 27 Dec 2017
Posts: 4
Team:
Reputation: 0 Reputation
Offline
Thu, 28 Dec 2017 @ 12:12:56

Sorry for asking a newbie question, but what happened to https://github.com/soxrok2212/Sky/blob/master/SkyQHub_ER100K ?


migolando

Status: n/a
Joined: Wed, 27 Dec 2017
Posts: 4
Team:
Reputation: 0 Reputation
Offline
Fri, 29 Dec 2017 @ 21:18:09

If anyone is still interested, here are my findings:

SKY###2#
SKY3DE23:CDFSBTDmNS
SKY1F326:XLWRCRFmRQ
SKY0F122:YYMXTFSmFP

SKY0F###
SKY0F122:YYMXTFsMFP
SKY0F091:XRPPWFsDLP
SKY0FA58:YFWWSCsCYP

SKY1F###
SKY1F6A6:xNBTVCDYFQ
SKY1F326:xLWRCRFMRQ

SKY##C6#
SKYD0C62 BCPNWbVLPD
SKYF6C6A NTRBNbWNTF
SKYE3C9A PSYLBPMYbM (b position is +3 to the right, hence c9-c6=3)


John2222

Status: n/a
Joined: Mon, 09 Apr 2018
Posts: 54
Team:
Reputation: 20 Reputation
Offline
Mon, 09 Apr 2018 @ 01:08:08

Is this still ongoing? Any progress with any of the keyspace?


##Labster##

Status: n/a
Joined: Sat, 20 Jan 2018
Posts: 16
Team:
Reputation: 1 Reputation
Offline
Tue, 10 Apr 2018 @ 19:21:41

SSID PSK MAC
SKY43C92 PBPTCYMLLT 7050AF833328
SKYD1117 TDXQLNDVXD 24A7DC448EF8


$cI$$0r$

Status: Elite
Joined: Thu, 24 Aug 2017
Posts: 596
Team:
Reputation: 6996 Reputation
Offline
Wed, 09 May 2018 @ 06:55:41

migolando said:

If anyone is still interested, here are my findings:

SKY0F###
SKY0F122:YYMXTFsMFP
SKY0F091:XRPPWFsDLP
SKY0FA58:YFWWSCsCYP

SKY0F058:XLNCDNQDYP

No s as you have. :|



BTC: 1QFsUY54JQDGpJf1UPV2YdcpQgcYKnyrpN
XMPP: WW1GamEyUnZiM0pBWTNKbFpYQXVhVzA9

dipeperon

Status: Member
Joined: Tue, 03 Apr 2018
Posts: 431
Team:
Reputation: 431 Reputation
Online
Wed, 22 Aug 2018 @ 18:47:03

From 28 combinations in the OP.

I pulled the hex part from the SSID -> decimal.

Converted the passphrase -> hex -> decimal.

Dropped them in Excel. Calculated the Pearson correlation between them: r = -0.155326556

I.e. the only relationship between those 2 is that one is always smaller than the other (obviously).

If anyone has more ideas to analyze relationships between them, I'll gladly do so.



My hashcat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff

dipeperon

Status: Member
Joined: Tue, 03 Apr 2018
Posts: 431
Team:
Reputation: 431 Reputation
Online
Wed, 22 Aug 2018 @ 19:12:49

We need more data



SillyOtter

Status: n/a
Joined: Wed, 04 Jul 2018
Posts: 11
Team:
Reputation: 0 Reputation
Offline
Sun, 03 Mar 2019 @ 20:21:53

Given the information above and also using the Default Algo post, is this still the correct attack to run against a SKYQ handshake?

crunch 10 10 NBPYVLMRXTCFWDSQ

Or am I missing letters or rule sets for crunch?


Redpreast

Status: n/a
Joined: Wed, 01 May 2019
Posts: 5
Team:
Reputation: 6 Reputation
Offline
Thu, 02 May 2019 @ 11:54:48

SillyOtter said:

Given the information above and also using the Default Algo post, is this still the correct attack to run against a SKYQ handshake?

crunch 10 10 NBPYVLMRXTCFWDSQ

Or am I missing letters or rule sets for crunch?

That should work, but you could perhaps use maskprocessor with --seq-max=NUM (maximum number of multiple sequential characters) and --occurrence-max=NUM (maximum occurrence of a character). Currently going through all the keyspace using --seq-max=2 and --occurrence-max=3. Will report if I manage to crack my test hash.


payknight

Status: Cracker
Joined: Wed, 13 Apr 2016
Posts: 668
Team: just4fun
Reputation: 372 Reputation
Offline
Sat, 04 May 2019 @ 16:29:35

Redpreast said:

SillyOtter said:

Given the information above and also using the Default Algo post, is this still the correct attack to run against a SKYQ handshake?

crunch 10 10 NBPYVLMRXTCFWDSQ

Or am I missing letters or rule sets for crunch?

That should work, but you could perhaps use maskprocessor with --seq-max=NUM (maximum number of multiple sequential characters) and --occurrence-max=NUM (maximum occurrence of a character). Currently going through all the keyspace using --seq-max=2 and --occurrence-max=3. Will report if I manage to crack my test hash.

any news?


+rep if i helped
BTC : 1PAyKniGHt7yyCb8HdsziTHBEFX6zkGSHz

Redpreast

Status: n/a
Joined: Wed, 01 May 2019
Posts: 5
Team:
Reputation: 6 Reputation
Offline
Sun, 05 May 2019 @ 11:49:41

payknight said:

Redpreast said:

SillyOtter said:

Given the information above and also using the Default Algo post, is this still the correct attack to run against a SKYQ handshake?

crunch 10 10 NBPYVLMRXTCFWDSQ

Or am I missing letters or rule sets for crunch?

That should work, but you could perhaps use maskprocessor with --seq-max=NUM (maximum number of multiple sequential characters) and --occurrence-max=NUM (maximum occurrence of a character). Currently going through all the keyspace using --seq-max=2 and --occurrence-max=3. Will report if I manage to crack my test hash.

any news?


Not really, left it running for 2 days with no luck (300KH/s). Because hashcat does not have --seq-max or --occurrence-max built in, I had to use maskprocessor as stdin, which in turn means no time estimate. I might have to generate a dictionary first using MP, don't want to run it for weeks.


