NOTE: When cracking WPA/WPA2 passwords, make sure you check gpuhash.me first in case it's already been processed.

Unpublished WPA key algorithms (Wireless Cracking forum)


gpuhash_me (gpuhash team) | Mon, 07 Aug 2017 @ 21:36:16

We are starting this thread to bring into the public domain some exclusive unpublished default WPA key algorithms that we use in our everyday work.
Unpublished means you can't find them anywhere on the Web, so (we hope) the Hashkiller forum will now be their origin.

Let's start with the TTNET_ZyXEL_XXXX default WPA key algorithm.
These Turkish ZyXEL routers have a very strong default WPA key of 13 mixed-case hex digits, uncrackable with ordinary brute-forcing.
Knowing the algo, it becomes possible to calculate the default password from the router serial number.
Unfortunately the router S/N is not always known, but the search keyspace can be dramatically reduced to ~10^9 or even smaller.

A PoC with some test vectors is attached below. The code is not optimal in any way and sometimes contains (surprise!) MIPS disassembly written in Python.


GPUHASH.me team official representative
Support, discounts, free offers for forum members

Attachments: Login to view attachments.
cryptonite | Tue, 08 Aug 2017 @ 05:50:14

First, thank you for publishing this algorithm.

Not sure I am ever likely to encounter a router like this, but still very interesting cryptographically to see some example of convoluted code used to generate passphrases.

But I am initially puzzled by the junk array.

The perl seems to use it three characters at a time using an index from the emulated MIPS assembler part.

The junk array is 795 characters long, but arranged in lines of 61 for some reason? Seems like a line length a multiple of 3 would make more sense?

I see i0 is effectively var_1a4 multiplied by 3 with line:
i0 = (var_1a4 << 1) + var_1a4

Anyway, the var_1a4 effectively has a range of 795/3 = 265 (0-264). I would maybe have expected something more a power of 2 here?

Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264? I have not unpicked it enough yet to see why this could be.


gpuhash_me (gpuhash team) | Tue, 08 Aug 2017 @ 06:19:09

cryptonite said:


The junk array is 795 characters long, but arranged in lines of 61 for some reason?
Seems like a line length a multiple of 3 would make more sense?

I see i0 is effectively var_1a4 multiplied by 3 with line:
i0 = (var_1a4 << 1) + var_1a4

Anyway, the var_1a4 effectively has a range of 795/3 = 265 (0-264)
I would maybe have expected something more a power of 2 here?

Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264?
I have not unpicked it enough yet to see why this could be.

Stage 2 is the tricky part (probably some floating point math), so we just emulated the MIPS asm here and it works. The junk array was simply copied from the firmware dump.
Its arrangement means nothing; it is a 1-dimensional array, so it is arranged in lines just to better fit the screen.

We warned that the code is not optimal in any way (but it works), and we leave its optimization as an exercise for the reader.



cryptonite | Tue, 08 Aug 2017 @ 06:57:25

gpuhash_me said:


Stage 2 is the tricky part (probably some floating point math), so we just emulated the MIPS asm here and it works. The junk array was simply copied from the firmware dump.
Its arrangement means nothing; it is a 1-dimensional array, so it is arranged in lines just to better fit the screen.

We warned that the code is not optimal in any way (but it works), and we leave its optimization as an exercise for the reader.

OK, so there is more reverse engineering to be done here to understand better the original design intent.

The junk length of 265 * 3 instead of something like 256 * 3 is very curious, but those extra 27 characters do not seem spurious and look to fit into the tri-graph pattern as 9 additional three character groups?

I like a good puzzle.


blandyuk (Admin / Owner, HashKiller) | Tue, 08 Aug 2017 @ 08:46:44

Nice work I like it.



cryptonite | Tue, 08 Aug 2017 @ 10:04:40

Oops! I called it perl two posts back.
Of course, this is all in a Python script.


cryptonite | Tue, 08 Aug 2017 @ 17:21:39

I started off thinking I would unpick the stage 2 MIPS part, but then got sidetracked trying to figure out how they set up the input of var_1a0 to stage 2.

Whoever designed this algorithm deserves some kind of award for the most obfuscated approach imaginable.

It starts off pretty easy by taking the md5 of the serial number:

md5("S150Y13068675") = f49ab8d6ce27819152c99e926d1f1372

But then there is a twist where every character at an even offset in the md5 hash is made uppercase (does not affect digits in those positions, obviously).

So the hash ends up looking like this:
F49aB8D6Ce27819152C99e926d1f1372

Note the f at offset 0 is now F, but the a at offset 3 is unchanged and so on. Only even offsets are made uppercase. Odd offsets are left alone.

Finally, the numerical ASCII values for all those characters in the modified hash are summed together to get 0x7d6 or 2006 in decimal.

This is the value that ends up in var_1a0 at the input of stage 2 for this particular serial number.


cryptonite | Tue, 08 Aug 2017 @ 18:01:17

What is also interesting is that they do the same case shifting trick right at the end of the algorithm.

The final md5 hash for the algorithm is 52aec8568b91e1dcbca5142e95fd31f5
This becomes 52AeC8568b91E1DcBcA5142e95Fd31F5, following the case shifting rule described earlier.

Then the actual PSK is taken out at offset 13 with length 13 to give 1DcBcA5142e95

Because of that odd offset of 13 the case shifting moves so that now even offsets in the PSK are made uppercase and odd offsets are left alone.

However, this completely negates the upper/lower hex case aspect, because it is entirely predictable.

For a brute force search, you would be looking for [0-9a-f] at even offsets in the PSK and [0-9A-F] at odd offsets in the PSK.

Still 16^13 as a brute force search, which means you still need to know the algorithm to crack it, but the fact that there are upper and lower case hex characters in the PSK adds nothing to the complexity.
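The position-fixed case that cryptonite describes above ([0-9a-f] at even PSK offsets, [0-9A-F] at odd ones, 13 chars sliced from offset 13 of the case-shifted digest) can be turned into a defensive audit: a check that flags a WPA key which still has the shape of a TTNET_ZyXEL factory default, so the owner knows to rotate it. This is an added example, not the thread's PoC; the function names are mine, and the digest and PSK values are the ones quoted in the posts.

```python
import re

# Added example (not the thread's PoC). Models only the case-shift and the
# final 13-char slice that the posts describe; the digest input to the last
# step comes from stage 2, which this example does not attempt.


def shift_case(hexdigest: str) -> str:
    """Uppercase every char at an even offset; digits are unaffected."""
    return "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(hexdigest))


def psk_from_digest(hexdigest: str) -> str:
    """Final extraction step from the thread: 13 chars taken at offset 13.
    Because 13 is odd, inside the PSK the uppercase positions become the
    odd offsets and the even offsets stay lowercase."""
    return shift_case(hexdigest)[13:26]


# Shape of a TTNET_ZyXEL default PSK: six (lower, upper) hex pairs then one
# more lowercase hex char. Digits satisfy either class.
_DEFAULT_SHAPE = re.compile(r"^(?:[0-9a-f][0-9A-F]){6}[0-9a-f]$")


def matches_default_pattern(psk: str) -> bool:
    """True if psk has the factory-default shape; a match on a live network
    is a strong hint that the key was never changed."""
    return _DEFAULT_SHAPE.fullmatch(psk) is not None


def effective_keyspace_bits(psk_len: int = 13) -> float:
    """Case is fixed by position, so each char carries only log2(16) = 4
    bits: the mixed case adds nothing beyond 16^13 candidates."""
    return 4.0 * psk_len


def audit(psk: str) -> str:
    """One-word verdict for an operator reviewing their current key."""
    return "LIKELY_DEFAULT" if matches_default_pattern(psk) else "NOT_DEFAULT_PATTERN"


if __name__ == "__main__":
    digest = "52aec8568b91e1dcbca5142e95fd31f5"      # value quoted in the thread
    print(shift_case(digest))                        # 52AeC8568b91E1DcBcA5142e95Fd31F5
    print(psk_from_digest(digest))                   # 1DcBcA5142e95
    for key in ("1DcBcA5142e95", "09041DdB34e39", "1dcbca5142e95", "correct horse"):
        print(key, audit(key))
    print(effective_keyspace_bits(), "bits")         # 52.0 bits
```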


cryptonite | Wed, 09 Aug 2017 @ 08:40:14

Sorry for hijacking this thread with my thoughts on this algorithm.

Got some bad news through another board that purelogic has left here now,
so I must leave also.


mackinson | Wed, 09 Aug 2017 @ 17:12:10

Sad to hear both purelogic and cryptonite are now gone from the board.

Both were the most interesting posters on here for me, so I think I am done here as well

I was going to leave them both some final farewell rep, but even the rep comments have been disabled now.


mackinson | Thu, 10 Aug 2017 @ 10:34:21

Shit! I thought if I threatened to flounce off like winxp5421, something
would get changed for the better

I see now that strategy only works for the chosen few
Just being silently ignored is the best I can manage

Still not happy about the reputation comment change
How the hell are we going to do sneaky PMs on here any more?


Felis-Sapiens | Sun, 13 Aug 2017 @ 14:48:34

gpuhash_me said:

Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works.


It's just a division (integer).

I also found this algorithm some time ago.


Attachments: Login to view attachments.
soxrok2212 | Sat, 26 Aug 2017 @ 20:23:59

Hey gpuhash, what about your Videotron algorithm?



BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

gpuhash_me (gpuhash team) | Sat, 26 Aug 2017 @ 21:03:18

soxrok2212 said:

Hey gpuhash, what about your Videotron algorithm?

Everything has its time



soxrok2212 | Sat, 26 Aug 2017 @ 22:44:54

Release that and perhaps I would share my HOME-XXXX + HOME-XXXX-2.4/5 + XFSETUP-XXXX dictionary




dark0 | Wed, 21 Feb 2018 @ 03:04:48

soxrok2212 said:

Hey gpuhash, what about your Videotron algorithm?

Find me 2 Videotron-XXXX with keys, and the first digits of their MAC need to be the same XX:XX:XX:XX:XX:XX.
And if possible the S/N,
and I will publish the algorithm.


soxrok2212 | Wed, 21 Feb 2018 @ 03:44:27


SSID: VIDEOTRON9364
WAN MAC: 04:BF:6D:5A:2D:CB
Serial: S160A13009364
Password: 4AXCF9CAT7XV3

SSID: VIDEOTRON3104
WAN MAC: 04:BF:6D:5D:2D:3B
Serial: S160A24003104
Password: UNXPKKXRA7HTU

SSID: VIDEOTRON8694
WAN MAC: 04:BF:6D:5D:84:93
Serial: S160A24008694
Password: K3TMPK7943UWY

SSID: VIDEOTRON1586
WAN MAC: 04:BF:6D:5C:77:DB
Serial: S160A22001586
Password: UUTUV43THA943




soxrok2212 | Sun, 06 May 2018 @ 03:46:43

Anything on this algorithm?




JJ78 | Fri, 11 May 2018 @ 09:21:42

SSID: AT-68C5
MAC: 30:74:96:DC:68:C5
Serial: J3N8W17327003052
Password: 5C5FWAEU29


SSID: AT-364F
MAC: 54:25:EA:FD:36:4F
Serial: J3N8W17502003495
Password: YP3ETF2EVS


MODEL: HUAWEI HG659


amatuercracker (amatuerWPA) | Sun, 19 Aug 2018 @ 22:28:26

Hi,

How can I use this ?


gpuhash_me (gpuhash team) | Mon, 17 Sep 2018 @ 09:59:57

Playing with the TTNET_ZyXEL algo, we accidentally discovered that the Canadian ISP Telus uses basically the same algo for their ZyXEL routers (with a few differences): they generate a 10-char lowercase hex string, then correct the 0 and 1 chars to chars outside the a-f region.
The attached PoC offers only partial coverage because of the missing final correction, but it clearly shows the approach.
To implement the correction we need more known SN/key pairs.



Attachments: Login to view attachments.
amatuercracker (amatuerWPA) | Mon, 17 Sep 2018 @ 11:21:21

https://www.quotemaster.org/images/45/45ebaa91b713c5b9eba710571018c8de.jpg
https://192-168-1-254.tech/wp-content/uploads/2018/02/know-firmware-version-of-router.png
http://static.telus.com/common/cms/images/get-help/internet/17-00943_Modem_images_Modem-v2-T3200M-03.jpg
http://static.telus.com/common/cms/images/support-content/internet/17-00943_Modem_images_Modem-v2-Actiontec1000-01.jpg
https://www.picclickimg.com/00/s/NTk2WDEyODA=/z/dWAAAOSwEeFVHzJC/$/Actiontec-V1000H-Wireless-N-Vdsl-Modem-Router-For-_1.jpg
https://i.ebayimg.com/images/g/dWAAAOSwEeFVHzJC/s-l1600.jpg


Thanks for sharing these algorithms.
I want to ask you something. Can you find the TurkTelekom_TXXXX TP-Link W9970 algorithm? Or does it only use a-z A-Z 0-9, 8 chars?


gpuhash_me (gpuhash team) | Mon, 17 Sep 2018 @ 11:35:36

amatuercracker said:

Your links are all from Actiontec routers, not ZyXEL.

amatuercracker said:


Thanks for sharing these algorithms.
I want to ask you something. Can you find the TurkTelekom_TXXXX TP-Link W9970 algorithm? Or does it only use a-z A-Z 0-9, 8 chars?

Probably it will be released later.



SsiD1 | Mon, 17 Sep 2018 @ 11:51:22

Have you tried the DJAWEB_XXXXX algo?
Default keys are 13 hex [0-9 A-F], router Huawei HG532e.


amatuercracker (amatuerWPA) | Mon, 17 Sep 2018 @ 11:57:00

Ohh, sorry for that. Seems like a ZyXEL system.

Finally I found some Telus ZyXEL.

here
https://s3-us-west-2.amazonaws.com/usedphotosna/57922915_934.jpg

The script finds 1 char different
sn:S140Y12006484
pass:a1ad243694

https://s3-us-west-2.amazonaws.com/usedphotosna/75078354_614.jpg
Yes, found the true pass
SN:S120Z07008282
pass:6f2344d6b9

I will wait for good news on TurkTelekom_TXXXX. I'm really bored of trying evil twin.


amatuercracker (amatuerWPA) | Sat, 06 Oct 2018 @ 22:21:02

Hi all, I found a new device for this algorithm.

\ttnet_zyxel2.py
S/N ............ ['S17AA42004336', 'S17AA36002767', 'S17AA37008298']
Known PSK ...... ['09041DdB34e39', '7Cc4f868dC749', '4C710DfB4Fd4f']
Our PSK ........ ['09041DdB34e39', '7Cc4f868dC749', '4C710DfB4Fd4f']
SUCCESS!

I tested by finding images.
https://i0.shbdn.com/photos/31/14/29/x16_597311429t1h.jpg
https://i0.shbdn.com/photos/30/82/35/x16_606308235dbi.jpg
https://i0.shbdn.com/photos/36/20/89/x16_607362089eb3.jpg

MODEL: ZYXEL VMG8324-B10A
SSID: ZyXEL_HGW_XXXXX
ISP TURKEY - TURKTELEKOM


undersc0re | Wed, 24 Oct 2018 @ 10:28:49

I am trying to make the Telus script work and was wondering if you could help. I am brand new to Python and scripting but would love to see an example to make this work!!
I tried to use gen_telus.py as stock from the download, as follows; probably a total noob error as I have no idea what I am doing.


C:\Users\yzfr1\Desktop\ttnet_zyxel>py gen_telus.py S140Y12006484
File "gen_telus.py", line 75
print gen_telus(sn)
^
SyntaxError: invalid syntax


I tried this other script below and it spits out the wrong password, so I am totally missing something, but at least the script spits something out without error.


C:\Users\yzfr1\Desktop\ttnet_zyxel>py ttnet_zyxel_key.py S140Y12006484
2B9A05f535470

I have this info below if you could use it for your testing needs, or show me an example to make it spit out the password.

Telus - Zyxel VSG1432
SN: S121K36004868
MAC ID: FCF528424B11
Wireless Network Name - TELUS4868
Wireless Network Key - 38d57f2caa


gpuhash_me (gpuhash team) | Wed, 24 Oct 2018 @ 12:43:30

undersc0re said:

I am trying to make the Telus script work and was wondering if you could help. I am brand new to Python and scripting but would love to see an example to make this work!!
I tried to use gen_telus.py as stock from the download, as follows; probably a total noob error as I have no idea what I am doing.


C:\Users\yzfr1\Desktop\ttnet_zyxel>py gen_telus.py S140Y12006484
File "gen_telus.py", line 75
print gen_telus(sn)
^
SyntaxError: invalid syntax


I tried this other script below and it spits out the wrong password, so I am totally missing something, but at least the script spits something out without error.


C:\Users\yzfr1\Desktop\ttnet_zyxel>py ttnet_zyxel_key.py S140Y12006484
2B9A05f535470

I have this info below if you could use it for your testing needs, or show me an example to make it spit out the password.

Telus - Zyxel VSG1432
SN: S121K36004868
MAC ID: FCF528424B11
Wireless Network Name - TELUS4868
Wireless Network Key - 38d57f2caa

This script is for Python 2.7; for Python 3 and above it needs to be modified.

$ python --version
Python 2.7.12

$ python gen_telus.py
38d57f2caa



undersc0re | Wed, 24 Oct 2018 @ 17:57:48

Telus - Zyxel VSG1432
SN: S130Y13054555
MAC ID: EC43F649ACB3
Wireless Network Name - TELUS4555
Wireless Network Key - 74abce922c


Telus - Zyxel VSG1432
SN: 120Y01005518
MAC ID: CC5D4E7FE4F7
Wireless Network Name - TELUS5518
Wireless Network Key - 8ab2c8ce85

Hopefully these help you to perfect your script.


Is there a way to see the serial number in the .cap file? Just wondering if that is why you are doing this? Or is it that you just want to perfect a narrowed down mask or password file? Thank you, I have the script working well.


dipeperon | Wed, 24 Oct 2018 @ 23:09:30

undersc0re said:

Telus - Zyxel VSG1432
SN: S130Y13054555
MAC ID: EC43F649ACB3
Wireless Network Name - TELUS4555
Wireless Network Key - 74abce922c


Telus - Zyxel VSG1432
SN: 120Y01005518
MAC ID: CC5D4E7FE4F7
Wireless Network Name - TELUS5518
Wireless Network Key - 8ab2c8ce85

Hopefully these help you to perfect your script.


Is there a way to see the serial number in the .cap file? Just wondering if that is why you are doing this? Or is it that you just want to perfect a narrowed down mask or password file? Thank you, I have the script working well.

The serial number cannot be found in the packet.


My hashcat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff

