| Author |
Message |
gpuhash_me
Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 530
Team: gpuhash team
Reputation: 1185
Offline
|
Mon, 07 Aug 2017 @ 21:36:16
We starting this thread to bring to public domain some exclusive unpublished default WPA key algorithms that we use in our every day work.
Unpublished means you can't find it anywhere on the Web so (we hope) Hashkiller forum now will be its origin. Lets start with TTNET_ZyXEL_XXXX default WPA key algorithm.
These Turkish ZyXEL routers have very strong default WPA key of 13 mixedcase hex digits uncrackable with ordinary bruteforcing.
Knowing the algo becomes possible to calculate default password from the router serial number.
Unfortunately router S/N not always known but search keyspace could be dramatically reduced to ~10^9 and even smaller size. PoC with some test vectors attached below. The code is not optimal in any way and sometimes can contain (surprise!) MIPS disassembly written in python.
GPUHASH.me team official representative
Support, discounts, free offers for forum members
|
| Attachments: |
Login to view attachments. |
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 05:50:14
First, thank you for publishing this algorithm  Not sure I am ever likely to encounter a router like this, but still very interesting
cryptographically to see some example of convoluted code used to generate passphrases But I am initially puzzled by the junk array The perl seems to use it three characters at a time using an index from the emulated
MIPS assembler part The junk array is 795 characters long, but arranged in lines of 61 for some reason?
Seems like a line length a multiple of 3 would make more sense? I see i0 is effectively var_1a4 multiplied by 3 with line:
i0 = (var_1a4 << 1) + var_1a4 Anyway, the var_1a4 effectively has a range of 795/3 = 265 (0-264)
I would maybe have expected something more a power of 2 here? Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264?
I have not unpicked it enough yet to see why this could be.
|
|
|
gpuhash_me
Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 530
Team: gpuhash team
Reputation: 1185
Offline
|
Tue, 08 Aug 2017 @ 06:19:09
cryptonite said:
The junk array is 795 characters long, but arranged in lines of 61 for some reason?
Seems like a line length a multiple of 3 would make more sense?
I see i0 is effectively var_1a4 multiplied by 3 with line:
i0 = (var_1a4 << 1) + var_1a4 Anyway, the var_1a4 effectively has a range of 795/3 = 265 (0-264)
I would maybe have expected something more a power of 2 here? Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264?
I have not unpicked it enough yet to see why this could be. Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works. The junk array was simple copied from firmware dump.
Its arranging means nothing it is 1-dimensional array so it arranged in lines just to better fit screen. We warned the code is not optimal in any way (but it works) and we leave its optimization as exercise for the reader
GPUHASH.me team official representative
Support, discounts, free offers for forum members
|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 06:57:25
gpuhash_me said:
Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works. The junk array was simple copied from firmware dump.
Its arranging means nothing it is 1-dimensional array so it arranged in lines just to better fit screen.
We warned the code is not optimal in any way (but it works) and we leave its optimization as exercise for the reader
OK, so there is more reverse engineering to be done here to understand better
the original design intent The junk length of 265 * 3 instead of something like 256 * 3 is very curious, but those
extra 27 characters do not seem spurious and look to fit into the tri-graph pattern
as 9 additional three character groups? I like a good puzzle
|
|
|
blandyuk
Admin / Owner
Status: Trusted
Joined: Tue, 05 Jul 2011
Posts: 3033
Team: HashKiller
Reputation: 4060
Offline
|
Tue, 08 Aug 2017 @ 08:46:44
Nice work I like it.
Please read the forum rules | Please read the paid section rules
I accept private hash lists, with forum donations only.
BTC: 15qF9WUeFUD63ishxyAMiEgGqTcYzk4j9b
GPU Power: 9x GTX 1070 + 4x GTX 1080
|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 10:04:40
Oops! I called it perl two posts back
Of course, this is all in python script
|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 17:21:39
I started off thinking I would unpick the stage 2 MIPS part, but then got
sidetracked trying to figure out how they set up the input of var_1a0 to stage 2. Whoever designed this algorithm deserves some kind of award for the most
obfuscated approach imaginable  It starts of pretty easy by taking the md5 of the serial number md5("S150Y13068675") = f49ab8d6ce27819152c99e926d1f1372 But then there is a twist where every character at an even offset in the md5
hash is made uppercase (does not affect digits in those positions, obviously) So the hash ends up looking like this
F49aB8D6Ce27819152C99e926d1f1372 Note the f at offset 0 is now F, but the a at offset 3 is unchanged and so on.
Only even offsets are made uppercase. Odd offsets are left alone. Finally, the numerical ascii values for all those characters in the modified
hash are summed together to get 0x7d6 or 2006 in decimal This is the value that ends up in var_1a0 at the input of stage 2 for this
particular serial number
|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 18:01:17
What is also interesting is that they do the same case shifting trick right at
the end of the algorithm The final md5 hash for the algorithm is 52aec8568b91e1dcbca5142e95fd31f5
This becomes 52AeC8568b91E1DcBcA5142e95Fd31F5, following the case shifting
rule described earlier Then the actual PSK is taken out at offset 13 with length 13 to give 1DcBcA5142e95 Because of that odd offset of 13 the case shifting moves so that now even offsets
in the PSK are made uppercase and odd offsets are left alone. However, this completely negates the upper/lower hex case aspect, because it
is entirely predictable. For a brute force search, you would be looking for [0-9a-f] at even offsets in the PSK
and [0-9A-F] at odd offsets in the PSK. Still a 16^13 as a brute force search, which means you still need to know the algorithm
to crack it, but the fact that there are upper and lower case hex characters in the PSK
adds nothing to the complexity.
|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Wed, 09 Aug 2017 @ 08:40:14
Sorry for highjacking this thread with my thoughts on this algorithm Got some bad news through another board that purelogic has left here now
So I must leave also
|
|
|
mackinson
Status: n/a
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106
Offline
|
Wed, 09 Aug 2017 @ 17:12:10
Sad to hear both purelogic and cryptonite are now gone from the board. Both were the most interesting posters on here for me, so I think I am done here as well I was going to leave them both some final farewell rep, but even the rep comments
have been disabled now 
|
|
|
mackinson
Status: n/a
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106
Offline
|
Thu, 10 Aug 2017 @ 10:34:21
Shit! I thought if I threatened to flounce off like winxp5421, something
would get changed for the better I see now that strategy only works for the chosen few
Just being silently ignored is the best I can manage  Still not happy about the reputation comment change
How the hell are we going to do sneaky PMs on here any more? 
|
|
|
Felis-Sapiens
Status: n/a
Joined: Thu, 07 Jul 2016
Posts: 158
Team:
Reputation: 340
Offline
|
Sun, 13 Aug 2017 @ 14:48:34
gpuhash_me said: Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works.
It's just a division (integer).I also found this algorithm some time ago.
|
| Attachments: |
Login to view attachments. |
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421
Offline
|
Sat, 26 Aug 2017 @ 20:23:59
Hey gpuhash, what about your Videotron algorithm?
BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1 NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design
|
|
|
gpuhash_me
Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 530
Team: gpuhash team
Reputation: 1185
Offline
|
Sat, 26 Aug 2017 @ 21:03:18
soxrok2212 said: Hey gpuhash, what about your Videotron algorithm? Everything has its time
GPUHASH.me team official representative
Support, discounts, free offers for forum members
|
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421
Offline
|
Sat, 26 Aug 2017 @ 22:44:54
Release that and perhaps I would share my HOME-XXXX + HOME-XXXX-2.4/5 + XFSETUP-XXXX dictionary
BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1 NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design
|
|
|
dark0
Status: n/a
Joined: Tue, 13 Feb 2018
Posts: 44
Team:
Reputation: 10
Offline
|
Wed, 21 Feb 2018 @ 03:04:48
soxrok2212 said: Hey gpuhash, what about your Videotron algorithm? Find me 2 Videtron-XXXX with keys and the first digits of their mac need to be the same XX:XX:XX:XX:XX:XX
And if is posible the S/N
and i will publish the algorithm
|
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421
Offline
|
Wed, 21 Feb 2018 @ 03:44:27
SSID: VIDEOTRON9364
WAN MAC: 04:BF:6D:5A:2D:CB
Serial: S160A13009364
Password: 4AXCF9CAT7XV3
SSID: VIDEOTRON3104
WAN MAC: 04:BF:6D:5D:2D:3B
Serial: S160A24003104
Password: UNXPKKXRA7HTU SSID: VIDEOTRON8694
WAN MAC: 04:BF:6D:5D:84:93
Serial: S160A24008694
Password: K3TMPK7943UWY SSID: VIDEOTRON1586
WAN MAC: 04:BF:6D:5C:77:DB
Serial: S160A22001586
Password: UUTUV43THA943
BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1 NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design
|
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421
Offline
|
Sun, 06 May 2018 @ 03:46:43
Anything on this algorithm?
BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1 NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design
|
|
|
JJ78
Status: n/a
Joined: Mon, 05 Feb 2018
Posts: 5
Team:
Reputation: 0
Offline
|
Fri, 11 May 2018 @ 09:21:42
SSID: AT-68C5
MAC: 30:74:96:DC:68:C5
Serial: J3N8W17327003052
Password: 5C5FWAEU29
SSID: AT-364F
MAC: 54:25:EA:FD:36:4F
Serial: J3N8W17502003495
Password: YP3ETF2EVS
MODEL: HUAWEI HG659
|
|
|
amatuercracker
Status: n/a
Joined: Sun, 19 Aug 2018
Posts: 29
Team: amatuerWPA
Reputation: 70
Offline
|
Sun, 19 Aug 2018 @ 22:28:26
Hi, How can I use this ?
|
|
|
gpuhash_me
Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 530
Team: gpuhash team
Reputation: 1185
Offline
|
Mon, 17 Sep 2018 @ 09:59:57
Playing with TTNET_ZyXEL algo we accidentally discovered that Canadian ISP Telus use basically the same algo for their ZyXEL routers (with few differences), they generate 10 lower hex string then correct 0 and 1 chars to chars outside a-f region.
Attached PoC offers only partial coverage because of missing final correction but it clearly shows the approach.
To implement correction we need more known SN/key pairs.
GPUHASH.me team official representative
Support, discounts, free offers for forum members
|
| Attachments: |
Login to view attachments. |
|
|
amatuercracker
Status: n/a
Joined: Sun, 19 Aug 2018
Posts: 29
Team: amatuerWPA
Reputation: 70
Offline
|
Mon, 17 Sep 2018 @ 11:21:21
https://www.quotemaster.org/images/45/45ebaa91b713c5b9eba710571018c8de.jpg
https://192-168-1-254.tech/wp-content/uploads/2018/02/know-firmware-version-of-router.png
http://static.telus.com/common/cms/images/get-help/internet/17-00943_Modem_images_Modem-v2-T3200M-03.jpg
http://static.telus.com/common/cms/images/support-content/internet/17-00943_Modem_images_Modem-v2-Actiontec1000-01.jpg
https://www.picclickimg.com/00/s/NTk2WDEyODA=/z/dWAAAOSwEeFVHzJC/$/Actiontec-V1000H-Wireless-N-Vdsl-Modem-Router-For-_1.jpg
https://i.ebayimg.com/images/g/dWAAAOSwEeFVHzJC/s-l1600.jpg
thanks for sharing these algoritm.
I want ask you something. Can you find TurkTelekom_TXXXX TP-link W9970 algoritm? or only use a-z-A-Z-0-9 8 char?
|
|
|
gpuhash_me
Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 530
Team: gpuhash team
Reputation: 1185
Offline
|
Mon, 17 Sep 2018 @ 11:35:36
amatuercracker said: Your links all from Actiontec routers, not ZyXEL amatuercracker said:
thanks for sharing these algoritm.
I want ask you something. Can you find TurkTelekom_TXXXX TP-link W9970 algoritm? or only use a-z-A-Z-0-9 8 char?
Probably will be released later
GPUHASH.me team official representative
Support, discounts, free offers for forum members
|
|
|
SsiD1
Status: n/a
Joined: Wed, 26 Apr 2017
Posts: 20
Team:
Reputation: 20
Offline
|
Mon, 17 Sep 2018 @ 11:51:22
have you try with DJAWEB_XXXXX algo
default key are 13 hex [0-9 A-F] router huawei hg532e
|
|
|
amatuercracker
Status: n/a
Joined: Sun, 19 Aug 2018
Posts: 29
Team: amatuerWPA
Reputation: 70
Offline
|
Mon, 17 Sep 2018 @ 11:57:00
ohh sorry for that. Seem like zyxel system . Finally I found some telus zyxel here
https://s3-us-west-2.amazonaws.com/usedphotosna/57922915_934.jpg script find 1 char different
sn:S140Y12006484
pass:a1ad243694 https://s3-us-west-2.amazonaws.com/usedphotosna/75078354_614.jpg
Yes found true pass
SN:S120Z07008282
pass:6f2344d6b9 I will wait for good news for TurkTelekom_TXXXX. I really bored trying evil twin
|
|
|
amatuercracker
Status: n/a
Joined: Sun, 19 Aug 2018
Posts: 29
Team: amatuerWPA
Reputation: 70
Offline
|
Sat, 06 Oct 2018 @ 22:21:02
Hi all I fount new device for this algoritm \ttnet_zyxel2.py
S/N ............ ['S17AA42004336', 'S17AA36002767', 'S17AA37008298']
Known PSK ...... ['09041DdB34e39', '7Cc4f868dC749', '4C710DfB4Fd4f']
Our PSK ........ ['09041DdB34e39', '7Cc4f868dC749', '4C710DfB4Fd4f']
SUCCESS! I test finding images.
https://i0.shbdn.com/photos/31/14/29/x16_597311429t1h.jpg
https://i0.shbdn.com/photos/30/82/35/x16_606308235dbi.jpg
https://i0.shbdn.com/photos/36/20/89/x16_607362089eb3.jpg MODEL: ZYXEL VMG8324-B10A
SSİD: ZyXEL_HGW_XXXXX
ISS TURKEY - TURKTELEKOM
|
|
|
undersc0re
Status: n/a
Joined: Sat, 15 Apr 2017
Posts: 7
Team:
Reputation: 0
Offline
|
Wed, 24 Oct 2018 @ 10:28:49
I am trying to make telus script work and was wondering if you could help, I am brand new to python and scripting but would love to see example to make his work!!
I try to use gen_telus.py as stock from downloading like follows, prob total noob error as I have no idea what I am doing.
C:\Users\yzfr1\Desktop\ttnet_zyxel>py gen_telus.py S140Y12006484
File "gen_telus.py", line 75
print gen_telus(sn)
^
SyntaxError: invalid syntax
I try this one below script and it spits out wrong password so I am totally missing something, but at least the script spits something out without error.
C:\Users\yzfr1\Desktop\ttnet_zyxel>py ttnet_zyxel_key.py S140Y12006484
2B9A05f535470
I have this info below if you could use it for your testing needs or show me example to make it spit out password. Telus - Zyxel VSG1432
SN: S121K36004868
MAC ID: FCF528424B11
Wireless Network Name - TELUS4868
Wireless Network Key - 38d57f2caa
|
|
|
gpuhash_me
Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 530
Team: gpuhash team
Reputation: 1185
Offline
|
Wed, 24 Oct 2018 @ 12:43:30
undersc0re said: I am trying to make telus script work and was wondering if you could help, I am brand new to python and scripting but would love to see example to make his work!!
I try to use gen_telus.py as stock from downloading like follows, prob total noob error as I have no idea what I am doing.
C:\Users\yzfr1\Desktop\ttnet_zyxel>py gen_telus.py S140Y12006484
File "gen_telus.py", line 75
print gen_telus(sn)
^
SyntaxError: invalid syntax
I try this one below script and it spits out wrong password so I am totally missing something, but at least the script spits something out without error.
C:\Users\yzfr1\Desktop\ttnet_zyxel>py ttnet_zyxel_key.py S140Y12006484
2B9A05f535470
I have this info below if you could use it for your testing needs or show me example to make it spit out password. Telus - Zyxel VSG1432
SN: S121K36004868
MAC ID: FCF528424B11
Wireless Network Name - TELUS4868
Wireless Network Key - 38d57f2caa
This script is for python 2.7, for python 3 and above it needs to be modified $ python --version
Python 2.7.12 $ python gen_telus.py
38d57f2caa
GPUHASH.me team official representative
Support, discounts, free offers for forum members
|
|
|
undersc0re
Status: n/a
Joined: Sat, 15 Apr 2017
Posts: 7
Team:
Reputation: 0
Offline
|
Wed, 24 Oct 2018 @ 17:57:48
Telus - Zyxel VSG1432
SN: S130Y13054555
MAC ID: EC43F649ACB3
Wireless Network Name - TELUS4555
Wireless Network Key - 74abce922c
Telus - Zyxel VSG1432
SN: 120Y01005518
MAC ID: CC5D4E7FE4F7
Wireless Network Name - TELUS5518
Wireless Network Key - 8ab2c8ce85
Hopefully these help you to perfect your script.
Is there a way to see the serial number in the .cap file? Just wondering if that is why you are doing this? Or is it that you just want to perfect a narrowed down mask or password file? Thank you, I have the script working well.
|
|
|
dipeperon
Status: n/a
Joined: Tue, 03 Apr 2018
Posts: 188
Team:
Reputation: 281
Online
|
Wed, 24 Oct 2018 @ 23:09:30
undersc0re said: Telus - Zyxel VSG1432
SN: S130Y13054555
MAC ID: EC43F649ACB3
Wireless Network Name - TELUS4555
Wireless Network Key - 74abce922c
Telus - Zyxel VSG1432
SN: 120Y01005518
MAC ID: CC5D4E7FE4F7
Wireless Network Name - TELUS5518
Wireless Network Key - 8ab2c8ce85
Hopefully these help you to perfect your script.
Is there a way to see the serial number in the .cap file? Just wondering if that is why you are doing this? Or is it that you just want to perfect a narrowed down mask or password file? Thank you, I have the script working well.
The serial number cannot be found in the packet.
My haschat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff
|
|
|