gpuhash_me
Status: Trusted
Joined: Sun, 08 Nov 2015
Posts: 571
Team: gpuhash team
Reputation: 1270
Online
|
Mon, 07 Aug 2017 @ 21:36:16
We are starting this thread to bring to the public domain some exclusive unpublished default WPA key algorithms that we use in our everyday work. Unpublished means you can't find it anywhere on the Web, so (we hope) the Hashkiller forum will now be its origin. Let's start with the TTNET_ZyXEL_XXXX default WPA key algorithm. These Turkish ZyXEL routers have a very strong default WPA key of 13 mixed-case hex digits, uncrackable with ordinary bruteforcing. Knowing the algo, it becomes possible to calculate the default password from the router serial number. Unfortunately the router S/N is not always known, but the search keyspace can be dramatically reduced to ~10^9 and even smaller. PoC with some test vectors is attached below. The code is not optimal in any way and sometimes can contain (surprise!) MIPS disassembly written in python.
GPUHASH.me team official representative Support, discounts, free offers for forum members
|
Attachments: |
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 05:50:14
First, thank you for publishing this algorithm. Not sure I am ever likely to encounter a router like this, but it is still very interesting cryptographically to see some example of convoluted code used to generate passphrases. But I am initially puzzled by the junk array. The perl seems to use it three characters at a time using an index from the emulated MIPS assembler part. The junk array is 795 characters long, but arranged in lines of 61 for some reason? Seems like a line length that is a multiple of 3 would make more sense? I see i0 is effectively var_1a4 multiplied by 3 with the line: i0 = (var_1a4 << 1) + var_1a4. Anyway, var_1a4 effectively has a range of 795/3 = 265 (0-264). I would maybe have expected something more like a power of 2 here? Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264? I have not unpicked it enough yet to see why this could be.
|
|
|
gpuhash_me
Status: Trusted
Joined: Sun, 08 Nov 2015
Posts: 571
Team: gpuhash team
Reputation: 1270
Online
|
Tue, 08 Aug 2017 @ 06:19:09
cryptonite said: The junk array is 795 characters long, but arranged in lines of 61 for some reason? Seems like a line length a multiple of 3 would make more sense? I see i0 is effectively var_1a4 multiplied by 3 with line: i0 = (var_1a4 << 1) + var_1a4 Anyway, the var_1a4 effectively has a range of 795/3 = 265 (0-264) I would maybe have expected something more a power of 2 here? Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264? I have not unpicked it enough yet to see why this could be.
Stage 2 is the tricky part (probably some floating point math), so we just emulated the MIPS asm here and it works. The junk array was simply copied from the firmware dump. Its arrangement means nothing; it is a 1-dimensional array, so it is arranged in lines just to better fit the screen. We warned the code is not optimal in any way (but it works) and we leave its optimization as an exercise for the reader.
|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 06:57:25
gpuhash_me said: Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works. The junk array was simple copied from firmware dump. Its arranging means nothing it is 1-dimensional array so it arranged in lines just to better fit screen. We warned the code is not optimal in any way (but it works) and we leave its optimization as exercise for the reader
OK, so there is more reverse engineering to be done here to better understand the original design intent. The junk length of 265 * 3 instead of something like 256 * 3 is very curious, but those extra 27 characters do not seem spurious and look to fit into the tri-graph pattern as 9 additional three-character groups? I like a good puzzle.
|
|
|
blandyuk
Admin / Owner
Status: Trusted
Joined: Tue, 05 Jul 2011
Posts: 3093
Team: HashKiller
Reputation: 4140
Online
|
Tue, 08 Aug 2017 @ 08:46:44
Nice work I like it.
Please read the forum rules | Please read the paid section rules I accept private hash lists, with forum donations only. BTC: 15qF9WUeFUD63ishxyAMiEgGqTcYzk4j9b GPU Power: 9x GTX 1070 + 4x GTX 1080

|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 10:04:40
Oops! I called it perl two posts back. Of course, this is all in a python script.
|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 17:21:39
I started off thinking I would unpick the stage 2 MIPS part, but then got sidetracked trying to figure out how they set up the input of var_1a0 to stage 2. Whoever designed this algorithm deserves some kind of award for the most obfuscated approach imaginable.
It starts off pretty easy by taking the md5 of the serial number:
md5("S150Y13068675") = f49ab8d6ce27819152c99e926d1f1372
But then there is a twist where every character at an even offset in the md5 hash is made uppercase (does not affect digits in those positions, obviously). So the hash ends up looking like this:
F49aB8D6Ce27819152C99e926d1f1372
Note the f at offset 0 is now F, but the a at offset 3 is unchanged, and so on. Only even offsets are made uppercase. Odd offsets are left alone.
Finally, the numerical ascii values of all those characters in the modified hash are summed together to get 0x7d6, or 2006 in decimal. This is the value that ends up in var_1a0 at the input of stage 2 for this particular serial number.
|
|
|
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Tue, 08 Aug 2017 @ 18:01:17
What is also interesting is that they do the same case shifting trick right at the end of the algorithm. The final md5 hash for the algorithm is 52aec8568b91e1dcbca5142e95fd31f5. This becomes 52AeC8568b91E1DcBcA5142e95Fd31F5, following the case shifting rule described earlier. Then the actual PSK is taken out at offset 13 with length 13 to give 1DcBcA5142e95. Because of that odd offset of 13, the case shifting moves so that now even offsets in the PSK are made uppercase and odd offsets are left alone. However, this completely negates the upper/lower hex case aspect, because it is entirely predictable. For a brute force search, you would be looking for [0-9a-f] at even offsets in the PSK and [0-9A-F] at odd offsets in the PSK. Still 16^13 as a brute force search, which means you still need to know the algorithm to crack it, but the fact that there are upper and lower case hex characters in the PSK adds nothing to the complexity.
|
|
|
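The two cryptonite posts above (the even-offset case shift feeding stage 2, and the same shift plus the offset-13 cut at the end) as a small added example; this is not code from the thread's attachment. The hash strings and PSKs are the ones quoted in the thread, and the keyspace arithmetic is added here to make the "mixed case adds nothing" point measurable.

```python
import hashlib
import math

# Values constructed from what the thread quotes (not from the attachment):
STAGE1_HASH = "f49ab8d6ce27819152c99e926d1f1372"  # md5("S150Y13068675") per the post
FINAL_HASH = "52aec8568b91e1dcbca5142e95fd31f5"   # final md5 quoted in the post
KNOWN_PSKS = ["1DcBcA5142e95", "09041DdB34e39", "7Cc4f868dC749", "4C710DfB4Fd4f"]

PSK_OFFSET, PSK_LEN = 13, 13


def case_shift(hexdigest: str) -> str:
    """Uppercase every character at an even offset; odd offsets stay as they are."""
    return "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(hexdigest))


def stage1_sum(hexdigest: str) -> int:
    """Sum of the ASCII codes of the case-shifted digest (var_1a0 in the post)."""
    return sum(ord(c) for c in case_shift(hexdigest))


def stage1_from_serial(serial: str) -> int:
    """Same as stage1_sum, but starting from the serial number as the post does."""
    return stage1_sum(hashlib.md5(serial.encode("ascii")).hexdigest())


def extract_psk(final_hexdigest: str) -> str:
    """Case-shift the final digest, then cut 13 characters starting at offset 13."""
    return case_shift(final_hexdigest)[PSK_OFFSET:PSK_OFFSET + PSK_LEN]


def matches_case_pattern(psk: str) -> bool:
    """Because the cut starts at an odd offset, any letter at an even PSK offset
    is lowercase and any letter at an odd PSK offset is uppercase. A key that
    breaks this pattern cannot have come from this generator."""
    if len(psk) != PSK_LEN:
        return False
    for i, c in enumerate(psk):
        if c not in "0123456789abcdefABCDEF":
            return False
        if c.isalpha() and c.isupper() != (i % 2 == 1):
            return False
    return True


def keyspace_bits(alphabet_size: int, length: int = PSK_LEN) -> float:
    """Bits of entropy for a uniformly chosen key over the given alphabet.
    22 symbols (0-9, a-f, A-F) looks stronger than 16, but with the fixed
    case pattern the real alphabet per position is 16."""
    return length * math.log2(alphabet_size)
```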
cryptonite
Status: n/a
Joined: Tue, 27 Jun 2017
Posts: 33
Team:
Reputation: 0
Offline
|
Wed, 09 Aug 2017 @ 08:40:14
Sorry for hijacking this thread with my thoughts on this algorithm. Got some bad news through another board that purelogic has left here now, so I must leave also.
|
|
|
mackinson
Status: n/a
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106
Offline
|
Wed, 09 Aug 2017 @ 17:12:10
Sad to hear both purelogic and cryptonite are now gone from the board. Both were the most interesting posters on here for me, so I think I am done here as well. I was going to leave them both some final farewell rep, but even the rep comments have been disabled now.
|
|
|
mackinson
Status: n/a
Joined: Sun, 11 Jun 2017
Posts: 109
Team:
Reputation: 106
Offline
|
Thu, 10 Aug 2017 @ 10:34:21
Shit! I thought if I threatened to flounce off like winxp5421, something would get changed for the better. I see now that strategy only works for the chosen few. Just being silently ignored is the best I can manage. Still not happy about the reputation comment change. How the hell are we going to do sneaky PMs on here any more?
|
|
|
Felis-Sapiens
Status: n/a
Joined: Thu, 07 Jul 2016
Posts: 159
Team:
Reputation: 350
Offline
|
Sun, 13 Aug 2017 @ 14:48:34
gpuhash_me said: Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works.
It's just a division (integer). I also found this algorithm some time ago.
|
Attachments: |
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421
Offline
|
Sat, 26 Aug 2017 @ 20:23:59
Hey gpuhash, what about your Videotron algorithm? 
BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1 NVIDIA 1x GTX 1080 Founder’s Edition 1x GTX 980 Reference Design
|
|
|
gpuhash_me
Status: Trusted
Joined: Sun, 08 Nov 2015
Posts: 571
Team: gpuhash team
Reputation: 1270
Online
|
Sat, 26 Aug 2017 @ 21:03:18
soxrok2212 said: Hey gpuhash, what about your Videotron algorithm?
Everything has its time.
|
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421
Offline
|
Sat, 26 Aug 2017 @ 22:44:54
Release that and perhaps I would share my HOME-XXXX + HOME-XXXX-2.4/5 + XFSETUP-XXXX dictionary.
|
|
|
dark0
Status: n/a
Joined: Tue, 13 Feb 2018
Posts: 44
Team:
Reputation: 10
Offline
|
Wed, 21 Feb 2018 @ 03:04:48
soxrok2212 said: Hey gpuhash, what about your Videotron algorithm?
Find me 2 Videotron-XXXX with keys, and the first digits of their MAC need to be the same XX:XX:XX:XX:XX:XX, and if possible the S/N, and I will publish the algorithm.
|
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421
Offline
|
Wed, 21 Feb 2018 @ 03:44:27
SSID: VIDEOTRON9364 WAN MAC: 04:BF:6D:5A:2D:CB Serial: S160A13009364 Password: 4AXCF9CAT7XV3
SSID: VIDEOTRON3104 WAN MAC: 04:BF:6D:5D:2D:3B Serial: S160A24003104 Password: UNXPKKXRA7HTU
SSID: VIDEOTRON8694 WAN MAC: 04:BF:6D:5D:84:93 Serial: S160A24008694 Password: K3TMPK7943UWY
SSID: VIDEOTRON1586 WAN MAC: 04:BF:6D:5C:77:DB Serial: S160A22001586 Password: UUTUV43THA943
|
|
|
soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 451
Team:
Reputation: 421
Offline
|
Sun, 06 May 2018 @ 03:46:43
Anything on this algorithm?
|
|
|
JJ78
Status: n/a
Joined: Mon, 05 Feb 2018
Posts: 5
Team:
Reputation: 0
Offline
|
Fri, 11 May 2018 @ 09:21:42
SSID: AT-68C5 MAC: 30:74:96:DC:68:C5 Serial: J3N8W17327003052 Password: 5C5FWAEU29
SSID: AT-364F MAC: 54:25:EA:FD:36:4F Serial: J3N8W17502003495 Password: YP3ETF2EVS
MODEL: HUAWEI HG659
|
|
|
amatuercracker
Status: n/a
Joined: Sun, 19 Aug 2018
Posts: 29
Team: amatuerWPA
Reputation: 70
Offline
|
Sun, 19 Aug 2018 @ 22:28:26
Hi, how can I use this?
|
|
|
gpuhash_me
Status: Trusted
Joined: Sun, 08 Nov 2015
Posts: 571
Team: gpuhash team
Reputation: 1270
Online
|
Mon, 17 Sep 2018 @ 09:59:57
Playing with the TTNET_ZyXEL algo, we accidentally discovered that the Canadian ISP Telus uses basically the same algo for their ZyXEL routers (with a few differences): they generate a 10-character lowercase hex string, then correct the 0 and 1 chars to chars outside the a-f region. The attached PoC offers only partial coverage because of the missing final correction, but it clearly shows the approach. To implement the correction we need more known SN/key pairs.
|
Attachments: |
|
|
amatuercracker
Status: n/a
Joined: Sun, 19 Aug 2018
Posts: 29
Team: amatuerWPA
Reputation: 70
Offline
|
Mon, 17 Sep 2018 @ 11:21:21
https://www.quotemaster.org/images/45/45ebaa91b713c5b9eba710571018c8de.jpg
https://192-168-1-254.tech/wp-content/uploads/2018/02/know-firmware-version-of-router.png
http://static.telus.com/common/cms/images/get-help/internet/17-00943_Modem_images_Modem-v2-T3200M-03.jpg
http://static.telus.com/common/cms/images/support-content/internet/17-00943_Modem_images_Modem-v2-Actiontec1000-01.jpg
https://www.picclickimg.com/00/s/NTk2WDEyODA=/z/dWAAAOSwEeFVHzJC/$/Actiontec-V1000H-Wireless-N-Vdsl-Modem-Router-For-_1.jpg
https://i.ebayimg.com/images/g/dWAAAOSwEeFVHzJC/s-l1600.jpg
Thanks for sharing this algorithm. I want to ask you something. Can you find the TurkTelekom_TXXXX TP-Link W9970 algorithm? Or does it only use a-z A-Z 0-9, 8 chars?
|
|
|
gpuhash_me
Status: Trusted
Joined: Sun, 08 Nov 2015
Posts: 571
Team: gpuhash team
Reputation: 1270
Online
|
Mon, 17 Sep 2018 @ 11:35:36
amatuercracker said: (the image links above)
Your links are all from Actiontec routers, not ZyXEL.
amatuercracker said: thanks for sharing these algoritm. I want ask you something. Can you find TurkTelekom_TXXXX TP-link W9970 algoritm? or only use a-z-A-Z-0-9 8 char?
Probably will be released later.
|
|
|
SsiD1
Status: n/a
Joined: Wed, 26 Apr 2017
Posts: 20
Team:
Reputation: 20
Offline
|
Mon, 17 Sep 2018 @ 11:51:22
Have you tried the DJAWEB_XXXXX algo? The default keys are 13 hex [0-9A-F], router Huawei HG532e.
|
|
|
amatuercracker
Status: n/a
Joined: Sun, 19 Aug 2018
Posts: 29
Team: amatuerWPA
Reputation: 70
Offline
|
Mon, 17 Sep 2018 @ 11:57:00
Ohh, sorry for that. Seems like a ZyXEL system. Finally I found some Telus ZyXEL here:
https://s3-us-west-2.amazonaws.com/usedphotosna/57922915_934.jpg
Script finds 1 char different: sn:S140Y12006484 pass:a1ad243694
https://s3-us-west-2.amazonaws.com/usedphotosna/75078354_614.jpg
Yes, found the true pass: SN:S120Z07008282 pass:6f2344d6b9
I will wait for good news for TurkTelekom_TXXXX. I'm really bored of trying evil twin.
|
|
|
amatuercracker
Status: n/a
Joined: Sun, 19 Aug 2018
Posts: 29
Team: amatuerWPA
Reputation: 70
Offline
|
Sat, 06 Oct 2018 @ 22:21:02
Hi all, I found a new device for this algorithm.
\ttnet_zyxel2.py
S/N ............ ['S17AA42004336', 'S17AA36002767', 'S17AA37008298']
Known PSK ...... ['09041DdB34e39', '7Cc4f868dC749', '4C710DfB4Fd4f']
Our PSK ........ ['09041DdB34e39', '7Cc4f868dC749', '4C710DfB4Fd4f']
SUCCESS!
I tested by finding images:
https://i0.shbdn.com/photos/31/14/29/x16_597311429t1h.jpg
https://i0.shbdn.com/photos/30/82/35/x16_606308235dbi.jpg
https://i0.shbdn.com/photos/36/20/89/x16_607362089eb3.jpg
MODEL: ZYXEL VMG8324-B10A
SSID: ZyXEL_HGW_XXXXX
ISS TURKEY - TURKTELEKOM
|
|
|
undersc0re
Status: n/a
Joined: Sat, 15 Apr 2017
Posts: 7
Team:
Reputation: 0
Offline
|
Wed, 24 Oct 2018 @ 10:28:49
I am trying to make the telus script work and was wondering if you could help. I am brand new to python and scripting but would love to see an example to make this work!! I try to use gen_telus.py as stock from downloading like follows, prob total noob error as I have no idea what I am doing.
C:\Users\yzfr1\Desktop\ttnet_zyxel>py gen_telus.py S140Y12006484
File "gen_telus.py", line 75
print gen_telus(sn)
^
SyntaxError: invalid syntax
I try the other script below and it spits out the wrong password, so I am totally missing something, but at least the script spits something out without error.
C:\Users\yzfr1\Desktop\ttnet_zyxel>py ttnet_zyxel_key.py S140Y12006484
2B9A05f535470
I have this info below if you could use it for your testing needs or show me an example to make it spit out the password.
Telus - Zyxel VSG1432
SN: S121K36004868
MAC ID: FCF528424B11
Wireless Network Name - TELUS4868
Wireless Network Key - 38d57f2caa
|
|
|
gpuhash_me
Status: Trusted
Joined: Sun, 08 Nov 2015
Posts: 571
Team: gpuhash team
Reputation: 1270
Online
|
Wed, 24 Oct 2018 @ 12:43:30
undersc0re said: I am trying to make telus script work and was wondering if you could help, I am brand new to python and scripting but would love to see example to make his work!! I try to use gen_telus.py as stock from downloading like follows, prob total noob error as I have no idea what I am doing.
C:\Users\yzfr1\Desktop\ttnet_zyxel>py gen_telus.py S140Y12006484
File "gen_telus.py", line 75
print gen_telus(sn)
^
SyntaxError: invalid syntax
I try this one below script and it spits out wrong password so I am totally missing something, but at least the script spits something out without error.
C:\Users\yzfr1\Desktop\ttnet_zyxel>py ttnet_zyxel_key.py S140Y12006484
2B9A05f535470
I have this info below if you could use it for your testing needs or show me example to make it spit out password. Telus - Zyxel VSG1432 SN: S121K36004868 MAC ID: FCF528424B11 Wireless Network Name - TELUS4868 Wireless Network Key - 38d57f2caa
This script is for python 2.7; for python 3 and above it needs to be modified.
$ python --version
Python 2.7.12
$ python gen_telus.py 38d57f2caa
|
|
|
undersc0re
Status: n/a
Joined: Sat, 15 Apr 2017
Posts: 7
Team:
Reputation: 0
Offline
|
Wed, 24 Oct 2018 @ 17:57:48
Telus - Zyxel VSG1432
SN: S130Y13054555
MAC ID: EC43F649ACB3
Wireless Network Name - TELUS4555
Wireless Network Key - 74abce922c
Telus - Zyxel VSG1432
SN: 120Y01005518
MAC ID: CC5D4E7FE4F7
Wireless Network Name - TELUS5518
Wireless Network Key - 8ab2c8ce85
Hopefully these help you to perfect your script. Is there a way to see the serial number in the .cap file? Just wondering if that is why you are doing this? Or is it that you just want to perfect a narrowed-down mask or password file? Thank you, I have the script working well.
|
|
|
dipeperon
Status: n/a
Joined: Tue, 03 Apr 2018
Posts: 285
Team:
Reputation: 380
Online
|
Wed, 24 Oct 2018 @ 23:09:30
undersc0re said: Telus - Zyxel VSG1432 SN: S130Y13054555 MAC ID: EC43F649ACB3 Wireless Network Name - TELUS4555 Wireless Network Key - 74abce922c Telus - Zyxel VSG1432 SN: 120Y01005518 MAC ID: CC5D4E7FE4F7 Wireless Network Name - TELUS5518 Wireless Network Key - 8ab2c8ce85 Hopefully these help you to perfect your script. Is there a way to see the serial number in the .cap file? Just wondering if that is why you are doing this? Or is it that you just want to perfect a narrowed down mask or password file? Thank you, I have the script working well.
The serial number cannot be found in the packet.
My hashcat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff BTC: 3C2h4xscGRq7XfZLicoVjRVkYrqqJ1Urc5
|
|
|