Home - Wireless Cracking - Unpublished WPA key algorithms

We starting this thread to bring to public domain some exclusive unpublished default WPA key algorithms that we use in our every day work.
Unpublished means you can't find it anywhere on the Web so (we hope) Hashkiller forum now will be its origin.

Lets start with TTNET_ZyXEL_XXXX default WPA key algorithm.
These Turkish ZyXEL routers have very strong default WPA key of 13 mixedcase hex digits uncrackable with ordinary bruteforcing.
Knowing the algo becomes possible to calculate default password from the router serial number.
Unfortunately router S/N not always known but search keyspace could be dramatically reduced to ~10^9 and even smaller size.

PoC with some test vectors attached below. The code is not optimal in any way and sometimes can contain (surprise!) MIPS disassembly written in python.

GPUHASH.me team official representative
Support, discounts, free offers for forum members

First, thank you for publishing this algorithm

Not sure I am ever likely to encounter a router like this, but still very interesting
cryptographically to see some example of convoluted code used to generate passphrases

But I am initially puzzled by the junk array

The perl seems to use it three characters at a time using an index from the emulated
MIPS assembler part

The junk array is 795 characters long, but arranged in lines of 61 for some reason?
Seems like a line length a multiple of 3 would make more sense?

I see i0 is effectively var_1a4 multiplied by 3 with line:
i0 = (var_1a4 << 1) + var_1a4

Anyway, the var_1a4 effectively has a range of 795/3 = 265 (0-264)
I would maybe have expected something more a power of 2 here?

Is there some reason why that MIPS bit is constrained to generate var_1a4 of only 0-264?
I have not unpicked it enough yet to see why this could be.

Stage 2 is tricky part (probably some floating point math) so we just emulated MIPS asm here and it works. The junk array was simple copied from firmware dump.
Its arranging means nothing it is 1-dimensional array so it arranged in lines just to better fit screen.

We warned the code is not optimal in any way (but it works) and we leave its optimization as exercise for the reader

GPUHASH.me team official representative
Support, discounts, free offers for forum members

OK, so there is more reverse engineering to be done here to understand better
the original design intent

The junk length of 265 * 3 instead of something like 256 * 3 is very curious, but those
extra 27 characters do not seem spurious and look to fit into the tri-graph pattern
as 9 additional three character groups?

I like a good puzzle

Nice work I like it.

Please read the forum rules | Please read the paid section rules
I accept private hash lists, with forum donations only.
BTC: 15qF9WUeFUD63ishxyAMiEgGqTcYzk4j9b
GPU Power: 9x GTX 1070 + 4x GTX 1080

Oops! I called it perl two posts back
Of course, this is all in python script

I started off thinking I would unpick the stage 2 MIPS part, but then got
sidetracked trying to figure out how they set up the input of var_1a0 to stage 2.

Whoever designed this algorithm deserves some kind of award for the most
obfuscated approach imaginable

It starts of pretty easy by taking the md5 of the serial number

md5("S150Y13068675") = f49ab8d6ce27819152c99e926d1f1372

But then there is a twist where every character at an even offset in the md5
hash is made uppercase (does not affect digits in those positions, obviously)

So the hash ends up looking like this
F49aB8D6Ce27819152C99e926d1f1372

Note the f at offset 0 is now F, but the a at offset 3 is unchanged and so on.
Only even offsets are made uppercase. Odd offsets are left alone.

Finally, the numerical ascii values for all those characters in the modified
hash are summed together to get 0x7d6 or 2006 in decimal

This is the value that ends up in var_1a0 at the input of stage 2 for this
particular serial number

What is also interesting is that they do the same case shifting trick right at
the end of the algorithm

The final md5 hash for the algorithm is 52aec8568b91e1dcbca5142e95fd31f5
This becomes 52AeC8568b91E1DcBcA5142e95Fd31F5, following the case shifting
rule described earlier

Then the actual PSK is taken out at offset 13 with length 13 to give 1DcBcA5142e95

Because of that odd offset of 13 the case shifting moves so that now even offsets
in the PSK are made uppercase and odd offsets are left alone.

However, this completely negates the upper/lower hex case aspect, because it
is entirely predictable.

For a brute force search, you would be looking for [0-9a-f] at even offsets in the PSK
and [0-9A-F] at odd offsets in the PSK.

Still a 16^13 as a brute force search, which means you still need to know the algorithm
to crack it, but the fact that there are upper and lower case hex characters in the PSK
adds nothing to the complexity.

Sorry for highjacking this thread with my thoughts on this algorithm

Got some bad news through another board that purelogic has left here now
So I must leave also

Sad to hear both purelogic and cryptonite are now gone from the board.

Both were the most interesting posters on here for me, so I think I am done here as well

I was going to leave them both some final farewell rep, but even the rep comments
have been disabled now

Shit! I thought if I threatened to flounce off like winxp5421, something
would get changed for the better

I see now that strategy only works for the chosen few
Just being silently ignored is the best I can manage

Still not happy about the reputation comment change
How the hell are we going to do sneaky PMs on here any more?

I also found this algorithm some time ago.

Hey gpuhash, what about your Videotron algorithm?

BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

Everything has its time

GPUHASH.me team official representative
Support, discounts, free offers for forum members

Release that and perhaps I would share my HOME-XXXX + HOME-XXXX-2.4/5 + XFSETUP-XXXX dictionary

BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

Find me 2 Videtron-XXXX with keys and the first digits of their mac need to be the same XX:XX:XX:XX:XX:XX
And if is posible the S/N
and i will publish the algorithm

SSID: VIDEOTRON9364
WAN MAC: 04:BF:6D:5A:2D:CB
Serial: S160A13009364
Password: 4AXCF9CAT7XV3

SSID: VIDEOTRON3104
WAN MAC: 04:BF:6D:5D:2D:3B
Serial: S160A24003104
Password: UNXPKKXRA7HTU

SSID: VIDEOTRON8694
WAN MAC: 04:BF:6D:5D:84:93
Serial: S160A24008694
Password: K3TMPK7943UWY

SSID: VIDEOTRON1586
WAN MAC: 04:BF:6D:5C:77:DB
Serial: S160A22001586
Password: UUTUV43THA943

BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

Anything on this algorithm?

BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

SSID: AT-68C5
MAC: 30:74:96:DC:68:C5
Serial: J3N8W17327003052
Password: 5C5FWAEU29

SSID: AT-364F
MAC: 54:25:EA:FD:36:4F
Serial: J3N8W17502003495
Password: YP3ETF2EVS

MODEL: HUAWEI HG659

Hi,

How can I use this ?

Playing with TTNET_ZyXEL algo we accidentally discovered that Canadian ISP Telus use basically the same algo for their ZyXEL routers (with few differences), they generate 10 lower hex string then correct 0 and 1 chars to chars outside a-f region.
Attached PoC offers only partial coverage because of missing final correction but it clearly shows the approach.
To implement correction we need more known SN/key pairs.

GPUHASH.me team official representative
Support, discounts, free offers for forum members

https://www.quotemaster.org/images/45/45ebaa91b713c5b9eba710571018c8de.jpg
https://192-168-1-254.tech/wp-content/uploads/2018/02/know-firmware-version-of-router.png
http://static.telus.com/common/cms/images/get-help/internet/17-00943_Modem_images_Modem-v2-T3200M-03.jpg
http://static.telus.com/common/cms/images/support-content/internet/17-00943_Modem_images_Modem-v2-Actiontec1000-01.jpg
https://www.picclickimg.com/00/s/NTk2WDEyODA=/z/dWAAAOSwEeFVHzJC/$/Actiontec-V1000H-Wireless-N-Vdsl-Modem-Router-For-_1.jpg
https://i.ebayimg.com/images/g/dWAAAOSwEeFVHzJC/s-l1600.jpg

thanks for sharing these algoritm.
I want ask you something. Can you find TurkTelekom_TXXXX TP-link W9970 algoritm? or only use a-z-A-Z-0-9 8 char?

Your links all from Actiontec routers, not ZyXEL

Probably will be released later

GPUHASH.me team official representative
Support, discounts, free offers for forum members

have you try with DJAWEB_XXXXX algo
default key are 13 hex [0-9 A-F] router huawei hg532e

ohh sorry for that. Seem like zyxel system .

Finally I found some telus zyxel

here
https://s3-us-west-2.amazonaws.com/usedphotosna/57922915_934.jpg

script find 1 char different
sn:S140Y12006484
pass:a1ad243694

https://s3-us-west-2.amazonaws.com/usedphotosna/75078354_614.jpg
Yes found true pass
SN:S120Z07008282
pass:6f2344d6b9

I will wait for good news for TurkTelekom_TXXXX. I really bored trying evil twin

Hi all I fount new device for this algoritm

\ttnet_zyxel2.py
S/N ............ ['S17AA42004336', 'S17AA36002767', 'S17AA37008298']
Known PSK ...... ['09041DdB34e39', '7Cc4f868dC749', '4C710DfB4Fd4f']
Our PSK ........ ['09041DdB34e39', '7Cc4f868dC749', '4C710DfB4Fd4f']
SUCCESS!

I test finding images.
https://i0.shbdn.com/photos/31/14/29/x16_597311429t1h.jpg
https://i0.shbdn.com/photos/30/82/35/x16_606308235dbi.jpg
https://i0.shbdn.com/photos/36/20/89/x16_607362089eb3.jpg

MODEL: ZYXEL VMG8324-B10A
SSİD: ZyXEL_HGW_XXXXX
ISS TURKEY - TURKTELEKOM

I am trying to make telus script work and was wondering if you could help, I am brand new to python and scripting but would love to see example to make his work!!
I try to use gen_telus.py as stock from downloading like follows, prob total noob error as I have no idea what I am doing.

C:\Users\yzfr1\Desktop\ttnet_zyxel>py gen_telus.py S140Y12006484
File "gen_telus.py", line 75
print gen_telus(sn)
^
SyntaxError: invalid syntax

I try this one below script and it spits out wrong password so I am totally missing something, but at least the script spits something out without error.

C:\Users\yzfr1\Desktop\ttnet_zyxel>py ttnet_zyxel_key.py S140Y12006484
2B9A05f535470

I have this info below if you could use it for your testing needs or show me example to make it spit out password.

Telus - Zyxel VSG1432
SN: S121K36004868
MAC ID: FCF528424B11
Wireless Network Name - TELUS4868
Wireless Network Key - 38d57f2caa

This script is for python 2.7, for python 3 and above it needs to be modified

$ python --version
Python 2.7.12

$ python gen_telus.py
38d57f2caa

GPUHASH.me team official representative
Support, discounts, free offers for forum members

Telus - Zyxel VSG1432
SN: S130Y13054555
MAC ID: EC43F649ACB3
Wireless Network Name - TELUS4555
Wireless Network Key - 74abce922c

Telus - Zyxel VSG1432
SN: 120Y01005518
MAC ID: CC5D4E7FE4F7
Wireless Network Name - TELUS5518
Wireless Network Key - 8ab2c8ce85

Hopefully these help you to perfect your script.

Is there a way to see the serial number in the .cap file? Just wondering if that is why you are doing this? Or is it that you just want to perfect a narrowed down mask or password file? Thank you, I have the script working well.

The serial number cannot be found in the packet.

My haschat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff
BTC: 3C2h4xscGRq7XfZLicoVjRVkYrqqJ1Urc5