
Thompson, BTHomeHub and BTHomeHub2 Router Algos


43 Results - Page 1 of 2
blandyuk (Admin / Owner) - Tue, 05 Jul 2011 @ 11:30:56

Been working on this and trying to figure out how the BTHomeHub2 router WPA key algorithm works. Tried numerous ways with available data but no luck so far. Anyway, for a start, here are the Thompson and BTHomeHub router algos:

Ref: http://www.gnucitizen.org/blog/...and-bt-home-hub-routers/

Thompson
S/N: CP0615JT109 (53)
Remove CC and PP values: CP0615109
"XXX" values hex-encoded: CP0615313039
SHA1(CP0615313039): 742da831d2b657fa53d347301ec610e1ebf8a3d0
Default SSID: SpeedTouchF8A3D0
Default encryption key: 742da831d2

BTHomeHub
S/N: CP0647EH6DM(BF)
Remove CC and PP values: CP06476DM
"XXX" values hex-encoded: CP064736444D
SHA1(CP064736444D): 06f48a28eba1ab896a396077d772fd65503b8df3
Default SSID: BTHomeHub-8DF3
Default encryption key: 06f48a28eb

But I hear you say, "But how do you know the CP number?", well based on all possibilities, you can simply loop through them all and search the SHA1 string for the last 4-6 hex chars of the SSID. There is a tool called STKeys but I have found it does not cater for collisions, it displays the first possibility which is not correct, so I have written my own with great success although the BTHomeHub does end up with about 80 possibilities!

Anyway, down to the BTHomeHub2, here is real data which has been provided:

Ref: http://code.google.com/p/androi...olver/issues/detail?id=5

Code:
SSID             WPA Key     Admin PW   Wireless Pin   Serial Number   MAC Address    MAC (WiFi Module)
BTHomeHub2-49C6  63fd6f93d6  SM92QWFE   9450-5696      CP0902JH18M     0024170C4DA9   00242B544464
BTHomeHub2-QK3Q  5296be96e6  A625PKCC   9165-7855      CP0912JH7N1     00241711E977   00242BE3ACEC
BTHomeHub2-K4MZ  fe4d828dd5  9A171WN7   4781-9344      CP0916PH4FC     002417162D40   00242C5F82E2
BTHomeHub2-MT69  8f3c4ff833  H1N1202Z   5123-4713      CP0827JHRWZ     001F9F413C1E   001FE29BF67E

edited by blandyuk on 06/07/2011


Please read the forum rules | Please read the paid section rules
I accept private hash lists, with forum donations only.
BTC: 15qF9WUeFUD63ishxyAMiEgGqTcYzk4j9b
GPU Power: 9x GTX 1070 + 4x GTX 1080
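The Thomson / BTHomeHub derivation in the post above, as an added verification script (not blandyuk's tool and not STKeys): it takes the serial printed on a router's own label, rebuilds the hashed string the way the post describes (drop PP and the bracketed CC, hex-encode the XXX characters, SHA1), and reports whether a given SSID/key pair is the serial-derived default. It only computes the forward direction from a known serial; the function names and the `ssid_suffix_len` parameter (6 for SpeedTouch, 4 for BTHomeHub, as in the post's examples) are my own. For an owner the useful outcome is that a `True` from the check means the 40-bit key is bound to a value broadcast in every beacon and should be replaced with a random passphrase.

```python
import hashlib


def serial_to_hash_input(serial: str) -> str:
    """Normalise a printed Thomson/BT Home Hub serial into the string that is hashed.

    Layout as described in the post: CP + YYWW + PP + XXX + (CC).  PP and the
    bracketed CC are dropped, and the three XXX characters are replaced by the
    hex encoding of their ASCII codes, e.g. "109" -> "313039".
    """
    body = serial.split("(")[0].strip()  # "CP0615JT109 (53)" -> "CP0615JT109"
    if len(body) != 11 or not body.startswith("CP"):
        raise ValueError(f"unexpected serial layout: {serial!r}")
    yyww = body[2:6]   # production year/week, kept as printed
    xxx = body[8:11]   # unit code; body[6:8] (the PP code) is discarded
    return "CP" + yyww + xxx.encode("ascii").hex().upper()


def derive_default(serial: str, ssid_suffix_len: int) -> tuple[str, str]:
    """Return (default key, SSID suffix) for a serial under the SHA1 scheme.

    The key is the first 10 hex chars of the digest; the SSID suffix is the
    last ssid_suffix_len hex chars, upper-cased.  ssid_suffix_len is an
    assumed parameter: 6 for SpeedTouch, 4 for BTHomeHub per the post.
    """
    digest = hashlib.sha1(serial_to_hash_input(serial).encode("ascii")).hexdigest()
    return digest[:10], digest[-ssid_suffix_len:].upper()


def key_is_derived_default(serial: str, ssid: str, key: str, ssid_suffix_len: int) -> bool:
    """Owner self-check: True when the (SSID, key) pair in use is exactly what the
    serial-derived scheme produces, i.e. the key is tied to a value every beacon
    broadcasts and should be replaced with a random passphrase."""
    default_key, suffix = derive_default(serial, ssid_suffix_len)
    return ssid.upper().endswith(suffix) and key.lower() == default_key


# Sample label data taken from the post above (page data, not constructed here).
SAMPLES = [
    ("CP0615JT109 (53)", "SpeedTouchF8A3D0", "742da831d2", 6),
    ("CP0647EH6DM(BF)", "BTHomeHub-8DF3", "06f48a28eb", 4),
]

if __name__ == "__main__":
    for serial, ssid, key, n in SAMPLES:
        print(serial_to_hash_input(serial), derive_default(serial, n),
              key_is_derived_default(serial, ssid, key, n))
```

Run as-is it reproduces both hash inputs from the post (CP0615313039 and CP064736444D) and confirms that each listed SSID/key pair is the derived default; feed it your own label serial, current SSID and current key to see whether the default is still in place.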

blandyuk (Admin / Owner) - Tue, 05 Jul 2011 @ 12:01:53

Found something interesting with the BT BusinessHubs, here are the details:

Code:
SSID                Key          Serial           MAC
BTBusinessHub-653   6214401462   500711028653 R   00:1e:c7:32:9f:e0
BTFusion-8653       2726824018   500711028653 R   00:1e:c7:32:9f:e0

Notice the numbers on the ends of the APs relate to the end of the serial number, just need to figure out how the WEP and WPA keys are generated.

Here are 2 more but only have AP names and WEP codes:

Code:
SSID                Key          Serial   MAC
BTBusinessHub-697   1308420166
BTBusinessHub-467   1450352354

edited by blandyuk on 17/08/2011



Hash-IT - Tue, 02 Aug 2011 @ 21:50:41

Nice work Blandy.

I love this sort of thing, gradually narrowing down the keyspace !

I can confirm, in my own limited experience, with the routers you mention that your estimates of what characters are used and the wpa key length are correct.


Please read the forum rules. | Please read the paid section rules.

BTC: 1MmWESN5bKZ1YSuHrm5uNwnQYxWyQnEQ6E

Hash-IT - Wed, 10 Aug 2011 @ 16:09:22

Just to add one more...

TalkTalk UK.

WPA Keys are...

13 characters long. lowercase, a-z & 0-9. The first and last characters seem to be the same each time.

Example.

ayr8u2kn7cdka notice "a___a".



Mullog - Wed, 10 Aug 2011 @ 18:28:02

from wardriving-forum.de
very interesting and I can confirm it works
maybe only relevant for the European/German region
Source: http://www.wardriving-forum.de/wiki/Standardpassw%C3%B6rter#SPEEDPORT

quickly translated into English ^^:

SPEEDPORT (miscellaneous models: 500, 700, ...)

THEORY: for some Telekom Speedport routers with a short SSID ("WLAN-ABCDgh") the standard key can be guessed from the SSID and MAC. The key can also be derived from the MAC + serial number (when known).

H = HEXadecimal (0 - 9 ... A - F)
Z = Numerical
U = Uppercase
L = Lowercase

Code:
SSID: WLAN-HHHHZZ   Key: SP-ZZZHHHZZZ   MAC: HH:HH:HH:HH:HH:HH  SN: JZZZZZZZZZ
------------------------------------------------------------------------------
SSID: WLAN-81DD62   Key: SP-692DA7349   MAC: 00:12:BF:81:DD:A7  SN: J619365492
SSID: WLAN-156F55   Key: SP-545FFB404   MAC: 00:1A:2A:15:5F:FB
SSID: WLAN-404571   Key: SP-7715C9447   MAC: 00:1A:2A:40:45:C9
SSID: WLAN-DCCE08   Key: SP-008E32310   MAC: 00:1A:2A:DC:CE:32
SSID: WLAN-A2DA56   Key: SP-566AFA306
SSID: WLAN-0AAD04   Key: SP-034D84443
SSID: WLAN-DF3349   Key: SP-419356361
==============================================================================
SSID: WLAN-abcdGH   KEY: SP-GzHDEFxyz   MAC: 00:##:##:ab:cD:EF  SN: JZZZxGZyzH

>SP-#########<< KEY beginning with "SP-" for 'Speedport',
>SP-G#H######<< the last 2 digits of the SSID (G,H) are the 1st and 3rd char of the KEY
>SP-G#HDEF###<< the last 3 hex digits of the MAC (D,E,F) are the 4th, 5th and 6th char of the KEY
>SP-GzHDEF##z<< the first and last unknown (z) are identical in the KEY. They are numerical [0-9]
>SP-GzHDEFxyz<< the last two unknowns (x,y) are numerical [0-9], too.

Now the Key contains only three unknowns: x,y,z ('z' exists twice) - [Also x,y,z are in the serial number of the router: "JZZZxGZyzH"]
With this knowledge you can create a list with all 1000 possibilities which remain [x,y,z={0-9} => 10³] and try them all: "SP-g0hdef000" --> "SP-g9hdef999"!


Why (x,y,z) are decimal, not hex:
all in all it's only an assumption but experience shows that (x,y,z) are most likely decimal
and the SNs are only numerical


Example of use:

here is the command line for crunch to create such a list:

Code:
./crunch 12 12 -t SP-G%HDEF%%% -o /root/ownd.txt

GH = last two digits of the SSID WLAN-abcdGH (e.g. WLAN-81DD62: GH = "6" and "2")
DEF = last 3 digits of the MAC

edited by Mullog on 11/08/2011


Hash-IT - Tue, 13 Dec 2011 @ 16:10:55

Just a bit of an update for you.

It used to be that Sky UK WPA passwords were 8 uppercase characters, this no longer seems to be the case. I have covered the entire keyspace on 2 of these routers now without success. I doubt they have been changed from default.

Anyone have any idea what the new Sky routers' WPA key consists of now ?



12345678 - Sat, 11 Feb 2012 @ 21:26:43

Hello,

The new default WPA key algorithm was documented recently but no recovery tool exists at the moment.
It works for BTHomeHub2 Type A (based on speedtouch model of router from Technicolor/Thomson) but not Type B which is based on Sagem hardware.

BT and Technicolor are already aware and Technicolor is fixing problem found.

See code here:

http://www.mediafire.com/?l2d57it4dkt6hso

The reason no tool exists is because it would take too long to recover a key on normal computer.
edited by 12345678 on 11/02/2012
edited by 12345678 on 12/02/2012


Hash-IT - Wed, 14 Mar 2012 @ 13:41:08

12345678 said:

Hello,

The new default WPA key algorithm was documented recently but no recovery tool exists at the moment.
It works for BTHomeHub2 Type A (based on speedtouch model of router from Technicolor/Thomson) but not Type B which is based on Sagem hardware.

BT and Technicolor are already aware and Technicolor is fixing problem found.

See code here:

http://www.mediafire.com/?l2d57it4dkt6hso

The reason no tool exists is because it would take too long to recover a key on normal computer.
edited by 12345678 on 11/02/2012
edited by 12345678 on 12/02/2012

Link is dead



12345678 - Thu, 15 Mar 2012 @ 03:00:13

Sorry, had to remove from mediafire but you can now download from here
If in future it should disappear, you'll find it on packetstormsecurity.org
edited by 12345678 on 15/03/2012


Hash-IT - Thu, 15 Mar 2012 @ 14:33:04

12345678 said:

Sorry, had to remove from mediafire but you can now download from here
If in future it should disappear, you'll find it on packetstormsecurity.org
edited by 12345678 on 15/03/2012

Thank you very much, very good of you to pop back and update your post

This looks interesting. I have a test to perform on a BT router that has had its ESSID changed so I was wondering what the standard WPA password layout was now ?

It was 10 characters using abcdef0123456789, anyone know if that is still the case ?



12345678 - Fri, 16 Mar 2012 @ 23:24:38

Hash-IT said:


Thank you very much, very good of you to pop back and update your post

This looks interesting. I have a test to perform on a BT router that has had its ESSID changed so I was wondering what the standard WPA password layout was now ?

It was 10 characters using abcdef0123456789, anyone know if that is still the case ?

If you've changed the default key on Type A but not the SSID and someone hypothetically had a recovery tool to discover the WPA key, the key recovered would be useless.

It would take millions of keys to try so an attacker would need to capture authentication packets between supplicant and router in order to speed it up.

Even though there is a vulnerability, it's unlikely anyone would be desperate enough to write tool and execute it right now..maybe that will change in future but the HH2 will in time get replaced by HH3 or HH4..etc so it's unlikely any crack will surface.

Type B based on Sagem has the key stored in hostapd.conf and it's not known how these are generated.
edited by 12345678 on 16/03/2012


marslander - Sun, 11 Nov 2012 @ 06:36:51

Blandy .. I find the first post very interesting and I have in range, I believe, a thompson router which I want to try out .. but how do I get the default encryption key and how do I use it after ?


blandyuk (Admin / Owner) - Sun, 11 Nov 2012 @ 11:19:40

You'll need to post the SSID and I'll run it thru my code and get the key(s) depending on how many collisions, (usually none with 6 char hex but sometimes there can be).



marslander - Sun, 11 Nov 2012 @ 19:56:02

TNCAP5E7473


blandyuk (Admin / Owner) - Mon, 12 Nov 2012 @ 09:01:01

Found 3:

Found: CP0877443150, 46a324a7e9ddfea293a7200c777c354f9d5e7473
Found: CP0896585559, 81d0c20252e58ab5703794a13b9e63cce05e7473
Found: CP0910424244, 19b40ca48a5f87daeccd59d4dfea25c5af5e7473

Possible keys are in yellow but I don't recognise the SSID so might not work.

edited by blandyuk on 12/11/2012



fred64 - Sun, 14 Apr 2013 @ 20:41:43

Hi,

I am a bit of a newbie to all of this and have messed about with Backtrack with some 'limited' success! What I was curious to know 'blandyuk' was could you elaborate on the 'But I hear you say, "But how do you know the CP number?"'


I am somewhat stumped!


Shift - Sat, 01 Feb 2014 @ 08:57:43

blandyuk said:

You'll need to post the SSID and I'll run it thru my code and get the key(s) depending on how many collisions, (usually none with 6 char hex but sometimes there can be).

hi blandy can these two ssids be done? thanks
BTHomeHub2-4FH7 (Thomson)
TNCAP36A08B (Technicolor)


blandyuk (Admin / Owner) - Sun, 02 Feb 2014 @ 23:04:33

fred64 and Shift, if u read the beginning of this thread, it will answer your questions



braincrash - Thu, 22 May 2014 @ 11:56:34

Hi,

Sorry to bring this topic up again, but is there any way to retrieve the wireless pin??

Thanks,


amanewbie - Tue, 15 Jul 2014 @ 17:50:03

hi blandy can these ssids be done? thanks

BTHomeHub2-59FQ
BTHomeHub2-W3FJ
BTHUB5-r76x
TALKTALK-6A5754
TALKTALK-B73384
TALKTALK-75DC90
SKY65321
SKYCEBDO
SKY7B064


Xor32h - Wed, 13 Aug 2014 @ 13:35:59

I'm new here so just to say a quick hello to you folks and to say thank you for all the time & effort you put into this community.

The task at hand:

Elsewhere in this thread, someone provided a link to a keygen written in C (stkeygen.c) which works with BTHomeHub2 Type A with which I am currently working - BTHomeHub2-GNQ3

My exposure to C / C++ was back in Uni so am a bit rusty and can't get it to compile without umpteen crazy errors - admittedly I d/loaded a free compiler and am having no joy at all.

I wondered if anyone could provide some helpful pointers as to how I can get it to work, and / or which compiler is best to use.

Many thanks in advance


Xor32h - Thu, 14 Aug 2014 @ 12:20:10

Scratch that, I figured it out.

Thx.


russ81 - Fri, 05 Sep 2014 @ 18:05:17

Hi Blandy,

I have just come across your post & I want to try testing my SSID. I am not sure how to generate it? Can you help? the SSID is: BTHomeHub2-2W97

Thx.


Birdy_UK (Banned) - Fri, 13 Mar 2015 @ 17:40:24

WARNING! User is BANNED and maybe a SCAMMER.

Hey blandy,

I am new to the whole cracking thing and been learning as i plod along.

I have been using reaver and airmon in my local area, I know several people down my street and have had airodump running in kali. I have found about 20 APs all with WPS turned ON, however reaver seems to take ages and I always get problems no matter what router I choose.

Majority are SKY and some are BTHomeHub 3,4 and 5.

My first WPA handshake was done today on a sky AP so i have converted this to hccap.
I would be willing to donate say £100, if you can help me crack the closest 3/4 WPA keys
Look forward to hearing from you. Thanks.

SKY725CA [binary .hccap contents pasted as unreadable text]


Hash-IT - Fri, 13 Mar 2015 @ 17:49:24

OK firstly hashkiller.co.uk is not a hacking site. I / we hope you have permission to test these networks.

You will also find many SKY and particularly BT routers are not vulnerable to reaver even though wash claims they are.

This LINK will take you to the page you need for your .hccaps to be cracked. The money paid to that page goes to Blandy.




Birdy_UK (Banned) - Fri, 13 Mar 2015 @ 17:57:35

Hi Hash-IT,

I have a very good job and most definitely would not want to get into trouble for (hacking) and invading someone's privacy. This is the ultimate test.. In fact, to put the truth out there, me and a few friends in the area have had a bet that should I provide the passwords a few pints from each neighbour is on the table!

I am doing this to learn the basics and also provide evidence it is possible to them.

It has got to the point now where they ask me every single day, have I cracked them!! so I am starting to look stupid now haha. I explained that someone can access their internet and perform a MITM attack to steal personal information.
Cheers.


Hash-IT - Fri, 13 Mar 2015 @ 18:02:17

That's good.

I suggest you try the service Blandy provides on the link I sent you. He has awesome cracking power, which he is in the process of upgrading. Also payments made to that page do at least go to Blandy and towards the running of the site.



mariust5 - Sat, 14 Mar 2015 @ 10:18:42

Hello guys, can anyone run the algorithm on BTHomeHub2-WCZM please.

Thanks in advance.


Milzo (Administrator) - Sat, 14 Mar 2015 @ 12:33:38

mariust5 said:

Hello guys , can anyone run the algorithm on BTHomeHub2-WCZM please .

Thanks in advance .

These routers are as old as the hills but enter this key : 2fd817eb9b


1CrqbgYU63zfLjwKVagyiTYP9XGMgyFAVm

Forum Rules
Scammer Tracker - https://i-disclose.net/o/scamtracker.php
XMPP - milzo@xmpp.jp

Birdy_UK (Banned) - Sat, 14 Mar 2015 @ 17:14:04

Hi Milzo,

Could you run this one please: BTHomeHub2-QG72

That is actually my own old router and I have no idea of any credentials for this, I would like to use this in the garage as a testing environment.

Thanks
Birdy.


