Home - Wireless Cracking - Xfinity HOME-XXXX/HOME-XXXX-2.4/5/XFSETUP-XXXX


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Fri, 08 Sep 2017 @ 18:19:00

Hi all, building and testing a new dictionary for Xfinity networks with the SSID formats:

HOME-XXXX
HOME-XXXX-2.4
HOME-XXXX-5
XFSETUP-XXXX

If you have any captures of these, could you please share them? Thank you!



BTC: 15NqL1zRSjF28iRZtBis5331Sn4cH19twU



100% free WPA/WPA2 cracking service:
https://www.communitycracking.pw
1x Nvidia GTX 980
2x AMD RX 480
1x AMD RX 570

DizzyAdam

Status: n/a
Joined: Wed, 18 May 2016
Posts: 114
Reputation: 59
Fri, 08 Sep 2017 @ 19:01:25


I don't have any CAP files, but I do have a few SSIDs and default passwords together with model numbers. Hope it helps! (Fan of your pixiedust work.)
I do notice a pattern with the older models, which have a verb + 4 digits + a 5/6-character word.
As for the other models, I think it's [A-Z 0-9], 16 characters.

HOME-ED39-2.4 : cough4073candid - Model: Cisco XB3 DPC3941T
HOME-4900-2.4 : feast2955charge - Model: Technicolor XB3 DPC3941T
XFSETUP-790C : chores1049below - Model: Arris TG1682G
HOME-D0C0 : 15FA178C050D383F - Model: Technicolor TC8305C
HOME-720F : 953F1EF781248AF4 - Model: Technicolor TC8305C
HOME-EE4D : 38DABE42E98AA3D5 - Model: Technicolor TC8305C
HOME-5258 : H211361CB633E794 - Model: SMC SMCD3GNV
HOME-65B8 : H212242D233C2841 - Model: SMC SMCD3GNV
HOME-CD26-2.4 : 4CUDAC9VFDCAC73A - Model: Cisco XB3 DPC3941T


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Fri, 08 Sep 2017 @ 19:36:37

Thanks for the input. I believe I have all these words. By the way, the ones containing dictionary words are the new ones.




DizzyAdam

Status: n/a
Joined: Wed, 18 May 2016
Posts: 114
Reputation: 59
Fri, 08 Sep 2017 @ 19:56:55

soxrok2212 said:

Thanks for the input. I believe I have all these words. By the way, the ones containing dictionary words are the new ones.

I see. If it were up to me, I would have just stayed with the same old algorithm, as it looks to be a lot more secure (would make sense), unless the algo has been cracked by someone. I thought you already had a dictionary for the new router's passphrase? Did you just want to make sure?


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Fri, 08 Sep 2017 @ 20:07:15

This is a dictionary for the new ones; I just want to test the accuracy. The "old" algorithm is also kinda broken, and I have proof as well.




mackinson

Status: n/a
Joined: Sun, 11 Jun 2017
Posts: 74
Reputation: 86
Fri, 08 Sep 2017 @ 20:47:59

soxrok2212 said:

This is a dictionary for the new ones; I just want to test the accuracy.

Are the four digits in the middle of the new passphrases completely random?

Looks like you would have to try every pair of dictionary words 10000 times?

Guess it is not too bad using GPUs if the dictionaries are less than about
500 words or so....


gpuhash_me

Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 290
Team: gpuhash team
Reputation: 496
Fri, 08 Sep 2017 @ 20:52:44

HOME-4AC2:bagel6709canyon
HOME-14A2:artist9448cream
HOME-A647-2.4:answer3639chase

and 50+ of older known passwords (check PM)


GPUHASH.me team official representative
Support, discounts, free offers for forum members

soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Fri, 08 Sep 2017 @ 21:15:18

gpuhash_me said:

HOME-4AC2:bagel6709canyon
HOME-14A2:artist9448cream
HOME-A647-2.4:answer3639chase

and 50+ of older known passwords (check PM)

I had 5 out of 6 words listed here. Thank you!


mackinson said:

soxrok2212 said:

This is a dictionary for the new ones; I just want to test the accuracy.

Are the four digits in the middle of the new passphrases completely random?

Looks like you would have to try every pair of dictionary words 10000 times?

Guess it is not too bad using GPUs if the dictionaries are less than about
500 words or so....

Yes, they appear to be random. The dictionary isn't huge, but seems to be rather successful thus far.




DizzyAdam

Status: n/a
Joined: Wed, 18 May 2016
Posts: 114
Reputation: 59
Fri, 08 Sep 2017 @ 22:11:54

soxrok2212 said:


Yes, they appear to be random. The dictionary isn't huge, but seems to be rather successful thus far.

Do you plan on releasing the dictionary to the public? No need to answer it, just curious.


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Fri, 08 Sep 2017 @ 22:13:06

DizzyAdam said:

soxrok2212 said:


Yes, they appear to be random. The dictionary isn't huge, but seems to be rather successful thus far.

Do you plan on releasing the dictionary to the public? No need to answer it, just curious.

Most likely, yes.




gpuhash_me

Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 290
Team: gpuhash team
Reputation: 496
Sat, 09 Sep 2017 @ 18:46:12

Looks like they are using English words of 5 and 6 letters starting with a..f only; the resulting keyspace will be large but workable.
Extracting the firmware image will probably lead us to the exact wordlist soon.

soxrok2212, it is a shame you are asking for help here and don't want to collaborate at the same time!



mackinson

Status: n/a
Joined: Sun, 11 Jun 2017
Posts: 74
Reputation: 86
Sat, 09 Sep 2017 @ 19:12:15

gpuhash_me said:

Looks like they are using English words of 5 and 6 letters starting with a..f only; the resulting keyspace will be large but workable.

Cool, that first character restriction reduces the dictionaries dramatically.

It looks like only
[5 letter word][4 digits][6 letter word]
or
[6 letter word][4 digits][5 letter word]
combinations are used?

The main problem will be getting the 6 letter word dictionary down to a manageable size.

What makes you think the dictionaries are in the firmware anyway?

They could surely just be programming the passphrase into some kind of NVRAM
at manufacture time?


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Tue, 12 Sep 2017 @ 22:36:10

gpuhash_me said:

Looks like they are using English words of 5 and 6 letters starting with a..f only; the resulting keyspace will be large but workable.
Extracting the firmware image will probably lead us to the exact wordlist soon.

soxrok2212, it is a shame you are asking for help here and don't want to collaborate at the same time!

I already have 2 firmwares for 2 different models; neither has the dictionary. Also, it is not a-f; there are a few stray ones that start with 'h' and one that starts with 'g'.

Also, I don't like releasing stuff for free that took a lot of my time and resources, for people to turn around and make money off of it! Also, it looks like you might be using my ATTXXXXXXX generator.




soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Tue, 12 Sep 2017 @ 22:37:21

mackinson said:

gpuhash_me said:

Looks like they are using English words of 5 and 6 letters starting with a..f only; the resulting keyspace will be large but workable.

Cool, that first character restriction reduces the dictionaries dramatically.

It looks like only
[5 letter word][4 digits][6 letter word]
or
[6 letter word][4 digits][5 letter word]
combinations are used?

The main problem will be getting the 6 letter word dictionary down to a manageable size.

You are right about 5 letter + 4 digits + 6 letter and 6 letter + 4 digits + 5 letter. My dictionaries are nearly complete.




soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Tue, 12 Sep 2017 @ 22:38:34

Here are my lists: https://github.com/soxrok2212/PSKracker/tree/master/dicts/xfinity

If you found them useful, my BTC address is in my signature.




gpuhash_me

Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 290
Team: gpuhash team
Reputation: 496
Tue, 12 Sep 2017 @ 22:56:01

soxrok2212 said:

Your lists are incomplete. Below is the diff with proven (real) passwords we already got from handshakes.
Also, the first-letter limit a..h is very suspicious; it looks like they take words based on the modem serial number.
Both models are still in production now, so serials are incrementing and they will probably expand the dictionary later.

$ comm -23 5_my.txt 5_sok.txt
ahead
bread
built
cover
creak
enter
entry
event

$ comm -23 6_my.txt 6_sok.txt
beside
borrow
button
cellar
cities
collar
course
create
design
detail
diesel
garden
hardly



gpuhash_me

Status: Cracker
Joined: Sun, 08 Nov 2015
Posts: 290
Team: gpuhash team
Reputation: 496
Tue, 12 Sep 2017 @ 23:10:53

soxrok2212 said:


Also, I don't like releasing stuff for free that took a lot of my time and resources, for people to turn around and make money off of it! Also, it looks like you might be using my ATTXXXXXXX generator.

It is completely off-topic here, but 'your' generator is based on this public algorithm, isn't it? Please be honest.

https://hashcat.net/forum/thread-6170-post-35595.html#pid35595



soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
Tue, 12 Sep 2017 @ 23:43:24

gpuhash_me said:

soxrok2212 said:

Your lists are incomplete. Below is the diff with proven (real) passwords we already got from handshakes.
Also, the first-letter limit a..h is very suspicious; it looks like they take words based on the modem serial number.
Both models are still in production now, so serials are incrementing and they will probably expand the dictionary later.

Thanks for the additions; updated and credited. I have looked fairly exhaustively through a DPC3941T firmware. While I found nothing related to the private HOME-* network, I did find CalculatePSKKey as described here: https://nvd.nist.gov/vuln/detail/CVE-2017-9476, but am unable to call the function correctly.


gpuhash_me said:

soxrok2212 said:


Also, I don't like releasing stuff for free that took a lot of my time and resources, for people to turn around and make money off of it! Also, it looks like you might be using my ATTXXXXXXX generator.

It is completely off-topic here, but 'your' generator is based on this public algorithm, isn't it? Please be honest.

https://hashcat.net/forum/thread-6170-post-35595.html#pid35595

Yes, it is public knowledge, but I am the only one with a functional (yet still semi-complete) tool to generate the keys in a fast language. And the tool is the main part of the repo containing my wordlists: https://github.com/soxrok2212/PSKracker/blob/master/src/att.c


Anyways, glad the list is growing.




Felis-Sapiens

Status: n/a
Joined: Thu, 07 Jul 2016
Posts: 36
Reputation: 86
8 days ago

Code:
00:AC:E0:3C:FA:10 advice5043charm HOME-FA12
78:F2:9E:08:96:B8 event6195celery HOME-5993-2.4
78:F2:9E:98:7D:B8 anyone3114dozed HOME-9912-2.4
84:00:2D:01:47:48 diner3071change Buckingham2.4
84:00:2D:04:46:F8 enter9286always HOME-1F1C-2.4
84:00:2D:52:27:58 around3504about HOME-7D3F-2.4
84:00:2D:5F:C7:D8 bloom8398beside HOME-042F-2.4
88:AD:43:0C:FF:78 chase5906copied HOME-8C66-2.4
88:AD:43:4E:FB:18 eagle2735charge HOME-7A1B-2.4
98:6B:3D:1A:A5:80 cheery6053bonus HOME-A582
C0:7C:D1:DF:A9:E0 chair6223animal HOME-FEDA-2.4
DC:FE:07:B4:5E:80 answer9135apron HOME-3EC4-2.4
DC:FE:07:B6:02:B0 depend1593bring CBCI-AFB9-2.4
DC:FE:07:F5:AB:08 flight3821chase HOME-42D7-2.4
EC:AA:A0:0A:D1:98 banana7510again HOME-A739-2.4
EC:AA:A0:48:XX:XX attic4734harbor HOME-D0CA-2.4
EC:AA:A0:4F:91:F8 favor6421cactus HOME-968B-2.4


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
7 days ago

Felis-Sapiens said:

Code:
00:AC:E0:3C:FA:10 advice5043charm HOME-FA12
78:F2:9E:08:96:B8 event6195celery HOME-5993-2.4
78:F2:9E:98:7D:B8 anyone3114dozed HOME-9912-2.4
84:00:2D:01:47:48 diner3071change Buckingham2.4
84:00:2D:04:46:F8 enter9286always HOME-1F1C-2.4
84:00:2D:52:27:58 around3504about HOME-7D3F-2.4
84:00:2D:5F:C7:D8 bloom8398beside HOME-042F-2.4
88:AD:43:0C:FF:78 chase5906copied HOME-8C66-2.4
88:AD:43:4E:FB:18 eagle2735charge HOME-7A1B-2.4
98:6B:3D:1A:A5:80 cheery6053bonus HOME-A582
C0:7C:D1:DF:A9:E0 chair6223animal HOME-FEDA-2.4
DC:FE:07:B4:5E:80 answer9135apron HOME-3EC4-2.4
DC:FE:07:B6:02:B0 depend1593bring CBCI-AFB9-2.4
DC:FE:07:F5:AB:08 flight3821chase HOME-42D7-2.4
EC:AA:A0:0A:D1:98 banana7510again HOME-A739-2.4
EC:AA:A0:48:XX:XX attic4734harbor HOME-D0CA-2.4
EC:AA:A0:4F:91:F8 favor6421cactus HOME-968B-2.4

Got 2 new words from here, "about" and "copied". Thank you!




mackinson

Status: n/a
Joined: Sun, 11 Jun 2017
Posts: 74
Reputation: 86
7 days ago

All very interesting, but I am not likely to ever encounter any of these as I am not in the region they are deployed.

Still intrigued by this a-f starting character, maybe extending to h in some cases.

Maybe it is linked to serial number as gpuhash_me proposed, but no corresponding serial numbers have been listed so far to even attempt to verify this.

Another crazy example where a potentially strong passphrase selection seems to have been weakened.

However, I tend not to subscribe to conspiracy theories about deliberate weakening by government or security services influence where simple incompetence by the manufacturers or ISP can explain it equally well.

After all, BSkyB have a shocking track record after they seem to have taken their routers in under their own MAC address allocations.

It is certainly saying something for BSkyB "inhouse" efforts when Netgear, Sagem and Dlink did a far better job on their router security for them.


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
7 days ago

mackinson said:

All very interesting, but I am not likely to ever encounter any of these as I am not in the region they are deployed.

Still intrigued by this a-f starting character, maybe extending to h in some cases.

Maybe it is linked to serial number as gpuhash_me proposed, but no corresponding serial numbers have been listed so far to even attempt to verify this.

Another crazy example where a potentially strong passphrase selection seems to have been weakened.

However, I tend not to subscribe to conspiracy theories about deliberate weakening by government or security services influence where simple incompetence by the manufacturers or ISP can explain it equally well.

After all, BSkyB have a shocking track record after they seem to have taken their routers in under their own MAC address allocations.

It is certainly saying something for BSkyB "inhouse" efforts when Netgear, Sagem and Dlink did a far better job on their router security for them.

Their devices are still flawed: all XB3 models (DPC3939, DPC3941, and TG1682G) broadcast a hidden Home Security Network dubbed XHS-XXXXXXXX, where XXXXXXXX are the last 8 of the CM_MAC. There is a binary "CalculatePSKKey" that generates the default key for this network. The scariest part is that when you're on this XHS network, you're completely hidden from anything in the web GUI and, IIRC, you're put on a different IP range. You also have full internet access at the full speeds purchased by the user (granted, only 2.4GHz).

Every single ISP/vendor puts in a backdoor. Sky has no reason to make the last character predictable and restrict the keyspace from 10^26 to 9^16. New Comcast/Xfinity gateways have dictionary words that are clearly weak, Netgear does the same, Belkin used a mapping technique, ATT uses a truly weird generator but it is also broken ( https://github.com/soxrok2212/PSKracker/blob/master/src/att.c )... the list goes on and on. It is just a matter of finding the backdoor. They will always be there. I'm not sure if it is a regulated government thing or if ISPs are just really stupid and the engineers just do it for themselves, but whatever it is, it is certainly a very popular idea.


The reason I publish all this is to expose how untrustworthy capital vendors really are, and that people really need to protect themselves instead of letting other people do it for them. In publishing all this, I mean no illegal/blackhat activity. I just wish to show people what is wrong with these companies.




mackinson

Status: n/a
Joined: Sun, 11 Jun 2017
Posts: 74
Reputation: 86
7 days ago

soxrok2212 said:


Every single ISP/vendor puts in a backdoor. Sky has no reason to make the last character predictable and restrict the keyspace from 10^26 to 9^16.

I think you mean 26^10 and 16^9

Yes, I had not considered the possibility of the engineers putting in plausibly deniable weaknesses for their own purposes. That is maybe quite a likely scenario the more I think about it.

But let's face it, if the government or security services want access to your communications, they can probably quite easily tap it inside the ISP or network already.....
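As an added example (not code from any poster in this thread or from the PSKracker repo), here is a small Python audit that flags a passphrase still matching one of the two default shapes discussed above, and puts numbers on the keyspace comparison from the last few posts. All function names are mine, the 16-character [A-Z 0-9] shape follows DizzyAdam's description of the older defaults, and the wordlist sizes 300/500 are placeholders, not the real dictionary sizes.

```python
import math
import re
from typing import Dict, List, Optional

# Newer Xfinity defaults as described in this thread:
# [5-letter word][4 digits][6-letter word] or [6-letter word][4 digits][5-letter word],
# with every observed word starting with a letter in a..h.
NEW_DEFAULT = re.compile(r"^([a-h][a-z]{4,5})([0-9]{4})([a-h][a-z]{4,5})$")

# Older defaults as one poster describes them: 16 characters from [A-Z 0-9].
OLD_DEFAULT = re.compile(r"^[A-Z0-9]{16}$")


def default_shape(passphrase: str) -> Optional[str]:
    """Return 'new' or 'old' if the passphrase still looks like a factory default, else None."""
    m = NEW_DEFAULT.match(passphrase)
    # Both word orders are allowed, but the two words must be one 5-letter and one 6-letter.
    if m and {len(m.group(1)), len(m.group(3))} == {5, 6}:
        return "new"
    if OLD_DEFAULT.match(passphrase):
        return "old"
    return None


def audit(passphrases: List[str]) -> Dict[str, Optional[str]]:
    """Map each passphrase to the default shape it matches (None = no default pattern)."""
    return {p: default_shape(p) for p in passphrases}


def new_scheme_keyspace(words5: int, words6: int) -> int:
    """Candidate count for the word scheme: two word orders x |5-list| x |6-list| x 10^4 digits."""
    return 2 * words5 * words6 * 10_000


def old_scheme_keyspace(alphabet: int = 36, length: int = 16) -> int:
    """Candidate count for a uniformly random 16-character [A-Z0-9] default."""
    return alphabet ** length


def bits(keyspace: int) -> float:
    """Entropy in bits of a passphrase drawn uniformly from the keyspace."""
    return math.log2(keyspace)


if __name__ == "__main__":
    # Sample input: the first three values are quoted in the thread, the last is constructed.
    sample = ["cough4073candid", "chores1049below", "15FA178C050D383F", "Gr4nite-Tr3e!2017"]
    for p, shape in audit(sample).items():
        print(f"{p:20} {shape or 'no default pattern'}")
    # Placeholder list sizes (assumed, not the thread's actual dictionaries).
    print(f"word scheme, 300 x 500 words: {bits(new_scheme_keyspace(300, 500)):.1f} bits")
    print(f"16 x [A-Z0-9] scheme:         {bits(old_scheme_keyspace()):.1f} bits")
```

Even with generous placeholder list sizes the word scheme lands near 31 bits, against roughly 83 bits for a uniformly random 16-character alphanumeric default, which is the gap the thread is circling around.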


soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 350
Team: Division0
Reputation: 296
7 days ago

mackinson said:

soxrok2212 said:


Every single ISP/vendor puts in a backdoor. Sky has no reason to make the last character predictable and restrict the keyspace from 10^26 to 9^16.


I think you mean 26^10 and 16^9

Early morning.



