Wireless Cracking - Default Router WPA Keys - Keyspace Used


405 Results - Page 8 of 14

Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sat, 18 Feb 2017 @ 22:04:19

almondo said:

I don't follow what you are saying here?

Explain each step in more detail if possible for one SSID/passphrase

Edit:
The SSID with the Q (SKYD21QA) must surely be incorrect?
All the others are straight hexadecimal?


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Reputation: 421
Sat, 18 Feb 2017 @ 22:27:03

I might have something new, let me confirm then I will post! Stay tuned!

EDIT: I think it was just a fluke



BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sat, 18 Feb 2017 @ 22:34:45

Okay, I'm working on it. I will explain in detail. I hope there is more data to check if this theory is correct.


Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sat, 18 Feb 2017 @ 22:38:49

soxrok2212 said:

I might have something new, let me confirm then I will post! Stay tuned!

EDIT: I think it was just a fluke

OK, I am drawing a blank with any more connections at the moment. I think all of this exposes
part of the underlying keystream generating the passphrase and SSID, but I cannot see any
way to derive that keystream from anything else. Tried various combinations of MAC and serial
number pushed through MD5 and SHA1 to see if I can replicate it, but there could be an unknown
personalisation string in the mix, which will make it impossible to reverse.

I was hoping almondo would come back and explain his earlier post in more detail, as I can make
no sense of what he was saying at the moment either.

Still an absolutely outstanding breakthrough by Blandy to pull it down to 16^9.

Edit:
Just noticed almondo is still on the case. I will wait for any update



soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Reputation: 421
Sat, 18 Feb 2017 @ 22:40:54

I will look through the previous sky hub gen and see if I can find any connections, then look through the firmware again




Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sat, 18 Feb 2017 @ 22:44:42

soxrok2212 said:

I will look through the previous sky hub gen and see if I can find any connections, then look through the firmware again

There is some history from the Sagem router of adding in a personalisation string into the hash
inputs for the keystream used in their generator. It can be found in string space of the firmware
quite easily.

You have the Sky Q image? Does it have anything like a CFM binary blob in the filesystem?

Can you run the strings command on the CFM binary, if there is one, to see if there is anything
new in there?



soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Reputation: 421
Sat, 18 Feb 2017 @ 22:48:20

I don't have any Sky Q firmware; I searched online but wasn't able to find it. I was going to check the old SR102 model to see if I could find any correlation between SSID and WPA, but I haven't found anything yet. I was then going to look back in the firmware and see what I could find.

Here is the other SKY data I have (SR102, not Sky Q Hub):

SKY2BBF5 TSDVXAWC
SKY324EA PDRCEATT
SKY344EB ERFFEPRV
SKY58EED TDTDTXCS
SKY6BD98 RTYXVPQU
SKY7CE2E TSRBYTYC
SKY9B7E9 QPVQDAXX
SKYA5EDD XAEFFCQU
SKYAD84C UXVAAAUD
SKYAEA89 WQBUTSSE
SKYAF56A RUYQRSCB
SKYBC692 CYRCTCVS
SKYCF209 QPRAETEP
SKYD66D5 FFAUFAAB
SKYF849B RRUBYDAU
SKYFCC5E SBCSEADT





Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sat, 18 Feb 2017 @ 22:57:04

soxrok2212 said:

I don't have any Sky Q firmware; I searched online but wasn't able to find it. I was going to check the old SR102 model to see if I could find any correlation between SSID and WPA, but I haven't found anything yet. I was then going to look back in the firmware and see what I could find.

Here is the other SKY data I have (SR102, not Sky Q Hub):


SKY2BBF5 TSDVXAWC
SKY324EA PDRCEATT
SKY344EB ERFFEPRV
SKY58EED TDTDTXCS
SKY6BD98 RTYXVPQU
SKY7CE2E TSRBYTYC
SKY9B7E9 QPVQDAXX
SKYBC692 CYRCTCVS
SKYCF209 QPRAETEP
SKYD66D5 FFAUFAAB
SKYA5EDD XAEFFCQU
SKYAD84C UXVAAAUD
SKYAEA89 WQBUTSSE
SKYAF56A RUYQRSCB
SKYF849B RRUBYDAU
SKYFCC5E SBCSEADT

I think this flaw is going to be unique to Sky Q from the looks of it.

For an SSID/passphrase pair of

SKYB5847 PDDVWXPRNB

I am imagining a keystream of ....0DD678025B5847...
The first 10 of those are indexing the charset table, and then there is some kind of bug that
causes an overlap of one character (the B in this case) before the keystream continues with
5847 to generate the hex part of the SSID.

This is just complete conjecture, but if correct, those final hex values of 5847 will have no
connection with the rest of the passphrase. The only further break would be to figure out
where this keystream comes from, but that may be out of reach.



almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sat, 18 Feb 2017 @ 23:14:57


SKY82XXX = -----CC--X
SKYA2XXX = -FF-----L
SKYD2XXX = --RR-----D
SKYC2XXX = ----RR---C



Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sat, 18 Feb 2017 @ 23:27:07

almondo said:

OK, I see it more clearly now.

The starting point is having a 2 in the second position of the hexadecimal part of SSID.
If the 2 is there, then a double character is expected in the passphrase?
That does seem to work for all SSIDs that have this pattern that have been collated so far.

I think you might be onto something here, but the relationship is still hard to fully unravel.

However, if there is always a double character in the passphrase when a 2 appears in the second position
of SSID, that information can probably be used to reduce the search space.

I will study it some more.

Thanks for taking the time to explain it more clearly. You have done some great work today and I
will give you another +10 for your efforts, because I think you may have found something very
interesting here.

Edit:
The system won't allow me to give you any more rep today.
You are too good at this stuff, man!
I will make a note to give you the rep for this tomorrow.



almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sat, 18 Feb 2017 @ 23:32:39

And check the position of the number one in the SSID:

SKY821XX = XXXXXXXBXX
SKYD21XX = XXXXXXXBXX


Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sat, 18 Feb 2017 @ 23:37:43

soxrok2212 said:

I don't have any Sky Q firmware; I searched online but wasn't able to find it. I was going to check the old SR102 model to see if I could find any correlation between SSID and WPA, but I haven't found anything yet. I was then going to look back in the firmware and see what I could find.

I am hitting all the buffers giving people rep today, because I have been so caught up with
all of this and have been trying to reward everyone for their efforts.

You are due a +10 for me and I will rep you when I am next able.
Always a pleasure to collaborate with you on this sort of stuff!



almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sat, 18 Feb 2017 @ 23:39:14

soxrok2212 said:

I don't have any Sky Q firmware; I searched online but wasn't able to find it. I was going to check the old SR102 model to see if I could find any correlation between SSID and WPA, but I haven't found anything yet. I was then going to look back in the firmware and see what I could find.

Here is the other SKY data I have (SR102, not Sky Q Hub):

SKY2BBF5 TSDVXAWC
SKY324EA PDRCEATT
SKY344EB ERFFEPRV
SKY58EED TDTDTXCS
SKY6BD98 RTYXVPQU
SKY7CE2E TSRBYTYC
SKY9B7E9 QPVQDAXX
SKYA5EDD XAEFFCQU
SKYAD84C UXVAAAUD
SKYAEA89 WQBUTSSE
SKYAF56A RUYQRSCB
SKYBC692 CYRCTCVS
SKYCF209 QPRAETEP
SKYD66D5 FFAUFAAB
SKYF849B RRUBYDAU
SKYFCC5E SBCSEADT


SKY324EA PDRCEATT
SKY344EB ERFFEPRV


Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sat, 18 Feb 2017 @ 23:42:18

almondo said:

soxrok2212 said:

I don't have any Sky Q firmware; I searched online but wasn't able to find it. I was going to check the old SR102 model to see if I could find any correlation between SSID and WPA, but I haven't found anything yet. I was then going to look back in the firmware and see what I could find.

Here is the other SKY data I have (SR102, not Sky Q Hub):

SKY2BBF5 TSDVXAWC
SKY324EA PDRCEATT
SKY344EB ERFFEPRV
SKY58EED TDTDTXCS
SKY6BD98 RTYXVPQU
SKY7CE2E TSRBYTYC
SKY9B7E9 QPVQDAXX
SKYA5EDD XAEFFCQU
SKYAD84C UXVAAAUD
SKYAEA89 WQBUTSSE
SKYAF56A RUYQRSCB
SKYBC692 CYRCTCVS
SKYCF209 QPRAETEP
SKYD66D5 FFAUFAAB
SKYF849B RRUBYDAU
SKYFCC5E SBCSEADT


SKY324EA PDRCEATT
SKY344EB ERFFEPRV

Are you Rainman or something?

You seem to find these correlations so effortlessly!



almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sat, 18 Feb 2017 @ 23:45:40

Gort said:

Are you Rainman or something?

You seem to find these correlations so effortlessly!

This one isn't correct because the first A in each SSID listed isn't similar to what the SKY Q hub is; the algo on that old router is harder, or it uses MAC addresses to generate those passphrases.


soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Reputation: 421
Sat, 18 Feb 2017 @ 23:46:56

I think that this is just a fluke. From my limited programming adventures, it would not make sense to implement it in such a way as suggested, though I won't draw any conclusions yet as I do not have a good counter example, but what about this?


SKY0F122 YYMXTFSMFP


There is a duplicate, and F is the second character in the "random" part of the SSID. I want to agree with Gort that it is generated as part of a keystream, but until I'm proven wrong, I'll keep looking.




Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sat, 18 Feb 2017 @ 23:51:57

almondo said:

Gort said:

Are you Rainman or something?

You seem to find these correlations so effortlessly!

This one isn't correct because the first A in each SSID listed isn't similar to what the SKY Q hub is; the algo on that old router is harder, or it uses MAC addresses to generate those passphrases.

Yes, I think too that they are completely separate problems.
The Sky Hub keyspace is much more restricted anyway, so the Sky Q is where the focus needs to be.
I am still very impressed with your insights into these problems.

Please keep contributing to the discussions.
There will be many dead ends to explore along the way.
It is not a problem.
We will just eliminate them one by one and find what is left.



almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sat, 18 Feb 2017 @ 23:51:57

soxrok2212 said:

I think that this is just a fluke. From my limited programming adventures, it would not make sense to implement it in such a way as suggested, though I won't draw any conclusions yet as I do not have a good counter example, but what about this?


SKY0F122 YYMXTFSMFP


There is a duplicate, and F is the second character in the "random" part of the SSID. I want to agree with Gort that it is generated as part of a keystream, but until I'm proven wrong, I'll keep looking.

That's an "F1" so "21"= B

We need another similar SSID to see if the theory fits.


EDIT: Some sort of multiplication going on.

I will look for more data.


blandyuk
Admin / Owner
Status: Trusted
Joined: Tue, 05 Jul 2011
Posts: 3195
Team: HashKiller
Reputation: 4152
Sun, 19 Feb 2017 @ 00:17:35

SKY324EA:PDRCEATT
SKY344EB:ERFFEPRV
SKY352A1:PEDRCXXR
SKY3F00B:BFPFYXRF

Not always the case so coincidence I assume.


Please read the forum rules | Please read the paid section rules
I accept private hash lists, with forum donations only.
BTC: 15qF9WUeFUD63ishxyAMiEgGqTcYzk4j9b
GPU Power: 9x GTX 1070 + 4x GTX 1080

blandyuk
Admin / Owner
Status: Trusted
Joined: Tue, 05 Jul 2011
Posts: 3195
Team: HashKiller
Reputation: 4152
Sun, 19 Feb 2017 @ 00:22:18

On another note, the key is interesting:

0 = P
1 = Q
2 = R
3 = S
4 = T
5 = N
6 = V
7 = W
8 = X
9 = Y
A = L
B = B
C = C
D = D
E = M
F = F

0, 1, 2, 3, 4 = P Q R S T (alpha in order).
6, 7, 8, 9 = V W X Y (alpha in order).
B, C, D, F = B, C, D, F (alpha in order skip 1).
5, A, E = N, L, M, (alpha next to each other, right shift 1). Also, changing A and E to hex numbers means the sequence is: 5, 10, 14 (edit)

Interesting...



almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sun, 19 Feb 2017 @ 00:23:15

blandyuk said:


SKY324EA:PDRCEATT
SKY344EB:ERFFEPRV
SKY352A1:PEDRCXXR
SKY3F00B:BFPFYXRF

Not always the case so coincidence I assume.

SKY324EA:PDRCEATT
SKY344EB:ERFFEPRV


Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sun, 19 Feb 2017 @ 00:35:42

I am just thinking about this double character thing in the passphrase.

Not quite sure if my math is right but here it goes.

If you look at the first character it has 1 of 16 possible values. So,
the first question is what is the chance the next character is the same?
Well, I think that chance has to be 1/16, no matter what the first character
is.

Now there are 8 positions in a group of ten characters where you can
have a pair together. So, I am thinking that means that the chance
of having a pair somewhere should be 1/16 * 8 or 0.5 or 50%

Therefore, 50% on average of the passphrases will have a double
character somewhere. That seems pretty close to the distribution in
the sample of passphrases we have collected.

The double characters catch your eye, but there may be no meaning
in them at all. They are just going to be there 50% of the time anyway?

Edit:
There are 9 positions for a double character, not 8, but I don't think
that changes the math or the argument too much! With 9 positions,
the chance of a double goes up to about 56%. Still matches the
small set we have.

I suspect we are seeing nothing that you would not expect arising
naturally from a random keystream when there are only 16 options
for each character position.




almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sun, 19 Feb 2017 @ 00:44:13

SKYF6C6A NTRBNBWNTF no SSID similarity
SKY583B0 NTPNNFBFDN no SSID similarity

SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN
SKY5CBDC MMTWNDSNWN


Looks like this theory has a lot of flaws, but some similarities are interesting.

EDIT:

SKYA2FC2 VFFCMPBXQL
SKYA329E BBCYYBQWBL
SKYAA967 XYLPBXVFNL
SKYB564D VNTDYXBTVB
SKYB5847 PDDVWXPRNB
SKYB8413 TBDCDQBTRB
SKYC2E56 CLNBRRFVXC
SKYD0C62 BCPNWBVLPD
SKYF1F68 PVCCQWMCFF
SKYF6C6A NTRBNBWNTF

EDIT 2:

SKY54641 XDVNNVTLWN
SKY1F6A6 XNBTVCDYFQ



soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Reputation: 421
Sun, 19 Feb 2017 @ 00:51:10

Another one:

SKYB8413 TBDCDQBTRB





Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sun, 19 Feb 2017 @ 00:55:24

blandyuk said:

On another note, the key is interesting:
0, 1, 2, 3, 4 = P Q R S T (alpha in order).
6, 7, 8, 9 = V W X Y (alpha in order).
B, C, D, F = B, C, D, F (alpha in order skip 1).
5, A, E = N, L, M, (alpha next to each other, right shift 1). Also, changing A and E to hex numbers means the sequence is: 5, 10, 15

Interesting...

Isn't E = 14 not 15?



soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Reputation: 421
Sun, 19 Feb 2017 @ 00:57:30

Gort said:

blandyuk said:

On another note, the key is interesting:
0, 1, 2, 3, 4 = P Q R S T (alpha in order).
6, 7, 8, 9 = V W X Y (alpha in order).
B, C, D, F = B, C, D, F (alpha in order skip 1).
5, A, E = N, L, M, (alpha next to each other, right shift 1). Also, changing A and E to hex numbers means the sequence is: 5, 10, 15

Interesting...

Isn't E = 14 not 15?

Correct, E = 14 in decimal.

Binary : Decimal : Hex
0000 : 0 : 0
0001 : 1 : 1
0010 : 2 : 2
0011 : 3 : 3
0100 : 4 : 4
0101 : 5 : 5
0110 : 6 : 6
0111 : 7 : 7
1000 : 8 : 8
1001 : 9 : 9
1010 : 10 : A
1011 : 11 : B
1100 : 12 : C
1101 : 13 : D
1110 : 14 : E
1111 : 15 : F




Gort
Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Reputation: 170
Sun, 19 Feb 2017 @ 01:14:47

almondo said:

SKYF6C6A NTRBNBWNTF no SSID similarity
SKY583B0 NTPNNFBFDN no SSID similarity

SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN
SKY5CBDC MMTWNDSNWN


Looks like this theory has a lot of flaws, but some similarities are interesting.

EDIT:

SKYA2FC2 VFFCMPBXQL
SKYA329E BBCYYBQWBL
SKYAA967 XYLPBXVFNL
SKYB564D VNTDYXBTVB
SKYB5847 PDDVWXPRNB
SKYB8413 TBDCDQBTRB
SKYC2E56 CLNBRRFVXC
SKYD0C62 BCPNWBVLPD
SKYF1F68 PVCCQWMCFF
SKYF6C6A NTRBNBWNTF

My questions would be if there are exceptions to any of the patterns and
how likely these patterns could just emerge from a random distribution
anyway?

I find the math hard. It is stretching my knowledge of probability to build
an argument either way at the moment. I recognize there appear to be
patterns, but how real are they when subjected to statistical analysis?



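Gort's two posts above ask whether the double characters, and the apparent SSID/passphrase coincidences, could simply arise from a random keystream with only 16 options per position. The following Python is an added example, not code from the thread: it computes the exact probability of at least one adjacent double in a 10-character passphrase over a 16-symbol alphabet (the 9 x 1/16 figure quoted in the thread is a union bound; the exact value is 1 - (15/16)^9, about 44%), cross-checks it by simulation, and compares it with the rate observed in the ten pairs almondo listed.

```python
"""Added example: is the 'double character' pattern significant, or just
what a uniform 16-symbol keystream produces anyway?"""
from fractions import Fraction
import random

ALPHABET_SIZE = 16   # passphrase characters are indexed from a 16-entry charset
LENGTH = 10          # Sky Q passphrases in the thread are 10 characters


def p_adjacent_double(length=LENGTH, k=ALPHABET_SIZE):
    """Exact probability that at least one adjacent pair repeats when every
    symbol is drawn independently and uniformly from k symbols.
    Each of the (length-1) positions matches its predecessor with
    probability 1/k, independently, so P(no double) = ((k-1)/k)^(length-1)."""
    return 1 - Fraction(k - 1, k) ** (length - 1)


def union_bound(length=LENGTH, k=ALPHABET_SIZE):
    """The (length-1)/k figure from the thread. It is an upper bound, not the
    exact value, because the per-position events can overlap."""
    return Fraction(length - 1, k)


def has_adjacent_double(s):
    """True if any two neighbouring characters are equal."""
    return any(a == b for a, b in zip(s, s[1:]))


def observed_rate(passphrases):
    """Fraction of the given passphrases containing an adjacent double."""
    hits = sum(1 for p in passphrases if has_adjacent_double(p))
    return Fraction(hits, len(passphrases))


def simulate(trials=20000, seed=1):
    """Monte Carlo check of p_adjacent_double() with a fixed seed."""
    rng = random.Random(seed)
    symbols = "0123456789ABCDEF"
    hits = 0
    for _ in range(trials):
        s = "".join(rng.choice(symbols) for _ in range(LENGTH))
        hits += has_adjacent_double(s)
    return hits / trials


# The ten passphrases quoted in almondo's EDIT list above; used only to
# compare the observed double rate against the random-model expectation.
SAMPLE = ["VFFCMPBXQL", "BBCYYBQWBL", "XYLPBXVFNL", "VNTDYXBTVB",
          "PDDVWXPRNB", "TBDCDQBTRB", "CLNBRRFVXC", "BCPNWBVLPD",
          "PVCCQWMCFF", "NTRBNBWNTF"]

if __name__ == "__main__":
    print(f"exact P(double)      = {float(p_adjacent_double()):.4f}")
    print(f"union-bound estimate = {float(union_bound()):.4f}")
    print(f"simulated            = {simulate():.4f}")
    print(f"observed in sample   = {float(observed_rate(SAMPLE)):.4f}")
```

With ten samples the observed 50% is well within what a 44% expectation produces, so the doubles on their own are no evidence of structure; a much larger sample would be needed before any of the patterns could be called significant.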

almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sun, 19 Feb 2017 @ 01:24:58

The big problem is we need dozens more of that data to see if we're on the right path.

SKY95CCF NYNNLXRWWJ

One more key.


soxrok2212
Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Reputation: 421
Sun, 19 Feb 2017 @ 01:26:43

Are you sure that one is correct? 9 == Y, not J.




almondo
Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Reputation: 48
Sun, 19 Feb 2017 @ 01:26:57

EDIT:

Check those again. What do you notice?

SKY5CBDC MMTWNDSNWN
SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN


Me, I see some close calculation here to identify the pattern.



