NEW: We have a Discord server now. Click here to go there now!

NOTE: Why not use our List Manager to crack your lists? Its easy and enables better management.

NOTE: When cracking WPA/WPA2 passwords, make sure you check gpuhash.me first incase it's already been processed.

Home - Wireless Cracking - Default Router WPA Keys - Keyspace Used


414 Results - Page 9 of 14 -
1 2 3 4 5 6 7 8 9 10 11 12 13 14
Author Message
Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 01:29:51

soxrok2212 said:

Are you sure that one is correct? 9 == Y, not J.

https://i.ebayimg.com/00/s/NzY4WDEwMjQ=/z/T8UAAOSw-0xYRUtx/$_86.JPG


Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 01:32:34

SKY19451 WQTQPBCCXQ


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 01:33:36

almondo said:

Check those again what do you notice?

SKY5CBDC MMTWNDSNWN
SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN
SKY5381D NLTWPPBRSV

Me I see some close calculation here to identify the pattern.

I thought SKY5381D was corrected to SKY6381D earlier in this thread?


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 01:36:06

almondo said:

soxrok2212 said:

Are you sure that one is correct? 9 == Y, not J.

https://i.ebayimg.com/00/s/NzY4WDEwMjQ=/z/T8UAAOSw-0xYRUtx/$_86.JPG

That is a very poor resolution image for me. The information is lost in
pixellation.


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 01:36:59

Gort said:

almondo said:

Check those again what do you notice?

SKY5CBDC MMTWNDSNWN
SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN
SKY5381D NLTWPPBRSV

Me I see some close calculation here to identify the pattern.

I thought SKY5381D was corrected to SKY6381D earlier in this thread?

I'm guess it's a six cause it's not close like the one with the five.

So I remove it and fix it on my list


Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 01:40:36

SKY0F122 YYMXTFSMFP
SKY19451 WQTQPBCCXQ
SKY1F6A6 XNBTVCDYFQ
SKY24AF7 CYBVQDNWNR
SKY3E91F LVMYNNNXPS
SKY499C4 WPWMRRNMDT
SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN
SKY5CBDC MMTWNDSNWN
SKY6381D NLTWPPBRSV
SKY89F48 QNDXTFMSLX
SKY91505 RNQMYPTFNY
SKY95CCF NYNNLXRWWJ
SKYA2FC2 VFFCMPBXQL
SKYA329E BBCYYBQWBL
SKYAA967 XYLPBXVFNL
SKYB564D VNTDYXBTVB
SKYB5847 PDDVWXPRNB
SKYB8413 TBDCDQBTRB
SKYC2E56 CLNBRRFVXC
SKYD0C62 BCPNWBVLPD
SKYE3C9A PSYLBPMYBM
SKYF1F68 PVCCQWMCFF
SKYF6C6A NTRBNBWNTF


All available data.


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 01:50:05

almondo said:

SKY0F122 YYMXTFSMFP
SKY19451 WQTQPBCCXQ
SKY1F6A6 XNBTVCDYFQ
SKY24AF7 CYBVQDNWNR
SKY3E91F LVMYNNNXPS
SKY499C4 WPWMRRNMDT
SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN
SKY5CBDC MMTWNDSNWN
SKY6381D NLTWPPBRSV
SKY89F48 QNDXTFMSLX
SKY91505 RNQMYPTFNY
SKY95CCF NYNNLXRWWJ
SKYA2FC2 VFFCMPBXQL
SKYA329E BBCYYBQWBL
SKYAA967 XYLPBXVFNL
SKYB564D VNTDYXBTVB
SKYB5847 PDDVWXPRNB
SKYB8413 TBDCDQBTRB
SKYC2E56 CLNBRRFVXC
SKYD0C62 BCPNWBVLPD
SKYE3C9A PSYLBPMYBM
SKYF1F68 PVCCQWMCFF
SKYF6C6A NTRBNBWNTF


All available data.

That SKY95CCF NYNNLXRWWJ really stands out as the only one that
does not follow the charset mapping.

Are you absolutely sure it is correct?

If that was the one on the link you posted earlier, I could make nothing
out of the image at all. The resolution was far too low when I looked at it.


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 02:09:50

SKYD210A WFNRPWRBPD

http://i.ebayimg.com/images/g/gboAAOSwxg5XzbnE/s-l1600.jpg

--------------------------------------------------------------------------

Okay I scrap that one.


Avatar
malte333

Status: n/a
Joined: Sat, 11 Feb 2017
Posts: 21
Team:
Reputation: 16 Reputation
Offline
Sun, 19 Feb 2017 @ 09:58:04

nice to see the progress on the Sky Q Hub,
we surely need more sample data

I also searched for Sky Router firmwares and managed to get a firmware for nearly all of the routers used by Sky, except the Sky Q Hub.
This router claims to have a auto recover function and gets their updates pushed (over night).
Anyone owns a Sky Q hub?


Avatar
malte333

Status: n/a
Joined: Sat, 11 Feb 2017
Posts: 21
Team:
Reputation: 16 Reputation
Offline
Sun, 19 Feb 2017 @ 10:05:18

almondo said:

SKY0F122 YYMXTFSMFP
SKY19451 WQTQPBCCXQ
...
SKYF6C6A NTRBNBWNTF

All available data.

SKY76867 CVFTFNBSXW
SKYC9C1F NDWBSYOWWC
SKYB669D YMDWDRYNSB
SKYADA53 NQRYMTRNYL 90210684C880

^you missed these?

// edit:
Sky Q Hub
---------

SKY0F122 YYMXTFSMFP
SKY19451 WQTQPBCCXQ
SKY1F6A6 XNBTVCDYFQ
SKY24AF7 CYBVQDNWNR
SKY3E91F LVMYNNNXPS
SKY499C4 WPWMRRNMDT
SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN C0:3E:0F:F7:F8:E8
SKY5CBDC MMTWNDSNWN
SKY6381D NLTWPPBRSV
SKY76867 CVFTFNBSXW
SKY89F48 QNDXTFMSLX
SKY91505 RNQMYPTFNY
SKY95CCF NYNNLXRWWJ <- false?
SKYA2FC2 VFFCMPBXQL
SKYA329E BBCYYBQWBL
SKYAA967 XYLPBXVFNL
SKYADA53 NQRYMTRNYL 90:21:06:84:C8:80 89991572 <- low quality pic
SKYB564D VNTDYXBTVB
SKYB5847 PDDVWXPRNB C0:3E:0F:F2:11:D8 37280703 AC1015CD020862
SKYB669D YMDWDRYNSB
SKYB8413 TBDCDQBTRB
SKYC2E56 CLNBRRFVXC
SKYC9C1F NDWBSYOWWC
SKYD0C62 BCPNWBVLPD
SKYD210A WFNRPWRBPD
SKYE3C9A PSYLBPMYBM
SKYF1F68 PVCCQWMCFF
SKYF6C6A NTRBNBWNTF


all data so far, please fix


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 10:17:29

malte333 said:

nice to see the progress on the Sky Q Hub,
we surely need more sample data

I also searched for Sky Router firmwares and managed to get a firmware for nearly all of the routers used by Sky, except the Sky Q Hub.
This router claims to have a auto recover function and gets their updates pushed (over night).
Anyone owns a Sky Q hub?

I would just like to thank everyone who participated during those intense few hours when
so many new ideas emerged on Sky Q. I am still recovering from what proved to be an
all-nighter for me, following all the discussions as they happened, and analyzing the data
that was emerging.

Still very interested to get a firmware image for Sky Q, but it is worth bearing in mind that
the days of the router computing the secrets may now be gone and it is all done offline at
the time of manufacture. There may be nothing to find in the firmware now.

The break discovered may remarkably be a bug in an offline passphrase generator that
has left its footprint in the generated passphrases and SSIDs.

Another point I want to make now things have settled down a little. I really appreciate
everyone who collected the SSID and passphrases for Sky Q, but it turned out that some
were coming from such borderline images that errors have been creeping into our data
set and that can be a serious problem when searching for very subtle bias in the keyspace.

Please be very careful that you are working from reliable sources and just ignore anything
where is there any doubt at all about its accuracy.


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 16:05:27

We start again from the beginning.


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 17:04:03

almondo said:

We start again from the beginning.

FYI, this is my current working list for Sky Q, arranged in strict increasing SSID hex values

Code:
SSID     Passphrase MAC address       AP PIN   Serial Number
------------------------------------------------------------
SKY0F122 YYMXTFSMFP
SKY19451 WQTQPBCCXQ
SKY1F6A6 XNBTVCDYFQ
SKY24AF7 CYBVQDNWNR
SKY3E91F LVMYNNNXPS
SKY499C4 WPWMRRNMDT
SKY54641 XDVNNVTLWN
SKY583B0 NTPNNFBFDN C0:3E:0F:F7:F8:E8 38353659 AC1015CD005391
SKY5CBDC MMTWNDSNWN
SKY6381D NLTWPPBRSV
SKY76867 CVFTFNBSXW
SKY89F48 QNDXTFMSLX
SKY91505 RNQMYPTFNY
SKYA2FC2 VFFCMPBXQL
SKYA329E BBCYYBQWBL
SKYAA967 XYLPBXVFNL
SKYADA53 NQRYMTRNYL 90:21:06:84:C8:80 89991572 AC2016CB004068 <- (B in serial might be 8)
SKYB564D VNTDYXBTVB
SKYB5847 PDDVWXPRNB C0:3E:0F:F2:11:D8 37280703 AC1015CD020862
SKYB669D YMDWDRYNSB
SKYB8413 TBDCDQBTRB
SKYC2E56 CLNBRRFVXC
SKYC9C1F NDWBSYOWWC
SKYD0C62 BCPNWBVLPD
SKYD210A WFNRPWRBPD
SKYE3C9A PSYLBPMYBM
SKYF1F68 PVCCQWMCFF
SKYF6C6A NTRBNBWNTF


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 17:12:38

Can you point me to any other router broken algorithm to check if they use similar bases.


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 17:31:36

almondo said:

Can you point me to any other router broken algorithm to check if they use similar bases.

I have already checked all the algorithms I am aware of and this one stands alone.
There is little to nothing available openly online.

The Sky Hub 1/2 and then the Sky Q were the first routers carrying the BSkyB MAC OUI.

Previously, BSkyB used routers manufactured by Netgear, Sagem and D-Link, with Sagem and
D-Link (now very rare) the only ones still seen in the wild. There may be a little information out
there about those algorithms, but none of them help with these new BSkyB routers.

We are breaking new ground here.


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Team:
Reputation: 421 Reputation
Offline
Sun, 19 Feb 2017 @ 17:49:04

I have someone grabbing some caps from Sky routers, I will look through them and find out how to distinguish between Sky Hub and Sky Q Hub (if possible) and try to break them given the findings so far



BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 17:51:11

Gort said:

almondo said:

Can you point me to any other router broken algorithm to check if they use similar bases.

I have already checked all the algorithms I am aware of and this one stands alone.
There is little to nothing available openly online.

The Sky Hub 1/2 and then the Sky Q were the first routers carrying the BSkyB MAC OUI.

Previously, BSkyB used routers manufactured by Netgear, Sagem and D-Link, with Sagem and
D-Link (now very rare) the only ones still seen in the wild. There may be a little information out
there about those algorithms, but none of them help with these new BSkyB routers.

We are breaking new ground here.

Problems we face:

- No standalone firmware update or upgrade.
- New and unique algorithm.
- MAC addresses missing for 90% of data.
- No sufficient data to base a theory on.


So our main task is to find more keys.



Avatar
95AE6B15

Status: Trusted
Joined: Fri, 23 May 2014
Posts: 2482
Team:
Reputation: 3625 Reputation
Offline
Sun, 19 Feb 2017 @ 17:55:48

I dont know how many that will be found that contain the MAC address. We might just have to grab some handshakes
from them, and crack them, that way we have the SSID, MAC and Key. If we can base the last char off the SSID, that will help
alot with the cracking. I might be able to get it down to a few hours cracking time running only the Top characters used based
on the Keys that are listed in this thread.


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 17:56:05

soxrok2212 said:

I have someone grabbing some caps from Sky routers, I will look through them and find out how to distinguish between Sky Hub and Sky Q Hub (if possible) and try to break them given the findings so far

This is one of the key open questions about the Sky routers:

How do we determine if it is a Sky Hub 1/2 or Sky Q?

The MAC OUI does not help, because there are overlapping allocations between them.

Until this can be done reliably, there will be a problem knowing which approach to apply, other than
applying the approaches sequentially, which is clearly non-optimal.

Edit:
Maybe the non-OUI part of the MAC address has been allocated sequentially by BSkyB and the Sky Q
have the higher values, compared to Sky Hub 1/2? That would be worth some investigation if we have
enough Sky Q MACs.


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
95AE6B15

Status: Trusted
Joined: Fri, 23 May 2014
Posts: 2482
Team:
Reputation: 3625 Reputation
Offline
Sun, 19 Feb 2017 @ 18:05:13

Gort said:

soxrok2212 said:

I have someone grabbing some caps from Sky routers, I will look through them and find out how to distinguish between Sky Hub and Sky Q Hub (if possible) and try to break them given the findings so far

This is one of the key open questions about the Sky routers:

How do we determine if it is a Sky Hub 1/2 or Sky Q?

The MAC OUI does not help, because there are overlapping allocations between them.

Until this can be done reliably, there will be a problem knowing which approach to apply, other than
applying the approaches sequentially, which is clearly non-optimal.

Edit:
Maybe the non-OUI part of the MAC address has been allocated sequentially by BSkyB and the Sky Q
have the higher values, compared to Sky Hub 1/2. That would be worth some investigation

If we can get a hold of a bunch of handshakes, i can knock out a chunk of them, assuming they are still the old Sky routers relatively quickly.
Then store the MAC addresses to them to help determine in the future which version is which.


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 18:11:45

cvsi said:


If we can get a hold of a bunch of handshakes, i can knock out a chunk of them, assuming they are still the old Sky routers relatively quickly.
Then store the MAC addresses to them to help determine in the future which version is which.

That may be the best we can do at this stage.

The main problem is finding more examples of Sky Q MACs. This is why I hope people will still keep
watching places like Ebay for more images of the bottom of the Sky Q router.

To select off MAC address somehow would be the ideal solution.

Edit:
Actually, there is another good alternative, because the HCCAP and HCCAPX carries the EAPOL
frame from handshake message 2 which reflects beacon information from the AP. It might be
possible to fingerprint off that if the eapol data is different between Sky Hub 1/2 and Sky Q?


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
soxrok2212

Status: Cracker
Joined: Sat, 24 Oct 2015
Posts: 455
Team:
Reputation: 421 Reputation
Offline
Sun, 19 Feb 2017 @ 18:55:06

Check probe responses. They contain every last bit of information you would ever need. I have a buddy grabbing me some handshakes and I will look for any difference between them.



BTC: 1B4ZAbWYQ399p6QJm3VLbywiCWVSBAXYJ1

NVIDIA
1x GTX 1080 Founder’s Edition
1x GTX 980 Reference Design

Avatar
almondo

Status: n/a
Joined: Fri, 17 Feb 2017
Posts: 93
Team:
Reputation: 48 Reputation
Offline
Sun, 19 Feb 2017 @ 19:05:59

Does alphabets are not listed when a key is generated: A E G H I J K O U Z


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 19:08:47

soxrok2212 said:

Check probe responses. They contain every last bit of information you would ever need. I have a buddy grabbing me some handshakes and I will look for any difference between them.

I am sure Probe Response would be a mine of information, but I was thinking more about if there
was a way to split Sky Hub 1/2 and Sky Q when all you have is a hccap or hccapx to work from?

But finding any method of doing it at this point is obviously useful


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
95AE6B15

Status: Trusted
Joined: Fri, 23 May 2014
Posts: 2482
Team:
Reputation: 3625 Reputation
Offline
Sun, 19 Feb 2017 @ 19:09:51

O is in there, but its only 1 time.


Avatar
95AE6B15

Status: Trusted
Joined: Fri, 23 May 2014
Posts: 2482
Team:
Reputation: 3625 Reputation
Offline
Sun, 19 Feb 2017 @ 19:11:17

@soxrok2212, does it have to be in the cap format? or can it be hccap?
I have 26 Sky handshakes, 21 of which are cracked. but they are in hccap format. I dont have the cap files.


Edit: I should clairify that its the old SKY routers that are cracked. not new.


Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 19:14:37

almondo said:

Does alphabets are not listed when a key is generated: A E G H I J K O U Z

The working assumption is that these are excluded characters. That is only based on the fact
that they have never been seen used in Sky Q passphrases.

We have no clue why BSkyB has done this with Sky Q, but they must have thought it was
a good idea at the time!


BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
Gort

Status: Trusted
Joined: Mon, 16 Jan 2017
Posts: 183
Team:
Reputation: 170 Reputation
Offline
Sun, 19 Feb 2017 @ 19:17:44

cvsi said:

O is in there, but its only 1 time.

Good catch! Probably a misread of Q?

I am taking that one out of the list, until there is a confirmed sighting.

Ignore from the previous list:

Code:
SKYC9C1F NDWBSYOWWC



BTC: 12QTTgtbSHqxseW2Hnt5qzrngvBRXgTEj4

Avatar
95AE6B15

Status: Trusted
Joined: Fri, 23 May 2014
Posts: 2482
Team:
Reputation: 3625 Reputation
Offline
Sun, 19 Feb 2017 @ 19:18:51

Only reason i noticed it was because i ran an analysis with ULM.

I guess it could have been a Q if the picture it was taken from was misread yes.


Avatar
95AE6B15

Status: Trusted
Joined: Fri, 23 May 2014
Posts: 2482
Team:
Reputation: 3625 Reputation
Offline
Sun, 19 Feb 2017 @ 19:26:14

Here are some old with mac address, for filtering out the old.

Code:

SKY01011:c03e0f360a35
SKY11DCC:7c4ca58d81d9
SKY15702:7c4ca530b429
SKY1D199:7c4ca5e6c859
SKY2C9E5:7c4ca519b3e1
SKY2D6FD:182861e204d3
SKY4EA6D:7c4ca5bc8541
SKY52EF1:7c4ca579afdd
SKY6955C:c03e0f7e2729
SKY6F115:7c4ca5e15511
SKY7D2B5:c03e0f76c219
SKYA1596:7c4ca5bb6991
SKYA2053:9021060f6a01
SKYB2BFE:9021061627a1
SKYB540B:9021061c1835
SKYBCBF8:c03e0fc8aa0d
SKYBE25F:902106b55311
SKYC282B:902106b2dc51
SKYC4E6A:7c4ca56fcf59
SKYC74A3:7c4ca5c664bd
SKYE6308:c03e0f798569




414 Results - Page 9 of 14 -
1 2 3 4 5 6 7 8 9 10 11 12 13 14

We have a total of 211914 messages in 25990 topics.
We have a total of 22996 registered users.
Our newest registered member is tekatak.