SKY router algos


blandyuk
Administrator
Wed, 13 Mar 2013 @ 00:59:59

Found this a while ago and just revisited it, very interesting with regards to the 8 char UPPER CASE WPA keys:

http://www.backtrack-linux.org/forums/showthread.php?t=15739&page=4&s=6385e6ea7abc35ac91fc2c38e071462c

I've already created a script which actually confirms this works on v1 and v2 routers.


blandyuk
Administrator
Wed, 13 Mar 2013 @ 08:58:06

Noticed that

MAC address starting with:

00:18 is the DG834GT which is v1 (already crackable)
00:1E is the DG934G which is v2 (cracked if we have serial number)
00:25 is the F@ST2504 which is the v3

Also, here is code for generating the keys:

http://code.google.com/p/sky-router-tool/source/browse/trunk/Sky%20Router%20Tool%20Web/pHMb.Router/SkyPasswordGen.cs
edited by blandyuk on 13/03/2013


Hash-IT

Wed, 13 Mar 2013 @ 21:40:30

Thank you Blandy, all useful stuff.

The hard part is getting the serial number for V2.

I have never seen a working exploit for V3, not even a hint of one.


aj

Fri, 02 Jan 2015 @ 20:56:45

Agree wholeheartedly with the above post, this is possibly the best resource I have ever found for this kind of info.
I wrote a long post but don't wanna clog the place up with what may be irrelevant info, so I'll send a PM to the mod and let them decide.
V2 serial number is easily got and hence the passphrase, and I can give a hint of some relevant info for the V3 as we worked on them for quite a while (I'm the "us" mentioned in the remote-exploit forum post above). I haven't been involved in this kind of stuff for some time, though I'm hoping the methodology may be applicable to other routers.
Regards,
aj


yesilyurtomer

Thu, 08 Jan 2015 @ 07:57:00

Thank you Blandy


c00k1emonster

Tue, 20 Jan 2015 @ 18:03:16

How are you guys managing to obtain the serial for the v2 without already being on the LAN? Is the LAN MAC the WiFi with an octet changed or something?


aj

Fri, 23 Jan 2015 @ 11:41:02

Basically the serial is unobtainable unless you have access to the router's CFE, so rather than get it we can generate it based upon its relationship to the BSSID (MAC), SSID and channel. Each MAC falls into a certain category which we call a "range" (determined by studying the manufacturer's method of serial number designation).
The passphrase can be narrowed down to a list of between 100 and a few thousand possibilities. This can be brute forced manually with a modified version of Adrian Pastor's script or any other method of trying keys, or in the case of having a captured handshake in a few seconds/minutes.
The code we worked on isn't the fastest and could really do with being ported to C++ as it can take anywhere from 5 min to approx 2 hours, but it hasn't failed when I've used it.
Post some (genuine) DG934 (v2) details (BSSID, SSID & channel) and I will generate a list of passphrases for you as PoC.
This attachment gives a better explanation, bearing in mind this info is just about obsolete..!


HYPN0T04D

Sun, 22 Feb 2015 @ 07:07:06

blandyuk said:

Noticed that

MAC address starting with:

00:18 is the DG834GT which is v1 (already crackable)
00:1E is the DG934G which is v2 (cracked if we have serial number)
00:25 is the F@ST2504 which is the v3

Also, here is code for generating the keys:

http://code.google.com/p/sky-router-tool/source/browse/trunk/Sky%20Router%20Tool%20Web/pHMb.Router/SkyPasswordGen.cs
edited by blandyuk on 13/03/2013

Hi Blandy, great site!
I have a Sky router that I have been trying to crack, and the BSSID starts with 7C - What would this be? Have they released a new model of router? Sorry am new to this side of things!


27E8AD74
Administrator
Sun, 22 Feb 2015 @ 09:40:47

HYPN0T04D said:

blandyuk said:

Noticed that

MAC address starting with:

00:18 is the DG834GT which is v1 (already crackable)
00:1E is the DG934G which is v2 (cracked if we have serial number)
00:25 is the F@ST2504 which is the v3

Also, here is code for generating the keys:

http://code.google.com/p/sky-router-tool/source/browse/trunk/Sky%20Router%20Tool%20Web/pHMb.Router/SkyPasswordGen.cs
edited by blandyuk on 13/03/2013

Hi Blandy, great site!
I have a Sky router that I have been trying to crack, and the BSSID starts with 7C - What would this be? Have they released a new model of router? Sorry am new to this side of things!

They released a new router quite some time ago, so it's most likely the SR101 (white) or SR102 (black).

Default passphrase is the same as older models.


cheeseuk1989

Sun, 03 May 2015 @ 19:20:08

I have 2 spare sky routers if this is any help?

SR101
WiFi Name SKYF5262
WiFi password AFUWEDQF
PIN 32867763
MAC 7C 4C A5 AB (can't read the rest as it's been rubbed off)
SERIAL A2101 (can't read the rest as it's been rubbed off)

SR102
WiFi Name SKY9D9EC
WiFi password STD8DPTQ
PIN 22838766
MAC 7C 4C A5 E9 (can't read the rest as it's been rubbed off)
SERIAL A502145 (can't read the rest as it's been rubbed off)


