SKY Router Keyspace
mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sat, 25 May 2019 @ 22:38:20

Hi,

I'm new to password cracking and wondered if someone could point me in the right direction regarding cracking the Sky Hub 2 (SR102) in the fastest way possible with a GTX 1080. Now, I've read that the keyspace can be reduced drastically using https://github.com/wpatoolkit/Upper-Alpha-Keyspace-Reducer

I've also read that the character set is not the full alphabet.

I've modified the keyspace reducer and re-compiled so that it skips over any character/s of my choosing, but does anyone actually know exactly which characters are used/not used?

Also I found that piping into hashcat reduces my hash rate from 460kH/s to ~220kH/s so I'm losing quite a lot of time saved by using the reducer in the 1st place. Is there even any point in using pipe? I don't think hashcat supports complex rules that can achieve the same as what the above reducer does.

I was going to run two instances of the reducer (on random) with Hashcat Brain Server/Client to take advantage of parallelization, but brain server doesn't work with stdin mode.

Any tips or advice would be greatly appreciated, I'd like to crack this PMKID in less than 12 hours, is that even possible with a GTX 1080?


pasnger57 (joined Tue, 11 Sep 2018; posts: 356; reputation: 181)
Sat, 25 May 2019 @ 23:53:25

I have to ask because it's relevant: what CPU are you using to feed that 1080?
As far as I can see there is no multi-thread support for Upper-Alpha-Keyspace-Reducer, but you can try using -t 4 before the pipe |.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 00:03:47

pasnger57 said:

I have to ask because it's relevant: what CPU are you using to feed that 1080?
As far as I can see there is no multi-thread support for Upper-Alpha-Keyspace-Reducer, but you can try using -t 4 before the pipe |.

I'm using an i7-9700K which is currently at ~20% utilisation running the reducer. You're right, there's no multi-thread; it currently generates ~100,000,000 lines in 40 minutes. I've not written much in C++ before, but I might try my hand at adding multi-thread support. What does -t 4 do?

Perhaps I could run multiple instances of the reducer at the same time using -start -stop flags.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 00:09:35

-t 4 didn't seem to have any effect. I can't see any args in the reducer that look for -t.


pasnger57 (joined Tue, 11 Sep 2018; posts: 356; reputation: 181)
Sun, 26 May 2019 @ 01:47:31

As I was saying, I think it's stuck in single-threaded operation; you can't feed that GPU at full speed with a single thread from a pipe |.


pasnger57 (joined Tue, 11 Sep 2018; posts: 356; reputation: 181)
Sun, 26 May 2019 @ 01:52:40

mrmike said:

-t 4 didn't seem to have any effect. I can't see any args in the reducer that look for -t.

Sometimes setting the threads is an option for some; -t 4 is a generic flag for 4 threads, --threads=4 may be another.
But as I said, I don't see multi-thread support for it.


dipeperon (joined Tue, 03 Apr 2018; posts: 411; reputation: 425)
Sun, 26 May 2019 @ 03:01:44

I hope the keyspace reduction method indeed is correct.

If it's correct, there are improvements to be made for sure. A simple Python script I just wrote can output 57826669 candidates in 30s (1.9 mil/s); this is straight brute force on one thread on my poor Ryzen 1400.

Now, string operations are slow on a CPU, that's a fact, hence why hashcat runs rules on the GPU.

Though I do believe with a modern cpu the multithreaded rule "agents" will be able to keep up with the single thread brute force generation queue feeder.

This is also how I would program something like this: 1 thread brute force generation --> queue --> threaded agents pick from queue --> if correct candidate --> threadlock stdout.

I think it wouldn't be an issue programming this in Python; obviously C++ is better, but since we're talking WPA cracking it's probably not needed.

It's also a matter of optimizing it by setting the rules that will kick out the most candidates the fastest at the top.

Here's my basic benchmark script: https://pastebin.com/RFeFB0jB


My hashcat stuff (rules, scripts): https://github.com/theherp/Hashcat-stuff

foud (joined Tue, 26 Feb 2019; posts: 50; reputation: 36)
Sun, 26 May 2019 @ 09:59:12

mrmike said:


Any tips or advice would be greatly appreciated, I'd like to crack this PMKID in less than 12 hours, is that even possible with a GTX 1080?

Your 1080 should do about 400kH/s WPA.
Use brute force length 8 with charset ABCDEFPQRSTUVWXY.
It will take you only 3 hours or less.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 10:26:03

I'm not sure the keyspace or the reduction method is correct. I've just exhausted -1 ABCDEFLMNPQRSTUVWXY ?1?1?1?1?1?1?1?1 with no luck; at least brain server will remember everything.

I just ran your py script and benched 116,413,487 (3.9 mil/s), however writing them out has a catastrophic impact! (31,612 candidates/s). Currently the reducer written in C++ is outputting ~5,000 candidates/s.

I guess for now I will just have to run the full 8 upper alpha which will take ~5 days. Perhaps I could try and collect as many Sky founds as possible and run some analytics.


foud (joined Tue, 26 Feb 2019; posts: 50; reputation: 36)
Sun, 26 May 2019 @ 10:47:23

mrmike said:

I'm not sure the keyspace or the reduction method is correct

I am not sure your assumption that the passphrase is still default is correct.


dipeperon (joined Tue, 03 Apr 2018; posts: 411; reputation: 425)
Sun, 26 May 2019 @ 10:58:14

mrmike said:

I'm not sure the keyspace or the reduction method is correct. I've just exhausted -1 ABCDEFLMNPQRSTUVWXY ?1?1?1?1?1?1?1?1 with no luck; at least brain server will remember everything.

I just ran your py script and benched 116,413,487 (3.9 mil/s), however writing them out has a catastrophic impact! (31,612 candidates/s). Currently the reducer written in C++ is outputting ~5,000 candidates/s.

I guess for now I will just have to run the full 8 upper alpha which will take ~5 days. Perhaps I could try and collect as many Sky founds as possible and run some analytics.

You don't have to write them out. Unless you're okay with making a 700GB wordlist (after rules)?

Pipe also shouldn't be a bottleneck.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 12:32:33

dipeperon said:

You don't have to write them out.

When I say write out I actually mean sys.stdout.write( x + "\n" )

This is how we would get the candidates into Hashcat right?


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 12:42:33

foud said:

mrmike said:

I'm not sure the keyspace or the reduction method is correct

I am not sure your assumption that the passphrase is still default is correct.

I'm not sure I understand what you mean... assumptions cannot be correct nor incorrect, only 'statements' can be correct or incorrect. I am not sure the password is the default, but probability suggests that it most likely will be.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 12:57:44

mrmike said:

dipeperon said:

You don't have to write them out.

When I say write out I actually mean sys.stdout.write( x + "\n" )

This is how we would get the candidates into Hashcat right?

Ohhh, just tried piping in and it runs fast, I guess the time penalty is actually caused by displaying the output?


dipeperon (joined Tue, 03 Apr 2018; posts: 411; reputation: 425)
Sun, 26 May 2019 @ 13:05:38

mrmike said:

mrmike said:

dipeperon said:

You don't have to write them out.

When I say write out I actually mean sys.stdout.write( x + "\n" )

This is how we would get the candidates into Hashcat right?

Ohhh, just tried piping in and it runs fast, I guess the time penalty is actually caused by displaying the output?

Yes and yes.

I might be able to whip up the full script with these rules and threads in Python; I don't look forward to it, but everything for science x)

Just not sure how I would go about verifying that the output is exactly the same.

Would also be nice if someone could confirm with certainty that this method is in fact correct... because I'm still doubtful.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 14:07:19

foud said:

mrmike said:


Any tips or advice would be greatly appreciated, I'd like to crack this PMKID in less than 12 hours, is that even possible with a GTX 1080?

Your 1080 should do about 400kH/s WPA.
Use brute force length 8 with charset ABCDEFPQRSTUVWXY.
It will take you only 3 hours or less.

Sorry, I completely did not even see this post; thank you for the advice! Is that really how small the charset is!? This combined with the reducer rules will bring the keyspace down massively.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 14:18:20

I'm also going to try with a Python script, although I'm sure it will not be as efficient as yours; I'll paste when done so you can have a laugh. I wouldn't worry too much about verifying output; the only way I think would be to write out to a file and then write a comparison script. I too am doubtful of the reducer; the fact that it was written with optional flags (-noio) suggests to me that it is not specifically for Sky routers.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 15:31:27

I found that some of the rules seem to be invalid, for example these two rules:

    character 3 is not equal to character 1
    characters 1 and 3, and 2 and 4 are not identical

The second rule is redundant because if characters 1 and 3 are identical then there would never be a reason to check 2 and 4.


foud (joined Tue, 26 Feb 2019; posts: 50; reputation: 36)
Sun, 26 May 2019 @ 16:42:35

mrmike said:


I'm not sure I understand what you mean... assumptions cannot be correct nor incorrect, only 'statements' can be correct or incorrect. I am not sure the password is the default, but probability suggests that it most likely will be.

You claim to have exhausted -1 ABCDEFLMNPQRSTUVWXY ?1?1?1?1?1?1?1?1.
This is doing it the hard way, as the SR102 charset does not include LMN.

But you will have still covered the entire default keyspace, and if nothing is found then the password is not the default for the SR102.

This is based on my assumption that you have not also used something like the arbitrary keyspace reducer rules at the same time and missed some combinations.

That assumption may be incorrect.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 17:17:21

foud said:

mrmike said:


I'm not sure I understand what you mean... assumptions cannot be correct nor incorrect, only 'statements' can be correct or incorrect. I am not sure the password is the default, but probability suggests that it most likely will be.

You claim to have exhausted -1 ABCDEFLMNPQRSTUVWXY ?1?1?1?1?1?1?1?1.
This is doing it the hard way, as the SR102 charset does not include LMN.

But you will have still covered the entire default keyspace, and if nothing is found then the password is not the default for the SR102.

This is based on my assumption that you have not also used something like the arbitrary keyspace reducer rules at the same time and missed some combinations.

That assumption may be incorrect.

I think you're right. I have missed some combinations; I wasn't using hashcat brain properly (--brain-features 3) and used a combination of different attacks. I will start again using your suggested charset.


foud (joined Tue, 26 Feb 2019; posts: 50; reputation: 36)
Sun, 26 May 2019 @ 17:52:00

mrmike said:


I think you're right. I have missed some combinations; I wasn't using hashcat brain properly (--brain-features 3) and used a combination of different attacks. I will start again using your suggested charset.

It always amuses me that people asking blindly for a crack get a better response on here than anyone like you prepared to put in some time and effort to actually learn something for themselves.

Good luck.
You deserve a result this time.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Sun, 26 May 2019 @ 23:36:17

Thanks for the kind words, but unfortunately I have failed again.

Upon further inspection, I found that the MAC address (70:50:AF) corresponds to an SR101 router. I should never have assumed, but I didn't realise one could identify the router using MAC addresses. So, perhaps one more attempt. Is there a reduced keyspace for the SR101? Or is it the full 8 upper?


foud (joined Tue, 26 Feb 2019; posts: 50; reputation: 36)
Sun, 26 May 2019 @ 23:55:50

mrmike said:

Thanks for the kind words, but unfortunately I have failed again.

Upon further inspection, I found that the MAC address (70:50:AF) corresponds to an SR101 router. I should never have assumed, but I didn't realise one could identify the router using MAC addresses. So, perhaps one more attempt. Is there a reduced keyspace for the SR101? Or is it the full 8 upper?

Your problem here is that 70:50:AF can also be a Sky Q, which has a different charset with length 10, although the last char can be predicted from the SSID. If it is a Sky Q it will be 16 times harder to crack.

Not 100% sure Sky Q uses PMKID, so that might rule it out?

Either look at the WPS Information Element in the Probe Response in the cap with Wireshark and see if you have a Sky Q Hub, or post the fourth byte of the MAC address to allow me to determine if it is a Sky Hub or Sky Q.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Mon, 27 May 2019 @ 00:09:32

Sorry, I typed the wrong MAC; my head is all over the place at the moment trying to consolidate all this information. I meant to type 7C:4C:A5.

So from what I have gathered:

70:50:AF - SR101 & SR102

90:21:06, C0:3E:0F, 70:50:AF - Sky Q

- SkyQ keyspace: [BCDFLMNPQRSTVWXY] Len 10 (Last letter can be calculated using SSID)
- SR101 keyspace: [ ? ] Len 8 (No confirmed tricks)
- SR102 keyspace: [ABCDEFPQRSTUVWXY] Len 8 (No confirmed tricks)


foud (joined Tue, 26 Feb 2019; posts: 50; reputation: 36)
Mon, 27 May 2019 @ 00:18:34

mrmike said:

Sorry, I typed the wrong MAC; my head is all over the place at the moment trying to consolidate all this information. I meant to type 7C:4C:A5.

Not such good news, as 7C:4C:A5 is exclusive to Sky Hub 1/2 with default [ABCDEFPQRSTUVWXY] Len 8.

If you cannot crack with this, it looks like it has been changed from default and you are into the rabbit hole of trying a dictionary attack.

Very unlikely changed from default to [A-Z] len 8, IMHO.

BTW, the 90:21:06, C0:3E:0F, 70:50:AF MAC addresses are all split between Sky Hub 1/2 and Sky Q.


mrmike (joined Tue, 05 Apr 2016; posts: 19; reputation: 10)
Mon, 27 May 2019 @ 15:20:49

Drat. Indeed "rabbit hole" seems like the right choice of words. I was going to attempt this with the rockyou dictionary combined with the 'OneRuleToRuleThemAll' rule set, but the keyspace is quite large and would take ~30 days to exhaust! Perhaps this combination is more suitable for fast hashes.

Using wordlists/rules certainly is a different kettle of fish. I guess the only 'tricks' we can use here are data analytics from previous founds, and understanding the flaws of the human mind when choosing a password. I would imagine most folk will not choose a long password for WiFi due to inconvenience, unless it's easy to type, like a short phrase.

I am looking forward to this challenge; I think there's a fair amount of creativity involved with rule sets.


kevtheskin (joined Wed, 21 Feb 2018; posts: 327; reputation: 199)
Wed, 07 Aug 2019 @ 19:03:26

mrmike said:

Hi,

I'm new to password cracking and wondered if someone could point me in the right direction regarding cracking the Sky Hub 2 (SR102) in the fastest way possible with a GTX 1080. Now, I've read that the keyspace can be reduced drastically using https://github.com/wpatoolkit/Upper-Alpha-Keyspace-Reducer

I've also read that the character set is not the full alphabet.

I've modified the keyspace reducer and re-compiled so that it skips over any character/s of my choosing, but does anyone actually know exactly which characters are used/not used?

Also I found that piping into hashcat reduces my hash rate from 460kH/s to ~220kH/s so I'm losing quite a lot of time saved by using the reducer in the 1st place. Is there even any point in using pipe? I don't think hashcat supports complex rules that can achieve the same as what the above reducer does.

I was going to run two instances of the reducer (on random) with Hashcat Brain Server/Client to take advantage of parallelization, but brain server doesn't work with stdin mode.

Any tips or advice would be greatly appreciated, I'd like to crack this PMKID in less than 12 hours, is that even possible with a GTX 1080?


Hello Mr Mike, have you or anyone managed to up the speed using the keyspace reducer? I only get 220kH/s as well, 1080 card in use with an i7 gen 8. Cheers, Kev
