Technicolor PIN Generator

[blandyuk]

Nice xD lots of pics for TNCAP routers although finding the correct algo will be difficult. If you can post all the Serial Numbers, MACs, SSID and WPA Keys in a list it would be a huge help.

 

[PiXEL]

I was having a look at this too but I'm not having any luck with it.

Here's a list of all the info off them pics that unsuns06 posted.

 

[unsuns06]

Thanks for your help !


Routor: TD5130
SSID: TNCAP9388E8
WPA-Key: 580C05A631
WPS-Pin:90467912
Admin-Pass: kcfx
MAC: 0018E79388E8
SN: 1150A1D05173
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAP948BE4
WPA-Key: 079A40DEFB
WPS-Pin: 37017422
Admin-Pass: et3p
MAC: 0018E7948BE4
SN: 1150A1D18433
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAP96C99F
WPA-Key: F3D70D3689
WPS-Pin: 12456789
Admin-Pass: 00jr
MAC: 0018E796C99F
SN: 1201A1D08658
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAPA4CAFF
WPA-Key: 5E00C7B723
WPS-Pin: 71095837
Admin-Pass: efop
MAC: 0018E7A4CAFF
SN: 1211A1D03863
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAP936D45
WPA-Key: 4E35E2A17A
WPS-Pin: 90427145
Admin-Pass: 2ggr
MAC: 0018E7936D45
SN: 1150A1D03750
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAP938028
WPA-Key: 3BC2B03785
WPS-Pin: 15061591
Admin-Pass: x0ym
MAC: 0018E7938028
SN: 1150A1D04725
GW: DSLBE5130MAE1

Routor: TD5130
SSID: TNCAP941A8D
WPA-Key: 842B159901
WPS-Pin: 79489515
Admin-Pass: sthh
MAC: 0018E7941A8D
SN: 1150A1D12630
GW: DSLBE5130MAE1
edited by unsuns06 on 13/06/2013

 

[hash-ire]

I found this on the net. The model is different though.

http://imgur.com/rp6aX0I

Model: TG582n
SSID: TNCAP38A74F
WPA-Key: 273F3492FF
WPS-Pin: 40127576
MAC: A4B1E938A74E
SN: CP1226VFDLL
GW: DSLWBC582PAE7
ACCESS KEY: 64HT6Z8P (login pass?)
edited by hash-ire on 19/08/2013

 

[hash-ire]

I found this topic on a french forum: http://www.crack-wifi.com/forum/topic-9372-technicolor-td5130-0018e7.html

An user says: 'by multiplying the last 6 HEX digits of the BSSID by itself and dividing the result by the serial you'll get a costant (5).'

AP: TD5130
SSID: TNCAP9388E8
WPA-Key: 580C05A631
WPS-Pin:90467912
Admin-Pass: kcfx
MAC: 0018E79388E8
SN: 1150A1D05173
GW: DSLBE5130MAE1

AP: TD5130
SSID: TNCAP948BE4
WPA-Key: 079A40DEFB
WPS-Pin: 37017422
Admin-Pass: et3p
MAC: 0018E7948BE4
SN: 1150A1D18433
GW: DSLBE5130MAE1

First:
9388E8 * 9388E8 = 550683A75240
550683A75240/1150A1D05173 = 5

Second:
948BE4 * 948BE4 = 56320C116310
56320C116310/1150A1D18433 = 5

His conclusion is that with the BSSID you can find the serial number: ESSID² = fct(BSSID) = 5 * S/N.

 

[Hash-IT]

Thank you very much for this hash-ire :) +1

His conclusion is that with the BSSID you can find the serial number: ESSID² = fct(BSSID) = 5 * S/N.

When you say serial number in the quote above do you actually mean PIN ?

 

[hash-ire]

When you say serial number in the quote above do you actually mean PIN ?

I mean the serial number:

SSID: TNCAP9388E8
SN: 1150A1D05173

SSID: TNCAP948BE4
SN: 1150A1D18433

Anyway your type of router is different your serial is something like: CPXXXXXXXXX. That's why I didn't post in the other thread.

 

[Hash-IT]

Aw heck :(

I am sorry, I have removed my last post as I was so desperate to break this damn WPA I didn't read it all properly :(

Desperation can do funny things to a guy :)

Thanks hash-ire

 

[miguelone]

hi guys i have a router TNCAP5CF25D with mac A4:B1:E9:5C:F2:5D
can you found the key with a program ?
thnks

 

[eftecno]

I had a thought.

The password is 10 characters long (0123456789ABCDEF). But every password never contains more than 5 alphabetic characters (ABCDEF).

How can I create a dictionary with words 10 letters long (0123456789ABCDEF) and a maximum of 5 alpha characters?

 

[Hash-IT]

I had a thought.

The password is 10 characters long (0123456789ABCDEF). But every password never contains more than 5 alphabetic characters (ABCDEF).

How can I create a dictionary with words 10 letters long (0123456789ABCDEF) and a maximum of 5 alpha characters?

You would not normally make a dictionary as it would be enormous :)

Use this command with oclhashcat

-1 ABCDEF0123456789 ?1?1?1?1?1?1?1?1?1?1

It will takes months or years :)

 

[eftecno]

I'm sorry, I think I wasn't clear. Your command is good to generate a COMPLETE dictionary, with password like 1234567890 or AAAAAAAABB. I suppose that this password doesn't exist in the TNCAP range!

mp64.exe -2 ABCDEF --output-file 10carhex.txt ?d?d?d?2?d?d?2?2?2?2 --combinations

the result is 777600000, at 30000 k/s I can try it in 7 hours!

I'd like to know how generate *all the password with max 5 ABCDEF*, not all the password with 6-7-8-9-10 alpha.

 

[eftecno]

mp64.bin -2 ABCDEF --output-file 10carhex.txt ?d?2?d?d?2?d?2?d?d?d -q 3

this command is correct to limit to 2 (two) sequential chars?

AAA --> NO
ABA --> YES
BBA --> YES

 

[Hash-IT]

Yes thats right the -q option. This however does not solve your problem.

In fact I have wanted an intelligent brute force generator for quite sometime.

I haven't forgotten your posts, I am just looking for a way to do it :)

I do know someone who is very clever with this sort of thing, I will beg and plead with him to perhaps help us out. :)

 

[eftecno]

Ok, many thanks for your effort! :)

 

[eftecno]

A few more info:

length: 10 characters from UPPER HEX (0123456789ABCDEF)
no more than 5 alpha chars in the password (yes ABCDE01234 no ABCDEF0123)
no more than 2 consecutive chars (yes AABCDEF012 no AAABCDEF01)
no more than 2 equal numbers in the password (yes A1A123456 no A1A123451)
no more than 3 equal alpha chars in the password (yes 8017C24CCF, no C017C24CCF)

 

[PiXEL]

A few more info:

length: 10 characters from UPPER HEX (0123456789ABCDEF)
no more than 5 alpha chars in the password (yes ABCDE01234 no ABCDEF0123)
no more than 2 consecutive chars (yes AABCDEF012 no AAABCDEF01)
no more than 2 equal numbers in the password (yes A1A123456 no A1A123451)
no more than 3 equal alpha chars in the password (yes 8017C24CCF, no C017C24CCF)

I think you may find this Perl script helpful.

USAGE: perl wg.pl options

options are:
-a string: prefix
-c number: max consecutive letters (how many consecutive 'a' do you want?)
-e : submit the output string to the operating system
-h : help
-l number: min length of the word
-o number: max number of occurrencies of a letter
-n number: max number of n-ple (AA, BBB, CCC, DDDD)
-r number: max number of repeatitions (ABCABABBCDBCD has 5 repeatitions: 3 reps of AB and 2 of BCD)
-t : trace on
-u number: max length of the word
-v string: list of valid characters (es, "01" "abcdef")
-z string: postfix


ftp://ftp.mut.ac.th/pub/Security/wg.pl

 

[Hash-IT]

Nice find PiXEL

 

[eftecno]

A few more info:

length: 10 characters from UPPER HEX (0123456789ABCDEF)
no more than 5 alpha chars in the password (yes ABCDE01234 no ABCDEF0123)
no more than 2 consecutive chars (yes AABCDEF012 no AAABCDEF01)
no more than 2 equal numbers in the password (yes A1A123456 no A1A123451)
no more than 3 equal alpha chars in the password (yes 8017C24CCF, no C017C24CCF)

I think you may find this Perl script helpful.

USAGE: perl wg.pl options

options are:
-a string: prefix
-c number: max consecutive letters (how many consecutive 'a' do you want?)
-e : submit the output string to the operating system
-h : help
-l number: min length of the word
-o number: max number of occurrencies of a letter
-n number: max number of n-ple (AA, BBB, CCC, DDDD)
-r number: max number of repeatitions (ABCABABBCDBCD has 5 repeatitions: 3 reps of AB and 2 of BCD)
-t : trace on
-u number: max length of the word
-v string: list of valid characters (es, "01" "abcdef")
-z string: postfix


ftp://ftp.mut.ac.th/pub/Security/wg.pl

Nice, nice I'll give it a try! Many thanks!

 

[eftecno]

Works fine, thanks!

perl wg.pl -c 2 -l 10 -o 3 -n 1 -r 1 -u 10 -v "0123456789ABCDEF" | split -l 10000000 - diz-

creates

diz-aa
diz-ab