Technicolor PIN Generator

blandyuk

Active member
Trusted
Contributor
VIP Member
Feedback: 0 / 0 / 0
Joined
Jul 6, 2011
Messages
18,606
Reaction score
449
Credits
11,367
Nice xD lots of pics for TNCAP routers although finding the correct algo will be difficult. If you can post all the Serial Numbers, MACs, SSID and WPA Keys in a list it would be a huge help.
 

PiXEL

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
903
Reaction score
4
Credits
38
I was having a look at this too but I'm not having any luck with it.

Here's a list of all the info off them pics that unsuns06 posted.
 

unsuns06

Member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
14
Reaction score
2
Credits
0
Thanks for your help !


Routor: TD5130
SSID: TNCAP9388E8
WPA-Key: 580C05A631
WPS-Pin:90467912
Admin-Pass: kcfx
MAC: 0018E79388E8
SN: 1150A1D05173
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAP948BE4
WPA-Key: 079A40DEFB
WPS-Pin: 37017422
Admin-Pass: et3p
MAC: 0018E7948BE4
SN: 1150A1D18433
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAP96C99F
WPA-Key: F3D70D3689
WPS-Pin: 12456789
Admin-Pass: 00jr
MAC: 0018E796C99F
SN: 1201A1D08658
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAPA4CAFF
WPA-Key: 5E00C7B723
WPS-Pin: 71095837
Admin-Pass: efop
MAC: 0018E7A4CAFF
SN: 1211A1D03863
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAP936D45
WPA-Key: 4E35E2A17A
WPS-Pin: 90427145
Admin-Pass: 2ggr
MAC: 0018E7936D45
SN: 1150A1D03750
GW: DSLBE5130MAE1


Routor: TD5130
SSID: TNCAP938028
WPA-Key: 3BC2B03785
WPS-Pin: 15061591
Admin-Pass: x0ym
MAC: 0018E7938028
SN: 1150A1D04725
GW: DSLBE5130MAE1

Routor: TD5130
SSID: TNCAP941A8D
WPA-Key: 842B159901
WPS-Pin: 79489515
Admin-Pass: sthh
MAC: 0018E7941A8D
SN: 1150A1D12630
GW: DSLBE5130MAE1
edited by unsuns06 on 13/06/2013
 

hash-ire

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
1,452
Reaction score
5
Credits
0
I found this on the net. The model is different though.


Model: TG582n
SSID: TNCAP38A74F
WPA-Key: 273F3492FF
WPS-Pin: 40127576
MAC: A4B1E938A74E
SN: CP1226VFDLL
GW: DSLWBC582PAE7
ACCESS KEY: 64HT6Z8P (login pass?)
edited by hash-ire on 19/08/2013
 

hash-ire

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
1,452
Reaction score
5
Credits
0
I found this topic on a french forum: http://www.crack-wifi.com/forum/topic-9372-technicolor-td5130-0018e7.html

An user says: 'by multiplying the last 6 HEX digits of the BSSID by itself and dividing the result by the serial you'll get a costant (5).'

AP: TD5130
SSID: TNCAP9388E8
WPA-Key: 580C05A631
WPS-Pin:90467912
Admin-Pass: kcfx
MAC: 0018E79388E8
SN: 1150A1D05173
GW: DSLBE5130MAE1

AP: TD5130
SSID: TNCAP948BE4
WPA-Key: 079A40DEFB
WPS-Pin: 37017422
Admin-Pass: et3p
MAC: 0018E7948BE4
SN: 1150A1D18433
GW: DSLBE5130MAE1

First:
9388E8 * 9388E8 = 550683A75240
550683A75240/1150A1D05173 = 5

Second:
948BE4 * 948BE4 = 56320C116310
56320C116310/1150A1D18433 = 5

His conclusion is that with the BSSID you can find the serial number: ESSID² = fct(BSSID) = 5 * S/N.
 

Hash-IT

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
25,389
Reaction score
27
Credits
250
Thank you very much for this hash-ire :) +1

hash-ire said:
His conclusion is that with the BSSID you can find the serial number: ESSID² = fct(BSSID) = 5 * S/N.

When you say serial number in the quote above do you actually mean PIN ?
 

hash-ire

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
1,452
Reaction score
5
Credits
0
Hash-IT said:
When you say serial number in the quote above do you actually mean PIN ?
I mean the serial number:

SSID: TNCAP9388E8
SN: 1150A1D05173

SSID: TNCAP948BE4
SN: 1150A1D18433

Anyway your type of router is different your serial is something like: CPXXXXXXXXX. That's why I didn't post in the other thread.
 

Hash-IT

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
25,389
Reaction score
27
Credits
250
Aw heck :(

I am sorry, I have removed my last post as I was so desperate to break this damn WPA I didn't read it all properly :(

Desperation can do funny things to a guy :)

Thanks hash-ire
 

miguelone

Member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
6
Reaction score
1
Credits
0
hi guys i have a router TNCAP5CF25D with mac A4:B1:E9:5C:F2:5D
can you found the key with a program ?
thnks
 

eftecno

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
826
Reaction score
15
Credits
0
I had a thought.

The password is 10 characters long (0123456789ABCDEF). But every password never contains more than 5 alphabetic characters (ABCDEF).

How can I create a dictionary with words 10 letters long (0123456789ABCDEF) and a maximum of 5 alpha characters?
 

Hash-IT

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
25,389
Reaction score
27
Credits
250
eftecno said:
I had a thought.

The password is 10 characters long (0123456789ABCDEF). But every password never contains more than 5 alphabetic characters (ABCDEF).

How can I create a dictionary with words 10 letters long (0123456789ABCDEF) and a maximum of 5 alpha characters?

You would not normally make a dictionary as it would be enormous :)

Use this command with oclhashcat

-1 ABCDEF0123456789 ?1?1?1?1?1?1?1?1?1?1

It will takes months or years :)
 

eftecno

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
826
Reaction score
15
Credits
0
I'm sorry, I think I wasn't clear. Your command is good to generate a COMPLETE dictionary, with password like 1234567890 or AAAAAAAABB. I suppose that this password doesn't exist in the TNCAP range!

mp64.exe -2 ABCDEF --output-file 10carhex.txt ?d?d?d?2?d?d?2?2?2?2 --combinations

the result is 777600000, at 30000 k/s I can try it in 7 hours!

I'd like to know how generate *all the password with max 5 ABCDEF*, not all the password with 6-7-8-9-10 alpha.
 

eftecno

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
826
Reaction score
15
Credits
0
mp64.bin -2 ABCDEF --output-file 10carhex.txt ?d?2?d?d?2?d?2?d?d?d -q 3

this command is correct to limit to 2 (two) sequential chars?

AAA --> NO
ABA --> YES
BBA --> YES
 

Hash-IT

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
25,389
Reaction score
27
Credits
250
Yes thats right the -q option. This however does not solve your problem.

In fact I have wanted an intelligent brute force generator for quite sometime.

I haven't forgotten your posts, I am just looking for a way to do it :)

I do know someone who is very clever with this sort of thing, I will beg and plead with him to perhaps help us out. :)
 

eftecno

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
826
Reaction score
15
Credits
0
A few more info:

length: 10 characters from UPPER HEX (0123456789ABCDEF)
no more than 5 alpha chars in the password (yes ABCDE01234 no ABCDEF0123)
no more than 2 consecutive chars (yes AABCDEF012 no AAABCDEF01)
no more than 2 equal numbers in the password (yes A1A123456 no A1A123451)
no more than 3 equal alpha chars in the password (yes 8017C24CCF, no C017C24CCF)
 

PiXEL

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
903
Reaction score
4
Credits
38
eftecno said:
A few more info:

length: 10 characters from UPPER HEX (0123456789ABCDEF)
no more than 5 alpha chars in the password (yes ABCDE01234 no ABCDEF0123)
no more than 2 consecutive chars (yes AABCDEF012 no AAABCDEF01)
no more than 2 equal numbers in the password (yes A1A123456 no A1A123451)
no more than 3 equal alpha chars in the password (yes 8017C24CCF, no C017C24CCF)



I think you may find this Perl script helpful.

USAGE: perl wg.pl options

options are:
-a string: prefix
-c number: max consecutive letters (how many consecutive 'a' do you want?)
-e : submit the output string to the operating system
-h : help
-l number: min length of the word
-o number: max number of occurrencies of a letter
-n number: max number of n-ple (AA, BBB, CCC, DDDD)
-r number: max number of repeatitions (ABCABABBCDBCD has 5 repeatitions: 3 reps of AB and 2 of BCD)
-t : trace on
-u number: max length of the word
-v string: list of valid characters (es, "01" "abcdef")
-z string: postfix


ftp://ftp.mut.ac.th/pub/Security/wg.pl
 

eftecno

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
826
Reaction score
15
Credits
0
PiXEL said:
eftecno said:
A few more info:

length: 10 characters from UPPER HEX (0123456789ABCDEF)
no more than 5 alpha chars in the password (yes ABCDE01234 no ABCDEF0123)
no more than 2 consecutive chars (yes AABCDEF012 no AAABCDEF01)
no more than 2 equal numbers in the password (yes A1A123456 no A1A123451)
no more than 3 equal alpha chars in the password (yes 8017C24CCF, no C017C24CCF)



I think you may find this Perl script helpful.

USAGE: perl wg.pl options

options are:
-a string: prefix
-c number: max consecutive letters (how many consecutive 'a' do you want?)
-e : submit the output string to the operating system
-h : help
-l number: min length of the word
-o number: max number of occurrencies of a letter
-n number: max number of n-ple (AA, BBB, CCC, DDDD)
-r number: max number of repeatitions (ABCABABBCDBCD has 5 repeatitions: 3 reps of AB and 2 of BCD)
-t : trace on
-u number: max length of the word
-v string: list of valid characters (es, "01" "abcdef")
-z string: postfix


ftp://ftp.mut.ac.th/pub/Security/wg.pl

Nice, nice I'll give it a try! Many thanks!
 

eftecno

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
826
Reaction score
15
Credits
0
Works fine, thanks!

perl wg.pl -c 2 -l 10 -o 3 -n 1 -r 1 -u 10 -v "0123456789ABCDEF" | split -l 10000000 - diz-

creates

diz-aa
diz-ab
 
Top