Unpublished WPA key algorithms

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
Still haven't found any pictures that include WPA passwords. Seems like this algo was found on units with only WPS pins (under their battery pack).

It definitely has a common ancestor with the DIR-640L algorithm! Probably developed by the same engineer. So it's just for your curiosity at the moment.

Binwalk is still not done; I thought the Rust conversion would make it faster... 1.5 TB of extractions already!
 

Attachments

  • dwr_512.zip
    915 bytes · Views: 6

RealEnder

Member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
18
Reaction score
35
Credits
130
Tried this generator against all wpa-sec uncracked hashes with D-Link OUI (58K+), not a single hit. Also iterated the BSSIDs from -3 to +3, again no hits :(
Attaching my take on a Python rewrite, based on the DIR-640L keygen; maybe @Plum can check it out and publish it. For the reference '001122334455' input, I get the correct output.
 

Attachments

  • dwr512.zip
    1.4 KB · Views: 6

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
Great work, didn't realize that the last pwd_mode==5 mash up never actually happens.
But if I read that correctly all the indices are off by 1. MATLAB indexing for a byte vector starts at 1 (vector(1)) while the Python equivalent is vector(0).
I think you would need to subtract 1 for each of the indices in the mash up... Then again, I don't speak Python. Perhaps that return full_hash[i-1] shifts the whole thing over.
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
Binwalk is finally done, sooo many extracts, I guess I'll start with the older models and work my way up, while grep works through a list of keywords to see if that picks up anything.

@RealEnder The DWR-512 uses the AMITTW interchelation, so probably only Amit Taiwan wireless hotspots, rather than generic d-link models. I'll work on combining dir-640l and this new one and force all variations to see if that gets any hits.
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
@RealEnder Combined 640L with 512. Three different mac orders, three different fillers, 2 hashes, 6 different mesh ups, two conversions to ?l?l?l?l?d?d?d?d?d and a partridge in a pear tree. Macs +/- 4 for uncracked caps with --essid-partx=dlink and --essid-partx=dwr: just a big fat doughnut for both the hex-meshups and the typical dlink passwords.
Looks like the only way forward is to reverse some firmware; now I need to remember how I did all that!
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
No obvious WPA keygens in a quick scan. I did find a WPS pin generator in /lib/libputil.so of all places. So I thought I'd at least give you something for now. But then I found that devttys0 (of delink fame) already reversed it in Python, so nothing left for me to do. Makes me wonder if he already went through to see if he could find anything tasty...
A lot of firmwares have /sbin/mfc that does the factory reset and just pulls data from NVRAM. Still hopeful, some intern left a clue somewhere!
 

RealEnder

Member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
18
Reaction score
35
Credits
130
Some older devices (not exactly D-Link ones) just use the WPS pin as WPA password. That's why I added WPSpin dicts to wpa-sec and we still have hits there. :)
I'm sure we'll hit something interesting, even if we have to bruteforce the hardcoded salt (AMITTW) in the DWR-512 keygen. Just have to find pictures or known input values.
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
After studying the probabilities of the charset some more and throwing another infinite set of monkeys typing away at it, I came across this combination of input values.
It fits too well, but could still be random as it only works for 1 out of the 19 passwords found for the DIR-605L. I'll try some other mash ups of the SHA1 digest, that haven't been used by d-link before and see if that goes anywhere.
 

Attachments

  • dir_605l_maybe.zip
    874 bytes · Views: 3

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
Yeah looks like another case of too many monkeys... I can make pretty much any password when there are enough degrees of freedom.
e.g. MAC3:MAC2:MAC1:MAC6:MAC5:MAC4-WPA\n --> SHA1 --> digest[16]+digest[18]+digest[19]+digest[20]
works for password "bccce01201"
But you need a different combination for each. D-link does some pretty nasty (for hackers) things by implementing a few different variants within the same model based on the mac, but it's only a handful per model, so with 19 passwords there should be a lot in common. With this avenue unsuccessful, I now need to see if I can get from the mac to the password without a hash, by just adding, XOR-ing and modulo-ing things together.
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
Well, I've now got a D-link DIR-605L sitting on my desk, hoping that perhaps there was something on the physical router that isn't in the downloadable firmware. I've got root shell and tracked the factory reset to /lib/apmib where it restores the settings using "apmib_reset_wlan_to_default". So how does it do that? Yeah it just pulls it from NVRAM and stores it in the flash.

The DIR-640L /usr/bin/wifi_key_default was an exception where they left the algo in the firmware. I'm still scouring through all the extracts but no other obvious mistakes left in the firmware.
/usr/bin/wifi_default_setting (the AMITTW version) slowly morphs into commander, where it looks like AMIT engineers just keep adding new models/algos to it.

TL;DR I might have nothing to update to this thread for a while...
 

Sparton

Active member
Feedback: 7 / 0 / 0
Joined
Dec 30, 2019
Messages
562
Reaction score
1,398
Credits
3,411
The 605L using a-j can be brute-forced in less than an hour. Other models using a-z are the real problem. Hopefully the 605L can give clues to the more difficult models.
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
Yeah that was my hope too. Actually the 605L dictionary from the C code on the hashcat forum runs in 7 minutes. But it doesn't look like there's any info on the algo (or other dlink algos) in it.
 

JustGuardian

Active member
Feedback: 0 / 0 / 0
Joined
Feb 2, 2022
Messages
72
Reaction score
39
Credits
492
Hi everyone,
I'm looking for the firmware for the Technicolor TG789vac v2 router, specifically the TIM-branded version. From my research, the file seems to be named "AGTOT_2.1.4_CLOSED.rbi". If anyone has a copy of it, I'd love to experiment with it, particularly to explore if it includes a function for generating the default PSK.

Thanks in advance for your help!
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
OpenWRT points back to the MST edition:
Torrent file is still up if you want to download it.
 

JustGuardian

Active member
Feedback: 0 / 0 / 0
Joined
Feb 2, 2022
Messages
72
Reaction score
39
Credits
492
> OpenWRT points back to the MST edition:
> Torrent file is still up if you want to download it.
Do you think that it is the same as the one that I'm searching for? Because, as I read, the MST version is for another provider: the one that I am searching for should be from TIM while this is from TISCALI or MST, and I don't know the differences yet.
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
You won't know until you look! Perhaps it has a variant of what you are looking for, perhaps there's nothing in there. I'd say start with /lib/libcms_core.so from looking at the technicolor centurylink modems, that's where an algo was. Not the correct one, but at least something.
 

JustGuardian

Active member
Feedback: 0 / 0 / 0
Joined
Feb 2, 2022
Messages
72
Reaction score
39
Credits
492
> You won't know until you look! Perhaps it has a variant of what you are looking for, perhaps there's nothing in there. I'd say start with /lib/libcms_core.so from looking at the technicolor centurylink modems, that's where an algo was. Not the correct one, but at least something.
I think I have a better understanding of the process now, but I'm still having trouble decrypting the firmware you provided. To complete the decryption, I need a key, but I'm not sure where to obtain it.
 

drsnooker

Active member
Contributor
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
316
Reaction score
501
Credits
2,721
Yeah that's a problem... Have a look at delink https://github.com/devttys0/delink that does that decryption for the FW of some D-Link routers.
Best bet is to get access to physical hardware and trace the FW upgrade algorithm. That'll be where the decryption is hidden. It's unlikely to be a password-encrypted zip, but possible.
Zip2john might be your friend if that's the case. But as you can see from delink, it's probably some proprietary encryption algo.

Addition: The first letters of the archive are BLI223SW0
Google then points me to: https://filext.com/file-extension/RBI that tells me it's an Adressmn file, for whatever that means. My bet is you'd need actual hardware to figure this one out.
 

JustGuardian

Active member
Feedback: 0 / 0 / 0
Joined
Feb 2, 2022
Messages
72
Reaction score
39
Credits
492
> Yeah that's a problem... Have a look at delink https://github.com/devttys0/delink that does that decryption for the FW of some D-Link routers.
> Best bet is to get access to physical hardware and trace the FW upgrade algorithm. That'll be where the decryption is hidden. It's unlikely to be a password-encrypted zip, but possible.
> Zip2john might be your friend if that's the case. But as you can see from delink, it's probably some proprietary encryption algo.
>
> Addition: The first letters of the archive are BLI223SW0
> Google then points me to: https://filext.com/file-extension/RBI that tells me it's an Adressmn file, for whatever that means. My bet is you'd need actual hardware to figure this one out.
I have the actual modem in my hands, but I still don't know how to get the key. I read that you could unpack the firmware file using the modem's terminal, running some commands from it. I still don't know how to obtain a shell since port 22 is closed and I don't see any interesting open port.
I might have to do some research and study more to be able to obtain a shell...
 

Dawbs

Super Moderator
Staff member
Super Moderator
Trusted
Feedback: 3 / 0 / 0
Joined
Dec 30, 2019
Messages
4,122
Reaction score
3,353
Credits
17,959
You probably need to link into the serial / UART port inside.
 