Unpublished WPA key algorithms

elmasatanzenci

Active member
Feedback: 0 / 0 / 0
Joined
Sep 23, 2020
Messages
35
Reaction score
62
Credits
230
THIS!!!
I was working on this exact project, but ran out of knowledge. I want to reverse engineer the default password generator for the Zyxel EMG2926 typically used by Videotron in Quebec. I want a simple keygen that you feed its WAN MAC address and it prints the default password. I have a bunch of Zyxel router default SSID/password/WAN MAC data if it can help anyone. I ended up bricking a router trying to extract its firmware. Got stuck there in my project and was hoping this forum thread would get revived.
For TurkTelekom Zyxel modems the key algorithm uses the serial number, not the MAC. It could also be the case for Videotron, maybe even close to the TT algo.
 

gurgen

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
107
Reaction score
7
Credits
39
Could someone rewrite this code in Python?
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
Attached netmaster algo, it is easy and known for years
This did not work exactly; it worked, but the results were wrong.
For example, I have a few fc4ae9 router stock passwords.

mac = 'fc4ae9441327'

I checked fc4ae9441327 on this algo and it created pass = f7a9fae6, but this was wrong because the true pass is c2c357a5

I tried 5 or 6 different MACs.

Can you help me please? Where did I make a mistake?

Thanks
 

elmasatanzenci

This did not work exactly; it worked, but the results were wrong.
For example, I have a few fc4ae9 router stock passwords.

mac = 'fc4ae9441327'

I checked fc4ae9441327 on this algo and it created pass = f7a9fae6, but this was wrong because the true pass is c2c357a5

I tried 5 or 6 different MACs.

Can you help me please? Where did I make a mistake?

Thanks
You should use the CM MAC, not the WAN or WLAN MAC. It works as it should.
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
You should use the CM MAC, not the WAN or WLAN MAC. It works as it should.

Thanks for your reply.
How can I calculate CM? What is it?

For example, I have some info:
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G --- real passes-> 5592499e

How can I verify these with that Python file?

I found this
But I did not understand it.


Thanks for your help
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
You should use the CM MAC, not the WAN or WLAN MAC. It works as it should.

--------------------------------------------------------------------------------------

I solved the system but I have a problem.

From the WAN MAC it worked: for MAC fc4ae964f113 it gives the true pass, 42a371c5, but when I tried the CM MAC fc4ae964f111 it gives me the wrong pass.
Can you give me info about the CM MAC and WLAN MAC?
How can I find the real WLAN MAC? Some sites write that the WLAN MAC is consecutive.
But in this example the CM MAC is fc4ae964F111 and the WAN MAC is fc4ae964F113.

How can I find the right WAN MAC?
And why did you say to use the CM MAC?

Thanks
 

Attachments

  • 29003b1b1c6607c1d77cc81a7fbea432.jpg

elmasatanzenci

Thanks for your reply.
How can I calculate CM? What is it?

For example, I have some info:
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G --- real passes-> 5592499e

How can I verify these with that Python file?

I found this
But I did not understand it.


Thanks for your help
Well, you can't calculate the real CM MAC from the WAN or WLAN MAC. The best thing you can do is make a wordlist from fc4ae9000000 to fc4ae9ffffff and use that instead.
 

elmasatanzenci

--------------------------------------------------------------------------------------

I solved the system but I have a problem.

From the WAN MAC it worked: for MAC fc4ae964f113 it gives the true pass, 42a371c5, but when I tried the CM MAC fc4ae964f111 it gives me the wrong pass.
Can you give me info about the CM MAC and WLAN MAC?
How can I find the real WLAN MAC? Some sites write that the WLAN MAC is consecutive.
But in this example the CM MAC is fc4ae964F111 and the WAN MAC is fc4ae964F113.

How can I find the right WAN MAC?
And why did you say to use the CM MAC?

Thanks
Sorry, my bad. I meant the WAN MAC. The CM MAC was for the WiFi name calculation; I was confused. You need to use the WAN MAC, but you can't know the WAN MAC from the WLAN MAC exactly, so you should make a wordlist to make sure you have it all.
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
Sorry, my bad. I meant the WAN MAC. The CM MAC was for the WiFi name calculation; I was confused. You need to use the WAN MAC, but you can't know the WAN MAC from the WLAN MAC exactly, so you should make a wordlist to make sure you have it all.


Thanks for all your replies.
My English is not so good, but I want to follow the rules, so I want to write in English.

I want to share this, and I have a question.

  • The Kablonet network name uses the last 4 digits of the modem's CM MAC address. For example, if the modem's CM MAC address is 11:22:33:44:55:66, the WiFi network name is computed as NetMASTER Uydunet-5566. This information may seem unimportant, but it is a very significant information leak for the next point.
  • The WiFi password algorithm is computed using the device's WAN MAC address. Since the WAN and WLAN addresses follow one another on most devices, it is possible to compute the WAN address from the WiFi MAC address and the network name. Because you can see the WiFi MAC address and the network name without connecting, the WiFi passwords of all nearby new-model NetMASTER modems whose password has not been changed can be computed. The risk level by model is as follows:
    • The NetMASTER CBW-383ZN and NetMASTER Infinity 401 models can be computed from just the WiFi MAC address and the network name, because the WiFi MAC and WAN MAC addresses are consecutive.
    • For the NetMASTER CBW-383Z4 model there are 256 possibilities, because the MAC address is not consecutive. However, 4 of the remaining 6 digits can be computed from the network name. That leaves us the possibilities between 0x00 and 0xFF to try.
    • On the NetMASTER CBW-700V model the WiFi MAC and WAN MAC addresses are completely different. I could not find any consecutive numbering between them. So we can say these modems are relatively secure.

First of all, in these examples


fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c

only the last digit changes! In the first example the wireless name is 1324 and the last 4 digits of the MAC are 1327, so the first 3 digits are the same. In this example the WAN MAC is between 24-27; I tested a few times on different wireless networks.

But in the third example, fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G, the last 2 digits are different. How can I solve this? You said that I should make a list, but how?
In the quote the writer says 256 possibilities.
fc4ae9b041?h?h, like this? I wonder about this. And how can I edit netmaster-psk.py? For example, I need fc4ae9b041?h?h; how can I extract the passes into an out.txt file? We need to modify netmaster-psk.py.

Thanks for all
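
Added example, not part of the thread and not code from any poster: a triage script an operator could run over their own CPE inventory to see how little guessing protects a device that still has its factory SSID and key, using the model tiers from the write-up quoted above. The inventory field names, the sample records and the function names are assumptions; scoring the CBW-700V as the whole fc4ae9000000 to fc4ae9ffffff range is also an assumption, taken from the range mentioned earlier in the thread.

```python
import math
import re

# SSID shapes from the thread's samples; group 1 is the 4-hex-digit suffix that
# the quoted write-up says is the tail of the CM MAC.
FACTORY_SSID = re.compile(
    r"^(?:NetMASTER Uydunet|Kablonet Netmaster|TURKSAT-KABLONET)"
    r"-([0-9A-Fa-f]{4})(?:-[\w.]+)?$"
)

# WAN MAC candidates left to an outside observer, per model, as the write-up
# puts it. Assumption: "no relation found" is scored as the full OUI range.
CANDIDATES = {
    "CBW-383ZN": 1,
    "Infinity 401": 1,
    "CBW-383Z4": 256,
    "CBW-700V": 2 ** 24,
}

# Constructed inventory; field names and values are illustrative only.
INVENTORY = [
    {"model": "CBW-700V", "ssid": "TURKSAT-KABLONET-C3D4-2.4G", "cm_mac": "fc:4a:e9:00:c3:d4"},
    {"model": "CBW-383Z4", "ssid": "Kablonet Netmaster-E5F6-G", "cm_mac": "fc:4a:e9:00:e5:f6"},
    {"model": "CBW-383ZN", "ssid": "NetMASTER Uydunet-A1B2", "cm_mac": "fc:4a:e9:00:a1:b2"},
    {"model": "CBW-383ZN", "ssid": "HomeNet", "cm_mac": "fc:4a:e9:00:aa:01"},
]

def assess(device):
    """Return (effective_bits, note); bits is None when the tiers do not apply."""
    m = FACTORY_SSID.match(device["ssid"])
    cm_tail = re.sub(r"[^0-9a-f]", "", device["cm_mac"].lower())[-4:]
    if not m or m.group(1).lower() != cm_tail:
        return None, "SSID not factory-derived: confirm the key was changed too"
    n = CANDIDATES.get(device["model"])
    if n is None:
        return None, "model not covered by the write-up"
    return math.log2(n), f"{n} WAN MAC candidate(s) behind an 8-hex-char key"

def triage(inventory):
    """List (cm_mac, bits, note) weakest first; unassessable devices last."""
    rows = [(d["cm_mac"], *assess(d)) for d in inventory]
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or 0.0))

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Devices at the top of the list are the ones whose factory key should be replaced first; an 8-hex-character key is nominally 32 bits, and the bits column shows how much of that survives the MAC and SSID leak.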
 

SubZero5

Active member
Feedback: 0 / 0 / 0
Joined
Apr 23, 2020
Messages
142
Reaction score
15
Credits
1,356
Nowadays I see some NetMaster modems with changed MAC addresses...

I think a new firmware is pushed and the announced MacIDs are somehow shifted. I have some sample data but I am unavailable to analyze a firmware for an exact change methodology.

FC:4A:E9:xx:xx:xx became 18:48:59:yy:yy:yy
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
Nice, but you do know that GitHub exists for source code and projects alike :)
Nice,

but I did that just for people to pipe it into hashcat instead of downloading the files. Note that there are some users who
1. don't know how to pipe into hashcat
2. don't know how to compile
3. don't even use hashcat and use other programs, and those other programs do accept wordlists.


By the way, are you planning to release TurkTelekom for T versions? aka TP-Link
Just use the pipe command |

gen.py | hashcat -m 2500 -a 0 cpature.hccapx


Hi, I have a problem and I hope someone can help me.
I tried this method.
gen_ttnet_zyxel gcc -Ofast -o gen_ttnet_zyxel gen_ttnet_zyxel.c md5-fast-x8664.S

I have Kali Linux's latest version.
I tried to create only 160Y! So I used this line: static char* prefixes[] = {"160Y"};

chmod +x gen_ttnet_zyxel
then
./gen_ttnet_zyxel > zyxelwordlist.dic

I created a dictionary which was about 750 MB.

But this list does not have all the keys. I checked 10 times! I compiled 10 times to find what the problem is.
The passes 5D5276a1f1332 and 08134838433Ff must be in it, but the created dictionary does not have them!
Because 5D5276a1f1332 and 08134838433Ff are S160Y router keys!

What do you think the problem is? Why does the dict not have the right passwords?
I used this file

Thanks for your answers.
 

sevcan34

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
137
Reaction score
71
Credits
888
Attached netmaster algo, it is easy and known for years
It needs to be edited to read from a wanmac.txt and give the password candidates because there are now too many possibilities for the correct wanmac.
 