Crypto-Anarchist84
New member
Is it time yet?
I've been really patient.
Unpublished WPA key algorithms
- Thread starter gpuhash_me
- Start date
I've been really patient.
elmasatanzenci
Active member
For turktelekom zyxel modems key algorithm uses the serial number, not the mac. it also could be the case for videotron. maybe even close to tt algo.
gurgen
Active member
could someone rewrite this code in python?
medium.com
github.com
Reversing Zyxel VMG8823-B50B WPA algorithm generation for fun
After some issues with my old ISP, few months ago, I decided to switch to ********** which gave me a Zyxel VMG8823-B50B router and…
medium.com
luc10/zykgen
Zyxel VMG8823-B50B default WPA keygen. Contribute to luc10/zykgen development by creating an account on GitHub.
github.com
This did not worked exactly, worked but results was wrong.
For example i have a few fc4ae9 router stock passwords.
mac = 'fc4ae9441327'
I checked fc4ae9441327 on this algo it created this pass = f7a9fae6 but this was wrong because true pass is c2c357a5
I tried 5 or 6 different macs.
Can you help me please where i made a mistake?
Thanks
elmasatanzenci
Active member
you should use the cm mac. not the wan or wlan mac. it works as it should.
Thanks for your reply.
How can calculate CM? What is it?
For example i have some infos:
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G --- real passes-> 5592499e
How can i verify theese with that python file?
i found this
Thanks for your help
--------------------------------------------------------------------------------------
I solved the system but i have a problem.
From Wan Mac it worked. fc4ae964f113 mac it gives the true pass. 42a371c5 but when i tried cm mac fc4ae964f111 it gives me wrong pass.
Can you give me info about cmac and wlan mac?
How can i found real wlan mac? in some sites it writes that wlan mac is consecutive.
But in this example Cm mac fc4ae964F111 Wan mac fc4ae964F113
How can i find right wan mac?
And why did you say use Cm mac?
Thanks
Attachments
-
29003b1b1c6607c1d77cc81a7fbea432.jpg
elmasatanzenci
Active member
well you cant calculator real cm mac from the wan or wlan mac. best thing you can do is make a wordlist from fc4ae9000000 to fc4ae9ffffff. and use that instead.Thanks for your reply.
How can calculate CM? What is it?
For example i have some infos:
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G --- real passes-> 5592499e
How can i verify theese with that python file?
i found this
But did not understand?
Thanks for your help
elmasatanzenci
Active member
sorry my bad. i meant wan mac. cm mac was for the wifi name calculation i wasx confused.. u need to use wan mac but you cant know wan mac from the wlan mac exactly. so u should make a wordlist to make sure you have it all.
Thanks for your all replies.
My english is not so good but I want to follow the rules that i want to write in english.
I want to share this and i have a question
First of all in these examples
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
only last digit changes! in the first example wireless name is 1324 and also last 4 digit of mac is 1327 so first 3 digits are same. In this example WAN MAC is between 24-27 i tested a few time in different wirelesses
But in third example fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G last 2 digits are different. How can i solve this you said that i shold make a list but how?
In the quete the writer says 256 possibilites.
fc4ae9b041?h?h like this? I wonder this. And how can edit netmaster-psk.py? For example I need fc4ae9b041?h?h how can extract passes in an out.txt file? We need the modify netmaster-psk.py
Thanks for all
SubZero5
Active member
Nowadays I see some NetMaster modems with changed MAC addresses...
I think a new firmware is pushed and the announced MacIDs are somehow shifted. I have some sample data but I am unavailable to analyze a firmware for an exact change methodology.
FC:4A:E9:xx:xx:xx became 18:48:59:yy:yy:yy
I think a new firmware is pushed and the announced MacIDs are somehow shifted. I have some sample data but I am unavailable to analyze a firmware for an exact change methodology.
FC:4A:E9:xx:xx:xx became 18:48:59:yy:yy:yy
Hi i have a problem and i hope someone can help me.
I tried this method.
gen_ttnet_zyxel gcc -Ofast -o gen_ttnet_zyxel gen_ttnet_zyxel.c md5-fast-x8664.S
I have kali linux's lastest version.
I tried to create only 160Y! so i used this line static char* prefixes[] = {"160Y"};
chmod +x gen_ttnet_zyxel
then
./gen_ttnet_zyxel > zyxelwordlist.dic
I created a dictionary which was about 750 MB
But this list does not have all keys. I checked 10 times! i compiled 10 times to find what the problem is.
5D5276a1f1332 and 08134838433Ff passes must be in it but the created dictionary does not have them!
because 5D5276a1f1332 and 08134838433Ff passes are S160Y router's keys!
What is the problem do you think? Why the dict does not have right passwords?
I used this file
Unpublished WPA key algorithms
Playing with TTNET_ZyXEL algo we accidentally discovered that Canadian ISP Telus use basically the same algo for their ZyXEL routers (with few differences), they generate 10 lower hex string then correct 0 and 1 chars to chars outside a-f region. Attached PoC offers only partial coverage because...
forum.hashkiller.io
Thanks for your answers.