Unpublished WPA key algorithms

drsnooker

Active member
Contributor
VIP Member
Feedback: 0 / 0 / 0
Joined
Aug 1, 2020
Messages
535
Reaction score
846
Credits
4,933
In some cases the serial number is actually captured with the handshake. You can open the cap in a text editor and scroll around and perhaps spot the SN in plain text. strings filename.cap would work, or you could use wireshark.
If the SN is not in the cap, you have still reduced the parameter space from all possible passwords to all possible serial numbers. You'll just need to generate the table of passwords that correspond to each possible serial number. It's not as daunting as you might think, as we think the SN has a production year and week in it, and thus there are only 100 million or so possible. This is much less than 36^10.
But that last step requires you to read the discussion in this thread regarding SN ranges and learn a little python.
 

john1

Member
Feedback: 0 / 0 / 0
Joined
Mar 1, 2026
Messages
8
Reaction score
1
Credits
50
@drsnooker
Hashcat doesn't support cracking 13-character passwords, or at least I can't do it; even if it could, it would take too long.
 

drsnooker
You use python and the algorithm to create a dictionary of passwords using the range of serial numbers. Then hashcat will crack it in minutes. (unless the user changed the password and it is no longer the default)
 

drsnooker
If you want to be a hacker, you will need to learn how to code eventually! Although with the AI boom going on, perhaps learning to code is overrated and you can simply ask chatGPT to write the code for you.
If that is a bridge too far, perhaps just post your cap in https://forum.hashkiller.io/index.php?forums/wpa-packet-cracking.16/ and have the experts there crack it for you.
 

drsnooker
If you find it let us know! Most passwords are calculated in the factory and burnt into NVRAM. When you factory reset, it just pulls the data from NVRAM. It does not re-calculate the password.
 

drsnooker
There is an algorithm, we just have not found it yet. ZTE's algorithm has not left the factory. No intern has forgotten to delete it from the firmware...
 

wizardhat

Member
Feedback: 0 / 0 / 0
Joined
May 22, 2025
Messages
7
Reaction score
5
Credits
55
Finally managed to get into the Eircom P-660HN-T1A; the admin password was "broadband1", not 1234 or admin or the wifi password.
Again /userfs/bin/md5 performed the factory reset, but how to get that file off? No USB port, no xxd, hexdump, not even printf. No netscan or busybox nc;
ftpput was using a hard-coded IP. Really bare OS!
Eventually managed to get tftp to work. After all that work, like the D1000 before, it just pulls the WPA password from NVRAM.
Only the Eircom F1000 left, but hope is dwindling fast.
Yeah, seems they all pull it from the NVRAM. Even tried the D2000 before. Really strange compared to all the other Zyxel models from that era.
 

drsnooker
@wizardhat thanks for the update. Yeah you can see the vestigial remains of the agnahaak algorithm, but sadly any likely combination of Zyxel tricks does not result in the password. Eircom designed something new.

I'll also give an update on the LC-RNG investigation....
What seems critical for the sequence is the multiplier, while there are many (many) increments that will all result in the same (but shifted) sequence of digits.
There is some sort of pattern in the increments. If you look at the difference between increments, they are only 1436, 20484, 63884 or 84368 apart. I'm sure there is some modular maths that will explain that and I'm sure they are dependent on the multiplier. But it does mean that you can try each possible multiplier but only have to scan through a small-ish range of increments, limiting the search space.
[Attachment: 1775260325913.png]
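The following is an added illustration and not code from this thread, from drsnooker's investigation, or from any vendor firmware. It shows the textbook identity behind the observation above that, for a fixed multiplier, many increments of a linear congruential generator (LCG) yield "the same" output stream: replacing the increment c by c + k*(1 - a) (mod m) and the seed by seed + k offsets every term of the stream by exactly k, and when that offset and the modulus are both multiples of 10^d, the low d digits printed from the state are identical. The constants A, C, M and SEED are toy values chosen for readability; the specific gaps of 1436, 20484, 63884 and 84368 quoted above are not derived here. The point for a defender is that an LCG-seeded default-key scheme has far fewer distinct outputs than its parameter count suggests, which is why per-device keys should come from a CSPRNG rather than a small-state generator.

```python
# Added illustration, not code from the thread: a plain linear congruential
# generator (LCG) and the identity that explains why, for a fixed multiplier,
# whole families of increments give "the same" output stream.
# A, C, M and SEED are toy values chosen for the demo (assumption), not
# anything recovered from a real device.

A = 1103515221      # multiplier (toy value)
C = 12345           # increment (toy value)
M = 10**9           # power-of-ten modulus so low digits are easy to read
SEED = 1


def lcg(seed, a, c, m, n):
    """Return the first n outputs of x_{i+1} = (a*x_i + c) mod m."""
    out = []
    x = seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def equivalent_increment(a, c, m, k):
    """Increment c' such that the stream for (a, c') from seed+k equals the
    stream for (a, c) from seed with every term offset by k (mod m).

    Derivation: with y_i = x_i + k,
      y_{i+1} = x_{i+1} + k = a*x_i + c + k
              = a*(y_i - k) + c + k = a*y_i + (c + k*(1 - a)).
    """
    return (c + k * (1 - a)) % m


def constant_offset(seq1, seq2, m):
    """Return the single value (seq2[i] - seq1[i]) mod m if it is the same at
    every position, else None."""
    diffs = {(y - x) % m for x, y in zip(seq1, seq2)}
    return diffs.pop() if len(diffs) == 1 else None


def low_digits(seq, d):
    """Keep only the low d decimal digits of each term, i.e. what a key
    scheme that prints part of the state would expose."""
    return [x % 10**d for x in seq]


def demo(n=20):
    base = lcg(SEED, A, C, M, n)

    # 1. Any k works: the two streams differ by a constant offset, so the
    #    second increment is not a genuinely new key stream.
    k = 7
    shifted = lcg(SEED + k, A, equivalent_increment(A, C, M, k), M, n)
    offset = constant_offset(base, shifted, M)

    # 2. If the offset is a multiple of 10**d (and m is too), the low d digits
    #    coincide: two different increments print exactly the same digits.
    k = 10_000
    same_digits = lcg(SEED + k, A, equivalent_increment(A, C, M, k), M, n)
    digits_match = low_digits(base, 4) == low_digits(same_digits, 4)

    return offset, digits_match


if __name__ == "__main__":
    off, match = demo()
    print(f"constant offset between streams: {off}")
    print(f"low 4 digits identical for k=10000: {match}")
```

Running the file prints an offset of 7 for the first pair and True for the second. The identity needs no invertibility assumption on (1 - a); it holds for every k, which is why, once the multiplier is fixed, the increments collapse into equivalence classes and only a small range of them has to be examined to cover all distinct digit streams.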