Unpublished WPA key algorithms

[SpaceCowboy]

Hello everyone
i was wondering if someone can find the algo for this router
i uploaded the lib directory from the firmware and the photo contains the default wpa key which is 13 length hex and admin password is [A-Z0-9] 10 characters
thank you

 

[pretorian]

We starting this thread to bring to public domain some exclusive unpublished default WPA key algorithms that we use in our every day work.
Unpublished means you can't find it anywhere on the Web so (we hope) Hashkiller forum now will be its origin.

Lets start with TTNET_ZyXEL_XXXX default WPA key algorithm.
These Turkish ZyXEL routers have very strong default WPA key of 13 mixedcase hex digits uncrackable with ordinary bruteforcing.
Knowing the algo becomes possible to calculate default password from the router serial number.
Unfortunately router S/N not always known but search keyspace could be dramatically reduced to ~10^9 and even smaller size.

PoC with some test vectors attached below. The code is not optimal in any way and sometimes can contain (surprise!) MIPS disassembly written in python.

is thier a wordlist dictinary of these yet ? zyxcel10308 keygens yet avaliable ?
or any short cuts that key space is a beast thanks pal, also any technicolor or aris as well

 

[pretorian]

Release that and perhaps I would share my HOME-XXXX + HOME-XXXX-2.4/5 + XFSETUP-XXXX dictionary :)

id apreciate that share by you that rock

 

[pretorian]

Updated zykgen for Videotron algo and fixed an indexing bug. @soxrok2212 Thanks for the pull request. I ended up removing the gin and juice section. After speaking with drsnooker, screw driver was his early attempts at the algo without the firmware. So it can safely be updated with the correct haystack and charset.

Cleaned code and fixed indexing bug. · PlumLulz/zykgenpy@ca1d43a

Zyxel VMG8823-B50B WPA Keygen. Contribute to PlumLulz/zykgenpy development by creating an account on GitHub.

github.com

love you can you do the same to the zyxel10306 my area's filling up with these thanks pal...

 

[Zor]

This router Arris SBG7400AC2
The wpa password is the serial number
Can someone find how it generate the wps pin

I Found this i think it's the source code https://sourceforge.net/projects/sbg7400.arris/files/

Thanks for all the great work you all do.

 

[drsnooker]

@pretorian Have you tried any of the published algorithms to see if they get close or partial on those? I cannot find any pictures online to verify.

Perhaps the mods can move some of these requests to a new thread, rather than this un-published (and developing) password generating algorithms? May be start a poll on which one people think is the most important. Only so many hours in a day!

I've mentioned this in some of the requests I've gotten by PM.... But it seems like the method to the madness is about the same. I never done any reversing upto a month ago, so I'm just as new as you guys are. It's a bit tricky, but you are the one with the most invested into finding the algo, so roll up those sleeves, read and try some stuff!

1) Try to find the firmware, but most of the time *if the algo is present at all* it is in /usr.
2) Look for MD5/SHA used really anywhere in the firmware to narrow down where to look. "grep -ir md5 ." should do it. And "grep -ir sha . | grep -v share", "default" and "wpapsk" are also good search terms
3) collect data on other modems of that particular make and model: ebay, facebook market place and sold/completed listings. 20 or so would be a good data set to start with
4) store these in text format so you can analyze char frequency and look for patterns.
5) install GHIDRA. It's not that bad! Cutter and IDA-pro all give different interpretation so looking at them side-by-side sometimes helps.
6) start poking around....

 

[drsnooker]

I guess I'll drop this here for future reference. This is the for the centurylink C3000A (actiontech modem) to generate the default key (and SSID), in this case no MD5 or SHA involved. And based on the MAC address (not SN). Haven't reversed the algo yet. But this is where it is if anybody is interested. Add that to the to-do pile!

 

[SpaceCowboy]

Hi ,
Can someone help with this
The function GenerateWpsPinCode use memmove and ComputeChecksum functions

 

[soxrok2212]

Hi ,
Can someone help with this
The function GenerateWpsPinCode use memmove and ComputeChecksum functions
View attachment 24568View attachment 24569

First, we need to know what those parameters (args) are that were passed into the function.

Second, the checksum function means it is indeed calculating the final digit, but more often that not this is a function for generating an random one-time code in the GUI.

Third, memmove is a standard C function to move data from a memory location to somewhere else. This actually looks like it may have been an algorithm at one point, but they’ve since moved to burning the pin into flash at the factory and are copying in the pin from nvram or some other persistent storage.

This is all speculation because I haven’t actually pulled apart the firmware myself, but it’s likely a dead end.

 

[drsnooker]

Fascinating way to generate a random number!

function output=checksum(input);

uVar1=input*10;


term1=floor(mod((uVar1/10000000),10)*3);
term3=floor(mod((uVar1/1000000),10));
term5=floor(mod((uVar1/100000),10)*3);
term2=floor(mod((uVar1/10000),10));
term6=floor(mod((uVar1/1000),10)*3);
term4=floor(mod((uVar1/100),10));
term7=floor(mod((uVar1/10),10)*3);

total=term1+term2+term3+term4+term5+term6+term7;
modded_total=mod(total,10);

output=mod(10-modded_total,10);

 

[drsnooker]

Although soxrok is correct, we can potentially leave the variables in:

hex_str=dec2hex(par3*12480+par1+21356);
d_hex=hex_str(1:2);
c_hex=hex_str(3:4);
b_hex=hex_str(5:6);
local_d=hex2dec(d_hex);
local_c=hex2dec(c_hex);
local_b=hex2dec(b_hex);
uVar2=mod(local_d*256+local_c*256+local_b,1000000);

 

[soxrok2212]

Fascinating way to generate a random number!

function output=checksum(input);

uVar1=input*10;


term1=floor(mod((uVar1/10000000),10)*3);
term3=floor(mod((uVar1/1000000),10));
term5=floor(mod((uVar1/100000),10)*3);
term2=floor(mod((uVar1/10000),10));
term6=floor(mod((uVar1/1000),10)*3);
term4=floor(mod((uVar1/100),10));
term7=floor(mod((uVar1/10),10)*3);

total=term1+term2+term3+term4+term5+term6+term7;
modded_total=mod(total,10);

output=mod(10-modded_total,10);

Contrary - this is actually not random at all; it’s completely predictable. See section 7.4.1 of the WPS 2.0 spec: https://www.wi-fi.org/download.php?...otected_Setup_Specification_v2.0.8.pdf#page53 (if it asks you to register just put in fake info). The pin is actually 7 digits long (and also split into two halves). If you know the first 7 digits, 8 is completely predictable.

 

[soxrok2212]

If the above link doesn’t work, check here https://www.wi-fi.org/discover-wi-fi/wi-fi-protected-setup I wish the edit timeout was longer than 1 minute ?

 

[SpaceCowboy]

Here's the file if someone can find wps or wpa key gen function

 

[SpaceCowboy]

i couldn't upload the file so here's a link gofile


- Compressed file & attached.

 

[drsnooker]

The C3510ZX algo is in /lib/private/libzcfg_be.so called zcfgBeWlanGenDefaultKey_CTLK
Matches the other centurylink algo except for a slight tweak to the s2 mixing from p and s1. @pretorian if you really want this algo, all you need to do is figure out line 48 in the python code...

 

[drsnooker]

Alright, waited long enough LOL. @Plum here's the C3510XZ centurylink code. I've left in (but commented out) the old interchelation of s2 so you can compare and contrast, but it's the only change!
Turns out not all 3510 are created equal and the @pretorian model is an EX3510-B0. So doesn't get solved by this algo.

Lastly for @RealEnder we have a few pics of the stickers on the C3510XZ

SN	Password
S210Z04013958	88a6e878d3bxef
S200Z52002911	cffah7c346adxf
S223W08001807	8f8f34aa3b77tc

Note that we have a new letter; the 'W'. Which now brings the known middle letters to the following set 'AEHKSVWYZ'

Also from the tracking spreadsheet, @RealEnder doesn't look like they tried the 'K' for the Telus model, which is a known variant, may be that'll catch you some more hits!

 

[Plum]

Alright, waited long enough LOL. @Plum here's the C3510XZ centurylink code. I've left in (but commented out) the old interchelation of s2 so you can compare and contrast, but it's the only change!
Turns out not all 3510 are created equal and the @pretorian model is an EX3510-B0. So doesn't get solved by this algo.

Lastly for @RealEnder we have a few pics of the stickers on the C3510XZ

SN	Password
S210Z04013958	88a6e878d3bxef
S200Z52002911	cffah7c346adxf
S223W08001807	8f8f34aa3b77tc

Note that we have a new letter; the 'W'. Which now brings the known middle letters to the following set 'AEHKSVWYZ'

Also from the tracking spreadsheet, @RealEnder doesn't look like they tried the 'K' for the Telus model, which is a known variant, may be that'll catch you some more hits!

GitHub - PlumLulz/centurylink3510py: Zyxel C3510ZX Keygen

Zyxel C3510ZX Keygen. Contribute to PlumLulz/centurylink3510py development by creating an account on GitHub.

github.com

 

[StrongWind]

Using the wonderful Centurylink keygen written by drsnooker and converted by Plum, I was able to modify it a bit to generate possible passwords based on all possible serials. I recovered the following list from my collection of hashes. I still have a decent chunk that I have not cracked in the CenturyLinkXXXX format. (Yes I made sure to filter for the Zyxel OUI as well)

Serial	ESSID	Password
S170Y48000019	CenturyLink0019	33f4ba4ffd6ufc
S150Y21030131	CenturyLink0131	3cd3ec64acceca
S140Y19081176	CenturyLink1176	c37346radd467k
S130Y05043010	CenturyLink3010	e43dc6d76ab8c6
S130Y05043186	CenturyLink3186	v8f88d7f64e68f
S170Y26005549	CenturyLink5549	67dfmc6me4r8de
S140Y35085621	CenturyLink5621	e338bfaca4ad6a
S140Y22076542	CenturyLink6542	tf7fa8443rdeaf
S140Y16048459	CenturyLink8459	a68n88ub67ucbd
S170Y51018743	CenturyLink8743	4fxfd6a8344c8c
C1100ZS150Y32010017	CenturyLink0017	73d3ubffh33baf
C1100ZS160Y22000122	CenturyLink0122	e3874467ea6cuc
C1100ZS170Y11010236	CenturyLink0236	pa63da746dp77k
C1100ZS160Y03010300	CenturyLink0300	a76a46w46bbf47
C1100ZS150Y51020660	CenturyLink0660	8cd647ude6fpbe
C1100ZS160Y49000876	CenturyLink0876	c7k47cnfaaa6aa
C1100ZS160Y51010979	CenturyLink0979	eaxw63ccdb3df3
C1100ZS160Y48001079	CenturyLink1079	bb688bc3a4ceyv
C1100ZS160Y50011195	CenturyLink1195	df8cbmb67aadac
C1100ZS150Y36011515	CenturyLink1515	afectw8dff6x7a
C1100ZS150Y43031565	CenturyLink1565	ebdda344dedxrd
C1100ZS170Y02011603	CenturyLink1603	ed8e77eeef867a
C1100ZS170Y16032180	CenturyLink2180	afe86868d7dafc
C1100ZS150Y42022307	CenturyLink2307	u74udbmb64cca6
C1100ZS170Y23002350	CenturyLink2350	87d3c3ce64edfd
C1100ZS170Y23002352	CenturyLink2352	bd4n8dbb7btrbf
C1100ZS170Y21042414	CenturyLink2414	4meb8df637b6f6
C1100ZS160Y14002419	CenturyLink2419	3hd4er6bb77e7d
C1100ZS170Y21012432	CenturyLink2432	33cne744b7a4bc
C1100ZS160Y49002534	CenturyLink2534	dd6ac7daadk7fk
C1100ZS170Y02002588	CenturyLink2588	cefuaad76r3umv
C1100ZS160Y10022628	CenturyLink2628	b73n4kfay6bv88
C1100ZS160Y50002671	CenturyLink2671	7ee7erufcb76f6
C1100ZS170Y02012688	CenturyLink2688	477af6u3e4a473
C1100ZS150Y52042790	CenturyLink2790	h68f688468eec8
C1100ZS160Y50002793	CenturyLink2793	a77fdd8837cd37
C1100ZS150Y44022918	CenturyLink2918	fda86xffap8add
C1100ZS160Y33002978	CenturyLink2978	pb8uab487y84vd
C1100ZS150Y47003049	CenturyLink3049	88hcc3pe74df4d
C1100ZS160Y02003082	CenturyLink3082	ab433efe7efa6b
C1100ZS150Y29033093	CenturyLink3093	fadc37b3aafdf6
C1100ZS160Y50013127	CenturyLink3127	b3au87ea46467d
C1100ZS160Y32003140	CenturyLink3140	7ee3e6f4e4ecd8
C1100ZS160Y49003342	CenturyLink3342	a6fcd4666kacm8
C1100ZS150Y36003620	CenturyLink3620	73838m6364y6fb
C1100ZS160Y15003638	CenturyLink3638	afcc6fc6cbva8d
C1100ZS160Y10023884	CenturyLink3884	f3bw8b8ac676ac
C1100ZS160Y49003893	CenturyLink3893	a83fbtdebkfffb
C1100ZS150Y46024013	CenturyLink4013	63bbb7c8344ecx
C1100ZS150Y29014030	CenturyLink4030	ba3a68dfdfc4f8
C1100ZS160Y51004039	CenturyLink4039	a63cm6caak4t4c
C1100ZS150Y23004173	CenturyLink4173	af88fcdb4eaff4
C1100ZS160Y46014272	CenturyLink4272	df3f4eaae7dtax
C1100ZS170Y12014310	CenturyLink4310	6c8db388d7eex3
C1100ZS150Y37004521	CenturyLink4521	4ad7e3t8f3e4ae
C1100ZS160Y03014551	CenturyLink4551	4bdfc7aauhm4f3
C1100ZS170Y33004584	CenturyLink4584	aca7c4t76eecc4
C1100ZS160Y02034749	CenturyLink4749	dah3d37medr336
C1100ZS170Y16015333	CenturyLink5333	4h4w44bb34dv8a
C1100ZS150Y43005700	CenturyLink5700	67ffd44dbb4uaf
C1100ZS160Y03015840	CenturyLink5840	ddxb7fr6f7eeea
C1100ZS160Y51006058	CenturyLink6058	dfab7fc7cbdbcx
C1100ZS150Y32026318	CenturyLink6318	6dab8acbnfeadc
C1100ZS160Y34016440	CenturyLink6440	6xcef7m66c6ya6
C1100ZS160Y18016517	CenturyLink6517	b87736nma4afe8
C1100ZS150Y44016753	CenturyLink6753	433e7687b74368
C1100ZS150Y37016857	CenturyLink6857	acc8d4aa68exfd
C1100ZS150Y32027000	CenturyLink7000	773e4c3477aac6
C1100ZS160Y34017086	CenturyLink7086	pfdcaa4b683ufk
C1100ZS170Y21027155	CenturyLink7155	fecerdff884bdd
C1100ZS170Y41017838	CenturyLink7838	8e4abb4f68fa46
C1100ZS170Y26008058	CenturyLink8058	c6fdcfee3da8ce
C1100ZS170Y25008501	CenturyLink8501	ycc86ebmfde6fb
C1100ZS170Y21038528	CenturyLink8528	ked4fe4b87k3bb
C1100ZS160Y34018714	CenturyLink8714	av647cnf64688v
C1100ZS160Y34018719	CenturyLink8719	bbde44a7ffe8fd
C1100ZS170Y19008756	CenturyLink8756	fbbccdn4y8e4fd
C1100ZS170Y20019008	CenturyLink9008	4cccaf43bvd8ed
C1100ZS150Y44019559	CenturyLink9559	bffeadc4eedx3c
C1100ZS160Y49009648	CenturyLink9648	db3ca78a4p44c3

 

[StrongWind]

Given the list of serial numbers (all 10065 of them) posted in this thread or provided in links (Thanks @drsnooker, @RealEnder, @Plum, and @Sparton!!!) the following consensus matrix was made:

   [,1]  [,2] [,3] [,4] [,5] [,6] [,7] [,8] [,9] [,10] [,11] [,12] [,13]
0     0     0   38 4304  134 1434  798 9946 5047  1261  1045   985   979
1     0 10028    6  432 2176 2099  917  118 1960  1187  1062  1096   984
2     0    37   21 2327  234 1262 1018    0  799  1124   997  1089   992
3     0     0   49  383  173 1386  976    0  679  1116  1107   978  1056
4     0     0  762 2446  107 1222  567    0  381  1111  1017   961   997
5     0     0 1600  170  144  502  869    1  339  1029   988  1039   989
6     0     0 2525    0  179    0  591    0  285   976   990   941  1029
7     0     0 1488    0  257    0  539    0  185   893   943   944  1027
8     0     0 2304    0  441    0  894    0  241   726   971  1049  1020
9     0     0 1272    0  356    0  736    0  149   642   945   983   992
A     0     0    0    3  779    0    0    0    0     0     0     0     0
E     0     0    0    0 1380    0    0    0    0     0     0     0     0
F     0     0    0    0    2    0  224    0    0     0     0     0     0
K     0     0    0    0    7    0    0    0    0     0     0     0     0
N     0     0    0    0    0 1936    0    0    0     0     0     0     0
S 10065     0    0    0    0    0 1936    0    0     0     0     0     0
V     0     0    0    0  638    0    0    0    0     0     0     0     0
W     0     0    0    0    0  224    0    0    0     0     0     0     0
Y     0     0    0    0 2972    0    0    0    0     0     0     0     0
Z     0     0    0    0   86    0    0    0    0     0     0     0     0

Removing the 1936 N and S letters in positions 6 and 7
Removing the 224 W and F letters in positions 6 and 7
Removing the 3 A letters in position 4
Removing the 1 5 number in position 8
the following mask can be created:

-1 12 -2 012345 -3 ?dAEFKVYZ -4 01 S?1?d?2?3?2?d?4?d?d?d?d?d (24,480,000,000 combinations)

The last 4 digits can be removed from the mask and replaced with the 4 digits in the ESSID if available. (2,448,000 combinations)

If you want to include the removed letters/numbers in their positions a script will need to be made or modify maskprocessor to have additional character set options.