Unpublished WPA key algorithms

kopppo1

Hello everyone,
I was wondering if someone can find the algo for this router.
I uploaded the lib directory from the firmware; the photo contains the default WPA key, which is 13 hex characters long, and the admin password is 10 characters of [A-Z0-9].
Thank you.
 

Attachments

  • hg532e.jpg (132.9 KB)
  • libhg532e.zip (955.8 KB)

pretorian

We are starting this thread to bring into the public domain some exclusive, unpublished default WPA key algorithms that we use in our everyday work.
Unpublished means you can't find them anywhere on the Web, so (we hope) the Hashkiller forum will now be their origin.

Let's start with the TTNET_ZyXEL_XXXX default WPA key algorithm.
These Turkish ZyXEL routers have a very strong default WPA key of 13 mixed-case hex digits, uncrackable with ordinary brute-forcing.
Knowing the algo makes it possible to calculate the default password from the router serial number.
Unfortunately the router S/N is not always known, but the search keyspace can be dramatically reduced to ~10^9 or even smaller.

PoC with some test vectors attached below. The code is not optimal in any way and sometimes contains (surprise!) MIPS disassembly written in Python.

Is there a wordlist/dictionary of these yet? Are zyxcel10308 keygens available yet?
Or any shortcuts? That keyspace is a beast. Thanks pal. Also any Technicolor or Arris as well?
 

pretorian

Updated zykgen for the Videotron algo and fixed an indexing bug. @soxrok2212 Thanks for the pull request. I ended up removing the gin and juice section. After speaking with drsnooker, screwdriver was his early attempt at the algo without the firmware, so it can safely be updated with the correct haystack and charset.

Love you! Can you do the same for the zyxel10306? My area's filling up with these. Thanks pal...
 

drsnooker

@pretorian Have you tried any of the published algorithms to see if they get close or partial on those? I cannot find any pictures online to verify.

Perhaps the mods can move some of these requests to a new thread, rather than this unpublished (and developing) password-generating-algorithms thread? Maybe start a poll on which one people think is the most important. Only so many hours in a day!

I've mentioned this in some of the requests I've gotten by PM... but it seems like the method to the madness is about the same. I had never done any reversing up to a month ago, so I'm just as new as you guys are. It's a bit tricky, but you are the one with the most invested in finding the algo, so roll up those sleeves, read and try some stuff!

1) Try to find the firmware, but most of the time *if the algo is present at all* it is in /usr.
2) Look for MD5/SHA used really anywhere in the firmware to narrow down where to look. "grep -ir md5 ." should do it. "grep -ir sha . | grep -v share", "default" and "wpapsk" are also good search terms.
3) Collect data on other modems of that particular make and model: eBay, Facebook Marketplace and sold/completed listings. 20 or so would be a good data set to start with.
4) Store these in text format so you can analyze char frequency and look for patterns.
5) Install Ghidra. It's not that bad! Cutter and IDA Pro all give different interpretations, so looking at them side by side sometimes helps.
6) Start poking around....
 

drsnooker

I guess I'll drop this here for future reference. This is for the CenturyLink C3000A (Actiontec modem) to generate the default key (and SSID); in this case no MD5 or SHA is involved, and it's based on the MAC address (not the SN). Haven't reversed the algo yet, but this is where it is if anybody is interested. Add that to the to-do pile!

Attachment: C3000A.jpg
 

kopppo1

Hi,
Can someone help with this?
The function GenerateWpsPinCode uses the memmove and ComputeChecksum functions.

Attachments: wpsgen.png, comput.png
 

soxrok2212

(quoting kopppo1's post above)

First, we need to know what those parameters (args) are that were passed into the function.

Second, the checksum function means it is indeed calculating the final digit, but more often than not this is a function for generating a random one-time code in the GUI.

Third, memmove is a standard C function to move data from a memory location to somewhere else. This actually looks like it may have been an algorithm at one point, but they've since moved to burning the PIN into flash at the factory and are copying in the PIN from NVRAM or some other persistent storage.

This is all speculation because I haven't actually pulled apart the firmware myself, but it's likely a dead end.
 

drsnooker

Fascinating way to generate a random number!

Code:
function output = checksum(input)
  % Checksum digit of a 7-digit PIN body: every other digit (starting with
  % the most significant) is weighted 3, the rest 1, and the output is the
  % digit that brings the weighted sum up to a multiple of 10.
  uVar1 = input * 10;   % shift so the seven digits occupy 10^7 .. 10^1

  % Extract each digit with floor/mod before weighting; weighting the
  % fractional quotient first lets the lower digits bleed into the sum.
  term1 = mod(floor(uVar1 / 10000000), 10) * 3;
  term3 = mod(floor(uVar1 / 1000000), 10);
  term5 = mod(floor(uVar1 / 100000), 10) * 3;
  term2 = mod(floor(uVar1 / 10000), 10);
  term6 = mod(floor(uVar1 / 1000), 10) * 3;
  term4 = mod(floor(uVar1 / 100), 10);
  term7 = mod(floor(uVar1 / 10), 10) * 3;

  total = term1 + term2 + term3 + term4 + term5 + term6 + term7;
  modded_total = mod(total, 10);

  output = mod(10 - modded_total, 10);
end
 

drsnooker

Although soxrok is correct, we can potentially leave the variables in:
Code:
% par1 and par3 are the two still-unidentified arguments of GenerateWpsPinCode
hex_str = dec2hex(par3 * 12480 + par1 + 21356, 6);   % zero-pad to 6 hex digits so the slices below always exist
d_hex = hex_str(1:2);
c_hex = hex_str(3:4);
b_hex = hex_str(5:6);
local_d = hex2dec(d_hex);
local_c = hex2dec(c_hex);
local_b = hex2dec(b_hex);
uVar2 = mod(local_d * 256 + local_c * 256 + local_b, 1000000);   % PIN body handed to checksum()
 

soxrok2212

(quoting drsnooker's checksum post above)

On the contrary, this is actually not random at all; it's completely predictable. See section 7.4.1 of the WPS 2.0 spec: https://www.wi-fi.org/download.php?...otected_Setup_Specification_v2.0.8.pdf#page53 (if it asks you to register, just put in fake info). The PIN is actually 7 digits long (and also split into two halves). If you know the first 7 digits, the 8th is completely predictable.
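The checksum rule soxrok2212 points to, as an added Python example (not code from the thread, the firmware or the spec): it derives the 8th digit from the 7-digit body, validates a full PIN, and splits it into the two halves a registrar confirms separately. The function names and the sample PIN values are my own; the weights are the ones the posted MATLAB checksum() applies.

```python
"""WPS PIN checksum (WPS 2.0 spec, section 7.4.1) as a stand-alone example."""


def wps_checksum(pin7: int) -> int:
    """Return the checksum digit for a 7-digit WPS PIN body.

    Digits are weighted 3,1,3,1,3,1,3 from the most significant digit down
    and summed; the checksum is whatever brings the total to a multiple
    of 10. This is what the decompiled checksum() computes once each digit
    is extracted with floor/mod before being weighted.
    """
    if not 0 <= pin7 <= 9_999_999:
        raise ValueError("PIN body must fit in 7 decimal digits")
    total = 0
    for i in range(7):                          # i = 0 is the least significant digit
        digit = (pin7 // 10 ** i) % 10
        total += digit * (3 if i % 2 == 0 else 1)   # 1st, 3rd, 5th, 7th from the right weigh 3
    return (10 - total % 10) % 10


def wps_pin_from_body(pin7: int) -> str:
    """Append the checksum digit to produce the full 8-digit PIN string."""
    return f"{pin7:07d}{wps_checksum(pin7)}"


def wps_pin_is_valid(pin8: str) -> bool:
    """True if an 8-character string is all digits and carries a correct checksum."""
    if len(pin8) != 8 or not pin8.isdigit():
        return False
    return wps_checksum(int(pin8[:7])) == int(pin8[7])


def wps_pin_halves(pin8: str) -> tuple:
    """Split a valid PIN the way the registrar verifies it: first half
    (4 digits), second half (3 digits) and the derived checksum digit.
    Because each half is acknowledged separately and the last digit is not
    secret, an online guess needs at most 10**4 + 10**3 attempts, not 10**8."""
    if not wps_pin_is_valid(pin8):
        raise ValueError("invalid WPS PIN")
    return pin8[:4], pin8[4:7], pin8[7]


if __name__ == "__main__":
    # Constructed bodies, not PINs from any real device
    for body in (1234567, 0, 9999999):
        pin = wps_pin_from_body(body)
        print(body, "->", pin, wps_pin_halves(pin))
```

Given a 7-digit body there is exactly one 8-digit PIN that validates, which is the "completely predictable" 8th digit in the post.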
 

kopppo1

I couldn't upload the file, so here's a link: gofile

- Compressed file & attached. :smile:
 

Attachments

  • rt5392ap.zip (411.9 KB)

drsnooker

The C3510ZX algo is in /lib/private/libzcfg_be.so called zcfgBeWlanGenDefaultKey_CTLK
Matches the other centurylink algo except for a slight tweak to the s2 mixing from p and s1. @pretorian if you really want this algo, all you need to do is figure out line 48 in the python code...
 

drsnooker

Alright, waited long enough, LOL. @Plum here's the C3510XZ CenturyLink code. I've left in (but commented out) the old interchelation of s2 so you can compare and contrast, but it's the only change!
Turns out not all 3510s are created equal, and @pretorian's model is an EX3510-B0, so it doesn't get solved by this algo.

Lastly, for @RealEnder we have a few pics of the stickers on the C3510XZ:

SN             Password
S210Z04013958  88a6e878d3bxef
S200Z52002911  cffah7c346adxf
S223W08001807  8f8f34aa3b77tc

Note that we have a new letter, the 'W', which now brings the known middle letters to the following set: 'AEHKSVWYZ'.

Also, from the tracking spreadsheet, @RealEnder, it doesn't look like they tried the 'K' for the Telus model, which is a known variant; maybe that'll catch you some more hits!
 

Attachments

  • centurylink3510.zip (2 KB)

Plum

(quoting drsnooker's C3510XZ post above)
 

StrongWind

Using the wonderful CenturyLink keygen written by drsnooker and converted by Plum, I was able to modify it a bit to generate possible passwords based on all possible serials. I recovered the following list from my collection of hashes. I still have a decent chunk in the CenturyLinkXXXX format that I have not cracked. (Yes, I made sure to filter for the Zyxel OUI as well.)

Serial               ESSID            Password
S170Y48000019        CenturyLink0019  33f4ba4ffd6ufc
S150Y21030131        CenturyLink0131  3cd3ec64acceca
S140Y19081176        CenturyLink1176  c37346radd467k
S130Y05043010        CenturyLink3010  e43dc6d76ab8c6
S130Y05043186        CenturyLink3186  v8f88d7f64e68f
S170Y26005549        CenturyLink5549  67dfmc6me4r8de
S140Y35085621        CenturyLink5621  e338bfaca4ad6a
S140Y22076542        CenturyLink6542  tf7fa8443rdeaf
S140Y16048459        CenturyLink8459  a68n88ub67ucbd
S170Y51018743        CenturyLink8743  4fxfd6a8344c8c
C1100ZS150Y32010017  CenturyLink0017  73d3ubffh33baf
C1100ZS160Y22000122  CenturyLink0122  e3874467ea6cuc
C1100ZS170Y11010236  CenturyLink0236  pa63da746dp77k
C1100ZS160Y03010300  CenturyLink0300  a76a46w46bbf47
C1100ZS150Y51020660  CenturyLink0660  8cd647ude6fpbe
C1100ZS160Y49000876  CenturyLink0876  c7k47cnfaaa6aa
C1100ZS160Y51010979  CenturyLink0979  eaxw63ccdb3df3
C1100ZS160Y48001079  CenturyLink1079  bb688bc3a4ceyv
C1100ZS160Y50011195  CenturyLink1195  df8cbmb67aadac
C1100ZS150Y36011515  CenturyLink1515  afectw8dff6x7a
C1100ZS150Y43031565  CenturyLink1565  ebdda344dedxrd
C1100ZS170Y02011603  CenturyLink1603  ed8e77eeef867a
C1100ZS170Y16032180  CenturyLink2180  afe86868d7dafc
C1100ZS150Y42022307  CenturyLink2307  u74udbmb64cca6
C1100ZS170Y23002350  CenturyLink2350  87d3c3ce64edfd
C1100ZS170Y23002352  CenturyLink2352  bd4n8dbb7btrbf
C1100ZS170Y21042414  CenturyLink2414  4meb8df637b6f6
C1100ZS160Y14002419  CenturyLink2419  3hd4er6bb77e7d
C1100ZS170Y21012432  CenturyLink2432  33cne744b7a4bc
C1100ZS160Y49002534  CenturyLink2534  dd6ac7daadk7fk
C1100ZS170Y02002588  CenturyLink2588  cefuaad76r3umv
C1100ZS160Y10022628  CenturyLink2628  b73n4kfay6bv88
C1100ZS160Y50002671  CenturyLink2671  7ee7erufcb76f6
C1100ZS170Y02012688  CenturyLink2688  477af6u3e4a473
C1100ZS150Y52042790  CenturyLink2790  h68f688468eec8
C1100ZS160Y50002793  CenturyLink2793  a77fdd8837cd37
C1100ZS150Y44022918  CenturyLink2918  fda86xffap8add
C1100ZS160Y33002978  CenturyLink2978  pb8uab487y84vd
C1100ZS150Y47003049  CenturyLink3049  88hcc3pe74df4d
C1100ZS160Y02003082  CenturyLink3082  ab433efe7efa6b
C1100ZS150Y29033093  CenturyLink3093  fadc37b3aafdf6
C1100ZS160Y50013127  CenturyLink3127  b3au87ea46467d
C1100ZS160Y32003140  CenturyLink3140  7ee3e6f4e4ecd8
C1100ZS160Y49003342  CenturyLink3342  a6fcd4666kacm8
C1100ZS150Y36003620  CenturyLink3620  73838m6364y6fb
C1100ZS160Y15003638  CenturyLink3638  afcc6fc6cbva8d
C1100ZS160Y10023884  CenturyLink3884  f3bw8b8ac676ac
C1100ZS160Y49003893  CenturyLink3893  a83fbtdebkfffb
C1100ZS150Y46024013  CenturyLink4013  63bbb7c8344ecx
C1100ZS150Y29014030  CenturyLink4030  ba3a68dfdfc4f8
C1100ZS160Y51004039  CenturyLink4039  a63cm6caak4t4c
C1100ZS150Y23004173  CenturyLink4173  af88fcdb4eaff4
C1100ZS160Y46014272  CenturyLink4272  df3f4eaae7dtax
C1100ZS170Y12014310  CenturyLink4310  6c8db388d7eex3
C1100ZS150Y37004521  CenturyLink4521  4ad7e3t8f3e4ae
C1100ZS160Y03014551  CenturyLink4551  4bdfc7aauhm4f3
C1100ZS170Y33004584  CenturyLink4584  aca7c4t76eecc4
C1100ZS160Y02034749  CenturyLink4749  dah3d37medr336
C1100ZS170Y16015333  CenturyLink5333  4h4w44bb34dv8a
C1100ZS150Y43005700  CenturyLink5700  67ffd44dbb4uaf
C1100ZS160Y03015840  CenturyLink5840  ddxb7fr6f7eeea
C1100ZS160Y51006058  CenturyLink6058  dfab7fc7cbdbcx
C1100ZS150Y32026318  CenturyLink6318  6dab8acbnfeadc
C1100ZS160Y34016440  CenturyLink6440  6xcef7m66c6ya6
C1100ZS160Y18016517  CenturyLink6517  b87736nma4afe8
C1100ZS150Y44016753  CenturyLink6753  433e7687b74368
C1100ZS150Y37016857  CenturyLink6857  acc8d4aa68exfd
C1100ZS150Y32027000  CenturyLink7000  773e4c3477aac6
C1100ZS160Y34017086  CenturyLink7086  pfdcaa4b683ufk
C1100ZS170Y21027155  CenturyLink7155  fecerdff884bdd
C1100ZS170Y41017838  CenturyLink7838  8e4abb4f68fa46
C1100ZS170Y26008058  CenturyLink8058  c6fdcfee3da8ce
C1100ZS170Y25008501  CenturyLink8501  ycc86ebmfde6fb
C1100ZS170Y21038528  CenturyLink8528  ked4fe4b87k3bb
C1100ZS160Y34018714  CenturyLink8714  av647cnf64688v
C1100ZS160Y34018719  CenturyLink8719  bbde44a7ffe8fd
C1100ZS170Y19008756  CenturyLink8756  fbbccdn4y8e4fd
C1100ZS170Y20019008  CenturyLink9008  4cccaf43bvd8ed
C1100ZS150Y44019559  CenturyLink9559  bffeadc4eedx3c
C1100ZS160Y49009648  CenturyLink9648  db3ca78a4p44c3
 

StrongWind

Given the list of serial numbers (all 10065 of them) posted in this thread or provided in links (thanks @drsnooker, @RealEnder, @Plum and @Sparton!!!), the following consensus matrix was made:

Code:
   [,1]  [,2] [,3] [,4] [,5] [,6] [,7] [,8] [,9] [,10] [,11] [,12] [,13]
0     0     0   38 4304  134 1434  798 9946 5047  1261  1045   985   979
1     0 10028    6  432 2176 2099  917  118 1960  1187  1062  1096   984
2     0    37   21 2327  234 1262 1018    0  799  1124   997  1089   992
3     0     0   49  383  173 1386  976    0  679  1116  1107   978  1056
4     0     0  762 2446  107 1222  567    0  381  1111  1017   961   997
5     0     0 1600  170  144  502  869    1  339  1029   988  1039   989
6     0     0 2525    0  179    0  591    0  285   976   990   941  1029
7     0     0 1488    0  257    0  539    0  185   893   943   944  1027
8     0     0 2304    0  441    0  894    0  241   726   971  1049  1020
9     0     0 1272    0  356    0  736    0  149   642   945   983   992
A     0     0    0    3  779    0    0    0    0     0     0     0     0
E     0     0    0    0 1380    0    0    0    0     0     0     0     0
F     0     0    0    0    2    0  224    0    0     0     0     0     0
K     0     0    0    0    7    0    0    0    0     0     0     0     0
N     0     0    0    0    0 1936    0    0    0     0     0     0     0
S 10065     0    0    0    0    0 1936    0    0     0     0     0     0
V     0     0    0    0  638    0    0    0    0     0     0     0     0
W     0     0    0    0    0  224    0    0    0     0     0     0     0
Y     0     0    0    0 2972    0    0    0    0     0     0     0     0
Z     0     0    0    0   86    0    0    0    0     0     0     0     0

Removing the 1936 N and S letters in positions 6 and 7,
removing the 224 W and F letters in positions 6 and 7,
removing the 3 A letters in position 4, and
removing the single 5 in position 8,
the following mask can be created:

-1 12 -2 012345 -3 ?dAEFKVYZ -4 01 S?1?d?2?3?2?d?4?d?d?d?d?d (24,480,000,000 combinations)

The last 4 digits can be removed from the mask and replaced with the 4 digits in the ESSID if available. (2,448,000 combinations)

If you want to include the removed letters/numbers in their positions a script will need to be made or modify maskprocessor to have additional character set options.
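The census-and-mask procedure above (and step 4 of drsnooker's checklist, analysing character frequency of collected serials) as an added Python example; it is not StrongWind's or drsnooker's script. It builds the per-position count matrix from a list of serials, drops characters below a chosen count the way the post removes the rare letters by hand, and emits the maskprocessor/hashcat command line with its keyspace. The sample serials are a few rows copied from the table earlier in the thread plus constructed ones; function names are my own. The only cosmetic difference from the post's mask is that the digits inside the -3 set are spelled out instead of written as ?d, which maskprocessor treats identically.

```python
"""Per-position character census of router serials and mask derivation."""
from collections import Counter
from math import prod

DIGITS = "0123456789"

# Sample input: some serials from the thread's table, some constructed
# (S130E..., S160A..., S220V..., S170K...) to show rarer middle letters.
SAMPLE_SERIALS = [
    "S170Y48000019",
    "S150Y21030131",
    "S140Y19081176",
    "S130E05043010",
    "S160A35085621",
    "S220V22076542",
    "S140Y16048459",
    "S170K51018743",
]


def position_matrix(serials):
    """Count how often each character occurs at each position.

    Returns one Counter per position. All serials must share one width;
    a different width means a different serial format and should be
    analysed as its own data set."""
    width = len(serials[0])
    matrix = [Counter() for _ in range(width)]
    for serial in serials:
        if len(serial) != width:
            raise ValueError(f"{serial!r}: expected width {width}")
        for pos, ch in enumerate(serial):
            matrix[pos][ch] += 1
    return matrix


def format_matrix(matrix):
    """Render the census as text: rows are characters, columns are positions."""
    chars = sorted(set().union(*matrix))
    width = len(matrix)
    lines = ["    " + "".join(f"{pos + 1:>6}" for pos in range(width))]
    for ch in chars:
        lines.append(f"{ch:<4}" + "".join(f"{matrix[pos][ch]:>6}" for pos in range(width)))
    return "\n".join(lines)


def derive_charsets(matrix, min_count=1):
    """Candidate alphabet per position, dropping characters seen fewer than
    min_count times (the outliers the post strips). Sorted strings so equal
    alphabets compare equal and can share one custom charset."""
    return ["".join(sorted(ch for ch, n in counter.items() if n >= min_count))
            for counter in matrix]


def build_mask(charsets):
    """Turn per-position alphabets into a maskprocessor/hashcat command line.

    A single character becomes a literal, the full digit set becomes ?d and
    anything else a custom charset (-1 .. -4). maskprocessor offers only four
    custom sets, so more distinct alphabets raise an error."""
    custom, tokens = [], []
    for cs in charsets:
        if len(cs) == 1:
            tokens.append(cs.replace("?", "??"))      # '?' is the mask escape character
        elif cs == DIGITS:
            tokens.append("?d")
        else:
            if cs not in custom:
                if len(custom) == 4:
                    raise ValueError("more than four custom charsets needed")
                custom.append(cs)
            tokens.append(f"?{custom.index(cs) + 1}")
    flags = " ".join(f"-{i + 1} {cs}" for i, cs in enumerate(custom))
    return f"{flags} {''.join(tokens)}".strip()


def keyspace(charsets):
    """Number of candidates the mask expands to."""
    return prod(len(cs) for cs in charsets)


# The alphabets the post settles on after removing the rare characters.
THREAD_CHARSETS = ["S", "12", DIGITS, "012345", DIGITS + "AEFKVYZ",
                   "012345", DIGITS, "01"] + [DIGITS] * 5


if __name__ == "__main__":
    matrix = position_matrix(SAMPLE_SERIALS)
    print(format_matrix(matrix))
    print(build_mask(derive_charsets(matrix)))
    print(build_mask(THREAD_CHARSETS), keyspace(THREAD_CHARSETS))
    # With the four trailing digits taken from the SSID, 9 positions remain.
    print(keyspace(THREAD_CHARSETS[:9]))
```

Raising min_count is the automated form of the manual "removing the ..." steps; the candidates it discards are exactly the ones the post says need a separate script or a modified maskprocessor if you want them back.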
 