Do you know of any more sites like cm9.net/skypass/ and nickkusters.com/SpeedTouch.aspx?
Having a list of all sites that provide the default router passkey would be very handy to have! :-)
xxx.cm9.net/skypass/
This will only work on SKY broadband and V1 routers.
This website allows you to put in the airodump MAC address and it will return the default WPA key. It will only work on the white V1 Netgear router; the later versions require the serial number.
Tested it and it does work.
If anyone knows the algo for generating the S/N from the SSID / MAC, this may open up the remaining routers.
xxx.nickkusters.com/SpeedTouch.aspx
This website does the same for SpeedTouch routers.
I am not aware of any more, but the guy who owns nickkusters.com and a guy from the gnucitizen site were talking of making a Windows-based program to exploit the BTHH, Sky V1, Speedtouch and another they know. The idea being you can switch on the program, it'll see which type has the strongest signal and try the various default exploits... might be one to look out for!!
There are standard exploits for a Dutch (I think) and a Spanish main broadband supplier, but pretty useless unless you travel....
Cheers mate, I will keep an eye out for it!
I've got a couple of Siemens Gigaset routers from Tiscali that use WPA2 as default. I've noticed that their SSIDs match the last six characters/digits of the router's MAC address and that most of the WPA2 passkey seems to be made up from the MAC address!
Check this out and let me know what you think.
ssid Tiscali 153BDB -- ROUTER MAC 002104153BDB -- PASSKEY B14B03B5B3D6
ssid Tiscali 11ECCF -- ROUTER MAC 00210411ECCF -- PASSKEY F34C0EF1C7C5
Cheers for this bud. Very interesting stuff.
Thanks
Kraven666
Mapping the WPA to the MAC address shows that the WPA key is made up as follows?
MACS code digit
1 - 12th digit of MAC
2 - can't figure out - possibly connected to serial number?
3 - 6th digit of MAC
4 - 10th digit of MAC
5 - 5th digit of MAC
6 - 9th digit of MAC
7 - 12th digit of MAC
8 - 8th digit of MAC
9 - 10th digit of MAC
10 - can't figure out - possibly connected to serial number?
11 - 11th digit of MAC
12 - can't figure out - possibly connected to serial number?
This works for the 2 combinations given, could be coincidence but unlikely... do you have any more we can check against (this is a call to all Tiscali BB users)? Have a look at the serial numbers (or any other numbers on the router); the 3 missing may be on there. Either way, if this works it would be pretty easy to work out the missing key digits through bruteforce once the handshake is captured!!
Let me know if this helps....
Cool! That's what I worked out too, the 2nd, 10th and the 12th I couldn't work out either!
I did think they were random, but reading your reply made me look at the serial again!
I can confirm that the 2nd, 10th and 12th are in the router serial. Do you know of a way to obtain the router serial?
I take it you mean to obtain the SN over the wireless network?
This can be done with the BTHH once connected, but I don't think it's possible to obtain info on a router without being connected or knowing the IP address to run an Nmap scan. I don't think either will give the info required.
Post the SN and I'll see if I can see any link.
The alternative is to build a dictionary containing all permutations of the missing digits (16^3 = 4096 combinations); with a handshake this could be cracked in seconds. There are people on this site that could do this, I suspect, quite quickly.
It would be best to run some more MACs through this to see if they all stack up? The Sky routers had different versions which had different algorithms?
I have some more SSIDs and MACs too, but no passkeys for them :-(
If I can find a way to generate all the combinations for the last three, I can then get some more passkeys to check against our formula!
I only have two routers that are my own and would have to be a little naughty to get the other passkeys!
Hi there, just wondering if any of you guys got any further with this?
Don't discount Windows, I would be a poor man without it ;)