
Thread: Sky router WPA algorithm available

  1. #1
    Member
    Join Date
    Jun 2008
    Posts
    50

    Default Sky router WPA algorithm available

    xxx.cm9.net/skypass/

    This will only work on SKY broadband and V1 routers.

    This website allows you to put in the airodump MACS address and it will return the default WPA key. It will only work on the white V1 Netgear router; the later versions require the Serial number.

    Tested it and it does work.

    If anyone knows the algo for generating the S/N from the SSID / MACS this may open up the remaining routers.

    xxx.nickkusters.com/SpeedTouch.aspx

    This website does the same for SpeedTouch routers.

  2. #2
    Junior Member
    Join Date
    Aug 2007
    Posts
    45

    Default

    Do you know of any more sites like cm9.net/skypass/ and nickkusters.com/SpeedTouch.aspx?
    Having a list of all sites that provide the default router passkey would be very handy to have! :-)

  3. #3
    Member
    Join Date
    Jun 2008
    Posts
    50

    Default

    I am not aware of any more, but the guy who owns nickkusters.com and a guy from the gnucitizen site were talking of making a Windows-based program to exploit the BTHH, Sky V1, Speedtouch and another they know. The idea being you can switch on the program, it'll see which type has the strongest signal and try the various default exploits... might be one to look out for!!

    There are standard exploits for a Dutch (I think) and a Spanish main broadband supplier, but pretty useless unless you travel....

  4. #4
    Junior Member
    Join Date
    Aug 2007
    Posts
    45

    Default

    Cheers mate, I will keep an eye out for it!
    I've got a couple of Siemens Gigaset routers from Tiscali that use WPA2 as default. I've noticed that their SSIDs match the last six characters/digits of the router's MAC address and that most of the WPA2 passkey seems to be made up from the MAC address!

    Check this out and let me know what you think.

    ssid Tiscali 153BDB -- ROUTER MAC 002104153BDB -- PASSKEY B14B03B5B3D6
    ssid Tiscali 11ECCF -- ROUTER MAC 00210411ECCF -- PASSKEY F34C0EF1C7C5

  5. #5
    Just burned his ISO
    Join Date
    Sep 2008
    Posts
    19

    Default

    Cheers for this bud. Very interesting stuff.

    Thanks
    Kraven666

  6. #6
    Member
    Join Date
    Jun 2008
    Posts
    50

    Default

    Mapping the WPA to the MAC address shows that the WPA key is made up as follows?

    MACS code digit
    1 - 12th digit of MAC
    2 - can't figure out - possibly connected to serial number?
    3 - 6th digit of MAC
    4 - 10th digit of MAC
    5 - 5th digit of MAC
    6 - 9th digit of MAC
    7 - 12th digit of MAC
    8 - 8th digit of MAC
    9 - 10th digit of MAC
    10 - can't figure out - possibly connected to serial number?
    11 - 11th digit of MAC
    12 - can't figure out - possibly connected to serial number?

    This works for the 2 combinations given, could be coincidence but unlikely... do you have any more we can check against (this is a call to all Tiscali BB users)? Have a look at the Serial numbers (or any other numbers on the router), the 3 missing may be on there. Either way, if this works it would be pretty easy to work out the missing key digits through bruteforce once the handshake is captured!!

    Let me know if this helps....

  7. #7
    Junior Member
    Join Date
    Aug 2007
    Posts
    45

    Default

    Cool! That's what I worked out too, the 2nd, 10th and the 12th I couldn't work out either!
    I did think they were random, but reading your reply made me look at the serial again!
    I can confirm that the 2nd, 10th and 12th are in the router serial. Do you know of a way to obtain the router serial?

  8. #8
    Member
    Join Date
    Jun 2008
    Posts
    50

    Default

    I take it you mean to obtain the SN over the wireless network?

    This can be done with the BTHH once connected, but I don't think it's possible to obtain info on a router without being connected or knowing the IP address to run an Nmap scan. I don't think either will give the info required.

    Post the SN and I'll see if I can see any link.

    An alternative is to build a dictionary containing all permutations of the missing digits (16^3 = 4096 combinations); with a handshake this could be cracked in seconds. There are people on this site that could do this, I suspect, quite quickly.

    It would be best to run some more MACs through this to see if they all stack up? The Sky routers had different Versions which had different algorithms?
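
An owner-side audit of the pattern discussed in posts #6 to #8, added here as an example that is not part of the original thread: it checks the two MAC/passkey pairs quoted in post #4 and reports which key characters are copies of MAC digits and how little key strength is left once those are discounted. The function names are hypothetical, and a hex alphabet is assumed for the key.

```python
import math

# Sample pairs quoted in post #4 of this thread (router MAC, default passkey).
SAMPLES = [
    ("002104153BDB", "B14B03B5B3D6"),
    ("00210411ECCF", "F34C0EF1C7C5"),
]

def mac_derived_positions(samples):
    """Map each 1-based key position to the 1-based MAC digit positions
    that equal it in every sample (empty set = not copied from the MAC)."""
    key_len = len(samples[0][1])
    result = {}
    for k in range(key_len):
        candidates = None
        for mac, key in samples:
            mac, key = mac.upper().replace(":", ""), key.upper()
            hits = {i + 1 for i, d in enumerate(mac) if d == key[k]}
            candidates = hits if candidates is None else candidates & hits
        result[k + 1] = candidates
    return result

def residual_strength(samples):
    """Return (unexplained key positions, remaining keyspace, bits)."""
    derived = mac_derived_positions(samples)
    unknown = [pos for pos, src in derived.items() if not src]
    keyspace = 16 ** len(unknown)  # assumption: key alphabet is hex
    return unknown, keyspace, math.log2(keyspace)

if __name__ == "__main__":
    for pos, src in mac_derived_positions(SAMPLES).items():
        print(f"key char {pos:2}: MAC digit(s) {sorted(src) or 'none'}")
    unknown, keyspace, bits = residual_strength(SAMPLES)
    nominal = 4 * len(SAMPLES[0][1])
    print(f"unexplained positions {unknown}: {keyspace} keys, "
          f"{bits:.0f} bits instead of the nominal {nominal}")
```

A default key that this audit shows to be mostly copied from the broadcast MAC should be replaced with a random passphrase unrelated to anything the router transmits.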

  9. #9
    Junior Member
    Join Date
    Aug 2007
    Posts
    45

    Default

    I have some more SSIDs and MACs too, but no passkeys for them :-(
    If I can find a way to generate all the combinations for the last three, I can then get some more passkeys to check against our formula!
    I only have two routers that are my own and would have to be a little naughty to get the other passkeys!

  10. #10
    Member
    Join Date
    Mar 2007
    Posts
    121

    Default

    Hi there just wondering if any of you guys got any further with this?
    Don't discount Windows, I would be a poor man without it ;)
