Page 1 of 3 (results 1 to 10 of 30)

Thread: Need help with a very specific wordlist [stkeys]

  1. #1 skor78 (Member)

    Need help with a very specific wordlist [stkeys]

    Hi,

    We all know what stkeys is, and how useful it has become to many of us, myself included.
    As this exploit was discovered and spread around the world, Thomson eventually discovered their major security leak too, and to fix it, in the latest routers they changed the SSID from the SHA1 termination to the last 6 digits of the BSSID, making it impossible to calculate the key with stkeys... However, the key calculation method has not changed, only the SSID. I've checked this myself on several routers.

    So, I'm looking for a wordlist with all possible keys, from 2007 to 2011.
    I've read somewhere that the online stkeys calculators use a similar pre-created wordlist with the passwords and respective SSIDs, to avoid wasting time calculating the key, but I can't find the wordlist anywhere.

    Can someone help me find/generate such a wordlist? I don't know much about programming, and I know this is not a very easy job: it needs the conversion to hex of the last 3 digits of the serial (from 000 to ZZZ), and for each of these hex values we need to calculate the 52 possible keys for each year.

    Like I said, I know this is not an easy job, but I'm sure once this is created it will be widely useful to everyone attacking a Thomson router.

    Most people prefer to change the SSID and leave the key intact, so they can easily find the key when they need it (sticker under the router), so if we had such a wordlist it would improve our attack a lot, reducing the aircrack time drastically.

    Any pointers would be appreciated.

    Thanx!

  2. #2 (Just burned his ISO)

    Re: Need help with a very specific wordlist [stkeys]

    I'm a little confused as to what stkeys is. Is it a wordlist based on the default keys used by Thomson routers, or is it a precalculated PMK?... If it's a wordlist, you can use John the Ripper or similar programs to mangle your current wordlist. But to me it sounds like stkeys is a precalculated PMK based on a default ESSID, which is no longer static due to the update. If that's the case, they have completely squashed that exploit!

  3. #3 (Just burned his ISO)

    Re: Need help with a very specific wordlist [stkeys]

    I'm not quite sure what you mean...
    Do you mean a wordlist from something like this?
    hxxp://code.google.com/p/wifipassreminder/

  4. #4 skor78 (Member)

    Hi,

    Right and wrong, my friend: "stkeys is a precalculated PMK based on a default ESSID"

    stkeys is a precalculated PMK based on the serial number, reverse engineered to calculate the PMK from a default ESSID.

    Maybe this helps you understand better:

    CP YY WW PP XXX (CC)

    S/N: CP0647EH6DM(BF) (serial number)

    Remove CC and PP values: CP06476DM

    "XXX" values hex-encoded: CP064736444D (the last 3 chars changed to hex)

    SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3

    Default SSID: BTHomeHub-8DF3 (not applicable for the new version routers)

    Default encryption key: 06f48a28eb

    This PMK calculation method hasn't changed; what changed was the SSID method, from the last digits of the SHA1 to the last digits of the MAC address, making it impossible to calculate the PMK by reverse engineering. Also, many ISPs have done this with their clients (changed the SSID) to protect their routers, avoiding both that the clients lose the key and that we can RE-calculate the PMK.

    But this doesn't squash the exploit, only the RE calculation.
    If we create a wordlist with all possible keys (first 10 digits of the SHA1 of CPYYWWHHHHHH: HHHHHH from 000 to ZZZ converted to hex (6 digits), WW from 01 to 52, and YY from 08 to 11) it will reduce the attack time on this type of router with the default key...

    Anyway, I'm already trying to develop this wordlist with a person from outside the Linux world; the big problem is that he only knows the .NET Framework, which is very heavy and slow for creating such a wordlist.
    I've only posted this here because of Adrian Pastor's BTHHkeygen, which already comes with a complete wordlist (.csv format) of all possible keys for all BTHomeHub SSIDs, so I figured someone could help me do something very similar to that, which is what I'm looking for.

    @Moderator

    If you know a better section, or another site to post such a request, please advise.

    Thanx!

    Hello again,

    For those interested, I've found a wordlist with all possible keys from 2004 to 2009. 2010 and 2011 are still in progress.

    Cheers!
    Last edited by Archangel-Amael; 10-11-2010 at 07:24 PM.
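The serial-to-key derivation this post walks through, as an added Python example (not code from the thread, from stkeys or from BTHHkeygen). It is written as an owner's check: the key derived from the serial on the router sticker is compared with the key printed next to it, and a match means the default key is the predictable one and should be changed. The function names are chosen here; the serial CP0647EH6DM(BF) is the post's own example, and the post's hash values are not assumed.

```python
import hashlib
import re

# Serial layout as given in the post: CP YY WW PP XXX (CC)
# CP = fixed prefix, YY = year, WW = week, PP = production code,
# XXX = three alphanumeric chars, CC = check chars in parentheses.
SERIAL_RE = re.compile(
    r"^(CP)(\d{2})(\d{2})([0-9A-Z]{2})([0-9A-Z]{3})\s*(?:\(([0-9A-Z]{2})\))?$"
)


def preprocess_serial(serial: str) -> str:
    """Drop PP and CC and hex-encode XXX, e.g. CP0647EH6DM(BF) -> CP064736444D."""
    m = SERIAL_RE.match(serial.strip().upper())
    if not m:
        raise ValueError(f"unrecognised serial format: {serial!r}")
    cp, yy, ww, _pp, xxx, _cc = m.groups()
    return cp + yy + ww + xxx.encode("ascii").hex().upper()


def derive_default_credentials(serial: str) -> dict:
    """SHA1 step from the post: the first 10 hex digits of the digest are the
    default WPA key, the last 4 are the old-style SSID suffix."""
    digest = hashlib.sha1(preprocess_serial(serial).encode("ascii")).hexdigest()
    return {"key": digest[:10], "ssid_suffix": digest[-4:].upper()}


def sticker_key_is_predictable(serial: str, sticker_key: str) -> bool:
    """Owner's check (helper added here, not part of stkeys): True when the key
    printed on the sticker equals the key derived from the serial, meaning the
    factory default is still in use and should be replaced."""
    derived = derive_default_credentials(serial)["key"]
    return derived.lower() == sticker_key.strip().lower()


if __name__ == "__main__":
    example = "CP0647EH6DM(BF)"  # serial from the post's worked example
    creds = derive_default_credentials(example)
    print(preprocess_serial(example), creds["key"], creds["ssid_suffix"])
```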

  5. #5 Snayler (My life is this forum)

    Re: Need help with a very specific wordlist [stkeys]

    Quote Originally Posted by skor78:
    Hello again,

    For those interested, I've found a wordlist with all possible keys from 2004 to 2009. 2010 and 2011 are still in progress.

    Cheers!

    I'm interested, because I have 4 Thomson/SpeedTouch routers I can test it against. But one of them is from 2010, so I don't think it'll be crackable. Either way, I would appreciate it very much if you posted the wordlist.

    BTW, have you looked into the source code of stkeys? It should be possible to alter the code to make it dump all the possible combinations into a file. It would also be possible to make year-specific wordlists. I believe it is written in C; I'll have a look into it later today.

  6. #6 jonathan11 (Just burned his ISO)

    Re: Need help with a very specific wordlist [stkeys]

    I think I have what you guys are looking for. I used hxxp://code.google.com/p/wifipassreminder/ which could look up the keys based on the "old method".

    The wifi pass reminder created a file of about 180MB, containing 10 000 000 keys.
    I then used cat to get the actual keys.
    I checked with my old Thomson and it sure found it.
    I can post it when I get home from work if that is what you guys are looking for.

  7. #7 skor78 (Member)

    Re: Need help with a very specific wordlist [stkeys]

    Hey Snayler, "What's up?" ("Mékié?")

    I've just finished the clean-up on the wordlist, removing all the SSIDs and leaving just the keys listed with L517, but I'm not able to merge all the files together with L517 because it crashes while reading the files, so what I have now is 16 files from 0 to F, the file being the first char of the SSID (e.g. for "Thomson147499", the key will be in "1.txt"). Needless to say this is pointless with a changed SSID, so I've zipped the files and I'm uploading them as we speak.
    You could help me too: after I post the link, I'd really appreciate it if you merged the files together and re-uploaded them, or even better, told me how I can do it in Linux. Also, in L517 we have an option to remove duplicate keys; if you can teach me such a command in Linux, I'd really appreciate it.

    Just give me 1h or so, and I'll post the link.

    Cheers!

  8. #8 Snayler (My life is this forum)

    Re: Need help with a very specific wordlist [stkeys]

    Quote Originally Posted by skor78:
    Hey Snayler, "What's up?" ("Mékié?")

    "All good!" ("Tá tudo!")

    Quote Originally Posted by skor78:
    but I'm not able to merge all the files together (...) tell me how I can do it in Linux..

    cat should do the job. In your case:
    Code:
    cat *.txt > thomsonkeys.txt

    Quote Originally Posted by skor78:
    Also, in L517 we have an option to remove duplicate keys; if you can teach me such a command in Linux, I'd really appreciate it.

    I believe BackTrack has a tool for that, uniq.
    Code:
    # uniq only collapses adjacent duplicate lines, so the keys must be sorted first
    cat *.txt | sort | uniq > keys.txt
    Last edited by Snayler; 10-11-2010 at 04:55 PM.

  9. #9 skor78 (Member)

    Thomson all keys 2004/2009

    Quote Originally Posted by jonathan11:
    I think I have what you guys are looking for. I used hxxp://code.google.com/p/wifipassreminder/ which could look up the keys based on the "old method".

    The wifi pass reminder created a file of about 180MB, containing 10 000 000 keys.
    I then used cat to get the actual keys.
    I checked with my old Thomson and it sure found it.
    I can post it when I get home from work if that is what you guys are looking for.

    Hi jona,

    I was convinced that wifipassreminder was just a GUI stkeys, but if you're saying I can create such a wordlist with all 2010 possible keys, I'll give it a look tomorrow.

    Thanks for the useful info!

    Cheers!

    Edit:

    @ Mod

    Sorry, I forgot again to merge the posts, and now I can't delete this one. And thanks for those silent, yet very useful tips. I'm still new around here, but hopefully very soon I'll adapt... As you say around here, I will TRY HARDER!
    Last edited by Archangel-Amael; 10-12-2010 at 02:11 PM.

  10. #10 Snayler (My life is this forum)

    Re: Need help with a very specific wordlist [stkeys]

    Quote Originally Posted by skor78:
    I was convinced that wifipassreminder was just a GUI stkeys, but if you're saying I can create such a wordlist with all 2010 possible keys, I'll give it a look tomorrow.

    I know the author of wifipassreminder; he told me his program calculates passwords until 2010 (wrong info, see below), so it could be it.
    Last edited by Snayler; 10-16-2010 at 06:03 AM.
