Need help with a very specific wordlist [stkeys]

[skor78]

Hi,

We all know what is stkeys, and how useful it became to many of us, like myself.
As this exploit was discovered and spread around the world, eventually, also Thomson discovered their major security leak, and to solve the issue, in the latest routers they've changed the SSID from the sha1 termination to the last 6 digits of the BSSID, making it impossible to calculate the key with stkeys... However, the key calc method has not changed, only the SSID. I've checked this myself in several routers..

So, i'm looking for a wordlist with all possible keys, from 2007 to 2011..
I've read somewhere that the online stkeys calc's use a similar pre-created wordlist with the passwords and respective SSID's, to avoid wasting time to calc the key, but can't find the wl anywhere..

Can someone help me find/generating such a wordlist? I don't know much about programing, and i know this is not a very easy job, it needs the conversion to hex of the last 3 digits from the serial (from 000 to ZZZ), and for each one of these hex's we need to calc the 52 possible keys for each year..

Like i said, i know this is not an easy job, but i'm sure once this is created it will be widely useful to everyone attacking a thomson router..

Most people prefer to change the SSID and leave the key intact, so they can easily find the key when they need it (sticker under the router), so, if we had such a wordlist it would improve our attack alot, reducing the aircrack time drastically..

Any pointers would be appreciated..

Thanx!

[deathwave]

I'm little confused as to what stkey is? Is it a word list based on the default key's used by Thomson routers or is it a precalculated PMK?...If its a word list, you can use John the Ripper or similar programs to mangle your current word list. But to me it sounds like stkey is a precalulated PMK based on a default ESSID, which is no longer static due to the update. If that's the case, they have completely squash that exploit!

[jonathan11]

I'm not quite sure what you mean...
Do you mean the wordlist of something like this?
hxxp://code.google.com/p/wifipassreminder/

[skor78]

Hi,

Right and wrong my friend.. "stkey is a precalulated PMK based on a default ESSID"

stkey is a precalulated PMK based on the serial number, reversed engineered to calc PMK from a default ESSID..

maybe this helps u understand better:

CP YY WW PP XXX (CC)

S/N: CP0647EH6DM(BF) (serial number)

Remove CC and PP values: CP06476DM

"XXX" values hex-encoded: CP064736444D (the last chars 3 changed to hex)

SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3

Default SSID: BTHomeHub-8DF3 (not applicable for the new version routers)

Default encryption key: 06f48a28eb

This PMK calc method hasn't changed, what changed was the SSID method, from the last digits of the sha1 to the last digits from the MAC address, making it impossible to calc PMK by reverse engineering.. Also, many ISP's have done this with they're clients (change SSID) to protect they're routers, and avoiding both, that the clients loses the key and we can RE calc the PMK.

But this doesn't squash the exploit, only for RE calculation.
If we create a wordlist with all possible keys (1st 10 digits of sha1 of CPYYWWHHHHHH: HHHHHH from 000 to ZZZ converted to hex (6 digits), WW from 01 to 52, and YY from 08 to 11) it will reduce the attack time in this type of routers with the default key...

Anyway, i'm already trying to develop this word list with a person out from the linux world, the big problem is that he only knows .NET Framework that it's very heavy and slow to create such a wordlist..
I've only posted this here because of Adrian Pastor BTHHkeygen that already comes with a complete wordlist (.csv format) of all possible keys in all BTHomeHubs SSID's, so i figured someone could help me do something very similar to this, which is what i'm looking for..

@Moderator

if you know a better section, or another site to post such request, please advice.

Thanx!

Hello again,

For those interested i've found a wordlist with all possible keys from 2004 to 2009. 2010 and 2011 still in progress.

Cheers!

[Snayler]

Hello again,

For those interested i've found a wordlist with all possible keys from 2004 to 2009. 2010 and 2011 still in progress.

Cheers!

I'm interested, because I have 4 Thomson/Speedtouch routers I can test it against. But one of them is from 2010, so I don't think it'll be crackable. Either way, I would appreciate it very much if you posted the wordlist.

BTW, have you looked into the source code of stkeys? It should be possible to alter the code to make it dump all the possible combinations into a file. It would also be possible to make year-specific wordlists. I believe it is written in C, I'll have a look into it later today.

[jonathan11]

I think I have what you guys are looking for. I used the hxxp://code.google.com/p/wifipassreminder/ witch could look up the keys based on the "old method"

The wifi pass reminder created a file about 180MB, containing 10 000 000 keys.
I then used cat to get the actual keys
I checked with my old Thomson and it sure found it.
I can post it when I get home from work if that is what you guys are looking for.

[skor78]

Hey Snayler, "Mékié?"

I've just finished the clean-up on the wordlist, removing all the SSID's, and leaving just all the keys listed with L517, but i'm not being able to merge all the files together with L517 cuz it crashes while it's reading the files, so what i have now is 16 files from 0 to F, being the file, the first char of the SSID (in ex. "Thomson147499", the key will be in "1.txt"), needless to say this is pointless in a changed SSID, so i've zipped the files and i'm uploading them as we speak.
You could help me too, after i post the link, I'd really appreciate if you merged the files together and re-upload them, or even better, tell me how can i do it in linux.. Also, in L517 we have an option to remove duplicate keys, if you can teach me such command in linux, i really appreciate.

Just give me 1h or so, and i'll post the link.

Cheers!

[Snayler]

Hey Snayler, "Mékié?"

"Tá tudo!"

but i'm not being able to merge all the files together (...) tell me how can i do it in linux..

cat should do the job. In your case:

Code:

cat *.txt > thomsonkeys.txt

Also, in L517 we have an option to remove duplicate keys, if you can teach me such command in linux, i really appreciate.

I believe backtrack has a tool for that, uniq.

Code:

cat *txt > keys.txt | uniq -u

[skor78]

Thomson all keys 2004/2009

I think I have what you guys are looking for. I used the hxxp://code.google.com/p/wifipassreminder/ witch could look up the keys based on the "old method"

The wifi pass reminder created a file about 180MB, containing 10 000 000 keys.
I then used cat to get the actual keys
I checked with my old Thomson and it sure found it.
I can post it when I get home from work if that is what you guys are looking for.

hi jona,

I was convinced that wifipassreminder was just a GUI stkeys.. but if u'r saying i can create such a wordlist with all 2010 possible keys, i'll give it a look tomorrow..

Thanks for the useful info!

Cheers!

Edit:

@ Mod

Sorry, i forgot again to merge the posts.. and now i can't delete this one.. And thanx for those silent, yet, very useful tips.. I'm still new around here, but hopefully very soon i'll adapt... As you say around here, i will TRY HARDER!

[Snayler]

I was convinced that wifipassreminder was just a GUI stkeys.. but if u'r saying i can create such a wordlist with all 2010 possible keys, i'll give it a look tomorrow..

I know the author of wifipassreminder, he told me his program calculates passwords until 2010 (wrong info, see below), so it could be it.