So i was adding a wireless device to my BThub4 and typing in the password i realised that no characters were after f so immediately thinking this hex must be generated someways i delved online and found some material on gnucitizen on a researcher who cracked the generation for the old the old BTHub 1.0 based on the Thomson SpeedTouch 7G and ST790. Although this was WEP encryption to give an idea of how dated this is.
http://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/
information on some of the hubs here
https://en.wikipedia.org/wiki/BT_Home_Hub
I experimented with sha-1 hashing the serial number of the newer routers and found the method (as expected) no longer works, However using an old bthub 2 and bt hub 4 I see that:
- The SSID format still remains the same i.e BTHub4-XXXX where x can be 0-9 or A-Z all uppercase (on the hub stickers)
- Serial number format is the same i.e. +XXXXXX+AAAAAAAAAA where X is 0-9 and A is A-Z case insensitive things i noted are that the first X was 0 across the 3 hubs i tried are all 0 though this may herald nothing special, and on the two BTHub 4 models the first 3 A characters were NQ3 (note these two were acquired in a small timeframe from BT which may explain this )
- wireless keys are a strict length 10 and in a hex range so 0-9 a-f case insensitive of course - here is an intriguing part where i will really require other home hub users to assist, there is some simple recurrence i've noticed in the wireless passwords that i hope other users can confirm, the characters c 6 d appear in all models tested with things like db pairs appearing and the number 9 frequenting in the keys hopefully this may make it easier to determine how the key is generated eg SHA-1 hash etc.. or it may be completely trivial I am really out on a longshot here. I will post full info on two of the hubs the other i cannot as i am not the owner and it is still active
- the admin password is 8 long and can be 0-9 or A-Z upper case (login manager is case sensitive)
So as we can see there is set rules for these fields persisting across the hub versions (there is currently 5) but something changed from the original to how this is done but what? was some salt added to the hash? another hashing method used?
If interest is shown in this topic i will post details on my BTHub 3 as well and will see if i can acquire more complete hub info using the helpful google and ebay pictures of hubs for sale and would encourage readers to post any they may know (preferably old ones as well its all the information you need to own the router)
SSID - BTHub2-QR5H
SERIAL NUMBER - +044024+1105986137
MAC - C0D044BEDDC8
WIRELESS KEY (WPA) - 5dbca439c6
ADMIN PASSWORD - Y6FFYN34
WIRELESS PIN - 2695-0761
SSID - BTHub4-29ZR
SERIAL NUMBER - +068341+NQ31245897 (maybe only first two characters are letters?)
MAC - 2C399662E812
WIRELESS KEY (WPA & WPA2) - cfa6d494a8
ADMIN PASSWORD - XMJHT3MJ
WIRELESS PIN - not printed on the hub & haven't successfully hacked with reaver to find.. yet
- cover image is another hub too for bonus info ;P
I hope to hear from you all soon i hope i have provided adequate information for any cracker out there to take a shot at this and if you need more information don't hesitate to comment or message and hope you enjoy a different perspective on WiFi/Router hacking
12 Responses
I'm very glad you brought this up. All the wifi hubs in my area are BThomehub 4 or 5. Almost everyone uses the default 10 character hexadecimal key. This is written on the based of the modem. I figured cracking 12^10 by brute force was nearly impossible and the only option would be to physically sneak a glance under the modem to read the key. A shortcut would be a life saver.
I'm looking at four keys now. Here are the characters used:
f593ceb824a76d
In order: abcdef23456789
Thanks for the reply John good to see some interest showing already, the wireless key must then be solely in the hex range so that means the max bruteforce I thought was 16^10 though you stated 12^10 may i ask how you reduced to that? also what we need doesn't rely on the keys used they will be anywhere in the range 0-9 a-f but, lemme try explaining this as best i can bear with me, it lies in using the hub info i think the serial number is what all other info is derived from so really we need the RAW serial number to be encoded using various hashing methods or algorithms and alterations of some characters (as like the gnu post) to see if we can generate some of the hub info using only the serial number then hopefully we can build a script that compares the SSID against a list of possible serial numbers to guess the wireless key, like a dictionary attack
hopefully that made sense i'm very tired here will be researching this heavily over the coming days
Oh good catch sorry I did mean 16^10. I previously thought there were only 12 characters used but I now believe its likely to be hexadecimal. I will watch this thread with interest and I'll post anything useful I come up with.
after some careful inspection and some more research I found out that, apparently, BT no longer use the serial number method for generation and the best information i could gather is that they moved on to use the last 6 digits of the mac address however I couldn't get a strong match the closest i came was by using the SHA-512 and whirlpool hashing methods but i believe there is something i'm missing still
Do you mean they take the last 6 digits of the modem mac address then encrypt them and use the result as part of the default WPA key?
I tried to do a WPS pixie dust and WPS pin attack on my own modem again today with a new wifi adapter (TL-WN722N) and Wifite. It ran for 6.5 hours. No luck. These routers seem to make everything I've learnt about wi-fi hacking redundant.
sorry i've been inactive, i think they take the last 6 digits of the MAC and hash them to produce a WPA key. and yes these routers are surprisingly resilient to attack but nothing is impenetrable don't give up!
I too have been looking into the algorithm used to generate the WPA keys. I imagine the BTHub uses a method not to dissimilar to this:
http://ednolo.alumnos.upv.es/?p=1883
Without looking into the decompiled assembly of any version of the firmware it's going to be difficult and I haven't been able to find a OEM firmware image anywhere. No doubt a secret seed is used when hashing the MAC (or just the last 6 bytes) which first must be discovered to make any progress.
Just FYI the first numeric section of the serial number is the "item code" basicly an internal reference number if one were to order them from BT's internal stores.
Hi, I am very new to pen testing but I thought I would chip in my 2 cents as I am currently thinking about the same problem, all the hubs in the area including mine being BT 4 or 5.
I have been trying to write down rules for the password and cross them off once I see a BT password that doesn't follow them in order to shorten my wordlists to a realistic size. It doesn't look hopeful at the moment and I'm sure you'll have more luck with the hash method but if it's any help here's the rules that I haven't disproved yet for BT hub 4:
1: length = 10
2: Uses hexadecimal with no zeroes, i.e. abcdef123456789
3: No more than 3 numbers or 3 letters in a row
4: No digit is repeated
5: Only uses 3 different letters
With these rules I can say that there are 548 pattern combinations which
I have generated with:
>crunch 10 10 @% -d 3^
Then I wanted to use crunch again to generate a word list for each pattern, although I couldn't think of a way to include rule 5 yet. So I was going to start with my own password's 3 letters (b,c and d) in order to prove my password would be generated:
>crunch 10 10 bcd123456789 -d 1@ -d 1% -t %@@%%%@%@%
but this still produces a 100gb-ish wordlist, so not really practical considering there are going to be 548 of these lists even if I only stuck with b, c and d instead of the whole a-f.
Any other ideas or criticism would be appreciated because as I said, I am very new to this but enjoy the challenge and the learning curve.
Step 1: Just Wanted to Say
I think the last 2 rules are wrong as I have a BTHub4-PX2Q with passkey c6b94dc93 however I'm not sure that is correct as it is only 9 characters long and not 10 and I got it from an app called wifimap. The reason I believe the last time is wrong is that BTHub4-29ZR as seen above has a passkey cfa6d494a8, and has a c d and f . Just my thoughts on the issue because I really need to crack a hub4 passkey. The hub in question is BTHub4-NGRX for anyone Who is interested. Please help if you can!
Share Your Thoughts