Forum Thread: Hacking the BTHub 3/4 (Or Potentially More)

I'm very glad you brought this up. All the wifi hubs in my area are BThomehub 4 or 5. Almost everyone uses the default 10 character hexadecimal key. This is written on the based of the modem. I figured cracking 12^10 by brute force was nearly impossible and the only option would be to physically sneak a glance under the modem to read the key. A shortcut would be a life saver.

I'm looking at four keys now. Here are the characters used:
f593ceb824a76d
In order: abcdef23456789

Thanks for the reply John good to see some interest showing already, the wireless key must then be solely in the hex range so that means the max bruteforce I thought was 16^10 though you stated 12^10 may i ask how you reduced to that? also what we need doesn't rely on the keys used they will be anywhere in the range 0-9 a-f but, lemme try explaining this as best i can bear with me, it lies in using the hub info i think the serial number is what all other info is derived from so really we need the RAW serial number to be encoded using various hashing methods or algorithms and alterations of some characters (as like the gnu post) to see if we can generate some of the hub info using only the serial number then hopefully we can build a script that compares the SSID against a list of possible serial numbers to guess the wireless key, like a dictionary attack

hopefully that made sense i'm very tired here will be researching this heavily over the coming days

Oh good catch sorry I did mean 16^10. I previously thought there were only 12 characters used but I now believe its likely to be hexadecimal. I will watch this thread with interest and I'll post anything useful I come up with.

after some careful inspection and some more research I found out that, apparently, BT no longer use the serial number method for generation and the best information i could gather is that they moved on to use the last 6 digits of the mac address however I couldn't get a strong match the closest i came was by using the SHA-512 and whirlpool hashing methods but i believe there is something i'm missing still

Do you mean they take the last 6 digits of the modem mac address then encrypt them and use the result as part of the default WPA key?

I tried to do a WPS pixie dust and WPS pin attack on my own modem again today with a new wifi adapter (TL-WN722N) and Wifite. It ran for 6.5 hours. No luck. These routers seem to make everything I've learnt about wi-fi hacking redundant.

sorry i've been inactive, i think they take the last 6 digits of the MAC and hash them to produce a WPA key. and yes these routers are surprisingly resilient to attack but nothing is impenetrable don't give up!

I too have been looking into the algorithm used to generate the WPA keys. I imagine the BTHub uses a method not to dissimilar to this:

http://ednolo.alumnos.upv.es/?p=1883

Without looking into the decompiled assembly of any version of the firmware it's going to be difficult and I haven't been able to find a OEM firmware image anywhere. No doubt a secret seed is used when hashing the MAC (or just the last 6 bytes) which first must be discovered to make any progress.

Just FYI the first numeric section of the serial number is the "item code" basicly an internal reference number if one were to order them from BT's internal stores.

Hi, I am very new to pen testing but I thought I would chip in my 2 cents as I am currently thinking about the same problem, all the hubs in the area including mine being BT 4 or 5.

I have been trying to write down rules for the password and cross them off once I see a BT password that doesn't follow them in order to shorten my wordlists to a realistic size. It doesn't look hopeful at the moment and I'm sure you'll have more luck with the hash method but if it's any help here's the rules that I haven't disproved yet for BT hub 4:

1: length = 10
2: Uses hexadecimal with no zeroes, i.e. abcdef123456789
3: No more than 3 numbers or 3 letters in a row
4: No digit is repeated
5: Only uses 3 different letters

With these rules I can say that there are 548 pattern combinations which
I have generated with:

>crunch 10 10 @% -d 3^

Then I wanted to use crunch again to generate a word list for each pattern, although I couldn't think of a way to include rule 5 yet. So I was going to start with my own password's 3 letters (b,c and d) in order to prove my password would be generated:

>crunch 10 10 bcd123456789 -d 1@ -d 1% -t %@@%%%@%@%

but this still produces a 100gb-ish wordlist, so not really practical considering there are going to be 548 of these lists even if I only stuck with b, c and d instead of the whole a-f.

Any other ideas or criticism would be appreciated because as I said, I am very new to this but enjoy the challenge and the learning curve.

Step 1: Just Wanted to Say

I think the last 2 rules are wrong as I have a BTHub4-PX2Q with passkey c6b94dc93 however I'm not sure that is correct as it is only 9 characters long and not 10 and I got it from an app called wifimap. The reason I believe the last time is wrong is that BTHub4-29ZR as seen above has a passkey cfa6d494a8, and has a c d and f . Just my thoughts on the issue because I really need to crack a hub4 passkey. The hub in question is BTHub4-NGRX for anyone Who is interested. Please help if you can!