Tncap Router Keygen Github Io Default Router WPA Keys - Keyspace Used. I'm working with an access point which I assume to be netgear, having looked up the mac address and finding it in netgear's range.
Default WEP/WPA key algorithm for Thomson routers Default WEP/WPA key algorithm for Thomson routers. SEND YOUR SPEEDTOUCH SERIAL NUMBERS TO ME PLEASE!. Author: Kevin Devine WWW: Date: April 2008 Tools Hardware used. SpeedTouch 585v6 Wireless Router.
SpeedTouch 123 G USB adapter Software used. stInstall.exe 1.2.6.1 build 064.
IDA Pro 4.3 Freeware. Windows Debugging Tools. PEiD with KANAL plugin The algorithm was found inside the stInstall.exe setup wizard which accompanies the CD-ROM provided by some ISP's around the world. The version i obtained is distributed by ORANGE in Spain I've modified the configuration file to display english instead of spanish. Hit 'g' again and paste in the function name, hit return. Now you're at the very beginning of the KANAL referenced function.
If you're familiar with SHA-1, you'll know there are 3 main functions and its these that we should search for. SHA1Init - initialize a context SHA1Update - update a context with input SHA1Final - finalize a context, storing the result in output buffer. Of course, they will not be named this in IDA Pro, but can be found by cross-referencing the SHA-1 code we've already found using the 'x' command. I've determined already that this is the main compression routine which i've renamed SHA1Transform using the 'n' command. Although much more could be discussed, such as where input is validated - We have enough information to perform debugging and analyze input to this function. Start WinDbg or whatever debugger you're comfortable working with. This version of IDA has built-in debugger, but i believe WinDbg is more suitable for the task.
Assuming you've already installed any necessary USB/PCMCIA drivers, insert the wireless adapter you have before debugging the wizard. Open the stinstall.exe file with windbg File-Open Executable After windbg initializes, hit F5 to run. Depending on the configuration file and the plugins available to the wizard, you may or may not get the following window.Click Yes. Here is what we know so far. The format of a serial number: CP YY WW PP XXX (CC) And from what i can tell of the following serial number taken from router i received. CP 06 15 JT 109 (53) YY is the year produced.
WW is the week of year. ( some week of April )? PP is the production code. ( JT ) factory code? CC is the configuration code? ( 53 ) seems to be 00 - FF (0-9/A-F) (more like checksum byte) I can only guess that the XXX values represent the unit number To generate a default WEP/WPA key Remove the CC and PP values 'CP0615109' Convert the XXX values to hexadecimal.
'CP' Process with SHA-1 742da831d2b657fa53d347301ec610e1ebf8a3d0 The last 3 bytes are converted to 6 byte string, and appended to the word 'SpeedTouch' which becomes the default SSID. 'SpeedTouchF8A3D0' The first 5 bytes are converted to a 10 byte string which becomes the default WEP/WPA key. '742DA831D2' Thats it. Recovery With further analysis of the validation routine, it may be possible to recover a key based on the MAC. 'stkeys' is a simple program which attempts to find default keys based on the default SSID octets that appear after the word SpeedTouch.
![Tncap router keygen windows 10 Tncap router keygen windows 10](http://s002.radikal.ru/i198/1210/da/218c0b0da199.jpg)
It works simply by generating serial numbers, hashing with SHA-1 and comparing last 3 bytes with 3 octets of default SSID supplied to it. When a match is found, a.potential. key is printed.