BT Home Hub 5

Discussion in 'Dictionary, Password & Wordlists' started by xploitzz, 2 Jul 2014.

  1. xploitzz

    xploitzz Member

    Joined:
    27 Aug 2013
    Messages:
    2
    Likes Received:
    0
    I want to build a dictionary file for BT Home Hub 5 as these are not WPS hackable. Can anyone confirm the default WPA mask so I can start generating the hashes, please?

    What I think the password mask is (but I would be grateful if anyone can confirm) is

    0000abcdef

    so numbers 0-9, letters a-f, 10 chars long. Can anyone confirm?
     
  2. meknb

    meknb Mod
    Moderator Dev Team VIP

    Joined:
    2 Jun 2012
    Messages:
    702
    Likes Received:
    202
    BT hubs use 2-9 a-f, 10 chars, same as the BT Hub 3 and 4. Good luck with the dic, it would be large; best use hashcat or something.
     
  3. xploitzz

    xploitzz Member

    Joined:
    27 Aug 2013
    Messages:
    2
    Likes Received:
    0
    Got some pretty hardcore GPUs, some cheap disk space and plenty of time. Yes, I'm using Hashcat; estimated time is around 45 days with the right mask.
     
  4. meknb

    meknb Mod
    Moderator Dev Team VIP

    Joined:
    2 Jun 2012
    Messages:
    702
    Likes Received:
    202
    Just hope your electricity is on the fiddle; it would cost a fortune to crack otherwise.
    Most stuff like that I just hire GPU time per day, but these days electricity prices are getting more expensive, and most GPUs are mining Bitcoin/Dogecoin.
    Most BT ones I've come across are 5 numbers and lowercase letters a-f.
    With the numbers I've never seen any 0 or 1 on Hub 3/4/5,
    although I have come across 6 numbers on Hubs 4/5.
    For the masks maybe just split it,
    i.e.
    -1 23456789abcdef
    Masks:
    2?1?1?1?1?1?1?1?1?1
    3?1?1?1?1?1?1?1?1?1
    4?1?1?1?1?1?1?1?1?1
    ...etc...
    e?1?1?1?1?1?1?1?1?1
    f?1?1?1?1?1?1?1?1?1

    I've had various success using varmacreaver against BT hubs, but you still won't get the key in a day, maybe a day and a half; slow the pin request right down.
     
    #4 meknb, 3 Jul 2014
    Last edited: 3 Jul 2014
  5. h4x0rm1k3

    h4x0rm1k3 Active Member

    Joined:
    27 May 2013
    Messages:
    19
    Likes Received:
    2
    @meknb, any chance you remember the command you used for BT hub hacking using varmacreaver? I have loads of hubs in my area and most of them are very close to me, so I would like to attack 1 or 2 of them, as with all the other codes I have for networks in my area, although working, the connections and speeds are crap at the moment, so I would rather use the time (especially when sleeping!) to get some of these hubs cracked!

    If you have any settings for Virgin Media & Sky I'd be interested to hear them too!

    Thanks
     
  6. meknb

    meknb Mod
    Moderator Dev Team VIP

    Joined:
    2 Jun 2012
    Messages:
    702
    Likes Received:
    202
    Can't remember which commands; best start slow, usually takes a couple of days but still quicker than cracking the handshake.
     
    #6 meknb, 31 Jul 2014
    Last edited: 31 Jul 2014
  7. Pixi-Overlord

    Pixi-Overlord Well-Known Member
    VIP

    Joined:
    9 Sep 2013
    Messages:
    20
    Likes Received:
    4
    I'm in the UK too and I have issues with all the Sky routers with WPS that lock after 3 attempts, but BT routers no problem. Also all Virgin have WPS disabled by default.
    Am currently working on a BT Home Hub 5 ;)
     
  8. meknb

    meknb Mod
    Moderator Dev Team VIP

    Joined:
    2 Jun 2012
    Messages:
    702
    Likes Received:
    202
    I think the Sky routers require the push button for WPS (I haven't got a new one to test on); have a look in Wireshark. I think the lockout is about an hour.
    I don't think the BT hubs require the push button, just restrict the amount per sec. Might sound daft, but if you slow the pins per sec you can crack it quicker (stops the repeat pins). Also use -vv for better debug.
     
  9. h4x0rm1k3

    h4x0rm1k3 Active Member

    Joined:
    27 May 2013
    Messages:
    19
    Likes Received:
    2
    Did you ever manage to get the WPS pin for that BT Hub 5, Pixi-Overlord? Would be interested to know, as I'll then start trying at 15 sec per pin if it did! Thanks


     
  10. m4cc48100

    m4cc48100 Member

    Joined:
    25 Oct 2015
    Messages:
    2
    Likes Received:
    0
    Wondering if you had joy with this..?
    My BT Home Hub 4 has a default pass of 8 chars, again between 2-9 and a-f.

    It's making me wonder if all Hub 4s have 8 chars and Hub 5 has 10.
     
  11. h4x0rm1k3

    h4x0rm1k3 Active Member

    Joined:
    27 May 2013
    Messages:
    19
    Likes Received:
    2
    The BT Hub 5 has 8 characters using the same keyspace as the 2, 3 & 4. I'm looking at making a reduced keyspace list for these & Sky at some point, as I have done just for the Virgin Media, but it's still going to be a fairly big size.
     
  12. m4cc48100

    m4cc48100 Member

    Joined:
    25 Oct 2015
    Messages:
    2
    Likes Received:
    0
    I had better warn and apologize for my long post here.. sorry peeps...


    Correction for my earlier post: after getting off my arse I went and checked my Hub 4's default password and it is 10. So you're right..

    I have a question that kinda mixes with the original question.. it is:

    I've made a list with crunch of 10 letter 'words/keys' and I've done them using the a@@@@@@@@@ - b@@@@@@@@@ - c@@@@@@@@@...
    But what I need is a command that I can use to remove all keys that have only numbers or only letters after the first static letter: a222222222 / b764851234, or abcdefedca / aaaaaaaaaa.

    So the original list I made starts with letter b.. So all combinations using the alphanumeric flag (abcdef34567890) but making the first letter static.. The list comes to 108GB...lol... So I used the -z flag so crunch will make separate compressed files once they reach 8GB. So far it's up to 24 files that are 850MB (8GB really but zipped).. I'm assuming that if I can find the command or way to remove all the 'words' that only have nums and letters it will reduce their size quite a bit....

    I hope anyway.. :(

    Also just to note.. I originally tried cracking it with reaver; that took roughly 40 hours for it only to get the bloody 90.90% loop on key something like 99987***.. It simply didn't find it.. A lot said to insert the 4 numbers and let it carry on, which is what I did originally, keeping the 9998 and trying to find the rest..
    But after reading everyone's comments about this fault we're getting I started again from scratch and went into reaver's db folder and changed the 5th pin attempt to the pin it said was it (9998).. So I left it running and I saw my number come up.. pin advanced, trying next pin, 9998.. ...??!!??!?!?!?!?

    Pin advanced.. Didn't stop and jump to 90% because it was the wrong one.. So I therefore start from scratch using the -t flag, along with -d, -x... the list goes on and on.. Using all these seems to make reaver very buggy and it sometimes just stops looking altogether.. I tried leaving 61 seconds between each pin attempt; if it gets a message that the AP is down I've set it to stop for 1 hour 15 mins, and so on and so on, but never any luck.. It's really frustrating now.. I hate giving up, but if it carries on like this for much longer I might do.. I've tried seeing if it's a bug but it doesn't seem to be, or no one seems to know a way to fix it.
    I'm assuming that it's the router that shuts shop once a wrong pin is entered.. Trying to figure out how long to wait is key, I guess, and figuring out which flags will work without making reaver stop..
    Any help regarding this would be really, really appreciated.. And if someone could show me or direct me to a fix I'm willing to even donate a few quid.. So please, if anyone knows what I'm doing wrong, there's a reward for showing me and getting it right... lol.. :)

    Honestly.. I will give a reward.. And not a cheapo tenner or something.. it'll be a proper one.
     
    #12 m4cc48100, 27 Oct 2015
    Last edited: 27 Oct 2015
  13. h4x0rm1k3

    h4x0rm1k3 Active Member

    Joined:
    27 May 2013
    Messages:
    19
    Likes Received:
    2
    I had access to a 10 char HEX wordlist generator which had various rules built in specifically for WiFi handshake cracking/bruteforcing. It also has extra switches that you can use to build them to your specification; for example, I would probably advise using the -lower switch for lowercase output & the -5minuniques switch so that your wordlists will have 5 minimum unique characters per password. The switch info is in the readme anyway. I would also use the -no01 switch so that it uses 2-9 & a-f only, so the keyspace is correct. The source is included just in case you want to add or refine the rules yourself. Hope it's helpful.

    https://www.mediafire.com/?zc10jvpojgz381p
     
    #13 h4x0rm1k3, 29 Oct 2015
    Last edited: 29 Oct 2015
    • Like Like x 1
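The thread repeatedly sizes the factory key space by hand (14 symbols, 10 chars, mostly 5 or 6 digits, a "5 minimum unique characters" rule). The following is an added example, not any poster's tool or the generator linked above, that puts those counts on a defender's footing: it computes how many keys the described structure allows and how many bits that is worth, so a hub owner can see why the printed default is a weak secret compared with a longer random passphrase. Everything here is constructed from the structure stated in the thread; the guess rate in `report()` is a placeholder, not a benchmark of any hardware.

```python
import math
import string
from math import comb

# Key structure as described in the thread (constructed assumption, not a spec):
# symbols 2-9 and a-f, 10 chars, 0 and 1 never observed.
DIGITS = "23456789"
LETTERS = "abcdef"
ALPHABET = DIGITS + LETTERS


def full_keyspace(length, alphabet=ALPHABET):
    """Every string of `length` symbols drawn from `alphabet`."""
    return len(alphabet) ** length


def keyspace_with_digit_count(length, n_digits):
    """Strings of `length` with exactly `n_digits` digit positions (anywhere)
    and letters in the remaining positions: the '5 numbers and a-f' pattern."""
    n_letters = length - n_digits
    return comb(length, n_digits) * len(DIGITS) ** n_digits * len(LETTERS) ** n_letters


def keyspace_min_unique(length, min_unique, alphabet=ALPHABET):
    """Strings of `length` over `alphabet` that use at least `min_unique`
    distinct symbols, counted by inclusion-exclusion over the exact number
    k of distinct symbols (a surjection count for each k)."""
    n = len(alphabet)
    total = 0
    for k in range(min_unique, min(n, length) + 1):
        # strings that use every symbol of a fixed k-symbol set at least once
        onto = sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))
        total += comb(n, k) * onto
    return total


def bits(keyspace):
    """Entropy-equivalent size in bits, for comparison with policy targets."""
    return math.log2(keyspace)


def days_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every key at a sustained guess rate."""
    return keyspace / guesses_per_second / 86400


def report(rate=100_000):
    """Compare the factory-key structure with a 16-char random passphrase.
    `rate` is a placeholder guesses/second figure, not a measured one."""
    factory = full_keyspace(10)
    observed = sum(keyspace_with_digit_count(10, d) for d in (5, 6))
    unique5 = keyspace_min_unique(10, 5)
    strong = full_keyspace(16, alphabet=string.ascii_letters + string.digits)
    rows = [
        ("all 14^10 keys", factory),
        ("5 or 6 digits, rest a-f", observed),
        ("at least 5 distinct symbols", unique5),
        ("16 random alphanumerics", strong),
    ]
    for label, space in rows:
        print(f"{label:30s} {space:>28,d} keys  {bits(space):6.1f} bits  "
              f"{days_to_exhaust(space, rate):>14,.1f} days @ {rate:,}/s")
    return {label: space for label, space in rows}


if __name__ == "__main__":
    report()
```

The "5 or 6 digits" row is the interesting one for an owner: restricting the mix of digits and letters the way the posters observed roughly halves the space, and every such structural regularity is a reason to replace a factory key rather than rely on it.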
