No luck with my wordlist. Try posting it here: https://forum.hashkiller.io/index.php?forums/wpa-packet-cracking.16/
Make sure you fill this out when you do:
ESSID:
BSSID:
Known Default Mask:
Country Of Origin:
Attempts already made:
Hello everybody. Discovered that Netgear has a relatively new alias, especially when it comes to their default ESSID. In case you don't know, Netgear is using the name ORBI instead of Netgear in some of its default ESSIDs. Therefore instead of finding, say, NETGEAR75, you might find ORBI75. I will upload some interesting pictures. Feel free to collect ORBI compliance labels from the regular sites and post the info here if it's not in the V1.08 list. Note the ORBI series is advertised as a satellite series. This just means the system has multiple Wi-Fi receivers; the word satellite does not refer to the ones spinning round the Earth. Now if you have ORBI in your ESSID list, run the wordlist, as ORBI is Netgear! Enjoy! Garry
Thank you so much for the advice and help. I'll check out that ULM - sounds killer. That's awesome to clarify the Askey models - in my recon I've noticed several of those Askeys in the same "group" with Sagemcom Charters. Been using the same attack against all. I'm gonna upload a few I've had no luck with. I started collecting pcaps and trying to break those, but have had more luck with the PMKID. I'll post the ones I've been successful on; should I upload the potfile only or do you need ESSID info too? Thanks again
--- Double Post Merged, 1 Jun 2020 ---
AWESOME - thank you for those pics. I've located one of those - cloaked. These are great - thanks!
--- Double Post Merged, 1 Jun 2020 ---
Here are just a few Charter Wi-Fi caps I haven't been able to crack - mycharterwifi3g - which has two MACs - 2 devices - one beginning 1C: - Charter-supplied Sagemcom gateway - the other CC: Netgear. These might be messy - I can recap if necessary. I have PMKIDs I can post as well, those I've had success with, see below. Here's the ones I've cracked - using NetgearKiller or rockyou, with hashcat64.exe -m 16800 -a 6 -w 4 0222.hccapx NetgearKiller.dict ?d?d etc.
I got one of them to pop. Something wrong with the attached pcap.
1cb04477f63a:64166640884b:MySpectrumWiFi3c-2G:watchglobal570
1cb04477f63a:18b430f4b5ee:MySpectrumWiFi3c-2G:watchglobal570
That's amazing! Thanks for doing the recon! I've been focusing on my uncracked Askeys for a while, but I've also been wanting to do a big Netgear crackathon as well. I'll give those captures a shot if by that time someone hasn't cracked them yet.
--- Double Post Merged, 1 Jun 2020, Original Post Date: 1 Jun 2020 ---
I also got errors for 2 of those pcap files.
Awesome, brother, thank you! That one has been elusive - wrong attack, I'm sure...
--- Double Post Merged, 2 Jun 2020, Original Post Date: 1 Jun 2020 ---
Thanks for the nice words, brother! I've been working on this solo for so long it's amazing to have some help from some friends. I've a lot more pcaps I can post - as well as a long list from hcxdumptool with some cool identifying info, ESSID, MAC address stuff if that's useful; it seemed to dump some passwords with it, but I can't tell what MAC/AP they go with. I'll start sorting my madness pile here and upload some stuff. BTW - on running the noun + noun attack on Askeys, how do I merge the two noun or noun_large files to accommodate that attack? I did download a merge.sh file from GitHub - honestly I've no idea how to work it... Python it looks like? Not sure. I just tried when I woke up - but only one noun and 3 digits on the side; it did crack one though, lol, but it's one I already had. That Charter 1C is the first in a big string of APs: Charter AP - Netgear AP - ORBI - Netgear extenders - also a MikroTik that I can't get around, as well as two ATTs. I'll recapture and upload if I don't have them orderly; I suspect given the network structure they might share passwords... Sorry for the bad caps uploaded. Here are also a few other captures - hopefully functional - from the other APs I've had no luck with: the Netgear router (CC), which is an EX8000 I believe, ATT and that MikroTik anomaly. Thanks again to y'all for your help and hard work - cheers!
No problem. That one was on the Askey list. Looks like the ATT capture is messed up also.
--- Double Post Merged, 2 Jun 2020, Original Post Date: 2 Jun 2020 ---
I ran the other 2 and it was a no go.
ATT cap only has the broadcast message and message 1 (no handshake there). MikroTik cap has two PMKIDs in it:
532223d733c689e34126c82b3373a573*cc2de0bdce80*34d270b5298c*4d696b726f54696b2d424443453830
127164e1e6c6e4bdf2bde3cc374dbf47*cc2de0bdce80*b0fc0d305a01*4d696b726f54696b2d424443453830
Netgear cap is good; here is a cleaned hccapx. You need to learn how to clean a cap properly, using Wireshark: you export specified packets, choosing the broadcast message and M1, M2.
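Two line layouts come up in this thread: the hashcat "-m 16800" PMKID lines quoted in the post above (PMKID*AP_MAC*STA_MAC*ESSID_HEX, with the ESSID hex-encoded) and the cracked-output lines pasted earlier (AP_MAC:STA_MAC:ESSID:password, repeated once per captured handshake). The parser below is an added example, not code from any poster; the sample lines, MACs and ESSID in it are constructed, not values from the thread. It validates the field widths, decodes the ESSID, reports how many distinct stations each AP appears with (the "two PMKIDs" check), and collapses the repeated cracked-output lines to one record per AP/STA/ESSID triple.

```python
import re
from collections import OrderedDict

# Constructed sample lines (not from the thread; every value is made up):
#  - PMKID_LINES use the hashcat "-m 16800" layout: PMKID*AP_MAC*STA_MAC*ESSID_HEX
#  - POT_LINES use the cracked-output layout: AP_MAC:STA_MAC:ESSID:password
PMKID_LINES = [
    "00112233445566778899aabbccddeeff*aabbccddee01*112233445501*4c61624e65742d3031",
    "ffeeddccbbaa99887766554433221100*aabbccddee01*112233445502*4c61624e65742d3031",
]
POT_LINES = [
    "aabbccddee01:112233445501:LabNet-01:examplepass",
    "aabbccddee01:112233445501:LabNet-01:examplepass",  # same handshake logged again
    "aabbccddee01:112233445502:LabNet-01:examplepass",  # second client, same AP
]

PMKID_RE = re.compile(r"^[0-9a-fA-F]{32}$")
MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")


def fmt_mac(raw12):
    """Turn 'aabbccddee01' into 'aa:bb:cc:dd:ee:01'."""
    return ":".join(raw12[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_pmkid_line(line):
    """Split one 16800 line into its four fields and decode the hex ESSID."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '*'-separated fields, got {len(parts)}")
    pmkid, ap, sta, essid_hex = parts
    if not PMKID_RE.match(pmkid):
        raise ValueError("PMKID must be 32 hex digits")
    if not (MAC_RE.match(ap) and MAC_RE.match(sta)):
        raise ValueError("AP and STA MACs must be 12 hex digits")
    if len(essid_hex) % 2 or len(essid_hex) > 64:
        raise ValueError("ESSID hex must be even-length and at most 32 bytes")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    return {"pmkid": pmkid.lower(), "ap": fmt_mac(ap), "sta": fmt_mac(sta), "essid": essid}


def stations_per_ap(lines):
    """Map each AP MAC to the sorted list of distinct client MACs seen with it."""
    out = {}
    for line in lines:
        rec = parse_pmkid_line(line)
        out.setdefault(rec["ap"], set()).add(rec["sta"])
    return {ap: sorted(stas) for ap, stas in out.items()}


def parse_pot_line(line):
    """Split AP:STA:ESSID:password. The password is last and may itself contain
    ':', so split at most three times from the left. An ESSID containing ':'
    would still be ambiguous in this layout, which is not self-delimiting."""
    fields = line.rstrip("\n").split(":", 3)
    if len(fields) != 4:
        raise ValueError("expected AP:STA:ESSID:password")
    ap, sta, essid, password = fields
    if not (MAC_RE.match(ap) and MAC_RE.match(sta)):
        raise ValueError("AP and STA MACs must be 12 hex digits")
    return {"ap": fmt_mac(ap), "sta": fmt_mac(sta), "essid": essid, "password": password}


def dedupe_pot(lines):
    """Keep the first record for each (AP, STA, ESSID) triple, preserving order,
    so repeated lines for the same handshake collapse to one."""
    seen = OrderedDict()
    for line in lines:
        rec = parse_pot_line(line)
        seen.setdefault((rec["ap"], rec["sta"], rec["essid"]), rec)
    return list(seen.values())


if __name__ == "__main__":
    for ap, stas in stations_per_ap(PMKID_LINES).items():
        print(f"{ap}: {len(stas)} PMKID(s), stations {stas}")
    for rec in dedupe_pot(POT_LINES):
        print(rec["ap"], rec["sta"], rec["essid"])
```

Run as-is it reports one AP with two stations for the PMKID lines and reduces the three cracked-output lines to two records. Feeding it a real 16800 file line by line is the same call; the ESSID decode uses errors="replace" so a non-UTF-8 ESSID byte string never aborts the parse.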
That's odd. It came up as the MySpectrum one I cracked earlier.
cc40d04cfb0d:ec2ce201c75c:MySpectrumWiFi3c-2G:watchglobal570
Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: MySpectrumWiFi3c-2G (AP:cc:40:d0:4c:fb:0d STA:ec:2c:e2:01:c7:5c)
Time.Started.....: Mon Jun 01 17:09:23 2020 (3 secs)
Time.Estimated...: Mon Jun 01 17:09:26 2020 (0 secs)
Just the ATT. Check it with Wireshark too; usually I first check it with: aircrack-ng xx.cap, then Wireshark to clean it, then cap2hccapx to convert it.
Thank you, Longshanks - I will learn that immediately; I feared some of my caps were messy.
--- Double Post Merged, 2 Jun 2020, Original Post Date: 2 Jun 2020 ---
So looking at this I am realizing that since the myspectrumwifi3c cracked earlier is related to the ATT somehow (part of the same convoluted network - the owner has a whole crapload of APs there in one house and an exterior building), is that why they came up with the same pass? I'm gonna recapture the ATT now and try that out. BTW - the CC:0D MAC is the Netgear router that is connected to the myspectrumwifi3c cracked earlier by Ntrain, if that helps with the network relationship. I believe all these pcaps I've posted are in the same house - randomly connected.
Here, have a look at this; I made this video to teach someone else. It's just a demo. https://mega.nz/file/TzB3ACoY#TiNIR41AQo8xaOqIcUlzQ-AtheIZ-KPrdgYdTYYao2s
First use eapol as a filter to choose M1 and M2 (make sure the MACs correspond correctly), then use this as a filter and choose the broadcast message:
wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol
Then export specified packets, choose marked packets only (3) and name it.
I'm looking for some details on cleaning that capture using Wireshark - is there an easy way to explain that, or should I keep digging for tutorials?