Find seed from password about arrispwgen HOT 6 CLOSED

I think it should be possible to reverse the algorithm and get to the seed from the password, yes, as long as you also have the date for that password. It would have to be implemented but from a quick glance at the code I think it should be possible. Pull requests are welcome ;)

Keep in mind that this only applies to Arris modems that have a "password of the day". Other modems with a "fixed" password will not benefit from this.

from arrispwgen.

i know, just Arris modems, and i know too that is possible... i can try reversing the perl version but i am not a programmer i think is much more easy for you :D, i have a problem because i have the seed, i have the oid used for setting a oid "hex-string" value, conversing to ascii is just crap... -.- what do u think? ... and i soo soorry for my english :(

from arrispwgen.

No need to apologise for your English, I don't know where you're from but I bet I can't speak your native language as well as you speak English ;)

If you have the OID you could set the seed via SNMP - at least in theory. Converting from ASCII to HEX is easy, you can use one an online tool for that.

I added a feature-request tag to this issue and I'll try to implement the reverse algorithm but I don't know when I'll have the time for that. I'll post here again when I have some news.

from arrispwgen.

thank you.................. well i know the oid, but i can't get the seed, when i run the snmpget command i get just a big nothing ("") i looking how the system set the seed inside the nvram, i have the hexadecimal seed, i get it from a file config, i did the conversion from hexadecimal to ascii, but the word that i get is garbage, and don't work, i guess that the hexadecimal oid value in the config file its encrypted or coded. well... thank you for ur attention and i hope u have a time for reversing the algorithm and make the code :D regards...

from arrispwgen.

I have started an effort to implement a way to reverse a seed from a password but I don't think there's a way to do it efficiently.

It boils down to something like this:

I iterate over the password, one character at a time, and for each character I have to reverse the following equation from the generation algorithm (where % is the arithmetic modulus operator):

A = (X + Y) % 36

I know A but I don't know X or Y:

• A is the character from the password for the current iteration.
• Y is a value calculated for that position when the password is generated.
• X is the seed character at the same position as the position of the password character of the current iteration.

It is possible to know the value of X + Y (and even that is tricky because of the modulus) but that's useless because we need their values separately.

If there was a way to do this, the problem would be solved but as far as I can tell, the only way is by reversing the modulus, which many times has more than one possible solution and no way to know which one is the one we want.

Brute forcing is also not the answer, at least not on regular hardware. A seed consists of 10 characters from A to Z and 0 to 9, totalling 36 possibilities for each of the 10 seed characters. That means the number of possible seeds for a given password and its date is 36 to the power of ten, which is 36 billion possibilities - for each day. Unless you have a monster machine with a few powerful GPUs, it would take dozens of days, maybe even hundreds.

There might be a way around it but until I or someone comes up with it, I'm declaring this to be "impossible", sorry.

I might implement a brute forcer but I'm pretty sure it will be too slow to be usable. Perhaps if done via a GPU but I have never done something like that and have no idea where I would start. Maybe I'll give it a shot when I'm bored and want a new challenge.

from arrispwgen.

Just for fun I tried using crunch to generate all the possible seeds. It says the number of passwords is "slightly" larger than the 36 billion I mentioned before (must have been sleepy, I multiplied 36 by 10, ten times, which is obviously wrong).

$ ./crunch 10 10 ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -o arris_seed_list.txt

Crunch will now generate the following amount of data: 40217742840692736 bytes
38354628411 MB
37455691 GB
36577 TB
35 PB
Crunch will now generate the following number of lines: 3656158440062976

lol

from arrispwgen.