[Archived] Default Router WPA Keys - Keyspace Used

Hash-IT

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
25,389
Reaction score
27
Credits
261
Plusnet Broadband UK a-zA-Z0-9 Len:64 ! Only vulnerability is WPS on some older models.
 

mariust5

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
330
Reaction score
2
Credits
0
provider = AXIS ( uk )
router name = technicolor TG582n PRO
network name = TNCAP39E8CB
key = 5B018290C5
 

Cybrax

Member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
6
Reaction score
1
Credits
0
Has anybody ever found a default router key [A-Z] that included any of the following characters... I or O?

My thinking is that, because they could be mistaken for digits by users, any key containing them should ideally not be issued. This would be good news for us because it reduces the number of possible combinations to brute-force. Not a lot, I grant you, but every little helps. (L and Q could also be regarded with some ambiguity as well.)
 

Hash-IT

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
25,389
Reaction score
27
Credits
261
Cybrax said:
Has anybody ever found a default router key [A-Z] that included any of the following characters... I or O?

Yes I have, it was a SKY router.
 

blandyuk

Active member
Trusted
Contributor
VIP Member
Feedback: 0 / 0 / 0
Joined
Jul 6, 2011
Messages
18,621
Reaction score
498
Credits
11,477
Updated the router list at the top with the new BTHub4 details. Also attached a pic of one I worked on, lol xD, find it attached.
 

eftecno

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
826
Reaction score
15
Credits
0
I think new Technicolor TG582n are 10 characters upper hex

TNCAP-XXXX [0123456789ABCDEF] Len: 10
 

tamaska

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
58
Reaction score
1
Credits
0
So, info from Cyprus; I recently moved to the UK.

This is the wifi of Cyprus mostly:

PRIMEHOME-85 # KEY FOUND! [ 9687dde4 ]
PRIMEHOME-45 # KEY FOUND! [ 90808148 ]
PRIMEHOME-51 # KEY FOUND! [ 16470F68 ]


All PRIMEHOME networks in Cyprus have 8-character-long WPA keys from 9876543210ABCDEF. On my PC it takes max 2 days :) Hope this will help you in some way :D
 

hash-ire

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
1,452
Reaction score
5
Credits
0
Resuming my previous post about NETGEARXX networks:

NETGEARXX access points (where XX are decimal numbers from 00 to 99) have default factory passwords.

Each password is formed as follows: adjective + noun + 3 decimal numbers.

Here are some examples in case someone wants to try to build up his own dictionary (ESSID : key : model : MAC : serial : login username : login password : WPS; empty if unknown):

NETGEAR00 : mistymint902 : DGN 2200v3 : 100D7F34???? : : admin : password : 40408880
NETGEAR10 : imaginaryviolin590 : WNDR3400v3
NETGEAR12 : livelychair848 : WNDR4300 : 28C68E1854F3 : 36B1315X00585 : admin : password
NETGEAR25 : festiveflower225 : R6300 : : : admin : password : 81968220
NETGEAR29 : exoticbutter003
NETGEAR34 : sillybug772 : R6250 : 4494FC50B225 : : admin : password
NETGEAR35 : aquaticoctopus034 : R7000
NETGEAR37 : vastcoconut260 : WNDR3800 : : : admin : password
NETGEAR45 : blueprairie979 : : 4494FC?????? : BTA13??????4A : :
NETGEAR47 : heavybanana530 : DGN2200v4 : 28C68E8AB6E4
NETGEAR48 : breezysea672 : WNR220 : 008EF24B6ED8 : 2J74275T006AD : admin : password
NETGEAR53 : magicalwater421 : JNR3000 : 008EF28F4B64 : 2XS229B000001 : admin : password : 26168258
NETGEAR62 : friendlyjade842
NETGEAR70 : royalcheese478 : DGND4000 : 00BEF2?????? : 34F128BN006FD : admin : password
NETGEAR70 : narrowjungle555 : WNDR3800 : 204E7F71704A : 2M81195F00171 : admin : password
NETGEAR89 : helpfultulip601 : WNDR3400v2 : 74440154701A / 744401547019 : *2NS21C77AA138* : admin : password
NETGEAR96 : huskyocean593 : R7000
NETGEAR99 : yellowtulip399 : WNDR3400v2 : 2CB05D3979AF / 2CB05D3979AE : *2NS2217X126DE* : admin : password
NETGEAR99 : imaginarytomato848 : WNDR3400v2 : : : admin : password
unknown : silkysky657
unknown : blackmoon339
unknown : helpfulflamingo578
Surewest-09 : oddviolin958 (provider is Surewest, manufacturer Netgear).

WPS should be ON by default but there are different models of these access points with different behaviors. The lock period may change from one to another. An easy workaround could be the option -d [num] or -r [x:y].

Of course all this data comes from tests and various sources (googling). Some of the things described here might not be 100% correct.
 

l3iggs

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
88
Reaction score
1
Credits
24
Another one to add:
ATTXXX - [0-9] Len: 10. Common AT&T DSL routers in the USA.
 

hash-ire

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
1,452
Reaction score
5
Credits
0
Now, a list of default AP passwords. Yes, some APs have default wireless passwords and some users don't even bother to change them. LOL.

I hope I'm not going overthread with this one.

> Italy:
Linkem-XXXX (XXXX: last 2 bytes of the BSSID): 12345678

> Russia:
YotaRouterXX: 12345678
Beeline-Router: beeline2011
MTS-ROUTER: adminmts1
OnLime: onlime.ru

> Holland:
POS: ABCABCABCA

I haven't had a chance to verify all these passwords. I hope this data is correct.
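The formats collected across this thread (Plusnet, TNCAP, PRIMEHOME, ATTxxx, the NETGEARxx adjective+noun+digits shape, and the fixed shared passwords just listed) differ enormously in how much searching they actually leave an attacker. The following is an added example, not code from any poster: an audit helper a network owner can run against their own passphrase to see whether it is shaped like a known default and how many bits of keyspace that shape really has. The NETGEAR word-list sizes and the 25,000 guesses/s rate are assumptions labelled as such (the thread gives neither; the rate is simply the one that reproduces the "max 2 days" quoted for the 8-hex PRIMEHOME space); the alphabets and lengths come from the posts.

```python
import math
import re

# Fixed, shared default passwords reported in the thread (Linkem, Yota, Beeline,
# MTS, OnLime, POS, and the Netgear admin login). A key equal to one of these has
# effectively zero keyspace: every unit of that model ships with the same secret.
SHARED_DEFAULTS = {"12345678", "beeline2011", "adminmts1", "onlime.ru",
                   "ABCABCABCA", "password"}

# Per-device generated defaults with a fixed alphabet and length, as described
# in the posts. Order matters: the all-digit AT&T shape must be tested before the
# upper-hex shape, which would otherwise also match a 10-digit key.
#   (label, full-match regex, alphabet size, key length)
FIXED_ALPHABET_FORMATS = [
    ("AT&T ATTxxx: digits, 10 chars",                        r"[0-9]{10}",       10, 10),
    ("Technicolor TG582n (TNCAP-xxxx): upper hex, 10 chars", r"[0-9A-F]{10}",    16, 10),
    ("PRIMEHOME (Cyprus): hex, 8 chars",                     r"[0-9A-Fa-f]{8}",  16, 8),
    ("Plusnet: a-zA-Z0-9, 64 chars",                         r"[A-Za-z0-9]{64}", 62, 64),
]

# NETGEARxx: adjective + noun + 3 digits. The keyspace is set by the size of the
# two word lists, not by the character count. The list sizes are ASSUMED
# placeholders for this example; the thread gives no figures.
ASSUMED_ADJECTIVES = 2000
ASSUMED_NOUNS = 2000
WORDS_PLUS_DIGITS_RE = r"[a-z]{4,40}[0-9]{3}"


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of keys a fixed-alphabet generator can emit."""
    return length * math.log2(alphabet_size)


def word_pattern_bits(adjectives: int, nouns: int) -> float:
    """log2 of adjectives * nouns * 1000 (the three trailing decimal digits)."""
    return math.log2(adjectives * nouns * 1000)


def classify(key: str) -> dict:
    """Map a WPA passphrase to the weakest default pattern it fits.

    Returns {"pattern": label or None, "bits": effective keyspace in bits}.
    A match means "shaped like a known ISP default", not proof that it is one.
    """
    if key in SHARED_DEFAULTS:
        return {"pattern": "shared fixed default", "bits": 0.0}
    for label, pattern, alphabet, length in FIXED_ALPHABET_FORMATS:
        if re.fullmatch(pattern, key):
            return {"pattern": label, "bits": keyspace_bits(alphabet, length)}
    if re.fullmatch(WORDS_PLUS_DIGITS_RE, key):
        return {"pattern": "NETGEARxx: adjective + noun + 3 digits",
                "bits": word_pattern_bits(ASSUMED_ADJECTIVES, ASSUMED_NOUNS)}
    # Nothing known matched: fall back to a crude character-class estimate.
    alphabet = 0
    if re.search(r"[a-z]", key):
        alphabet += 26
    if re.search(r"[A-Z]", key):
        alphabet += 26
    if re.search(r"[0-9]", key):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", key):
        alphabet += 33  # printable ASCII punctuation
    if alphabet == 0:
        return {"pattern": None, "bits": 0.0}
    return {"pattern": None, "bits": keyspace_bits(alphabet, len(key))}


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case days to try every key at the given rate.

    The rate is ASSUMED by the caller; the thread quotes no hash rate, only
    "max 2 days" for the 8-hex PRIMEHOME space, which ~25,000 guesses/s reproduces.
    """
    return (2.0 ** bits) / guesses_per_second / 86400.0


if __name__ == "__main__":
    # Sample keys taken from the posts above plus one strong one (constructed).
    for k in ["12345678", "5B018290C5", "9687dde4", "mistymint902",
              "correct-horse-7Battery!"]:
        r = classify(k)
        print(f"{k:24} {str(r['pattern']):45} {r['bits']:6.1f} bits "
              f"{days_to_exhaust(r['bits'], 25_000):12.1f} days @ 25k/s")
```

The point the numbers make: an 8-hex key is 32 bits and a 10-hex key 40 bits, a two-word-plus-digits key is governed by the word lists (about 32 bits under the assumed 2000 x 2000 lists, however long it looks), and a shared fixed default is 0 bits. Only the 64-character Plusnet alphabet is out of reach of exhaustive search; anything that classifies as one of the other shapes should be replaced with a locally chosen passphrase, and WPS disabled where the device allows it.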
 

nobozos

Member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
12
Reaction score
2
Credits
0
I'm working with an access point which I assume to be Netgear, having looked up the MAC address and found it in Netgear's range.

The ESSID is ATTxxx, which would be a default for an AT&T-provided router. Although I know they used to use D-Link routers, I've seen a couple of ATTxxx-named access points with MAC addresses in the Netgear range, so I would guess they are now using Netgear in at least some cases.

(It occurs to me that renaming the router to another ISP's default, and giving it the MAC address of another router manufacturer, would be a good way to discourage penetration....)

I've tried oclHashcat+ using the rockyou and psychowar databases to no avail.

Now, since I realize it's a Netgear router, I'm attacking it using the adjective + noun + xxx default you've suggested.

(I know that this is a relatively new router, and that the previous router (probably a D-Link) had a 10-digit numeric password, possibly the default for the D-Link router. So with a default AT&T access point name, and with the previous passphrase likely the router's default, it seems likely that the passphrase is the Netgear default. On the other hand the passphrase could be wildly different: this is for a Chinese restaurant owned by a Vietnamese couple...!)

I found a lexical database at http://wordnetcode.princeton.edu. This provides large files of adjectives, nouns, etc., which can be manipulated with software tools, ulm, a good editor, etc. I've stripped out a list of adjectives and a list of nouns, cleaned out any special characters (which I assume are not found in the Netgear keyspace), selected lengths from 2 to 10 characters (an arbitrary restriction, but it seems reasonable), sorted and deduplicated the lists, and used combinator to generate a rather large list, which I then cut down to a 17-character maximum string length. This, with the numerical digits added, would give me strings of 7 to 20 characters (WPA max keylen). Then I used the hashcat GUI to run a hybrid dictionary + mask attack, and got an estimated run time of about 30 days for my single HD7970. Then I came across the recommendation to use splitlen to cut the input dictionary into same-length wordlists. oclHashcat+ starts with the shorter-length wordlists and works up. This seems good, since I would think the Netgear passphrases would normally be less than the maximum length. I note that splitlen, unless recompiled, defaults to a maximum length of 15 characters, which plus xxx numeric gives me a max length of 18. So if I don't get a hit, I may use "len" to split out the 16- and 17-character strings and run those separately.

I'm about 4 days in, and oclHashcat+ is working on the "11" length file. I'm hoping to hit paydirt in the next few days....

Others working against Netgear routers may wish to look at the Princeton site for good lists of adjectives and nouns. If desired, I'd be happy to contribute my adjective and noun lists, which are quite reasonable in size, or any of the further processed files, which become rather large.
 

dlux22

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
127
Reaction score
1
Credits
0
Just to let you know, BT Home Hubs use 2-9 a-f, not 0-9; this will save a lot of time.
 

Hash-IT

Active member
Feedback: 0 / 0 / 0
Joined
Dec 30, 2019
Messages
25,389
Reaction score
27
Credits
261
This may be a long shot, but I have just looked at every SKY password I could find and I noticed that none of them start with an A.

Has anyone ever found a SKY WPA password starting with an A?

Like A?u?u?u?u?u?u?u

Thanks.
 