Fios G3100 / E3200 Research

FiosFiend

Active member
Feedback: 0 / 0 / 0
Joined
Apr 6, 2025
Messages
173
Reaction score
200
Credits
2,812
@Sardukarrr yeah for the NOK 5G21 you would have to pay attention to the MAC prefix since there are other models with the same SSID. @samer59 posted wordlists for the TMobile KVD21 which looks similar to the FAST 5688W you posted.

We have another update to the password database this week, I’ve added over 100 new entries!

Updated Data Set: router_data_FULL_081125.xlsx
The Dataset now contains:
G3100/E3200 - 742 entries
CR1000 A/B - 194 entries
ARC-XCI55AX - 145 entries
ASK-NCQ1338 - 168 entries
WNC-CR200A - 65 entries
G1100 - 395 entries
NVG558HX - 67 entries
Other - 163 entries
Total - 1939 entries


This week we caught an interesting partial password collision of fro57 for the G3100
VFNEW_62.jpg
EB_0804_6674.jpeg

Nothing else seems to match up so I am not sure it really means anything, since we also have fro83 and fro38 for the same device.
E32_Fresh_84.jpg
image_160.jpg


I also looked through more of the Verizon hotspots. Most of them don’t show a default password, but I did find a few models that do!

VZ_291LVW_1.jpeg VZ_291LVW_3.jpeg
Model 291LVW
SSID Verizon-291LVW-XXXX
Password is 8 characters HEX



VZ_MW513_1.jpeg VZ_MW513_2.jpeg
Model MW513U
SSID Verizon-MW513U-XXXX
Password is 8 digits



VZ_Mbr1515_1.jpeg
Model MW513U
SSID Verizon-MBR1515-XXXX
Password is 8 digits
 

FiosFiend

Let’s see if the forums stay up long enough for me to get an update in. It’s been a little bit since the last one, but I have been keeping busy.

First, we have an update to the password database!

Updated Data Set: router_data_FULL_081125.xlsx
The Dataset now contains:

G3100/E3200 - 823 entries
CR1000 A/B - 232 entries
ARC-XCI55AX - 155 entries
ASK-NCQ1338 - 183 entries
WNC-CR200A - 74 entries
G1100 - 408 entries
NVG558HX - 68 entries
Other - 193 entries
Total - 2136 entries


I have been working with @RealEnder a bit on finding and clearing the default passwords in the devices I’ve outlined in this thread. I am happy to share that I have finally cracked a few Verizon hashes, however they are only hotspot devices from my last post 🤷‍♂️. Attached below are the founds that I’ve submitted.

@Sardukarrr you’ll see I was able to find many of the T-MOBILE SSIDs, but only ones with the MAC address that I’ve shared. However, I was able to find 1 other by matching the information broadcast in the packet, which always looks like this.

Code:
38a067356b80    openwrt.org    WAP    12345    OpenWrt AP    876543219abcdef0123438a067356b77    TMOBILE-6B77

MAC prefixes 08:9B:B9, 0C:7C:28, 28:74:F5, 38:A0:67, 40:E1:E4, AC:8F:A9, DC:8D:8A, E0:1F:2B

I was also able to locate a few more MAC prefixes for the ATT MR1000 in the same manner, for this one the UUID is always random.
Code:
cc40d0b0438f                        09ce947ac5985981bfdd3c996ca610a2    ATT-WIFI-p2hx

MAC prefixes 10:0C:6B, 10:DA:43, 3C:37:86, 44:A5:6E, 50:6A:03, 8C:3B:AD, CC:40:D0


1757723043267.png
Model Hitron CGNM-2250 and CGNM-2252
SSID CGNM-XXXX, suddenlink.net-XXXX, SHAW-XXXX

The CGNM-XXXX SSID is for models 2250 and 2252, but most have already been found on WPA-SEC. However, in the examples I found, the password always starts with the prefix 2511. The 5th digit is 5, 6, or 7 and the 7th digit is almost always 0, but I did capture a password with 1 in that position. This reduces the keyspace to much lower complexity.

hashcat -m 22000 -a 3 CGNM.txt -1 567 -2 01 2511?1?d?2?d?d?d?d?d

1757723105304.png
The SSID suddenlink.net-XXXX is also for this device and follows the same pattern, many of these have not been cracked yet. Sometimes they start with 2441 instead of 2511, but I believe there is also another, much harder default with these SSIDs as well.

hashcat -m 22000 -a 3 sdlink.txt -1 567 2441?1?d0?d?d?d?d?d

1757723150043.png
The SSID SHAW-XXXXXX is also for this device and follows the same patterns. However, this and the CGNM-XXXX may have upper case hex characters in the 6th, 7th, or 8th position in the password. Surprisingly though, I was unable to crack any of this SSID.

hashcat -m 22000 -a 3 SHAW6.txt -1 567 2511?1?H?H?H?d?d?d?d


1757723265041.png
Model Hitron CGNM-2259, CGNM-3582, CGNM-3589
SSID CGNVM-XXXX


The SSID CGNVM-XXXX is for models 2259, 3582 and 3589. These devices use the prefix 2511 and 2521, and the small possibility of an 8 as the 5th digit, but otherwise follow the same patterns that we’ve seen already.

hashcat -m 22000 -a 3 CGNVM.txt -1 5678 2511?1?H?H?H?d?d?d?d
hashcat -m 22000 -a 3 CGNVM.txt -1 5678 2521?1?H?H?H?d?d?d?d


1757723345939.png
Model HW51
SSID HW51--XXXXXX

TAC = 86764204

Password is MIFI + 6 digits of the IMEI (but not the last digit!)

1757723638841.png
Model MW70VK-2ARGPL1
SSID MW70VK_XXXX

TAC = 35700709

password is last 8 digits of IMEI

1757723653762.png
Model ARRIS TG1672G
SSID ARRIS-XXXX

password is TG1672G + last 6 characters of MAC +2 (uppercase).
Ex: d40598292810:TG1672G292812


1757723718494.png
Model inseego FX3110
SSID FX3100-XXXX

password is 8 character HEX lowercase

1757723744776.png
Model ZTE Z700A
SSID ATT-HOMEBASE-XXXX

password is 8 digits, but not related to IMEI

???
SSID Fibre_inwi_XXXX

I was unable to locate a sticker for this device, please post one if you’re able to find it. However, looking at the WPA-SEC data I could see that the default password is often

1. all 12 characters of the MAC address uppercase,
2. the MAC address +/- 6
3. the MAC address with the 4th character -1. This last “rule” allowed me to successfully unmask some.

Example passwords: ccb171a00408:CCB071A00408, 88669f77c9c0:88669F77C9C4, 88669f765c40:88659F765C40

I was also able to help locate new IMEI TACs for SSIDs inwi Home 4GXXXXXX (without the space), inwi Home 4G XXXXXX (with the space), BOX4G_Inwi_XXXX and Box 4G inwi_XXXX.

The tool imeigen has been updated to cover the devices in this thread.

I also cracked a few NETGEARXX SSIDs using a well known dictionary that runs pretty fast.
 

Attachments

  • WPA_found.txt
    38.3 KB · Views: 6

FiosFiend

I have been trying to run this dictionary (https://github.com/rhettrhett1/Technicolor-Router-Default-Passwords/tree/main) against the SSID SHAW-XXXX. I know the dictionary works, however it’s massive and takes an unreasonably long time to run. I rented 4x 5090 on vast.ai just to see, and it would still take 24+ hours to run the dictionary against 241 hashes. These passwords are the same as SSIDs EasyConnect, SETUP-, SPSETUP, XFSETUP, CBCI-, HOME-. So I collected the words from known WPA-SEC passwords and used them to create a much smaller dictionary. These wordlists (attached) can run in a reasonable amount of time and caught a surprising number of hits! Recovered 205/241 (85.06%). I have scraped eBay/FB listings for images and added them to the list as well; there are still a few known words I need to add. Then I pointed the dictionary back at the other WPA-SEC unknowns... :cool:

SETUP-XXXX 312/448 (69.64%)
SPSETUP-XXXX 13/27 (48.15%)
XPSETUP-XXXX 23/29 (79.31%)



The other big hit I had was with the SSID A1_XXXX. I somehow stumbled across this SSID, and noticed the few known entries on WPA-SEC seemed to follow a pattern. They are 16 character passwords, but start with 48575443 followed by 8 HEX characters. Looking at similar MAC addresses, we can see many of them have the same last characters (i.e. 9C, 9D, 9F), which means that we only need to brute force 6 character hex. Furthermore, some passwords seemed to have the same 9th character, reducing it to a simple 5 character search. Recovered 1080/2160 (50.00%). Then @RealEnder informed me that this was a known HUAWEI algorithm that also works for some M-Tel_XXXX, CLAROXXXXX, HUAWEI-XXXX SSIDs.

 HUAWEI Algo.png

SSIDs starting with StarNet also use the same passwords, but do not match up with the algorithm, meaning they need to be brute forced as well. Using this method I recovered 347/714 (48.60%).
Some example commands:
hashcat -m 22000 -a 3 STAR.txt "48575443?H?H?H?H?H?HA2" --session=STARA2
hashcat -m 22000 -a 3 STAR.txt "48575443?H?H?H?H?H?HA6" --session=STARA6
hashcat -m 22000 -a 3 STAR.txt "48575443?H?H?H?H?H?H9E" --session=STAR9E

I also found this sticker
1757875535875.png
Model HUAWEI E5783B
SSID PLAY INTERNET 4G LTE - XXXX

password is 8 digits, but not related to IMEI
 

Attachments

  • 5Lwords.txt
    704 bytes · Views: 9
  • 6Lwords.txt
    797 bytes · Views: 10
  • WPA_found.txt
    36.5 KB · Views: 14
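
Added example (not part of either post above, and not hashcat's own code): the keyspace reductions described for the Hitron `2511…` masks and for the `48575443` + hex mask can be quantified by counting the candidates each mask admits, which shows how little entropy these factory defaults carry. The function names are assumptions of this example, and only the built-in charsets `?d`, `?h`, `?H`, `?l`, `?u` plus custom charsets `?1`..`?4` are modelled.

```python
import string

# hashcat built-in mask charsets (only the ones modelled in this example)
BUILTIN = {
    "d": string.digits,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
}

def _positions(spec, custom):
    """Yield the set of characters allowed at each position of a mask string."""
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            yield {spec[i]}          # literal character
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError("dangling '?' at end of mask")
        key = spec[i + 1]
        if key == "?":
            yield {"?"}              # '??' is a literal question mark
        elif key in BUILTIN:
            yield set(BUILTIN[key])
        elif key in custom:
            yield custom[key]
        else:
            raise ValueError(f"unknown placeholder ?{key}")
        i += 2

def mask_keyspace(mask, charsets=None):
    """Return (length, candidates); charsets maps '1'..'4' to the -1..-4 values."""
    custom = {}
    for name in sorted(charsets or {}):
        # a custom charset is the union of everything its definition names
        custom[name] = set().union(*_positions(charsets[name], custom))
    length, candidates = 0, 1
    for allowed in _positions(mask, custom):
        length += 1
        candidates *= len(allowed)
    return length, candidates

def reduction_factor(mask, charsets, alphabet_size):
    """How many times smaller the mask is than a random key of equal length."""
    length, candidates = mask_keyspace(mask, charsets)
    return alphabet_size ** length // candidates
```

For the mask `2511?1?d?2?d?d?d?d?d` with `-1 567 -2 01`, `mask_keyspace` returns 12 characters and 6,000,000 candidates, against 10^12 for twelve unconstrained digits; for `48575443?H?H?H?H?H?HA2` it returns 16 characters and 16^6 = 16,777,216 candidates.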

PROger4everPublic

Active member
Feedback: 0 / 0 / 0
Joined
Feb 9, 2020
Messages
35
Reaction score
50
Credits
264
@FiosFiend, you can expand your word-based-password APs collection with this file.

If you want to expand your word list, you can use passwords from APs with ESSIDs like:
  • Altice, MyAltice (beige-703-134, 98-cobalt-2638, 7489-95-grey)
  • Optimum, MyOptimum (beige-703-134, 98-cobalt-2638, 7489-95-grey)
  • ASUS (account_3536)
  • CBCI-XY, ARRIS-XY, HOME-XY, SETUP-XY, SHAW-XY, SPSETUP-XY, XFSETUP-XY (Vantiva OUI, block7296harbor)
  • FreeBox (solatiis!-dilabendi*&-remotivos@6-senar&3)
  • hex6-essids (0927b4: cold.261.make)
  • NETGEAR (jaggedtrumpet912)
  • MySpectrumWiFi, SpectrumSetup (ancientstate339)
  • OPTUS (dittysalty54114)
  • Tenda (hardbody779)

Tell me if you need passwords from these APs (maybe I will have some boring moment in the future to gather them for you :))
 

Attachments

  • word-based-APs.csv.txt
    163.7 KB · Views: 27

Buunta

New member
Feedback: 0 / 0 / 0
Joined
Dec 7, 2023
Messages
2
Reaction score
1
Credits
12
I'm running his Python script right now to build a 95 GB wordlist with his original 3, 4, and 5 letter wordlists as detailed on his other thread. I really appreciate all of this.
 

FiosFiend

@RifRafus I haven’t stopped researching various routers, but I have mostly moved away from Verizon. Despite automating the process, I still had to process much of the scrape data by hand, and that took a while. Unfortunately after collecting over 2000 passwords and a ton of information, I wasn’t really any further ahead.

@Buunta Good luck! @Sparton is the only person that I’ve seen actually crack a Verizon capture, and that's because he has an incredible amount of determination.

The research in this thread was a great deep dive, however, and taught me quite a bit. I have found and successfully reversed several WPA keygens since joining the site, but despite my username, not any for Fios/Verizon :cautious:
 