We are starting this thread to bring into the public domain some exclusive unpublished default WPA key algorithms that we use in our everyday work.
Unpublished means you can't find it anywhere on the Web, so (we hope) the Hashkiller forum will now be its origin.
Let's start with the TTNET_ZyXEL_XXXX default WPA key algorithm.
These Turkish ZyXEL routers have a very strong default WPA key of 13 mixed-case hex digits, uncrackable with ordinary brute-forcing.
Knowing the algorithm makes it possible to calculate the default password from the router serial number.
Unfortunately the router S/N is not always known, but the search keyspace can be dramatically reduced to ~10^9 or even smaller.
PoC with some test vectors attached below. The code is not optimal in any way and sometimes can contain (surprise!) MIPS disassembly written in Python.