Keyspace List for WPA on Default Routers
hashcat Forum (https://hashcat.net/forum)

RE: Keyspace List for WPA on Default Routers - miccee - 01-19-2017

thanks

RE: Keyspace List for WPA on Default Routers - calexico - 01-19-2017

OUI: 38:3B:C8 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of: a-z 0-9 = ?
Notice: No capital letter in my home router's passphrase.
Length is exactly 12 char.
EDIT: Yes, this is the default passphrase. And yes, I have changed it

RE: Keyspace List for WPA on Default Routers - rico - 01-20-2017

a-z = 26 chars
0-9 = 10 chars
= ?
38 chars, len 12.
Keyspace is 38^12 = 9,065,737,908,494,995,456

(01-19-2017, 06:38 AM)calexico Wrote: Yes, this is the default passphrase. And yes, I have changed it

Change it back!

RE: Keyspace List for WPA on Default Routers - miccee - 01-20-2017

(01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE

Is there a fixed pattern or they are completely random?

RE: Keyspace List for WPA on Default Routers - calexico - 01-21-2017

(01-20-2017, 01:30 PM)miccee Wrote: (01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE

Good question. Arriving at the answer is partly why I posted. Since I can provide just one sample, it's too early to discern randomness from order. Honestly, I think the entropy is quite high, both in passwords and in ESSID assignment.

RE: Keyspace List for WPA on Default Routers - miccee - 02-03-2017

(01-21-2017, 06:17 AM)calexico Wrote: (01-20-2017, 01:30 PM)miccee Wrote: (01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE
Good question. Arriving at the answer is partly why I posted. Since I can provide just one sample, it's too early to discern randomness from order. Honestly, I think the entropy is quite high, both in passwords and in ESSID assignment.

Can you please post the original passphrase? Does it have any relation to the last 6 characters of ATTXXXXXXX?

RE: Keyspace List for WPA on Default Routers - duhblow7 - 02-11-2017

ssid = DG1670AXX
preshared key = DG1670A+[0-9A-F][len6]

Example:
SSID = DG1670AB2
PSK = DG1670A919DB2

keyspace = 16^6 = 16,777,216

edit- I cracked a few more of these and I noticed that the last two characters of the PSK are the same as the last two characters of the SSID. This takes the keyspace down to 16^4 = 65536

RE: Keyspace List for WPA on Default Routers - devilsadvocate - 02-11-2017

(02-11-2017, 03:54 AM)duhblow7 Wrote: ssid = DG1670AXX

It seems like it would be worthwhile to build a list of all possible model numbers and then prepare a .hcmask file.

For example:
DG1670A?H?H?H?HB2
TC8715D?H?H?H?HB2

Note that the DG1670A is a Motorola device. The TC8715D is a Technicolor device. Both use the same scheme for their default WPA2 password and both are for use with Time Warner. Both have the last two digits of their default password as the last two digits of their default SSID.

Is this default password scheme being used on several devices that are in use with Time Warner customers? Maybe. It seems less likely that two different vendors of modems/routers decided to use the same default password scheme.

This is a quick list of model numbers that I have come up with. Note that most of these model numbers are Technicolor and just a few are Motorola model numbers.

7300B C1100T C2000T C2100T CGM423X DCM425 DCM475 DCM476 DDW36C DEPC3928
DG1670 DG1670A DHG757 DPC3941T DPC3941TV2 DPC3941TV3 DVW32CB EPC3940 EPC3949
TC4310 TC4300 TC4350 TC4400 TC7110 TC7200 TC7200K TC7200U TC7200-U
TC7210DNZ TC7210-DNZ TC7230 TC7300 TC8305C TC8715D TC8717 TC8717T
TD5130 TD5136 TD5136V2 TD5336 TG1672 TG2000 TG2200AC
TG582N TG582NO2 TG582NV2 TG587N TG587NV2 TG587NV3 TG589VN TG589VNV2 TG589VNV3
TG784N TG784NV2 TG784NV3 TG788VN TG788VNV2 TG789BVN TG789VAC TG789VNV3
TG797NV3 TG799 TG799VAC TG799VN TG799VNV2 TG852N

The only Time Warner devices that are in use (as of this post, February 2017) are:

ARRIS/Motorola           CM550A         Up to 15Mbps
ARRIS/Motorola           CM820A         Up to 100Mbps
ARRIS/Motorola           DG1670A        Up to 300Mbps
ARRIS/Motorola           DG860A         Up to 100Mbps
ARRIS/Motorola           DG950          Up to 100Mbps
ARRIS/Motorola           SB5101         Up to 15Mbps
ARRIS/Motorola           SB5101N        Up to 15Mbps
ARRIS/Motorola           SB5101U        Up to 15Mbps
ARRIS/Motorola           SBG901         Up to 15Mbps
ARRIS/Motorola           SBG941         Up to 15Mbps
Cisco                    DPC3000        Up to 15Mbps
Netgear                  CG814WGv2      Up to 15Mbps
Netgear                  CGD24G-100NAS  Up to 15Mbps
SMC Networks             8014WG-SI      Up to 15Mbps
Technicolor/Thomson/RCA  TC4310         Up to 300Mbps
Technicolor/Thomson/RCA  TC8715D        Up to 300Mbps
UbeeAmbit                DDC2700        Up to 15Mbps
UbeeAmbit                DDM3521        Up to 100Mbps
UbeeAmbit                DDM354         Up to 300Mbps
UbeeAmbit                DDW2600        Up to 15Mbps
UbeeAmbit                DDW3611        Up to 100Mbps
UbeeAmbit                DDW365         Up to 100Mbps
UbeeAmbit                DDW36C         Up to 300Mbps
UbeeAmbit                U10C018        Up to 15Mbps
UbeeAmbit                U10C019        Up to 15Mbps
UbeeAmbit                U10C020        Up to 15Mbps

Distilled down (only the middle column from above), the Time Warner devices are:

CM550A CM820A DG1670A DG860A DG950 SB5101 SB5101N SB5101U SBG901 SBG941
DPC3000 CG814WGv2 CGD24G-100NAS 8014WG-SI TC4310 TC8715D
DDC2700 DDM3521 DDM354 DDW2600 DDW3611 DDW365 DDW36C U10C018 U10C019 U10C020

The above list comes from https://www.timewarnercable.com/content/dam/residential/pdfs/support/internet/byom-allowed-modems.pdf

RE: Keyspace List for WPA on Default Routers - calexico - 03-04-2017

(01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE

Whoa, quite by accident, discovered another one:

OUI: F8:2C:18 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of: a-z 0-9 = ?
--> Which is the same as my home 2WIRE device.

Observe: regular and consistent use of special chars: "=" and "?" Which somewhat reduces the entropy, insofar as 2 samples could help do so...

RE: Keyspace List for WPA on Default Routers - miccee - 03-04-2017

(03-04-2017, 05:42 PM)calexico Wrote: (01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE

Any specific pattern in both of these passphrases? e.g. ?l?d?l?l?d etc
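
Added example (not part of any post in this thread, and not hashcat or vendor code): an audit helper for an administrator's own SSID/PSK inventory that flags passphrases still following the default schemes reported above and returns the effective keyspace the posters worked out. It assumes the two trailing SSID characters are uppercase hex; the function names and every inventory row except the DG1670AB2 pair posted in the thread are constructed for illustration.

```python
import math
import re

# Patterns as reported in the thread (assumed accurate; not vendor-documented).
# The two SSID suffix characters are assumed to be uppercase hex.
CABLE_MODELS = ("DG1670A", "TC8715D")
ATT_SSID = re.compile(r"ATT.{7}")          # thread: ESSID ATTXXXXXXX
ATT_PSK = re.compile(r"[a-z0-9=?]{12}")    # thread: a-z 0-9 = ?, length 12


def audit(ssid, psk):
    """Classify one SSID/PSK pair; return (finding, effective keyspace)."""
    for model in CABLE_MODELS:
        s = re.fullmatch(model + r"([0-9A-F]{2})", ssid)
        p = re.fullmatch(model + r"([0-9A-F]{6})", psk)
        if s and p:
            if p.group(1).endswith(s.group(1)):
                # Last two PSK chars are broadcast in the SSID: 4 unknown hex chars.
                return "default, SSID-linked", 16 ** 4
            return "default-shaped", 16 ** 6
    if ATT_SSID.fullmatch(ssid) and ATT_PSK.fullmatch(psk):
        return "default-shaped", 38 ** 12
    return "no default pattern", None


def bits(keyspace):
    """Keyspace expressed as bits of search effort."""
    return round(math.log2(keyspace), 1)


# Constructed inventory; the first pair is the example posted in the thread.
INVENTORY = [
    ("DG1670AB2", "DG1670A919DB2"),
    ("TC8715D4F", "TC8715D0A1C77"),
    ("ATT1234567", "a1b2c3=d4e5?"),
    ("DG1670AB2", "long unrelated passphrase 2017"),
]

if __name__ == "__main__":
    for ssid, psk in INVENTORY:
        finding, space = audit(ssid, psk)
        effort = f"{space:,} (~{bits(space)} bits)" if space else "n/a"
        print(f"{ssid:<12} {finding:<22} {effort}")
```

Any row reported as "default, SSID-linked" has only about 16 bits of effective keyspace and should have its passphrase replaced; the 2WIRE-shaped default sits near 63 bits.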