Keyspace List for WPA on Default Routers
January 2024 update for all the found Zyxel modem keygens. (deleted the previous tables to keep the thread clean)

[Image: YVGAAJ9.jpg]
Reply
So, how do we get a password list from these functions?
Reply
(01-10-2024, 10:09 AM)brahim7 Wrote: So, how do we get a password list from these functions?

A small Python script to loop through a range of serial numbers would work for most of these.
Reply
Is there any keyspace list for WPA for Fiberhome routers? (router/ONT model example: hg6544c)

Thanks
Reply
Have found two 'Eufy' SSIDs, which by OUI lookup are:
04:17:B6 Smart Innovation LLC
10:2C:B1 Smart Innovation LLC
Just discovered that the keyspace is ?h?h?h?h?h?h?h?h

Also found a few NVRxxxxxxxxxxxx devices:
08:3A:2F Guangzhou Juan Intelligent Tech Joint Stock Co.,Ltd
Keyspace appears to be ?d?d?d?d?d?d?d?d

Finally, I dug through some Ebay listings for D-Link DIR-605L devices, and collected the PSKs:

[Attachment: 2024-12-25 21_41_33-d-link DIR-605L.xlsx - Excel.png (Size: 97.89 KB / Downloads: 4)]
This has probably already been discovered by others, but it looks like the first 5 characters only consist of a-j, so it seems to be an alpha substitution for 0-9, making the keyspace: -1 abcdefghij -a 3 ?1?1?1?1?1?d?d?d?d?d
Reply
The d-link DIR-605L is likely pretty complicated. I managed to reverse the 640L. If you want to see how that's done, check out Plum's conversion to Python:
https://github.com/PlumLulz/dir_640lpy
Reply
(12-26-2024, 05:53 AM)Have Blue Wrote: This has probably already been discovered by others, but it looks like the first 5 characters only consist of a-j, so it seems to be an alpha substitution for 0-9, making the keyspace: -1 abcdefghij -a 3 ?1?1?1?1?1?d?d?d?d?d

After looking a little bit closer at your dir-605L data, it looks to be very much in the family of the 640L.
The 640L takes a hexadecimal hash and plucks letters from it (0..F), followed by modulus 10 (hex value % 10).
Which means that values 0..5 (and a..f) are almost twice as likely to show up versus chars '6789' and 'ghij', and that is reflected by the data you collected.

d-link cleverly uses a few variants of the algo for each model, so tracking the exact algo down will be a bit tricky, but it might be possible with enough data....
Reply
Hi and Merry Christmas!
Here are my dlink- hits:
Code:
0001015B7F0C dlink-4A1C yzlgq27544
000101A732B7 dlink-4AC0 gfjon85581
00238CC9A40A dlink-4A1C yzlgq27544
0024FBCA4FAC dlink-4AC0 gfjon85581
0C811248BB6F dlink-4A1C yzlgq27544
1062EB98265C dlink-265C bhapn93722
10BEF52643F0 dlink-43F0 ozupg41817
1407084E39BD dlink-44F5-5GHz atmxv87643
180F763E4750 dlink-4750 faqva09646
48EE0CEF3422 dlink-3422 defar96528
48F3172C41E9 dlink-4A1C yzlgq27544
50C7BF32DC77 dlink-438C qspkx01690
544E455AC877 dlink-4A1C yzlgq27544
586ED6271451 dlink-8370 isnix44524
58D56EA91D79 dlink-1D78 evzaa62453
6C72200E0A38 dlink-0A38 cccec64025
706F8196C64E dlink-4A1C yzlgq27544
74DADA5E8C78 dlink-8C77 caebd25880
78542EFBBCD8 dlink-BCD8 tnrgp24789
802689AE55B8 dlink-55B8 jkrvd91410
A09F7AD2B28F dlink-M961-2.4G-b28f amggs42288
A0AB1B771FC8 dlink-1FC8 bccff65164
C4A81D8B7CD8 dlink-7CD8 wfjlq94954
E46F133EE5D8 dlink-E5D8 bgfkz73664
E46F1365E32C dlink-E32C bbdee24215
As always, BSSIDs are not to be trusted.
Sadly, none of these match the dir-640l keygen :( I have 3K+ uncracked dlink hashes, so we can confirm other variations of the algo.
Recently a tool for DLink FW image decryption for various devices was released: delink. It's already integrated upstream in binwalk v3.
Many dlink FW images for outdated models can be directly downloaded here.
Reply
This is getting interesting. Perhaps a worthy foe?

I ran all the variants I could think of from the 640L algo against the 605L and struck out. Some hits, but, as you get with enough monkeys and typewriters, even with a hash there are enough possibilities.
The 605L firmware does not include the algo, but there might be variants in others. Let's see if the d-link engineers left any presents under the binwalk extracts tree....
Reply
(12-27-2024, 06:36 AM)drsnooker Wrote: After looking a little bit closer at your dir-605L data, it looks to be very much in the family of the 640L
The 640L takes a hexadecimal hash and plucks letters from it (0..F), followed by modulus 10 (hex value % 10).
Which means that values 0..5 (and a..f) are almost twice as likely to show up versus chars '6789' and 'ghij', and that is reflected by the data you collected.

One thing that struck me was the prevalence of the 'b' character versus 'a', which made me wonder if zeroes are for whatever reason much less likely to be generated from whatever the 'seed' is (my assumption being that 'a' equates to '0' and 'b' equates to '1'). I had done a statistical analysis on the data, and 'b' was indeed among the most common characters.
Reply
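As an added illustration of the hex-mod-10 bias discussed in the two posts above (this is not code from the thread, from Plum's dir_640lpy, or from d-link, and it reconstructs no key generator), the following Python measures what that hypothesis does to the effective entropy of a default PSK and checks whether a sample of observed PSKs is even consistent with the "five letters a-j, then five digits" pattern. The letter map a..j = 0..9 and the 0..15 % 10 reduction are taken from the posts; the sample PSK lists in the block are constructed or copied from this thread and are labelled as such.

```python
from collections import Counter
from math import log2

# Hypothesis from the thread: each of the first five PSK characters is one
# hex nibble (0..15) reduced mod 10, then mapped 0..9 -> a..j.
ALPHABET = "abcdefghij"


def hex_mod10_distribution():
    """Probability of each output letter when one uniformly random hex
    nibble is reduced mod 10 and mapped onto a..j. Values 0..5 are reached
    from two nibbles each (v and v+10), 6..9 from one, hence the bias."""
    counts = Counter(ALPHABET[v % 10] for v in range(16))
    return {ch: counts[ch] / 16 for ch in ALPHABET}


def entropy_bits(dist):
    """Shannon entropy (bits) of a discrete distribution given as {symbol: p}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def effective_entropy(n_biased=5, n_digits=5):
    """Return (entropy under the hypothesis, entropy of a uniform 10-symbol
    alphabet across all positions) for a PSK of n_biased letters followed
    by n_digits decimal digits assumed uniform."""
    biased = entropy_bits(hex_mod10_distribution())
    uniform = log2(10)
    return n_biased * biased + n_digits * uniform, (n_biased + n_digits) * uniform


def fits_family(psks):
    """True if every PSK has the shape the hypothesis predicts: exactly ten
    characters, the first five drawn from a..j, the last five digits."""
    return all(
        len(p) == 10 and all(c in ALPHABET for c in p[:5]) and p[5:].isdigit()
        for p in psks
    )


def letter_frequencies(psks):
    """Observed frequency of each letter over the first five positions, so a
    collected sample can be compared against hex_mod10_distribution()."""
    counts = Counter(c for p in psks for c in p[:5])
    total = sum(counts.values())
    return {ch: counts[ch] / total for ch in ALPHABET} if total else {}


# Constructed sample (not real keys) shaped like the 605L hypothesis.
CONSTRUCTED_SAMPLE = ["bbace12345", "bcafd67890"]
# Two PSKs copied from the dlink- list posted earlier in this thread; their
# letters fall outside a..j, so they are not in this family.
THREAD_DLINK_SAMPLE = ["yzlgq27544", "gfjon85581"]

if __name__ == "__main__":
    dist = hex_mod10_distribution()
    print("expected letter distribution:", dist)
    print("bits per biased letter: %.3f (uniform: %.3f)" % (entropy_bits(dist), log2(10)))
    print("whole PSK bits (hypothesis, uniform):", effective_entropy())
    print("constructed sample fits family:", fits_family(CONSTRUCTED_SAMPLE))
    print("thread dlink- sample fits family:", fits_family(THREAD_DLINK_SAMPLE))
    print("observed letter frequencies:", letter_frequencies(CONSTRUCTED_SAMPLE))
```

Under the hypothesis each biased letter carries 3.25 bits instead of log2(10) = 3.32, so the loss across five positions is only about a third of a bit; the real weakness is that the keyspace is fixed and public, not the bias itself. The observed-frequency function is what the "b is more common than a" observation in the post above would be checked against: with enough samples, a, b, c, d, e, f should each sit near 12.5% and g, h, i, j near 6.25% if the seed nibbles are uniform, and a persistent excess of b over a points at a non-uniform seed rather than at the mapping.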