NetgearKiller.dict - my Netgear WPA dict
#1
Hi all, new poster here.

I'm going to preface with this quote:
(from https://forum.hashkiller.co.uk/topic-view.aspx?t=2715)
Quote:Each password is formed as follows: adjective + noun + 3 decimal numbers.

Here some examples in case someone wants to try to build up his own dictionary (ESSID : key : model : mac : serial: loginusrename : loginpassword : WPS / empty if unknown):

NETGEAR00 : mistymint902 : DGN 2200v3 : 100D7F34???? : : admin : password : 40408880
NETGEAR10 : imaginaryviolin590 : WNDR3400v3
NETGEAR12 : livelychair848 : WNDR4300 : 28C68E1854F3 : 36B1315X00585 : admin : password
NETGEAR25 : festiveflower225 : R6300 : : : admin : password : 81968220
NETGEAR29 : exoticbutter003
NETGEAR34 : sillybug772 : R6250 : 4494FC50B225 : : admin : password
NETGEAR35 : aquaticoctopus034 : R7000
NETGEAR37 : vastcoconut260 : WNDR3800 : : : admin : password
NETGEAR45 : blueprairie979 : : 4494FC?????? : BTA13??????4A : :
NETGEAR47 : heavybanana530 : DGN2200v4 : 28C68E8AB6E4
NETGEAR48 : breezysea672 : WNR220 : 008EF24B6ED8 : 2J74275T006AD : admin : password
NETGEAR53 : magicalwater421 : JNR3000 : 008EF28F4B64 : 2XS229B000001 : admin : password : 26168258
NETGEAR62 : friendlyjade842
NETGEAR70 : royalcheese478 : DGND4000 : 00BEF2??????: 34F128BN006FD : admin : password
NETGEAR70 : narrowjungle555 : WNDR3800 : 204E7F71704A : 2M81195F00171 : admin : password
NETGEAR89 : helpfultulip601 : WNDR3400v2 : 74440154701A / 744401547019 : *2NS21C77AA138* : admin : password
NETGEAR96 : huskyocean593 : R7000
NETGEAR99 : yellowtulip399 : WNDR3400v2 : 2CB05D3979AF / 2CB05D3979AE : *2NS2217X126DE* : admin : password
NETGEAR99 : imaginarytomato848 : WNDR3400v2 : : : admin : password
unknown : silkysky657
unknown : blackmoon339
unknown : helpfulflamingo578
Surewest-09 : oddviolin958 (provider is Surewest, manufacturer Netgear).

These kinds of keys is what this dictionary is for, I created it myself.  I'm confident it should have a very high success rate, as the others I have tried weren't satisfying to me.  The other dicts I tested against this example list above had mixed results, mine has a 100% success rate.

A couple points:
-I'm confident I found the EXACT adjective list that Netgear uses, this saves tons of space when combinator'd.  It clocks in at only 8.8KB (1109 lines)
-I'm unsure of their exact noun list, but I pruned a comprehensive list from WordNet.

When used with combinator, the resulting file is 167 MB.  

Total keyspace when using the dict + mask attack ?d?d?d = 10,926,977,000.  A GTX 960 (at 90,000 H/s) can get through it in about 1 day 10 hours.

THIS LIST IS NOT COMPILED WITH THE 3 NUMBERS AT THE END.  IT'S MEANT TO BE USED WITH THE DICT + MASK ATTACK.  

A quick way to test this dict against something you know would be (3 ending numbers omitted):
Code:
grep "vastcoconut" NetgearKiller.dict
And see if the entry pops up.  If it pops up then it was a hit and it would have been cracked in a real world scenario. If nothing pops up, then it's missing from the dict.  Obviously in a real world scenario you're going to be using hybrid dict + mask ?d?d?d attack with this dictionary.

Feel free to use any/all/none of it, would love to hear the results:
https://drive.google.com/file/d/0By92_TZ...sp=sharing
#2
First - thanks for putting this together. Good work.

Secondly - I'd like to report a success with it. The numbers you gave for a full run are a bit less than the total time my run takes (2 x AMD HD7770).

The network in question's SSID was NETGEARXX (where XX is two digits).
#3
My attack was unsuccessful using your dictionary. Thank you for the effort.
UPDATE:
I did eventually find the password. It was a common password found in the rockyou dictionary using only a straight dictionary attack. Had the password not been changed to a custom password, your dictionary may have had a good chance of cracking it.
#4
Hello, I am currently using you dictionary to crack my sister's wifi (with her consent). I told her not to give me any information about the router and that I would attempt to hack the wifi. My question is if this dictionary does not work, should I simply try to Phish it out of her or perhaps try to use a different dictionary? I have already wasted like 3 days using dictionaries and once this one finishes, assuming the password is not found, I will have spent a total of 6 days. Any advice would be appreciated!
#5
The wordlist works only for default password. If the password was changed, it will not work.
#6
(05-16-2016, 01:38 PM)atom Wrote: The wordlist works only for default password. If the password was changed, it will not work.

So can I safely assume that the password has been changed if this doesnt work, and if so should I try a different dictionary? or another method?
#7
(05-16-2016, 03:28 PM)Luck161 Wrote: [quote='atom' pid='29409' dateline='1463398735']
The wordlist works only for default password. If the password was changed, it will not work.

Also the router in question is a NETGEARXX where XX are numbers.
#8
(05-16-2016, 03:30 PM)Luck161 Wrote: Also the router in question is a NETGEARXX where XX are numbers.


Try the Netgear dictionary from https://www.sendspace.com/file/8nk52w.  You can do a straight mode attack using adjective_noun_3d.txt.
#9
(05-18-2016, 06:21 AM)gearjunkie Wrote:
(05-16-2016, 03:30 PM)Luck161 Wrote: Also the router in question is a NETGEARXX where XX are numbers.


Try the Netgear dictionary from https://www.sendspace.com/file/8nk52w.  You can do a straight mode attack using adjective_noun_3d.txt.

Thanks for you reply. Unfortunately I have already tried this dictionary. Should I try to find another dictionary to use, or should I just try something else?
#10
omg be a hacker already.