Posts: 102
Threads: 2
Joined: Jul 2016
Found another one that works with the Zykgen.... The Zyxel W3-SAP 9676 but with a password length of 16. Some serials have a 'V' as the 5 character, while others don't so probably make two rainbow tables, if that router has your interest.
Posts: 2
Threads: 0
Joined: Jun 2022
I'm trying to crack default Wi-Fi key of a Huawei router. I know that the length of the password is 8 characters and it includes numbers, lowercase and uppercase characters. For example:
tSya7yQj
8po4eDUU
It would be great if a keygen would exist that could use SSID and MAC address to calculate the password but I guess that is not possible with this newer routers (or is it?).
I tried the basic bruteforce attack with a custom charset of ?l?u?d for all characters and it would take about 60 years for hashcat to go through all combinations.
I guess a rule could be applied to reduce the number of combinations, like:
password needs to have at least 3 of ?l but not over 5
password needs to have at least 2 of ?u but not over 4
password needs to have at least 1 of ?d but not over 2
Or if someone has a better idea it would be great.
Tnx
Posts: 102
Threads: 2
Joined: Jul 2016
06-26-2022, 07:47 PM
(This post was last modified: 06-26-2022, 09:19 PM by drsnooker.)
Good start! Collect more default passwords to see if there's a pattern (for more rules)
Alternatively, you can try getting your hands on a used modem, open it up, and see if you can get root access via JTAG/UART. Sometimes (Zyxel) the password generator algorithm is still stored on the modem itself. Then you can use that to generate the rainbow tables. Or reverse engineer it and recreate the algo in python or whatever language you prefer.
After doing a bit of math... If you can reduce the keyspace by even 5 letters (e.g. very few vendors use upper case 'O' and number 0, as well as upper case 'I' and 1. etc) you can cut that time in half. If money is no object and the 4090ti is going to be as powerful as rumored, buy 8 of them and you can pop that password in two months!
You can also try doing a hash (MD5,SHA256 etc) on the ESSID, take the modulus of the digest and project that onto the charset. May be you get lucky and it wasn't obfuscated!
Posts: 2
Threads: 0
Joined: Jun 2022
(06-26-2022, 07:47 PM)drsnooker Wrote: take the modulus of the digest and project that onto the charset. May be you get lucky and it wasn't obfuscated!
Could you please explain further or show an example?
Posts: 102
Threads: 2
Joined: Jul 2016
I'm facing your issue with the 5268AC default keyspace, with sort of a how to guide. Here's the post describing the
hash/modulus part.
Posts: 102
Threads: 2
Joined: Jul 2016
Plumlulz has converted my Zyxel SBG3500 default keygen to python.
https://github.com/PlumLulz/sbg3500py
Posts: 102
Threads: 2
Joined: Jul 2016
....and Plumlulz has now converted my Telus (Zyxel VSG1432) algo. ESSID is TELUSXXXX
https://github.com/PlumLulz/teluspy
Posts: 1
Threads: 0
Joined: Aug 2022
anyone have the default keyspace for ZTE routers?
Posts: 2
Threads: 1
Joined: Sep 2022
09-04-2022, 12:16 AM
(This post was last modified: 09-04-2022, 12:54 AM by kuny1991.)
Hello,
Does anyone have the default passwords for the router from UPC - Compal CH7465LG ? I was able to get the following from the internet:
SSID: UPC8980902 - Compal CH7465LG
PASS: msyrmHuhlfh2 - ?l?l?l?l?l?u?l?l?l?l?l?d
SSID: UPC21D5DCC - Compal CH7465LG
PASS: bYG2durnbhmz - ?l?u?u?d?l?l?l?l?l?l?l?l
SSID: UPC9448047 - Compal CH7465LG
PASS: xzc2vfAwwh6b - ?l?l?l?d?l?l?u?l?l?l?d?l
SSID: UPC4891752 - Compal CH7465LG
PASS: rJ3ksdcZsa7s - ?l?u?d?l?l?l?l?u?l?l?d?l
SSID: UPCD8499E6 - Compal CH7465LG
PASS: ej7B4fnuyMmh - ?l?l?d?u?d?l?l?l?l?u?l?l
SSID: UPC7457314 - Compal CH7465LG
PASS: z2bkuGtdttjh - ?l?d?l?l?l?u?l?l?l?l?l?l
SSID: UPCCD3A834 - Compal CH7465LG
PASS: v5Akhmhrspby - ?l?d?u?l?l?l?l?l?l?l?l?l
SSID: UPC5989917 - Compal CH7465LG
PASS: Fy2suz6zccwh - ?u?l?d?l?l?l?d?l?l?l?l?l
SSID: UPCE653D35 - Compal CH7465LG
PASS: tx8jfwbwnaTZ - ?l?l?d?l?l?l?l?l?l?l?u?u
I will be grateful for any further examples!
If someone is able to decode the password algorithm, that would be brilliant!
Posts: 1
Threads: 0
Joined: Jan 2023
Do you have default keyspace for ZTE
routers - ZXHN F680?