Verizon Fios G3100 and E3200 Research
#20
I realized this week that my eBay scraping tool wasn’t working as expected anymore as it was getting flagged as a bot. So I switched the code to use a real browser and did a DEEP scrape again to see if I missed anything. I processed 36218 images from 4441 listings. I’ve only had a chance to add the entries that had QR reads, so I have a bunch of manual entries that I still have to go through.

Updated Data Set:
.xlsx   router_data_FULL_060825.xlsx (Size: 807.72 KB / Downloads: 2)


The Dataset now contains:
G3100/E3200 - 608 entries
CR1000 A/B - 127 entries
ARC-XCI55AX - 120 entries
ASK-NCQ1338 - 139 entries
WNC-CR200A - 45 entries
G1100 - 313 entries
NVG558HX - 54 entries
Other - 95 entries
Total - 1501 entries

We managed to jump from 4 to 54 entries for the NVG558HX, so now they have their own sheet in the database. We already saw that the SSID is generated from the last 4 characters of the MAC, but we already caught a SSID collision!

[Image: attachment.php?aid=1303][Image: attachment.php?aid=1304]


I mentioned last post that these devices have the least secure passwords that we have encountered. This was based on the 12 character length, <a-z><0-9>. However, I failed to check the calculations. For each position, there are 26 characters + 10 digits = 36 possible choices. The number of possible password combinations is 36^12 = 4,738,381,338,321,616,896 which is uncrackable. Now that we have more entries, we see some characters are omitted (a,e,i,l,o,u,0,1) = 28 possible choices. 28^12 = 232,218,265,089,212,416 which is significantly smaller, but still uncrackable :(


We also have over 300 entries for G1100 now!  I finally had a chance to match a good many of the second stickers, which adds the MAC address, Hardware version, Firmware version, and a few missing Serial numbers. Now we can fill in some of the missing info from before!

SSID is FiOS_XXXXX or Fios_XXXXX where X is any char <A-Z><0-9> (The FiOS prefix is unique to this device)
SSID Passwords follow <word><number><word><number><word> (They’re rare, but I did find a few that are <number><word><number><word>)
Admin Passwords are 8-10 characters and follow <word><number><word>

From this sample we can gain some other info:
  • SSID passwords are 16-18 characters long (16 characters is rare, but a few entries so far)
  • These appear to be the most complex out of all of the devices.
  • Each password <word> is between 3-6 characters for the SSID Password
  • MAC Prefixes 18.78.D4, 20.C0.47, 48.5D.36, C8.A7.0A, D4.A9.28
  • HW version 1.03 and 1.04
  • Shipped firmware is 0.17.17 to 02.02.00.14

I also found a bit more information about this device. When translated, this site elaborates on the way to get root. CVE-2019-3916 was a password salt information disclosure. The final result is a response from the device that looks like this: "passwordSalt":"6299bfce-1d56-4a6c-9bd8-352dc9ce865c". Hey, we recognize that as the UUID! The device stores the admin password as a SHA-512 hash using the UUID as the salt.

The admin password is also stored as a SHA-512 hash in the CR1000A firmware:

option default_gui_pwd 'ad7336a048595ddcb52007daf66fe750007a30c88a594a1882a2971c432b1007e381cc8ca5556c4f77f7df1aefc82bc5f083eb799b5e5867470cf3fe6731dcc3'

However, looking a bit more at the code, we see that instead they take the password --> MD5 --> SHA-512:

hash_guipwd=$(echo -n $guipwd | xargs echo -n | openssl md5 | awk '{printf $2}' | openssl sha512 | awk '{printf $2}')


Researching other Verizon CVEs I found CVE-2022-28376 for the LVSKIHP
[Image: attachment.php?aid=1305]

"This function reveals that the engineering username is "verizon" and the engineering password is the first and last 7 characters of the SHA256 hash of the Serial Number concatenated with the Model Number of the device."

Similarly, CVE-2022-28377 provides us with this info:

Line 162 of InDoorUnit /etc/init.d/wnc_factoryssidkeypwd:
  rpc_pwd=`/usr/sbin/wnc_get_sec_2 $baseMAC`

An attacker must extract the binary from the firmware image, run it in an ARM environment with the string "DEVICE_MANUFACTURER='Wistron_NeWeb_Corp.'" in a file /etc/device_info, and provide the IDU's base ethernet MAC address.

The author shows where the firmware was originally downloaded from: https://4g2.vzwdm.com/oma-dlserver/reque...8140226730

Unfortunately the link returns an error for me.

Verizon made improvements after the disclosure, but it looks like there still might be a keygen on the device?

[Image: attachment.php?aid=1306]


Attached Files
.jpeg   NVG_CollisionA.jpeg (Size: 157.75 KB / Downloads: 42)
.jpg   NVG_CollisionB.jpg (Size: 362.73 KB / Downloads: 42)
.png   WNC_engineer_pwd.png (Size: 140.12 KB / Downloads: 30)
.png   WNC_keygen.png (Size: 160.74 KB / Downloads: 25)
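The password --> MD5 --> SHA-512 pipeline quoted in the post above, reproduced as an added example (not code from the original post or from the firmware) beside a salted, iterated alternative, to show what the stored value does and does not protect. The function names, the sample passwords and the PBKDF2 parameters are assumptions, and the xargs step is simplified to whitespace normalisation.

```python
import hashlib
import hmac
import os


def firmware_gui_hash(password):
    """Mirror: echo -n $guipwd | xargs echo -n | openssl md5 | ... | openssl sha512."""
    # Unquoted $guipwd plus `xargs echo -n` re-splits on whitespace, so leading,
    # trailing and repeated blanks disappear (simplified: xargs quote and
    # backslash handling is not modelled here).
    normalized = " ".join(password.split())
    md5_hex = hashlib.md5(normalized.encode()).hexdigest()
    # awk prints the hex digest without a newline, so SHA-512 runs over the
    # 32 ASCII hex characters, not over the 16 raw MD5 bytes.
    return hashlib.sha512(md5_hex.encode("ascii")).hexdigest()


def salted_record(password, salt=None, iterations=210_000):
    """Hardened alternative (assumed parameters): per-device salt + PBKDF2."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    pw = "example-Passw0rd"  # constructed sample, not a real device password
    # No salt: two devices set to the same password store the same value.
    device_a, device_b = firmware_gui_hash(pw), firmware_gui_hash(pw)
    print("unsalted values identical:", device_a == device_b)
    # Whitespace variants collapse to one stored hash.
    print("whitespace collapses:", firmware_gui_hash(" a  b ") == firmware_gui_hash("a b"))
    # Salted records differ per device yet still verify.
    r1, r2 = salted_record(pw), salted_record(pw)
    print("salted values differ:", r1["hash"] != r2["hash"])
    print("verify ok / wrong:", verify(pw, r1), verify("wrong", r1))
```

Because the firmware's construction has no salt and no work factor, the stored value is the same on every device that shares a password, which is why a per-device salt and an iterated KDF are the usual fix.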


Messages In This Thread
RE: Verizon Fios G3100 and E3200 Research - by FiosFiend - 06-09-2025, 02:47 AM