Keyspace List for WPA on Default Routers
I don't know if anyone is looking at the algorithm for the 5268AC (another default device offering from AT&T), but I have noticed that it appears to be a variation on the 599 scheme.

I have noticed that both the python and C code for the nvg599 are correctly calculating the first 6 characters for the 5268AC, but the last 6 characters are not.

It seems that if you want to be able to brute force a default wifi password for the 5268AC, then you can get all of the output from the 599 python and/or C code, truncate every line to only the first 6 characters, sort, uniq, and then run a hybrid attack (mode 6, Hybrid Wordlist + Mask) with the applicable character set (37 characters).

Number of characters ^ positions = 37 ^ 6 = 2565726409

This method is far from time efficient given the number of unique 6 character prefixes that would be produced (multiplied by the number above, a little over 2.5 billion), but could work if you have no functional password calculator.

I welcome anyone to prove me wrong. Cross check the first 6 characters from passwords from 5268 devices with the output of the 599 code (both python and C) and see if this pattern is consistent. This pattern has a 100 percent hit rate for me.

Messages In This Thread
RE: Keyspace List for WPA on Default Routers - by devilsadvocate - 07-23-2017, 09:06 PM