Keyspace List for WPA on Default Routers
#85
Hi robertoakira1.

It is fixed.
Analyzing a few default pairs of BSSID:KEY, you can see this relation. E.g.:
BSSID                                 KEY
6c198f02b804:91E5007819
6c198f027914:91E4019783
6c198f023368:91E4008101

As you can see, every time the OUI is 6c198f the KEY starts with 91E.
That is valid for GVT ISP (Brazil).
If I can help with something more, just ask.

(09-09-2017, 04:06 AM)robertoakira1 Wrote: Hi Zarabatana,

thank you for the information.

Could you explain how you got "91E" from "6c:19:8f"?

Thanks.

(09-07-2017, 08:36 PM)zarabatana Wrote: Hi all.

Thanks to a member of the forum, I have good news about the GVT network.
The task is not completed yet, but we have new information to share.
1) The first 3 chars of the password come from the OUI. E.g.:
     OUI         Partial Pass    Router Brand
     6c:19:8f    91E             D-Link International
     84:c9:b2    N1B             D-Link International
     ec:22:80    S1E             D-Link International
So, if the router is a D-Link, we can get the 1st, 2nd and 3rd digits from the OUI.
The last 6 chars are only numbers.
The 4th position can be number or letter.
The mask for hashcat is: <OUI - info>?1?d?d?d?d?d?d -1 ?u?d
The serial should be linked to the MAC, but I really lack the skill to analyze the firmware.
Any help will be more than welcome here.

A few pairs to analyse:
MAC                                     ESSID      WPA/WPA2
ec2280d30193:fc15b4365e87:GVT-0193:S1E9051450
6c198f02b804:40786ac94fe1:GVT-B805:91E5007819
6815905da437:a89fba14ad7c:GVT-A436:5067014811
c4a81d7f4054:c06599c2d762:GVT-4056:91DC064046
6c198f027914:7ce9d3d7b853:GVT-7917:91E4019783
6c198f023368:d022bed72ab1:GVT-336B:91E4008101
84c9b2eb327d:5c0a5b1f7cd9:GVT-327C:N1B9006527
84c9b2ebbbff:cc52af6190a4:GVT-BBFE:N1B9033142
ec228045ef13:e006e6d03827:GVT-EF13:S1E8013780

Thank you all!

Edit: link to download a firmware
http://ryan.com.br/wp/download/Firmware/...com.br.zip

(08-25-2017, 11:40 PM)zarabatana Wrote: Here in Brazil we have an ISP called GVT.
The default password is the Serial Number of the wireless router.
Here is an example:

D-Link
SSID: GVT-8A8A
PASS: N1B9027544
SERIAL: PJ2N1B9027544
MAC: 84:C9:B2:EB:8A:8A

Just count 10 chars from right to left, and that is the WPA/WPA2 Key.
My question is: is there a way to calculate the Serial Number?
D-Link was used in this example, but it can be Arcadyan, Sagemcom, etc. It will always be the Serial Number.
Using Wireshark, the serial number received isn't the same as the one on the sticker on the bottom.
Thank you for your time.
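Added example, not part of the original posts or of any forum member's code: a fleet-audit check an ISP or network owner could run over its own inventory to find units still using a key that fits the structure described in this thread (OUI-derived 3-char prefix, one upper-case letter or digit, six digits), so those keys can be rotated. The OUI table is copied from the post; the `SERIAL_SHAPED` fallback pattern for other brands, the function names and the inventory rows are assumptions made for this example.

```python
import re

# OUI -> first three key characters, exactly as listed in the post (D-Link on GVT).
OUI_PREFIX = {"6c198f": "91E", "84c9b2": "N1B", "ec2280": "S1E"}
# Post's mask: <OUI prefix> + one upper-case letter or digit + six digits.
FACTORY_TAIL = re.compile(r"[A-Z0-9][0-9]{6}")
# Assumption (not from the post): other brands' serial-derived keys look similar.
SERIAL_SHAPED = re.compile(r"[A-Z0-9]{4}[0-9]{6}")
# Unknown part of the key once the OUI prefix is known: 36 * 10^6 values.
RESIDUAL_KEYSPACE = 36 * 10**6

def oui_of(bssid):
    """Return the lower-case 6-hex-digit OUI of a BSSID in any common notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", bssid).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {bssid!r}")
    return digits[:6]

def classify(bssid, psk):
    """Classify a configured passphrase: factory-default, serial-shaped or changed."""
    prefix = OUI_PREFIX.get(oui_of(bssid))
    if prefix and len(psk) == 10 and psk.startswith(prefix) \
            and FACTORY_TAIL.fullmatch(psk[3:]):
        return "factory-default"
    if SERIAL_SHAPED.fullmatch(psk):
        return "serial-shaped"
    return "changed"

def audit(inventory):
    """Return (bssid, verdict) for every unit whose passphrase needs rotating."""
    verdicts = ((bssid, classify(bssid, psk)) for bssid, psk in inventory)
    return [(b, v) for b, v in verdicts if v != "changed"]

# Constructed inventory (values invented for this example, not real devices).
INVENTORY = [
    ("84:C9:B2:00:00:01", "N1B9000001"),           # fits the D-Link pattern
    ("6c-19-8f-00-00-02", "91EA000002"),           # 4th char is a letter
    ("ec2280000003", "river-Lantern-42-quartz"),   # customer-chosen passphrase
    ("00:00:5e:00:53:04", "AB12000004"),           # unknown OUI, serial-shaped
]

if __name__ == "__main__":
    for bssid, verdict in audit(INVENTORY):
        print(f"{bssid}  {verdict}  (factory keyspace: {RESIDUAL_KEYSPACE:,})")
```

A "factory-default" verdict means the key has at most 36,000,000 possible values for anyone who can read the BSSID off the air, which is why such units should be given a new, randomly generated passphrase.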


Messages In This Thread
RE: Keyspace List for WPA on Default Routers - by zarabatana - 09-10-2017, 04:58 PM