Good start! Collect more default passwords to see if there's a pattern (for more rules)
Alternatively, you can try getting your hands on a used modem, open it up, and see if you can get root access via JTAG/UART. Sometimes (Zyxel) the password generator algorithm is still stored on the modem itself. Then you can use that to generate the rainbow tables. Or reverse engineer it and recreate the algo in python or whatever language you prefer.
After doing a bit of math... If you can reduce the keyspace by even 5 letters (e.g. very few vendors use upper case 'O' and number 0, as well as upper case 'I' and 1. etc) you can cut that time in half. If money is no object and the 4090ti is going to be as powerful as rumored, buy 8 of them and you can pop that password in two months!
You can also try doing a hash (MD5,SHA256 etc) on the ESSID, take the modulus of the digest and project that onto the charset. May be you get lucky and it wasn't obfuscated!
Alternatively, you can try getting your hands on a used modem, open it up, and see if you can get root access via JTAG/UART. Sometimes (Zyxel) the password generator algorithm is still stored on the modem itself. Then you can use that to generate the rainbow tables. Or reverse engineer it and recreate the algo in python or whatever language you prefer.
After doing a bit of math... If you can reduce the keyspace by even 5 letters (e.g. very few vendors use upper case 'O' and number 0, as well as upper case 'I' and 1. etc) you can cut that time in half. If money is no object and the 4090ti is going to be as powerful as rumored, buy 8 of them and you can pop that password in two months!
You can also try doing a hash (MD5,SHA256 etc) on the ESSID, take the modulus of the digest and project that onto the charset. May be you get lucky and it wasn't obfuscated!