Keyspace List for WPA on Default Routers
This kinda belongs in this thread...
CGM4140COM routers have a default password that doesn't quite fit in the hybrid mode or the combinator mode

wordlist ?d?d?d?d wordlist

Any suggestions how to tackle this one? Do we need an -a 8?
$ cat noun | awk 'length($0)==6' > w6
$ cat noun | awk 'length($0)==5' > w5

#include <stdio.h>
#include <stdlib.h>

int main()
int c;
for(c = 0; c < 10000; c++) printf("%04d\n", c);
$ gcc digit.c -o digit

$ ./digit > digit4
$ combinator3 w5 digit4 w6 | hashcat -m 22000 hash.22000
$ combinator3 w6 digit4 w5 | hashcat -m 22000 hash.22000

Very old model:
Thanks Zerbea! I manually just modified the large netgear word list with 4 numbers then use a -1...

However, now I need to fill out a bug/anomaly report, because hashcat a -1's dictionaries require a char(10) followed by char(13) or else it thinks the dictionary is empty. All the other dictionaries just need a char(13)
Do you mean this mode, where e.g. w5dg4 = album0001 and w6 = anchor

$ hashcat -a 1 -m 22000 zn.22000 -S w5dg4 w6

hashcat (v6.2.1-157-g388e0a1c7) starting...
Session..........: hashcat                               
Status...........: Quit
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: zn.22000
Time.Started.....: Sat Jun 12 08:26:52 2021 (2 secs)
Time.Estimated...: Sat Jun 12 09:50:59 2021 (1 hour, 24 mins)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (w5dg4), Left Side
Guess.Mod........: File (w6), Right Side
Speed.#1.........:  488.4 kH/s (5.80ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 0/16 (0.00%) Digests, 0/10 (0.00%) Salts
Progress.........: 688128/2464800000 (0.03%)
Rejected.........: 0/688128 (0.00%)
Restore.Point....: 0/246480000 (0.00%)
Restore.Sub.#1...: Salt:3 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Host Generator + PCIe
Candidates.#1....: album0000absent -> album1451salute
Hardware.Mon.#1..: Temp: 66c Fan: 39% Util: 86% Core:1784MHz Mem:5005MHz Bus:16

I can't confirm the problem, you mentioned. 0x0a is enough at the end of the line (combination of 0x0a 0x0d is not mandatory).
Attached example part of the lists (each line terminated with 0x0a) used above - viewing it, running ghex will confirm this:

.zip (Size: 462 bytes / Downloads: 0)

A look at the source code will confirm this, too,
in superchop_with_length():
hashcat accept 0x0a
as well as 0x0d

or in in_superchop():
Could be related to the generation of your lists in combination with your OS.

I'm running Arch Linux:
$ uname -r

If you're looking for an up-to-date word list that contain real PSKs beside
please take a look at the daily snapshot of "Download Found Lists" here:
Download Found Lists
Last snapshot date: 2021-06-13

If you take a look at "Download Left Lists" at the end of this page, you'll notice that hash mode 22000 is full supported:

We can assume that findings of "WPA-PBKDF2-PMKID+EAPOL" hash list will be stored to the Daily Found List. So this list will contain real PSKs (from WiFi), too.
I'm running windows 10 x64

separators that work

separator that doesn't work:

Interesting that for -a 1
you get an error message
xxxxx.txt: empty file

but for generic dictionary attack
It just shows:
Guess Queue 1/1 

so if you run dictionaries in batch mode, you don't even notice that it didn't use the dictionary
Thanks for your detailed explanation. I can confirm that on Linux, too if:
w5 is a txt file where 0x0a is replaced by 0x0d

$ hashcat -a 1 -m 22000 zn.22000 -S w5 dg4w6
hashcat (v6.2.1-171-g3ee77aa58) starting...

Dictionary cache built:
* Filename..: w5
* Passwords.: 1
* Bytes.....: 421
* Keyspace..: 0
* Runtime...: 0 secs

w5: empty file.

Started: Sun Jun 13 23:31:25 2021
Stopped: Sun Jun 13 23:31:26 2021

Using a single 0x0d to terminate a line is a very old standard used by ancient systems, e.g.:
Commodore 8-bit machines (C64, C128), Acorn BBC, ZX Spectrum, TRS-80, Apple II series, Oberon, the classic Mac OS, MIT Lisp Machine and OS-9
None of my Linux tools (e.g. Geany) is doing this (except I replace 0x0a by 0x0d using GHEX, awk, sed, ...).

A good explanation of the standard/behavior is here:
and, of course, here:
There is a company in india called Jio. Can you provide deafault pass of JioFiber routers??
It will be very helpful.
(08-23-2021, 06:11 PM)scriptkiddy Wrote: There is a company in india called Jio. Can you provide deafault pass of JioFiber routers??
It will be very helpful.

Might want to check out ebay for what their default passwords look like. Then see if you can find a pattern!

<edit add-on>
Not much on ebay, but some on Facebook marketplace. It's 10 characters: lower case and numbers mixed together. You might want to try some things like SHA1 or MD5 on the serial and then mod 36 on each byte to see if that gets you something. Not particularly likely, but worth a shot. Probably have to brute force these...