Keyspace List for WPA on Default Routers
No one has the info?
I was asking for the shared GDrive sheet with keyspaces... Thanks
Reply
(11-28-2020, 02:18 PM)dre Wrote: I am trying to identify Huawei and Arris default key spaces. Does anyone have that info?

Had you taken a moment to read this thread you would have found ATTXXXXXXX-[0-9a-z+][len12] on the very first page in the very first post. (Yes, ATTXXXXXXX is manufactured by Arris.) Had you read a bit further, you would have discovered that this keyspace was corrected to "abcdefghijkmnpqrstuvwxyz23456789#%+=?"

It's also been pointed out that Huawei uses [0-9A-F][len6].

But somewhere in one of my own posts I pointed out that you only have to add two octets from the MAC address.

Example:
SSID = DG1670AB2
SSID = DG1670A        B2  <- slide last 2 characters to the right
PSK =  DG1670A  XXXX  B2  <- drop in the 4th and 5th octet of the MAC address
        DG1670AXXXXB2      <- squish it all back together

Newer versions (WIFIxxxxxx) use a 16-character passphrase consisting of A-Z and 1-9 (without 0, o, 8, and b).
Reply
or simply take a look at hcxpsktool:
https://github.com/ZerBea/hcxtools/blob/...ol.c#L1282
It covers several algos (based on analysis of wpa-sec submissions).
Most of them are not covered by RouterKeyGen, because hcxpsktool calculates the entire key space instead of a single hit.
This behavior is wanted for analysis purposes, especially in combination with hcxdumptool attacks on CLIENTs (we don't have the origin MAC AP on this attack vector).
Reply