Keyspace List for WPA on Default Routers
Found another one that works with the Zykgen.... The Zyxel W3-SAP 9676 but with a password length of 16. Some serials have a 'V' as the 5 character, while others don't so probably make two rainbow tables, if that router has your interest.
I'm trying to crack default Wi-Fi key of a Huawei router. I know that the length of the password is 8 characters and it includes numbers, lowercase and uppercase characters. For example:


It would be great if a keygen would exist that could use SSID and MAC address to calculate the password but I guess that is not possible with this newer routers (or is it?).

I tried the basic bruteforce attack with a custom charset of ?l?u?d for all characters and it would take about 60 years for hashcat to go through all combinations.

I guess a rule could be applied to reduce the number of combinations, like:
password needs to have at least 3 of ?l but not over 5
password needs to have at least 2 of ?u but not over 4
password needs to have at least 1 of ?d but not over 2

Or if someone has a better idea it would be great.

Good start! Collect more default passwords to see if there's a pattern (for more rules)
Alternatively, you can try getting your hands on a used modem, open it up, and see if you can get root access via JTAG/UART. Sometimes (Zyxel) the password generator algorithm is still stored on the modem itself. Then you can use that to generate the rainbow tables. Or reverse engineer it and recreate the algo in python or whatever language you prefer.

After doing a bit of math... If you can reduce the keyspace by even 5 letters (e.g. very few vendors use upper case 'O' and number 0, as well as upper case 'I' and 1. etc) you can cut that time in half. If money is no object and the 4090ti is going to be as powerful as rumored, buy 8 of them and you can pop that password in two months!

You can also try doing a hash (MD5,SHA256 etc) on the ESSID, take the modulus of the digest and project that onto the charset. May be you get lucky and it wasn't obfuscated!
(06-26-2022, 07:47 PM)drsnooker Wrote: take the modulus of the digest and project that onto the charset. May be you get lucky and it wasn't obfuscated!

Could you please explain further or show an example?
I'm facing your issue with the 5268AC default keyspace, with sort of a how to guide. Here's the post describing the hash/modulus part.
Plumlulz has converted my Zyxel SBG3500 default keygen to python.
....and Plumlulz has now converted my Telus (Zyxel VSG1432) algo. ESSID is TELUSXXXX
anyone have the default keyspace for ZTE routers?
  • ZTE ZXHN F660
  • ZTE ZXHN F670
  • ZTE ZXHN F680
Does anyone have the default passwords for the router from UPC - Compal CH7465LG ? I was able to get the following from the internet:

SSID: UPC8980902 - Compal CH7465LG
PASS: msyrmHuhlfh2 - ?l?l?l?l?l?u?l?l?l?l?l?d
SSID: UPC21D5DCC - Compal CH7465LG
PASS: bYG2durnbhmz - ?l?u?u?d?l?l?l?l?l?l?l?l
SSID: UPC9448047 - Compal CH7465LG
PASS: xzc2vfAwwh6b - ?l?l?l?d?l?l?u?l?l?l?d?l
SSID: UPC4891752 - Compal CH7465LG
PASS: rJ3ksdcZsa7s - ?l?u?d?l?l?l?l?u?l?l?d?l
SSID: UPCD8499E6 - Compal CH7465LG
PASS: ej7B4fnuyMmh - ?l?l?d?u?d?l?l?l?l?u?l?l
SSID: UPC7457314 - Compal CH7465LG
PASS: z2bkuGtdttjh - ?l?d?l?l?l?u?l?l?l?l?l?l
SSID: UPCCD3A834 - Compal CH7465LG
PASS: v5Akhmhrspby - ?l?d?u?l?l?l?l?l?l?l?l?l
SSID: UPC5989917 - Compal CH7465LG
PASS: Fy2suz6zccwh - ?u?l?d?l?l?l?d?l?l?l?l?l
SSID: UPCE653D35 - Compal CH7465LG
PASS: tx8jfwbwnaTZ - ?l?l?d?l?l?l?l?l?l?l?u?u

I will be grateful for any further examples!
If someone is able to decode the password algorithm, that would be brilliant!
Do you have default keyspace for ZTE routers - ZXHN F680?