Keyspace List for WPA on Default Routers
#11
thanks
Reply
#12
OUI: 38:3B:C8 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of:

a-z
0-9
=
?

Notice: No capital letter in my home router's passphrase. Length is exactly 12 char.
EDIT: Yes, this is the default passphrase. And yes, I have changed it Wink
Reply
#13
a-z = 26 chars
0-9 = 10 chars
=
?

38 chars, len 12. Keyspace is 38^12 = 9,065,737,908,494,995,456

(01-19-2017, 06:38 AM)calexico Wrote: Yes, this is the default passphrase. And yes, I have changed it Wink

Change it back!
Reply
#14
(01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of:

a-z
0-9
=
?

Notice: No capital letter in my home router's passphrase. Length is exactly 12 char.
EDIT: Yes, this is the default passphrase. And yes, I have changed it Wink

Is there a fixed pattern, or are they completely random?
Reply
#15
(01-20-2017, 01:30 PM)miccee Wrote:
(01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of:

a-z
0-9
=
?

Notice: No capital letter in my home router's passphrase. Length is exactly 12 char.
EDIT: Yes, this is the default passphrase. And yes, I have changed it Wink

Is there a fixed pattern, or are they completely random?
Good question. Arriving at the answer is partly why I posted. Since I can provide just one sample, it's too early to discern randomness from order. Honestly, I think the entropy is quite high, both in passwords and in ESSID assignment.
Reply
#16
(01-21-2017, 06:17 AM)calexico Wrote:
(01-20-2017, 01:30 PM)miccee Wrote:
(01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of:

a-z
0-9
=
?

Notice: No capital letter in my home router's passphrase. Length is exactly 12 char.
EDIT: Yes, this is the default passphrase. And yes, I have changed it Wink

Is there a fixed pattern, or are they completely random?
Good question. Arriving at the answer is partly why I posted. Since I can provide just one sample, it's too early to discern randomness from order. Honestly, I think the entropy is quite high, both in passwords and in ESSID assignment.

Can you please post the original passphrase? Does it have any relation to the last 6 characters of ATTXXXXXXX?
Reply
#17
ssid = DG1670AXX
preshared key = DG1670A+[0-9A-F][len6]

Example:
SSID = DG1670AB2
PSK = DG1670A919DB2

keyspace = 16^6 = 16,777,216

edit- I cracked a few more of these and I noticed that the last two characters of the PSK are the same as the last two characters of the SSID.

This takes the keyspace down to 16^4 = 65536
Reply
#18
(02-11-2017, 03:54 AM)duhblow7 Wrote: ssid = DG1670AXX
preshared key = DG1670A+[0-9A-F][len6]

Example:
SSID = DG1670AB2
PSK = DG1670A919DB2

keyspace = 16^6 = 16,777,216

edit- I cracked a few more of these and I noticed that the last two characters of the PSK are the same as the last two characters of the SSID.

This takes the keyspace down to 16^4 = 65536

It seems like it would be worthwhile to build a list of all possible model numbers and then prepare a .hcmask file.

For example:
DG1670A?H?H?H?HB2
TC8715D?H?H?H?HB2

Note that the DG1670A is a Motorola device. The TC8715D is a Technicolor device. Both use the same scheme for their default WPA2 password and both are for use with Time Warner. Both have the last two digits of their default password as the last two digits of their default SSID.

Is this default password scheme being used on several devices that are in use with Time Warner customers?  Maybe.  It seems less likely that two different vendors of modems/routers decided to use the same default password scheme.

This is a quick list of model numbers that I have come up with.  Note that most of these model numbers are Technicolor and just a few are Motorola model numbers.

7300B
C1100T
C2000T
C2100T
CGM423X
DCM425
DCM475
DCM476
DDW36C
DEPC3928
DG1670
DG1670A
DHG757
DPC3941T
DPC3941TV2
DPC3941TV3
DVW32CB
EPC3940
EPC3949
TC4310
TC4300
TC4350
TC4400
TC7110
TC7200
TC7200K
TC7200U
TC7200-U
TC7210DNZ
TC7210-DNZ
TC7230
TC7300
TC8305C
TC8715D
TC8717
TC8717T
TD5130
TD5136
TD5136V2
TD5336
TG1672
TG2000
TG2200AC
TG582N
TG582NO2
TG582NV2
TG587N
TG587NV2
TG587NV3
TG589VN
TG589VNV2
TG589VNV3
TG784N
TG784NV2
TG784NV3
TG788VN
TG788VNV2
TG789BVN
TG789VAC
TG789VNV3
TG797NV3
TG799
TG799VAC
TG799VN
TG799VNV2
TG852N

The only Time Warner devices that are in use (as of this post, February 2017) are:

ARRIS/Motorola CM550A Up to 15Mbps
ARRIS/Motorola CM820A Up to 100Mbps
ARRIS/Motorola DG1670A Up to 300Mbps
ARRIS/Motorola DG860A Up to 100Mbps
ARRIS/Motorola DG950 Up to 100Mbps
ARRIS/Motorola SB5101 Up to 15Mbps
ARRIS/Motorola SB5101N Up to 15Mbps
ARRIS/Motorola SB5101U Up to 15Mbps
ARRIS/Motorola SBG901 Up to 15Mbps
ARRIS/Motorola SBG941 Up to 15Mbps
Cisco DPC3000 Up to 15Mbps
Netgear CG814WGv2 Up to 15Mbps
Netgear CGD24G-100NAS Up to 15Mbps
SMC Networks 8014WG-SI Up to 15Mbps
Technicolor/Thomson/RCA TC4310 Up to 300Mbps
Technicolor/Thomson/RCA TC8715D Up to 300Mbps
UbeeAmbit DDC2700 Up to 15Mbps
UbeeAmbit DDM3521 Up to 100Mbps
UbeeAmbit DDM354 Up to 300Mbps
UbeeAmbit DDW2600 Up to 15Mbps
UbeeAmbit DDW3611 Up to 100Mbps
UbeeAmbit DDW365 Up to 100Mbps
UbeeAmbit DDW36C Up to 300Mbps
UbeeAmbit U10C018 Up to 15Mbps
UbeeAmbit U10C019 Up to 15Mbps
UbeeAmbit U10C020 Up to 15Mbps

Distilled down (only the middle column from above), the Time Warner devices are:

CM550A
CM820A
DG1670A
DG860A
DG950
SB5101
SB5101N
SB5101U
SBG901
SBG941
DPC3000
CG814WGv2
CGD24G-100NAS
8014WG-SI
TC4310
TC8715D
DDC2700
DDM3521
DDM354
DDW2600
DDW3611
DDW365
DDW36C
U10C018
U10C019
U10C020

The above list comes from https://www.timewarnercable.com/content/...modems.pdf
Reply
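An added example, not part of any post in this thread: a Python audit check a router owner can run against their own SSID/PSK pair to see whether it still follows one of the default schemes reported in posts #12, #13, #17 and #18, and how small the resulting keyspace is. The function names and the 2WIRE sample PSK are constructed for illustration; the patterns and model prefixes are the ones quoted in the thread.

```python
import math
import re

HEX = "0-9A-F"
# Model prefixes named in the thread as sharing the same default scheme.
MODEL_PREFIXES = ("DG1670A", "TC8715D")
# Charset reported for the 2WIRE default: a-z, 0-9, '=' and '?', length 12.
TWOWIRE_RE = re.compile(r"[a-z0-9=?]{12}")


def bits(keyspace):
    """Effective entropy, in bits, of a key drawn uniformly from keyspace."""
    return math.log2(keyspace)


def audit_psk(ssid, psk):
    """Classify a PSK against the default schemes described in the thread.

    Returns (verdict, keyspace). keyspace is the number of candidates left
    for someone who knows the SSID and the scheme; None if nothing matches.
    """
    for model in MODEL_PREFIXES:
        m = re.fullmatch(rf"{model}([{HEX}]{{2}})", ssid)
        if not m:
            continue
        if re.fullmatch(rf"{model}[{HEX}]{{6}}", psk):
            if psk.endswith(m.group(1)):
                # Last two PSK characters repeat the SSID suffix (post #17).
                return ("default, suffix tied to SSID", 16 ** 4)
            return ("default-shaped", 16 ** 6)
    if ssid.startswith("ATT") and TWOWIRE_RE.fullmatch(psk):
        return ("consistent with 2WIRE default charset", 38 ** 12)
    return ("no known default scheme", None)


if __name__ == "__main__":
    samples = [
        ("DG1670AB2", "DG1670A919DB2"),         # example pair from post #17
        ("ATTXXXXXXX", "abc123=?xyz9"),         # constructed 12-char sample
        ("DG1670AB2", "long unrelated phrase"),  # constructed: owner changed it
    ]
    for ssid, psk in samples:
        verdict, ks = audit_psk(ssid, psk)
        size = f"{ks:,} (~{bits(ks):.1f} bits)" if ks else "n/a"
        print(f"{ssid}: {verdict}; keyspace {size}")
```

A verdict other than "no known default scheme" means the PSK should be replaced with a long passphrase that has no relation to the SSID or model number.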
#19
(01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of:

a-z
0-9
=
?

Notice: No capital letter in my home router's passphrase. Length is exactly 12 char.
EDIT: Yes, this is the default passphrase. And yes, I have changed it Wink

Whoa, quite by accident, discovered another one:
OUI: F8:2C:18 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of:

a-z
0-9
=
?

--> Which is the same as my home 2WIRE device.
Observe: regular and consistent use of special chars: "=" and "?"
Which somewhat reduces the entropy, insofar as 2 samples could help do so...
Reply
#20
(03-04-2017, 05:42 PM)calexico Wrote:
(01-19-2017, 06:38 AM)calexico Wrote: OUI: 38:3B:C8 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of:

a-z
0-9
=
?

Notice: No capital letter in my home router's passphrase. Length is exactly 12 char.
EDIT: Yes, this is the default passphrase. And yes, I have changed it Wink

Whoa, quite by accident, discovered another one:
OUI: F8:2C:18 = 2WIRE
ESSID: ATTXXXXXXX
Passphrase consists of:

a-z
0-9
=
?

--> Which is the same as my home 2WIRE device.
Observe: regular and consistent use of special chars: "=" and "?"
Which somewhat reduces the entropy, insofar as 2 samples could help do so...

Any specific pattern in both of these passphrases? e.g. ?l?d?l?l?d etc.
Reply