Keyspace List for WPA on Default Routers
I collected about 40 PACE 5268AC router serials, mac addresses, SSIDs, and passwords from different sources online. I havent been able to come up with any correlation. Following this thread I thought this might help. I have been trying to figure out where the default passwords are coming from. I will keep working on this there has to be some type of algorithm or something that selects the password, this can not be randomly selected. Using only these characters  23456789 abcdefghijkmnpqrstuvwxyz +=%?#
(11-05-2018, 09:17 AM)ApJack Wrote: I collected about 40 PACE 5268AC router serials, mac addresses, SSIDs, and passwords from different sources online.

If you'd like to share your collection on this forum, I'll add them to my collection. If we ever get enough we might be able to determine a pattern, but this thread is over a year and a half old now, and we're still just guessing.
See also:

ALU/Nokia GPON Admin and WIFI keygen

Hak5 forums Table of WiFi Password Standards (2016)
...and if you don't have the default ESSID (with the 4 xdigits, required by the WIFI keygen),
$ hcxpsktool --digit10
will calculate the whole key space , based on wpa-sec analyses (known SEEDs):

$ hcxpsktool --digit10 | wc
no hashes loaded
7077888 7077888 77856768

Please notice:
The SEED not identical to the 4 xdigits within the ESSID.

If you need to calculate the SEED:

.zip (Size: 806 bytes / Downloads: 1)

$ gcc -o calcseed calcseed.c -l crypto
$ ./calcseed xxxx dddddddd

ssss xxxx dddddddddd

ssss = calculated SEED
xxxx = 4 digit of the ESSID
ddddddddddd = valid PSK
Thank you Royce for re-opening this thread. I came here over a year ago to share some info on ATT routers but the thread had been closed.

Long ago, I tried to explain that ATT's "magic" was in those things I called "keys", the numbers that make up the passwords, and as it turned out, I was right. But nobody was interested in straining their brains when Mr. Fancypants was handing things out for free. He gave you 2,147,483,647 passwords for the NVG-599, and also for the NVG-589, but he made a few mistakes.

So I just wanted to let everyone know that there are actually just over 12,000,000,000 valid passwords (about 165Gb if stored as a file) for each of the NVG-589, the NVG-599, and the 5268AC. If you'd like to find them, and if you're willing to put in the effort, I'll help.
Maybe you're interested in this (not only ATT):

You can reduce the key space, if you assume "N0" within every serial number:
That makes life easier (and faster) to run first tests against some well selected hashes.