Keyspace List for WPA on Default Routers
This kinda belongs in this thread...
CGM4140COM routers have a default password that doesn't quite fit in the hybrid mode or the combinator mode

wordlist ?d?d?d?d wordlist

Any suggestions how to tackle this one? Do we need an -a 8?
$ cat noun | awk 'length($0)==6' > w6
$ cat noun | awk 'length($0)==5' > w5

Code:
#include <stdio.h>
#include <stdlib.h>

/* Emit every zero-padded 4-digit string 0000..9999, one per line,
 * for use as the middle list of combinator3. */
int main(void)
{
    int c;
    for (c = 0; c < 10000; c++) printf("%04d\n", c);
    return EXIT_SUCCESS;
}
$ gcc digit.c -o digit

$ ./digit > digit4
$ combinator3 w5 digit4 w6 | hashcat -m 22000 hash.22000
$ combinator3 w6 digit4 w5 | hashcat -m 22000 hash.22000

Very old model:
https://wpa-sec.stanev.org/?search=XFSETUP
Thanks Zerbea! I manually just modified the large netgear word list with 4 numbers then use a -1...

However, now I need to fill out a bug/anomaly report, because hashcat a -1's dictionaries require a char(10) followed by char(13) or else it thinks the dictionary is empty. All the other dictionaries just need a char(13)
Do you mean this mode, where e.g. w5dg4 = album0001 and w6 = anchor

$ hashcat -a 1 -m 22000 zn.22000 -S w5dg4 w6

Code:
hashcat (v6.2.1-157-g388e0a1c7) starting...
Session..........: hashcat                               
Status...........: Quit
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: zn.22000
Time.Started.....: Sat Jun 12 08:26:52 2021 (2 secs)
Time.Estimated...: Sat Jun 12 09:50:59 2021 (1 hour, 24 mins)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (w5dg4), Left Side
Guess.Mod........: File (w6), Right Side
Speed.#1.........:  488.4 kH/s (5.80ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 0/16 (0.00%) Digests, 0/10 (0.00%) Salts
Progress.........: 688128/2464800000 (0.03%)
Rejected.........: 0/688128 (0.00%)
Restore.Point....: 0/246480000 (0.00%)
Restore.Sub.#1...: Salt:3 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Host Generator + PCIe
Candidates.#1....: album0000absent -> album1451salute
Hardware.Mon.#1..: Temp: 66c Fan: 39% Util: 86% Core:1784MHz Mem:5005MHz Bus:16

I can't confirm the problem you mentioned. 0x0a is enough at the end of the line (the combination 0x0a 0x0d is not mandatory).
Attached is an example part of the lists used above (each line terminated with 0x0a); viewing it with ghex will confirm this:


A look at the source code will confirm this, too,
in superchop_with_length():
https://github.com/hashcat/hashcat/blob/...ing.c#L711
hashcat accepts 0x0a
https://github.com/hashcat/hashcat/blob/...ing.c#L717
as well as 0x0d
https://github.com/hashcat/hashcat/blob/...ing.c#L726

or in in_superchop():
https://github.com/hashcat/hashcat/blob/...ing.c#L681
0x0a:
https://github.com/hashcat/hashcat/blob/...ing.c#L687
0x0d:
https://github.com/hashcat/hashcat/blob/...ing.c#L696
Could be related to the generation of your lists in combination with your OS.

I'm running Arch Linux:
$ uname -r
5.12.10-arch1-1

BTW:
If you're looking for an up-to-date word list that contains real PSKs besides
https://wpa-sec.stanev.org/dict/cracked.txt.gz
please take a look at the daily snapshot of "Download Found Lists" here:
https://hashmob.net/downloads
Code:
Download Found Lists
Last snapshot date: 2021-06-13

If you take a look at "Download Left Lists" at the end of this page, you'll notice that hash mode 22000 is fully supported:
Code:
WPA-PBKDF2-PMKID+EAPOL 1 (22000)

We can assume that findings from the "WPA-PBKDF2-PMKID+EAPOL" hash list will be stored in the Daily Found List. So this list will contain real PSKs (from WiFi), too.
I'm running windows 10 x64

separators that work
char(10)
char(10)+char(13)
char(13)+char(10)

separator that doesn't work:
char(13)

Interesting that for -a 1
you get an error message
xxxxx.txt: empty file

but for generic dictionary attack
It just shows:
Guess Queue 1/1 

so if you run dictionaries in batch mode, you don't even notice that it didn't use the dictionary
Thanks for your detailed explanation. I can confirm that on Linux, too, if:
w5 is a txt file where 0x0a is replaced by 0x0d

$ hashcat -a 1 -m 22000 zn.22000 -S w5 dg4w6
hashcat (v6.2.1-171-g3ee77aa58) starting...

Dictionary cache built:
* Filename..: w5
* Passwords.: 1
* Bytes.....: 421
* Keyspace..: 0
* Runtime...: 0 secs

w5: empty file.

Started: Sun Jun 13 23:31:25 2021
Stopped: Sun Jun 13 23:31:26 2021

Using a single 0x0d to terminate a line is a very old standard used by ancient systems, e.g.:
Commodore 8-bit machines (C64, C128), Acorn BBC, ZX Spectrum, TRS-80, Apple II series, Oberon, the classic Mac OS, MIT Lisp Machine and OS-9
None of my Linux tools (e.g. Geany) does this (unless I replace 0x0a by 0x0d using GHEX, awk, sed, ...).

A good explanation of the standard/behavior is here:
https://superuser.com/questions/374028/h...nd-windows
and, of course, here:
https://en.wikipedia.org/wiki/CRLF
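The terminator behaviour established in the last two posts (0x0a, 0x0a+0x0d and 0x0d+0x0a are read, a lone 0x0d is not), as an added example that is not code from the thread: a small Python checker that inspects a wordlist's raw bytes before it is handed to hashcat, so a lone-0x0d file is caught instead of being silently skipped in batch mode. The `lines_seen` model (split on 0x0a only, strip an adjacent 0x0d) is an assumption derived from the posts, not hashcat's actual parser, and the sample lists are constructed.

```python
from collections import Counter

# Constructed sample lists, one per terminator convention seen in the thread.
WORDS = [b"album", b"anvil", b"basil"]
SAMPLE_LF = b"\x0a".join(WORDS) + b"\x0a"
SAMPLE_CRLF = b"\x0d\x0a".join(WORDS) + b"\x0d\x0a"
SAMPLE_LFCR = b"\x0a\x0d".join(WORDS) + b"\x0a\x0d"
SAMPLE_CR = b"\x0d".join(WORDS) + b"\x0d"  # classic Mac / Commodore style


def terminator_stats(data: bytes) -> dict:
    """Count line terminators by style: LF, CRLF, LFCR or lone CR."""
    counts, i, n = Counter(), 0, len(data)
    while i < n:
        pair = data[i:i + 2]
        if pair == b"\x0d\x0a":
            counts["CRLF"] += 1
            i += 2
        elif pair == b"\x0a\x0d":
            counts["LFCR"] += 1
            i += 2
        elif data[i] == 0x0a:
            counts["LF"] += 1
            i += 1
        elif data[i] == 0x0d:
            counts["CR"] += 1
            i += 1
        else:
            i += 1
    return dict(counts)


def lines_seen(data: bytes) -> list:
    """Assumed model of the reported behaviour: only 0x0a ends a record and a
    0x0d next to it is stripped, so a lone-0x0d file collapses to one record."""
    return [r.strip(b"\x0d") for r in data.split(b"\x0a") if r.strip(b"\x0d")]


def diagnose(data: bytes) -> str:
    """Return an 'ok' summary, or a warning when lone 0x0d terminators exist."""
    stats, records = terminator_stats(data), lines_seen(data)
    if stats.get("CR"):
        return (f"WARNING: {stats['CR']} lone-0x0d terminator(s); reader would see "
                f"{len(records)} record(s) instead of {sum(stats.values())}")
    return f"ok: {len(records)} record(s), terminators {stats}"


if __name__ == "__main__":
    for name, sample in [("LF", SAMPLE_LF), ("CRLF", SAMPLE_CRLF),
                         ("LFCR", SAMPLE_LFCR), ("CR", SAMPLE_CR)]:
        print(f"{name:5} {diagnose(sample)}")
```

Run it against a real list by reading the file with `open(path, "rb").read()` and passing the bytes to `diagnose`.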