Keyspace List for WPA on Default Routers
$ cat noun | awk 'length($0)==6' > w6
$ cat noun | awk 'length($0)==5' > w5

Code:
#include <stdio.h>
#include <stdlib.h>

int main()
{
int c;
for(c = 0; c < 10000; c++) printf("%04d\n", c);
return EXIT_SUCCESS;
}
$ gcc digit.c -o digit

$ ./digit > digit4
$ combinator3 w5 digit4 w6 | hashcat -m 22000 hash.22000
$ combinator3 w6 digit4 w5 | hashcat -m 22000 hash.22000

Very old model:
https://wpa-sec.stanev.org/?search=XFSETUP
Reply
Thanks Zerbea! I manually just modified the large netgear word list with 4 numbers then use a -1...

However, now I need to fill out a bug/anomaly report, because hashcat a -1's dictionaries require a char(10) followed by char(13) or else it thinks the dictionary is empty. All the other dictionaries just need a char(13)
Reply
Do you mean this mode, where e.g. w5dg4 = album0001 and w6 = anchor

$ hashcat -a 1 -m 22000 zn.22000 -S w5dg4 w6

Code:
hashcat (v6.2.1-157-g388e0a1c7) starting...
Session..........: hashcat                               
Status...........: Quit
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: zn.22000
Time.Started.....: Sat Jun 12 08:26:52 2021 (2 secs)
Time.Estimated...: Sat Jun 12 09:50:59 2021 (1 hour, 24 mins)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (w5dg4), Left Side
Guess.Mod........: File (w6), Right Side
Speed.#1.........:  488.4 kH/s (5.80ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 0/16 (0.00%) Digests, 0/10 (0.00%) Salts
Progress.........: 688128/2464800000 (0.03%)
Rejected.........: 0/688128 (0.00%)
Restore.Point....: 0/246480000 (0.00%)
Restore.Sub.#1...: Salt:3 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Host Generator + PCIe
Candidates.#1....: album0000absent -> album1451salute
Hardware.Mon.#1..: Temp: 66c Fan: 39% Util: 86% Core:1784MHz Mem:5005MHz Bus:16

I can't confirm the problem, you mentioned. 0x0a is enough at the end of the line (combination of 0x0a 0x0d is not mandatory).
Attached example part of the lists (each line terminated with 0x0a) used above - viewing it, running ghex will confirm this:

.zip   example.zip (Size: 462 bytes / Downloads: 0)

A look at the source code will confirm this, too,
in superchop_with_length():
https://github.com/hashcat/hashcat/blob/...ing.c#L711
hashcat accept 0x0a
https://github.com/hashcat/hashcat/blob/...ing.c#L717
as well as 0x0d
https://github.com/hashcat/hashcat/blob/...ing.c#L726

or in in_superchop():
https://github.com/hashcat/hashcat/blob/...ing.c#L681
0x0a:
https://github.com/hashcat/hashcat/blob/...ing.c#L687
0x0d:
https://github.com/hashcat/hashcat/blob/...ing.c#L696
Reply
Could be related to the generation of your lists in combination with your OS.

I'm running Arch Linux:
$ uname -r
5.12.10-arch1-1

BTW:
If you're looking for an up-to-date word list that contain real PSKs beside
https://wpa-sec.stanev.org/dict/cracked.txt.gz
please take a look at the daily snapshot of "Download Found Lists" here:
https://hashmob.net/downloads
Code:
Download Found Lists
Last snapshot date: 2021-06-13

If you take a look at "Download Left Lists" at the end of this page, you'll notice that hash mode 22000 is full supported:
Code:
WPA-PBKDF2-PMKID+EAPOL 1 (22000)

We can assume that findings of "WPA-PBKDF2-PMKID+EAPOL" hash list will be stored to the Daily Found List. So this list will contain real PSKs (from WiFi), too.
Reply
I'm running windows 10 x64

separators that work
char(10)
char(10)+char(13)
char(13)+char(10)

separator that doesn't work:
char(13)

Interesting that for -a 1
you get an error message
xxxxx.txt: empty file

but for generic dictionary attack
It just shows:
Guess Queue 1/1 

so if you run dictionaries in batch mode, you don't even notice that it didn't use the dictionary
Reply
Thanks for your detailed explanation. I can confirm that on Linux, too if:
w5 is a txt file where 0x0a is replaced by 0x0d

$ hashcat -a 1 -m 22000 zn.22000 -S w5 dg4w6
hashcat (v6.2.1-171-g3ee77aa58) starting...

Dictionary cache built:
* Filename..: w5
* Passwords.: 1
* Bytes.....: 421
* Keyspace..: 0
* Runtime...: 0 secs

w5: empty file.

Started: Sun Jun 13 23:31:25 2021
Stopped: Sun Jun 13 23:31:26 2021

Using a single 0x0d to terminate a line is a very old standard used by ancient systems, e.g.:
Commodore 8-bit machines (C64, C128), Acorn BBC, ZX Spectrum, TRS-80, Apple II series, Oberon, the classic Mac OS, MIT Lisp Machine and OS-9
None of my Linux tools (e.g. Geany) is doing this (except I replace 0x0a by 0x0d using GHEX, awk, sed, ...).

A good explanation of the standard/behavior is here:
https://superuser.com/questions/374028/h...nd-windows
and, of course, here:
https://en.wikipedia.org/wiki/CRLF
Reply
(08-23-2021, 06:11 PM)scriptkiddy Wrote: There is a company in india called Jio. Can you provide deafault pass of JioFiber routers??
It will be very helpful.

Might want to check out ebay for what their default passwords look like. Then see if you can find a pattern!

<edit add-on>
Not much on ebay, but some on Facebook marketplace. It's 10 characters: lower case and numbers mixed together. You might want to try some things like SHA1 or MD5 on the serial and then mod 36 on each byte to see if that gets you something. Not particularly likely, but worth a shot. Probably have to brute force these...
Reply
https://packetstormsecurity.com/files/16...2-5701.txt

"The password is generated using the last 4 values from device's MAC address which is disclosed on the main webUI login page to an unauthenticated attacker. The values are then concatenated with the string 'LTEFemto' resulting in something like 'LTEFemtoD080' as the default Admin password."
~
Reply
Found some Zyxel related default keyspace materials:


Luc10 on github has Zykgen generator for the Zyxel VMG8823 from various forum entries here. Mostly used in Italy though.

The French Canadian Videotron (Zyxel EMG2926) looks very similar to the cosmopolitan in Zykgen, with a few subsitutions in the charset. Somebody with a vested interest might have time to close the loop on this one.
Code:
Password      ESSID         SN            MAC
4AXCF9CAT7XV3 VIDEOTRON9364 S160A13009364 04BF6D5A2DCB
UNXPKKXRA7HTU VIDEOTRON3104 S160A24003104 04BF6D5D2D3B
K3TMPK7943UWY VIDEOTRON8694 S160A24008694 04BF6D5D8493
UUTUV43THA943 VIDEOTRON1586 S160A22001586 04BF6D5C77DB
74H44P4E33PHV VIDEOTRON4323 S180A32004323 BC9911F89A9F
PVUNMJKKWNHUK VIDEOTRON0296 S160A40000296 603197FC773B
RPFNX4MYHK7A4 VIDEOTRON0137 S140A36000137 5CF4ABAAF5C3
U7KC4ENX34C4K VIDEOTRON0558 S140A09000558 FCF528D395AB
3FKNJ343JVN94 VIDEOTRON4708 S170A02004708 B8ECA32FC98B
EUK44VH3RY749 VIDEOTRON4122 S170A02004122 B8ECA3303FE3
V9MW          VIDEOTRON6220 S170A08006220 B8ECA332A4AB
XJK7M3M4PNYPY VIDEOTRON0627               A0E4CBFB7590
7XC37U33X3RX3
Reply
Finished the full conversion and simplification of the default WIFI password generators for the ZyXEL VMG3312 (based on GPUhash_me on hashkiller) as well as the Zyxel VMG8823 (VMG8825, VMG4825, VMG3925, others???)  from Lucio Corsa's Zykgen, to Matlab. Plum on Hashkiller has converted the second one to python3!

Either way, it now allows me to make rainbow tables for those modems. However, the goal was to try and modify them to the videotron charset and there I sadly struck out. That's got to be another algo...

One thing these two algos have in common is that it starts with an MD5 of the serial number, then does some string manipulations (insertions, addons) of the lower case hex-hash, before doing another MD5 of the resulting string.
The password is based on the second MD5, with some creative math or just pulled from the middle of the hex-hash.

There's really no guessing what these manipulations are, unless you have the algo pulled from the firmware. So little hope on discovering this from the stickers.
Reply