Keyspace List for WPA on Default Routers
Finished the full conversion and simplification of the default Wi-Fi password generators for the ZyXEL VMG3312 (based on GPUhash_me on hashkiller) as well as the Zyxel VMG8823 (VMG8825, VMG4825, VMG3925, others???) from Lucio Corsa's Zykgen to Matlab. Plum on Hashkiller has converted the second one to python3!

Either way, it now allows me to make rainbow tables for those modems. However, the goal was to try and modify them to the Videotron charset, and there I sadly struck out. That's got to be another algo...

One thing these two algos have in common is that they start with an MD5 of the serial number, then do some string manipulations (insertions, add-ons) of the lower-case hex hash, before doing another MD5 of the resulting string.
The password is based on the second MD5, with some creative math, or is just pulled from the middle of the hex hash.

There's really no guessing what these manipulations are, unless you have the algo pulled from the firmware. So there is little hope of discovering this from the stickers.
Reply
Found another one that works with the Zykgen.... The Zyxel W3-SAP 9676, but with a password length of 16. Some serials have a 'V' as the 5th character, while others don't, so probably make two rainbow tables, if that router has your interest.
Reply
I'm trying to crack the default Wi-Fi key of a Huawei router. I know that the length of the password is 8 characters and that it includes numbers, lowercase and uppercase characters. For example:

tSya7yQj
8po4eDUU

It would be great if a keygen existed that could use the SSID and MAC address to calculate the password, but I guess that is not possible with these newer routers (or is it?).

I tried the basic brute-force attack with a custom charset of ?l?u?d for all characters, and it would take about 60 years for hashcat to go through all combinations.

I guess a rule could be applied to reduce the number of combinations, like:
the password needs to have at least 3 of ?l but not over 5
the password needs to have at least 2 of ?u but not over 4
the password needs to have at least 1 of ?d but not over 2

Or if someone has a better idea, that would be great.

Tnx
Reply
Good start! Collect more default passwords to see if there's a pattern (for more rules).
Alternatively, you can try getting your hands on a used modem, open it up, and see if you can get root access via JTAG/UART. Sometimes (Zyxel) the password generator algorithm is still stored on the modem itself. Then you can use that to generate the rainbow tables. Or reverse engineer it and recreate the algo in Python or whatever language you prefer.

After doing a bit of math... If you can reduce the keyspace by even 5 letters (e.g. very few vendors use upper-case 'O' and the number 0, as well as upper-case 'I' and 1, etc.) you can cut that time in half. If money is no object and the 4090ti is going to be as powerful as rumored, buy 8 of them and you can pop that password in two months!

You can also try doing a hash (MD5, SHA256, etc.) on the ESSID, take the modulus of the digest and project that onto the charset. Maybe you get lucky and it wasn't obfuscated!
Reply
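To make the "hash the ESSID, take the modulus of the digest, project it onto the charset" idea concrete, and to put numbers on the keyspace discussion above, here is an added Python example; it is not code from this thread, from PlumLulz, or from any vendor. The derivation function is a hypothetical illustration of that scheme, not a real router's algorithm, and the rule counter uses the 3-5 / 2-4 / 1-2 ?l?u?d limits proposed above.

```python
import hashlib
from math import factorial, log2

# hashcat's ?l?u?d: 26 + 26 + 10 = 62 symbols, 8 characters long
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
PASSWORD_LEN = 8
FULL_KEYSPACE = len(CHARSET) ** PASSWORD_LEN  # 62**8


def project_digest(identifier: str, length: int = PASSWORD_LEN) -> str:
    """Hypothetical derivation (not any vendor's real algorithm): hash the
    broadcast identifier (ESSID or MAC), treat the digest as one integer and
    take repeated moduli to pick charset symbols. It is deterministic, so the
    key has only as much entropy as the identifier it was derived from."""
    n = int.from_bytes(hashlib.md5(identifier.encode()).digest(), "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def identifier_keyspace(digits: int) -> int:
    """Distinct keys a scheme like the above can yield for an ESSID such as
    TELUSXXXX with `digits` decimal digits: one key per identifier."""
    return 10 ** digits


def rule_constrained_count(length: int = PASSWORD_LEN) -> int:
    """Count ?l?u?d passwords satisfying the rule proposed in the thread:
    3..5 lowercase, 2..4 uppercase, 1..2 digits. Each (l, u, d) split
    contributes multinomial(length; l, u, d) * 26**l * 26**u * 10**d."""
    total = 0
    for n_l in range(3, 6):            # lowercase count
        for n_u in range(2, 5):        # uppercase count
            n_d = length - n_l - n_u   # digits are whatever is left
            if 1 <= n_d <= 2:
                ways = factorial(length) // (factorial(n_l) * factorial(n_u) * factorial(n_d))
                total += ways * 26 ** n_l * 26 ** n_u * 10 ** n_d
    return total


if __name__ == "__main__":
    # Constructed sample identifier, not a real network
    print("derived key:", project_digest("TELUS1234"))
    print(f"apparent keyspace: {FULL_KEYSPACE:,} ({PASSWORD_LEN * log2(62):.1f} bits)")
    print(f"rule-constrained: {rule_constrained_count():,} "
          f"({rule_constrained_count() / FULL_KEYSPACE:.1%} of full)")
    print(f"identifier-derived: {identifier_keyspace(4):,} ({log2(identifier_keyspace(4)):.1f} bits)")
```

The rule trims the 62^8 space to about 41%, but a key that is a function of a 4-digit ESSID has only about 13 bits of entropy however random it looks, which is why such defaults should be replaced on deployment.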
(06-26-2022, 07:47 PM)drsnooker Wrote: take the modulus of the digest and project that onto the charset. Maybe you get lucky and it wasn't obfuscated!

Could you please explain further or show an example?
Reply
I'm facing your issue with the 5268AC default keyspace, with sort of a how-to guide. Here's the post describing the hash/modulus part.
Reply
Plumlulz has converted my Zyxel SBG3500 default keygen to python.
https://github.com/PlumLulz/sbg3500py
Reply
....and Plumlulz has now converted my Telus (Zyxel VSG1432) algo. ESSID is TELUSXXXX
https://github.com/PlumLulz/teluspy
Reply
...and now even the Videotron default password has fallen. (So people can stop asking about it, LOL.)
Here's a nice table of all the different Zyxel models for which there are default key generators.
[Image: xaDAaov.jpg]
See PlumLulz github for details!
Reply