
sil3nce

Posts posted by sil3nce

  1. You could take a look at the chips they use to implement the technology, see if you can find flaws in the implementation of the networking stack. After all, to get a protocol going there needs to be an exchange of information, so try to fiddle with the bits in your packets and see if the router responds in a peculiar way to them.

    In other words, don't attack the standard WPA-PSK algorithms but instead go for the blocks it has been built upon.

    I'm sure you're right, but I'm still too noobie to know exactly what I would do to probe. If I can't crack the WPA algorithm it seems like the router wouldn't communicate. I imagine there is something I'm missing. I won't ask for a tutorial :P but maybe a tip on where to direct my research. Looking at the chip set for vulnerabilities. But how do I probe? Wireshark would just watch, right? Nmap, ping, netcat, etc can't communicate unless I'm connected, right? Or is the approach from the public side?

  2. OH I understand now! So essentially all routers from the ISP broadcast to the public and create a public wifi network that anyone can access? Right? If so, that's fantastic! There is nothing worse than needing wifi and having no open networks anywhere nearby.

    You're right. The remote management never needs to be active. Unless, I suppose, I need to fix my grandmother's wireless from China :P.

    Were I you, I would be very interested in the holes made available by this extra "cloud". But I'm still not sold that a crappy 15RMB router is unhackable. But I'm wondering if the only access is through a social hole. Either a trojan or physical access. My goal is to access this router without either. Especially since social engineering is rather silly when I'm attacking myself...

  3. And I assumed that since the router has one internet-facing side and one lan-facing side, the management service would be active only on the lan-facing side...

    What I'm interested in is the routers they have here where there's a small amount of bandwidth allotted for other customers of the same ISP that would allow them to use that small amount to do their internetting via YOUR router. It's all perfectly legit, but now there's effectively two lan-facing sides and what I wonder is if the second lan-facing side is in fact unable to connect to the management service...

    So if I understand this correctly, you can connect to your own router remotely and use the bandwidth through there? Like a VPN? Don't you need a net connection to get to your router? I'm from the US, living in China, and I'm not familiar with that. Unless I'm just not quite sure what you're talking about. :P

    I'll try accessing the router via the external IP when I have a chance, but if I cannot access the management and I can't brute force my way in by capturing IVs then what other options are there? I mean it's a super cheap junkie router. It can't be unhackable. It seems too easy for the management menu to be accessible from the outside, when the remote management is off by default.
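
The check the last two posts circle around, as an added example that is not part of the thread: from a host that is not on the LAN, probe the router's WAN address for the ports a consumer router's management plane usually sits on and, where one answers, read the HTTP status line and the Server / WWW-Authenticate headers that identify an admin panel. The port list is an assumption, and the `_FakeAdminPanel` listener is a constructed stand-in so the script runs offline against loopback; substitute your own WAN IP for a real check.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Ports a consumer router's management plane commonly listens on (assumption;
# extend it with whatever your vendor documents for your model).
MANAGEMENT_PORTS = (22, 23, 80, 443, 8080, 8443)


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect probe: 'open', 'closed' (RST received) or 'filtered' (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except OSError:            # socket.timeout, EHOSTUNREACH, ...
            return "filtered"
        return "open"


def http_fingerprint(host: str, port: int, timeout: float = 2.0) -> Optional[Dict[str, str]]:
    """Send a minimal HTTP/1.0 request and return the status line plus the headers
    that usually identify an admin panel (Server, WWW-Authenticate).
    Returns None when the port does not speak plain HTTP (e.g. TLS or SSH)."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        return None
    info = {"status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("server", "www-authenticate"):
            info[name.strip().lower()] = value.strip()
    return info


def survey(host: str, ports=MANAGEMENT_PORTS, timeout: float = 2.0) -> Dict[int, Dict[str, str]]:
    """Probe each port; for the open ones, try to fingerprint an HTTP admin panel."""
    result = {}
    for port in ports:
        entry = {"state": probe_port(host, port, timeout)}
        if entry["state"] == "open":
            entry.update(http_fingerprint(host, port, timeout) or {})
        result[port] = entry
    return result


# --- constructed offline target: a stand-in for an exposed admin panel -------

class _FakeAdminPanel(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response_only(401)
        self.send_header("Server", "RouterWebServer")              # constructed banner
        self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):      # keep the demo quiet
        pass


def start_fake_panel() -> Tuple[str, int]:
    """Start the stand-in admin panel on a loopback port and return (host, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeAdminPanel)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[0], server.server_address[1]


def unused_port() -> int:
    """A loopback port nothing listens on (the 'closed' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host, port = start_fake_panel()
    print(survey(host, (port, unused_port())))
```

Run it only against an address you own. With remote management off, as the thread describes, every WAN-side port should come back "filtered" or "closed"; a 401 with a Basic realm is the admin panel answering from the public side. If your ISP puts you behind carrier-grade NAT, the "WAN IP" shown on the router's status page is not reachable from the internet at all, and the probe tells you nothing about the router.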

  4. I was afraid that would be the answer. It would be really cheap to replace it with a router I know the password to, because it's my router :P :P :P However, these routers are as common as flies, so if I wanted to get into someone else's, that would be a very clever and 007 kind of solution.

    I once tried to use crunch to compute a wordlist with all possible WiFi passwords.

    It came to around 1.5 petabytes.
    Simply, it's not worth it.
    It's easier to hack the admin panel of the router remotely and try to extract the wifi password from there.

    I'm very interested in this. I've never thought about hacking the admin panel when I wasn't already connected. How would I go about doing that? If I'm not connected then I can't just enter the gateway via http. I don't necessarily need a tutorial, but maybe a few bread crumbs to follow :P

    Thanks guys!!!!

  5. So I know that the router generates random passwords in this structure:

    xxxx-xxxx-xxxx

    It uses all lowercase alphanumerics and includes the dashes, but no other special characters. I've been reading about generating rainbow tables, but all the options include too much, or won't allow me to generate 12 character long passwords. But I don't know if I totally understand the process yet, I'm still reading.

    Does anyone know a good way of generating either plaintext dictionary or rainbow tables that fit this specific format only? I want to create a dictionary that includes all possible combinations for this format. Correct me if I'm wrong, but there should be:

    62^12 = 3,226,266,762,397,899,821,056 possible combinations?

    This is for my personal TP-Link router that I bought. Noticed this default password formatting and want to see if I can generate a customized table for it.

    Really appreciate any advice or input. :happy:
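
Sizing the keyspace the last post asks about, and the wordlist the quoted crunch run in the earlier post would produce, as an added example that is not part of the thread. The count depends on the alphabet: a position drawn from lowercase letters and digits has 36 values, one that also allows uppercase has 62, and the two dashes are fixed, so the exponent is 12 either way but the base is set by the character class. The mask syntax (`?l`, `?d`, `?a`) is an assumption modelled on hashcat-style masks, and the guess rate used for the time estimate is a constructed figure to replace with your own benchmark. The `wpa2_pmk` function shows what a precomputed table entry actually is for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1 with the SSID as salt, which is why such a table only serves one SSID.

```python
import hashlib
import itertools
import math
import string
import sys
from typing import Iterator, List

# Mask syntax (assumption, modelled on hashcat-style masks): ?l lowercase,
# ?d digits, ?a lowercase + digits; any other character is a literal.
CLASSES = {
    "l": string.ascii_lowercase,
    "d": string.digits,
    "a": string.ascii_lowercase + string.digits,
}

# The format described in the post: three dash-separated groups of four.
POST_MASK = "?a?a?a?a-?a?a?a?a-?a?a?a?a"


def parse_mask(mask: str) -> List[str]:
    """Expand a mask into one alphabet string per output position."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CLASSES:
            positions.append(CLASSES[mask[i + 1]])
            i += 2
        else:
            positions.append(mask[i])        # literal such as '-'
            i += 1
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask generates: product of the alphabet sizes."""
    return math.prod(len(p) for p in parse_mask(mask))


def wordlist_bytes(mask: str) -> int:
    """Size of the plaintext wordlist on disk: every candidate plus a newline."""
    return keyspace(mask) * (len(parse_mask(mask)) + 1)


def years_to_exhaust(mask: str, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a given guess rate."""
    return keyspace(mask) / guesses_per_second / (365.25 * 24 * 3600)


def candidates(mask: str) -> Iterator[str]:
    """Stream candidates instead of materialising them (pipe into a cracker)."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 256 bits.
    The SSID salt is why a precomputed (rainbow) table is only good for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    mask = sys.argv[1] if len(sys.argv) > 1 else POST_MASK
    rate = 1_000_000   # guesses/s: constructed figure, substitute your own benchmark
    print(f"keyspace     : {keyspace(mask):,}")
    print(f"wordlist size: {wordlist_bytes(mask) / 1e18:.1f} EB")
    print(f"exhaust time : {years_to_exhaust(mask, rate):,.0f} years at {rate:,} guesses/s")
    if keyspace(mask) <= 1_000_000:      # only stream small masks to stdout
        for cand in candidates(mask):
            print(cand)
```

For the post's format with a 36-character alphabet the keyspace is 36^12, about 4.7 x 10^18 candidates, and a plaintext wordlist would be fifteen bytes per line, around 71 exabytes; at a million WPA guesses per second exhausting it takes on the order of 150,000 years. Streaming candidates straight into the cracker avoids writing the list at all, but it does not change the arithmetic, which is the point the quoted post was making.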
