This topic is now archived and is closed to further replies.

haze1434

Table of WiFi Password Standards

Hopefully some of you will find this table useful for (legally and ethically) pentesting WiFi routers.

Please note that the figures shown in the far right column 'Time' are based on a Palit GTX 970 using oclHashCat. You will need to do your own maths for this, but it gives you a good idea of average crack times for a fairly standard £300 / $500 GPU.

For WPA2 with the GTX 970, my benchmarks with hashcat are;

  • 13,774,031,184 password hashes per day
  • 573,917,966 per hour
  • 9,565,299 per minute
  • 159,421 per second

Anything marked as 'Never' and red will take more than a year to crack.

Anything green is less than 1 week.

Anything amber is unknown or will require a word list. For EE/Brightbox wordlist details, see here (appears to have been taken down. Google cache search.) For NETGEAR details, see here.

 

Obviously most of you will find the SSID / Password Format / Length columns the most useful. Good info!

 

| SSID | Length | Password Format | Combinations | Time |
|---|---|---|---|---|
| 2WIREXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| 3MobileWiFi | 8 | 0-9 a-z | 2,821,109,907,456 | 7 mth |
| 3Wireless-Modem-XXXX | 8 | 0-9 A-F (The first 4 digits are the same as the 4 digits on the SSID!) | 65,536 | 1 sec |
| Alice_XXXXXXXX | 24 | 0-9 a-z | 22,452,257,707,354,557,240,087,211,123,792,674,816 | Never |
| AOLBB-XXXXXX | 8 | 0-9 A-Z | 2,821,109,907,456 | 7 mth |
| ATT### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| ATTxxxx 0000 | 10 | 0-9 A-Z | 3,656,158,440,062,976 | Never |
| ATTxxxxxxx | 12 | a-z + symbols | 1,449,225,352,009,601,191,936 | Never |
| belkin.xxx | 8 | 2-9 a-f | 1,475,789,056 | 2.5 hrs |
| belkin.xxxx | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| Belkin.XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| Belkin_XXXXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| BigPondXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| BOLT!SUPER 4G-XXXX | 8 | 4 numbers + Last 4 of SSID | 65,536 | 1 sec |
| BrightBox-XXXXXX | - | 3 words, with hyphens in-between. Lengths 3-4-5 or any combination. | | Need dict. |
| BTHomeHub(1)-XXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| BTHomeHub2-XXXX | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub3 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub4 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub5 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub6 | 10, 12 | 0-9 a-z A-Z | 100,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 | Never |
| CenturyLinkXXXX | 14 | 0-9 a-f | 72,057,594,037,927,936 | Never |
| Cisco | 26 | 0-9 a-f | 43,608,742,899,428,874,059,776 | Never |
| Digicom_XXXX | 8 | 0-9 A-Z | 2,821,109,907,456 | 7 mth |
| DJAWEB_##### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Domino-XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| E583x-xxxx | 8 | 0-9 | 10,000,000 | 1 min |
| E583x-xxxxx | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| EasyBox 904 LTE | 9 | 0-9 a-z A-Z | 13,537,086,546,263,552 | Never |
| EasyBox-###### | 9 | 0-9 A-F | 68,719,476,736 | 5 days |
| EEBrightBox-XXXXXX | - | 3 words, with hyphens in-between. Lengths 3-4-5 or any combination. | | Need dict. |
| FRITZ!Box Fon WLAN #### | 16 | 0-9 | 10,000,000,000,000,000 | Never |
| FrontierXXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Hitron | 12 | 0-9 A-Z (sometimes use the device’s serial number as the default key!) | 4,738,381,338,321,616,896 | Never |
| INFINITUM#### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| iPhone 5 | ? | Lowercase word plus 4 numbers | 172000^65,536 | Need dict. |
| Keenetic-XXXX | 8 | 0-9 a-z A-Z | 218,340,105,584,896 | Never |
| Linkem_XXXXXX | 8 | 0-9 | 10,000,000 | 1 min |
| Livebox-XXXX | ? | ? | | |
| mifi2 | 13 | 0-9 A-Z | 170,581,728,179,578,208,256 | Never |
| MobileWifi-xxxx | 8 | 0-9 | 10,000,000 | 1 min |
| MYWIFI (EE) | - | MYWIFI + 4 numbers | 65,536 | 1 sec |
| NETGEARXX | - | Adjective + Noun + 3 numbers | | Need dict. |
| Netia-XXXXXX | 13 | 0-9 a-f | 4,503,599,627,370,496 | Never |
| ONOXXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Orange-0a0aa0 | 8 | 0-9 a-f | 4,294,967,296 | 7.5 hrs |
| Orange-AA0A00 | 12 | 0-9 A-F | 281,474,976,710,656 | Never |
| Orange-XXXX | 8 | 2345679 ACEF | 214,358,881 | 23 mins |
| PLDT | - | PLDTWIFI + Last 5 digits of router MAC | 1 | 1 sec |
| Plusnet Broadband UK | 64 | a-z A-Z 0-9 | - | Never |
| PlusnetWireless-XXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| PLUSNET-XXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| Sitecom_XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| SKYXXXXX | 8 | A-Z http://www.ph-mb.com/products/sky-calc | 208,827,064,576 | 2 wks |
| SpeedTouchXXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| TALKTALK-XXXXXX | 8 | 346789 A-Z (bar ILOSZ) | 282,429,536,481 | 3 wks |
| TDC-#### | 9 | 0-9 a-f | 68,719,476,736 | 5 days |
| Tech_XXXXXXXX | 8 | A-Z | 208,827,064,576 | 15 days |
| Technicolor-Router | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| Telecom-XXXXXXXX | ? | ? | | |
| TelstraXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TELUSXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| Thomson | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| ThomsonXXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| TIM_PN51T_XXXX | 8 | 0-9 WPS PIN is 12345670 | 10,000,000 | 1 min |
| TNCAP-XXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TNCAPXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TP-LINK_###### | 8 | 0-9 / 0-9 A-F | 10,000,000 | 1 min |
| TRENDnet TEW-123ABC | 11 | First 3 digits in SSID (123 here) + 8 digits https://forums.kali.org/showthread.php?26366-TRENDnet-WPA-disclosure-amp-dictionaries | 2,821,109,907,456 | 7 mth |
| TRKASHI-###### | 8 | 2 numbers, 6 digits (10^2)^(26^6) | | Need dict. |
| UNITE-XXXX | 8 | 0-9 | 10,000,000 | 1 min |
| UPCXXXXXXX | 8 | A-Z | 208,827,064,576 | 15 days |
| Verizon MIFIXXXX XXXX | 11 | 0-9 | 100,000,000,000 | 7.5 days |
| virginmediaXXXXXX | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| VirginMobile MiFiXXXX XXX | 11 | 0-9 | 100,000,000,000 | 7.5 days |
| VMXXXXXXX | 12 | 0-9 a-z A-Z | 3,226,266,762,397,899,821,056 | Never |
| VMXXXXXXX-2G | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| VMXXXXXXX-5G | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| Vodaphone_XXXXXXXX | 15 | 0-9 a-z | 221,073,919,720,733,357,899,776 | Never |
| WLAN1-XXXXXX | 11 | 0-9 A-F | 17,592,186,044,416 | Never |
| ZyXELXXXXXX | 13 / 10 | 0-9 A-Z / 0-9 A-F | 1,099,511,627,776 | 2.5 mth |

 

Please inform me of any inaccuracies or additional data you feel could be added.

Enjoy!

 

*edit*

My sources are my own personal experiences, plus;

http://xiaopan.co/forums/threads/netgearxx-wordlist.6571/

https://scotthelme.co.uk/ee-brightbox-router-hacked/

https://forum.hashkiller.co.uk/topic-view.aspx?t=1660&m=46959#46959

https://forum.hashkiller.co.uk/topic-view.aspx?t=2715&p=2


Loving your work! Is there any merit to a random walk through the keyspace? Markov chains? Does the router's SSID/MAC address influence random key generation? There also must be a non-repeating rule when generating these keys that states you can't have more than two (for example) of the same characters in a sequence. So if attacking a 2WIRE 0-9, 10char, 8765934999 would be a wasted attempt because of the 999 at the end. How drastically could you reduce the keyspace?

I note your entry for virginmediaXXXXXX says 3 weeks, but it's the same complexity as VMXXXXXXX-2G/5G at 6 days.

Thanks!


If you use oclHashcat, it already uses Markov mathematics for its work, so a lot of that stuff is done for you.

There are some cases where the SSID influences the password, I've attempted to mark these in the chart above. Most of them are random-gen nowadays though, only pretty poorly designed routers or old routers (PLDT, BOLT!) tend to use the SSID or MAC to generate anything, too obvious.

7 hours ago, bingowings85 said:

I note your entry for virginmediaXXXXXX says 3 weeks, but it's the same complexity as VMXXXXXXX-2G/5G at 6 days.

Apologies, I'll update :)

16 hours ago, haze1434 said:

Apologies, I'll update :)

No worries! Are you in a position to do cracks on request? (easier ones!)
I see the EE-brightbox wordlist is 404, do you have a copy? or do I just use that C++ wordlist generator?


Try the quick-list from here first;

horse-duck-dog
route-know-apt
guest-mean-apt
nerve-pick-six
truck-rank-few
cash-sting-six
vase-boast-own
farm-blend-own
want-dwell-fit
curb-appal-top
wait-rob-weary
dog-duck-horse
ant-stab-ideal
gum-sleep-free
pea-share-nice
leg-draft-good
use-teach-thin
toe-guard-calm
alarm-rub-male
label-fan-cool

 

Take a look at this also.

 

I'm at work at the moment, so can't test it, but does Google cache have an entry for https://hackforums.net/showthread.php?tid=3975861?

(cache:https://hackforums.net/showthread.php?tid=3975861)

6 hours ago, bingowings85 said:

Are you in a position to do cracks on request? (easier ones!)

At the moment, unfortunately not. My GPU is already being utilised for CEH prep :wink:

You could try signing up at https://forum.hashkiller.co.uk/, in particular they have a section for Hash-Cracking Requests where they have some members who will happily crack hashes for you.


What about Gemtek routers? Do you know how those are set up? I can't seem to find any info out there. Trying to build a word list. Same for Xfinity routers, I think they might be the same as Netgear, but I'm not 100% positive. The SSIDs are usually HOME-C582-2.4 where C582 are last 2 octets. Anyone encounter these before? Thanks,

D


I did a quick Google image search, didn't find much for gemtek. I recommend Googling eBay for SSID stickers (site:eBay.com gemtek). Xfinity on the other hand seems to be 16 chars hex. Is that 16 to the power of 16? Breaks my calculator!


Wow, I have to say I am impressed with Xfinity on their default passwords in this case. Looks like I will have to settle for WPS pins on those instead. I'll update with my lockout findings. Thanks for the info.

7 hours ago, Decoy said:

Wow, I have to say I am impressed with Xfinity on their default passwords in this case. Looks like I will have to settle for WPS pins on those instead. I'll update with my lockout findings. Thanks for the info.

FYI gemtek seem to be access point/4G routers or internal WiFi cards! The cat and mouse game continues with default passphrases. I could see some sort of decentralised OCLhashcat whatever with participants being rewarded with bitcoin or something. Does anyone know what limits the crack rate? Is it stream processors or is it raw clockspeed or both? Where's the bottleneck? Which part of the silicon is OCL stressing?

On 16/11/2016 at 7:10 AM, bingowings85 said:

Xfinity on the other hand seems to be 16 chars hex. Is that 16 to the power of 16?

Appears to be uppercase and numbers.

Uppercase = 26 letters, numbers = 10 (including 0)

(26+10)^16 = 7,958,661,109,946,400,884,391,936.

 

Correction: On closer inspection, there does not appear to be any letters above F, which is pretty standard for a lot of router passwords.

Therefore you are correct bingowings85, it would be;

(6+10)^16 = 18,446,744,073,709,551,616

Would take years to crack unless you have an amazing rig or a super computer. Therefore not worth bothering trying to crack this one via Brute Force. Stick to dictionaries.

 

One point to note is that how hard a password is to crack tends to relate more to its length, rather than its complexity. Both help, but this Xfinity is a prime example of a password only using 2 types of digits but still being almost impossible to brute-force simply due to its length. This, of course, does not apply should standard dictionary words be used, or obvious replacements such as $ for S and 3 for E.

I will look at updating the table shortly, busy morning at work today!

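An added example, not written by any poster in this thread: the arithmetic behind the table's Combinations and Time columns and the length-versus-complexity point in the post above, useful for checking how long a vendor's default-key scheme holds up against offline guessing. It reads the table's charset notation and uses the first post's benchmark of 159,421 hashes per second; the function names and the "between" label for the band the first post leaves uncoloured are assumptions of this example.

```python
import math
import re

RATE_PER_SEC = 159_421            # first post's GTX 970 WPA2 benchmark
WEEK, YEAR = 7 * 86_400, 365 * 86_400


def parse_charset(spec: str) -> set:
    """Expand table notation: ranges ('0-9'), literals ('ACEF'), '(bar iol)'."""
    bar = re.search(r"\(bar\s+([^)]*)\)", spec)
    excluded = set(bar.group(1).replace(" ", "")) if bar else set()
    if bar:
        spec = spec.replace(bar.group(0), " ")
    chars = set()
    for token in spec.split():
        rng = re.fullmatch(r"(\w)-(\w)", token)
        if rng:
            lo, hi = ord(rng.group(1)), ord(rng.group(2))
            if lo > hi:
                raise ValueError(f"reversed range: {token}")
            chars.update(chr(c) for c in range(lo, hi + 1))
        else:
            chars.update(token)          # literal characters, e.g. '2345679'
    return chars - excluded


def assess(spec: str, length: int, rate: int = RATE_PER_SEC) -> dict:
    """Keyspace, entropy and full-exhaustion time for a fixed-length default key."""
    n = len(parse_charset(spec))
    keyspace = n ** length
    seconds = keyspace / rate            # worst case; the average is half this
    if seconds < WEEK:
        rating = "green"                 # first post: less than 1 week
    elif seconds > YEAR:
        rating = "never"                 # first post: more than a year
    else:
        rating = "between"               # assumed label for the uncoloured band
    return {"charset": n, "keyspace": keyspace, "bits": length * math.log2(n),
            "seconds": seconds, "rating": rating}


if __name__ == "__main__":
    # Formats taken from the table and the Xfinity discussion in this thread.
    for spec, length in [("0-9", 10), ("a-z (bar iol)", 8),
                         ("346789 A-Z (bar ILOSZ)", 8), ("0-9 a-z A-Z", 8),
                         ("0-9 A-F", 16)]:
        r = assess(spec, length)
        print(f"{spec!r:26} len {length:2}  {r['keyspace']:>26,}  "
              f"{r['bits']:5.1f} bits  {r['seconds'] / 86_400:12.1f} days  {r['rating']}")
```

The last two rows show the length effect: 16 characters of hex carry 64 bits, more than 8 characters drawn from all 62 letters and digits.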
1 hour ago, bingowings85 said:

you've answered my question :grin:

7.5 hours with a GTX 970 £300 graphics card. May as well not put any default passwords on those hubs!


I'll give it a shot and let you know what I find. Thanks for the info.

 


news just in the new virgin media hub 3.0 made by Arris
has an SSID of VM1234567 and a 12 character password a-z + A-Z :ph34r:
and a settings password of 8 digits. seems all new routers are trending towards impossible..

12 hours ago, bingowings85 said:

Seems all new routers are trending towards impossible..

I would say so, yes.

The ability to capture a WPA/2 handshake is not something they can get rid of any time soon, as it's the way routers actually work, so the easiest way for companies to secure their routers is to simply make the password more difficult. Older routers are certainly the easier passwords, most of the time.

One mitigation is to get better equipment, such as a rig of 8 x GPUs, but this is expensive. Or you could pay someone with a rig like this to do the cracking for you.

Another option is to get a massive amount of hard drive space and create the rainbow tables required to crack passwords really quickly, but you're talking at least hundreds of Terabytes of storage to store any decent amount of tables, which again is expensive.

Unfortunately, sometimes another method is required. Social Engineering, or attacking WPS, WEP etc.


related/unrelated
TalkTalk's wi-fi hack advice is 'astonishing'
http://www.bbc.co.uk/news/technology-38223805

"They had been investigating the spread of a variant of the Mirai worm, which was causing several makes of routers to stop working properly.

During tests of a TalkTalk model, the researchers discovered that the vulnerability exploited by the worm was also being abused to carry out a separate attack that forced the router to reveal its wi-fi password."

On 08/12/2016 at 3:57 AM, bingowings85 said:

related/unrelated
TalkTalk's wi-fi hack advice is 'astonishing'
http://www.bbc.co.uk/news/technology-38223805

"They had been investigating the spread of a variant of the Mirai worm, which was causing several makes of routers to stop working properly.

During tests of a TalkTalk model, the researchers discovered that the vulnerability exploited by the worm was also being abused to carry out a separate attack that forced the router to reveal its wi-fi password."

"no risk to their personal information".

I could show them a few risks!

 

"The risk is probably no higher than using a [coffee shop's] open wi-fi network."

Hahaha! Which I would never do, because the 'risk' of which they speak is actually much higher than people give credit for.

 

To be fair though, the funniest thing about articles like this is that they come from the point-of-view that it's not easy to get someone's Wi-Fi password via other methods. Which 99.9% of the time, as the table above shows - it is.


For when one is in Spain, specifically Valencia: SSID: VALENCIACABLE_XXXX ,  0-9,  9 chars, X = number. 10^9 = 1000000000 / gfx 970 = 1hr 45mins 

12 hours ago, bingowings85 said:

For when one is in Spain, specifically Valencia: SSID: VALENCIACABLE_XXXX ,  0-9,  9 chars, X = number. 10^9 = 1000000000 / gfx 970 = 1hr 45mins 

Excuse for a holiday? :wink:


20mb down / 5mb up, enough for some mischief ;) yeah I needed a change of scenery, back home for Xmas ?

PS, WEP wifi is still used in Spain, so many legacy routers that nobody bothers to upgrade. 

1 hour ago, bingowings85 said:

PS, WEP wifi is still used in Spain, so many legacy routers that nobody bothers to upgrade. 

You'd be surprised how many WEP routers are around in the UK still. I did a 20 mile kismet run a few months back and got 5-6 WEP routers show up. 
