0phoi5 Posted October 27, 2016 (edited)

Hopefully some of you will find this table useful for (legally and ethically) pentesting WiFi routers. Please note that the figures shown in the far right column 'Time' are based on a Palit GTX 970 using oclHashCat. You will need to do your own maths for this, but it gives you a good idea of average crack times for a fairly standard £300 / $500 GPU.

For WPA2 with the GTX 970, my benchmarks with hashcat are:

13,774,031,184 password hashes per day
573,917,966 per hour
9,565,299 per minute
159,421 per second

Anything marked as 'Never' and red will take more than a year to crack. Anything green is less than 1 week. Anything amber is unknown or will require a word list.

For EE/Brightbox wordlist details, see here (appears to have been taken down. Google cache search.) For NETGEAR details, see here.

Obviously most of you will find the SSID / Password Format / Length columns the most useful. Good info!

| SSID | Length | Password Format | Combinations | Time |
|---|---|---|---|---|
| 2WIREXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| 3MobileWiFi | 8 | 0-9 a-z | 2,821,109,907,456 | 7 mth |
| 3Wireless-Modem-XXXX | 8 | 0-9 A-F (the first 4 digits are the same as the 4 digits on the SSID!) | 65,536 | 1 sec |
| Alice_XXXXXXXX | 24 | 0-9 a-z | 22,452,257,707,354,557,240,087,211,123,792,674,816 | Never |
| AOLBB-XXXXXX | 8 | 0-9 A-Z | 2,821,109,907,456 | 7 mth |
| ATT### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| ATTxxxx 0000 | 10 | 0-9 A-Z | 3,656,158,440,062,976 | Never |
| ATTxxxxxxx | 12 | a-z + symbols | 1,449,225,352,009,601,191,936 | Never |
| belkin.xxx | 8 | 2-9 a-f | 1,475,789,056 | 2.5 hrs |
| belkin.xxxx | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| Belkin.XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| Belkin_XXXXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| BigPondXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| BOLT!SUPER 4G-XXXX | 8 | 4 numbers + last 4 of SSID | 65,536 | 1 sec |
| BrightBox-XXXXXX | - | 3 words, with hyphens in between. Lengths 3-4-5 or any combination. | - | Need dict. |
| BTHomeHub(1)-XXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| BTHomeHub2-XXXX | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub3 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub4 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub5 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub6 | 10, 12 | 0-9 a-z A-Z | 100,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 | Never |
| CenturyLinkXXXX | 14 | 0-9 a-f | 72,057,594,037,927,936 | Never |
| Cisco | 26 | 0-9 a-f | 43,608,742,899,428,874,059,776 | Never |
| Digicom_XXXX | 8 | 0-9 A-Z | 2,821,109,907,456 | 7 mth |
| DJAWEB_##### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Domino-XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| E583x-xxxx | 8 | 0-9 | 10,000,000 | 1 min |
| E583x-xxxxx | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| EasyBox 904 LTE | 9 | 0-9 a-z A-Z | 13,537,086,546,263,552 | Never |
| EasyBox-###### | 9 | 0-9 A-F | 68,719,476,736 | 5 days |
| EEBrightBox-XXXXXX | - | 3 words, with hyphens in between. Lengths 3-4-5 or any combination. | - | Need dict. |
| FRITZ!Box Fon WLAN #### | 16 | 0-9 | 10,000,000,000,000,000 | Never |
| FrontierXXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Hitron | 12 | 0-9 A-Z (sometimes uses the device's serial number as the default key!) | 4,738,381,338,321,616,896 | Never |
| INFINITUM#### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| iPhone 5 | ? | Lowercase word plus 4 numbers | 172000^65,536 | Need dict. |
| Keenetic-XXXX | 8 | 0-9 a-z A-Z | 218,340,105,584,896 | Never |
| Linkem_XXXXXX | 8 | 0-9 | 10,000,000 | 1 min |
| Livebox-XXXX | ? | ? | - | - |
| mifi2 | 13 | 0-9 A-Z | 170,581,728,179,578,208,256 | Never |
| MobileWifi-xxxx | 8 | 0-9 | 10,000,000 | 1 min |
| MYWIFI (EE) | - | MYWIFI + 4 numbers | 65,536 | 1 sec |
| NETGEARXX | - | Adjective + Noun + 3 numbers | - | Need dict. |
| Netia-XXXXXX | 13 | 0-9 a-f | 4,503,599,627,370,496 | Never |
| ONOXXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Orange-0a0aa0 | 8 | 0-9 a-f | 4,294,967,296 | 7.5 hrs |
| Orange-AA0A00 | 12 | 0-9 A-F | 281,474,976,710,656 | Never |
| Orange-XXXX | 8 | 2345679 ACEF | 214,358,881 | 23 mins |
| PLDT | - | PLDTWIFI + last 5 digits of router MAC | 1 | 1 sec |
| Plusnet Broadband UK | 64 | a-z A-Z 0-9 | - | Never |
| PlusnetWireless-XXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| PLUSNET-XXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| Sitecom_XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| SKYXXXXX | 8 | A-Z (http://www.ph-mb.com/products/sky-calc) | 208,827,064,576 | 2 wks |
| SpeedTouchXXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| TALKTALK-XXXXXX | 8 | 346789 A-Z (bar ILOSZ) | 282,429,536,481 | 3 wks |
| TDC-#### | 9 | 0-9 a-f | 68,719,476,736 | 5 days |
| Tech_XXXXXXXX | 8 | A-Z | 208,827,064,576 | 15 days |
| Technicolor-Router | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| Telecom-XXXXXXXX | ? | ? | - | - |
| TelstraXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TELUSXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| Thomson | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| ThomsonXXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| TIM_PN51T_XXXX | 8 | 0-9 (WPS PIN is 12345670) | 10,000,000 | 1 min |
| TNCAP-XXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TNCAPXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TP-LINK_###### | 8 | 0-9 or 0-9 A-F | 10,000,000 | 1 min |
| TRENDnet TEW-123ABC | 11 | First 3 digits in SSID (123 here) + 8 digits (https://forums.kali.org/showthread.php?26366-TRENDnet-WPA-disclosure-amp-dictionaries) | 2,821,109,907,456 | 7 mth |
| TRKASHI-###### | 8 | 2 numbers, 6 digits (10^2)^(26^6) | - | Need dict. |
| UNITE-XXXX | 8 | 0-9 | 10,000,000 | 1 min |
| UPCXXXXXXX | 8 | A-Z | 208,827,064,576 | 15 days |
| Verizon MIFIXXXX XXXX | 11 | 0-9 | 100,000,000,000 | 7.5 days |
| virginmediaXXXXXX | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| VirginMobile MiFiXXXX XXX | 11 | 0-9 | 100,000,000,000 | 7.5 days |
| VMXXXXXXX | 12 | 0-9 a-z A-Z | 3,226,266,762,397,899,821,056 | Never |
| VMXXXXXXX-2G | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| VMXXXXXXX-5G | 8 | a-z (bar iol) | 78,310,985,281 | 6 days |
| Vodaphone_XXXXXXXX | 15 | 0-9 a-z | 221,073,919,720,733,357,899,776 | Never |
| WLAN1-XXXXXX | 11 | 0-9 A-F | 17,592,186,044,416 | Never |
| ZyXELXXXXXX | 13 or 10 | 0-9 A-Z or 0-9 A-F | 1,099,511,627,776 | 2.5 mth |

Please inform me of any inaccuracies or additional data you feel could be added. Enjoy!

*edit* My sources are my own personal experiences, plus:

http://xiaopan.co/forums/threads/netgearxx-wordlist.6571/
https://scotthelme.co.uk/ee-brightbox-router-hacked/
https://forum.hashkiller.co.uk/topic-view.aspx?t=1660&m=46959#46959
https://forum.hashkiller.co.uk/topic-view.aspx?t=2715&p=2

Edited November 15, 2016 by haze1434: Amended time for virginmediaXXXXXX
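The Combinations and Time columns above are a fixed calculation: alphabet size to the power of the passphrase length, divided by the hash rate. The following Python estimator is an added example (not code from the original post) that re-derives those cells from the table's own Length and Password Format notation, using the 159,421 hashes/second GTX 970 figure quoted above; it is the same arithmetic a defender uses to judge whether a default-passphrase scheme is adequate, and the "Never" threshold of one year follows the post's colour legend.

```python
"""Keyspace / worst-case crack-time estimator for the default passphrase
schemes in the table above (added example, not the post's own code)."""
import re

# Hash rate quoted in the first post: GTX 970, oclHashcat, WPA2, hashes/second.
GTX970_WPA2_RATE = 159_421

# "0-9", "a-f", "A-Z" are inclusive ranges; other tokens ("2345679", "ACEF")
# are literal character sets.
_RANGE = re.compile(r"^(.)-(.)$")


def charset_size(spec: str, exclude: str = "") -> int:
    """Distinct characters in a table-style spec such as "0-9 a-f";
    `exclude` drops characters the scheme never uses ("bar ILOSZ")."""
    chars = set()
    for tok in spec.split():
        m = _RANGE.match(tok)
        if m:
            chars.update(map(chr, range(ord(m.group(1)), ord(m.group(2)) + 1)))
        else:
            chars.update(tok)
    return len(chars - set(exclude))


def keyspace(spec: str, length: int, exclude: str = "") -> int:
    """Combinations column: alphabet size to the power of the length."""
    return charset_size(spec, exclude) ** length


def worst_case_seconds(space: int, rate: int = GTX970_WPA2_RATE) -> float:
    """Seconds to exhaust the keyspace; the table quotes this full-sweep
    figure, the expected time to reach a random key is half of it."""
    return space / rate


def human_time(seconds: float) -> str:
    """Bucket a duration like the Time column; over a year reads "Never"."""
    if seconds > 365 * 86400:
        return "Never"
    for unit, size in (("mth", 30 * 86400), ("wks", 7 * 86400),
                       ("days", 86400), ("hrs", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} sec"


if __name__ == "__main__":
    # Re-derive a few table rows from their Length / Password Format cells.
    for ssid, spec, length, exclude in (
        ("2WIREXXX", "0-9", 10, ""),
        ("BTHub3", "2-9 a-f", 10, ""),
        ("TALKTALK-XXXXXX", "346789 A-Z", 8, "ILOSZ"),
        ("Xfinity (16 hex chars)", "0-9 A-F", 16, ""),
    ):
        space = keyspace(spec, length, exclude)
        print(f"{ssid:24} {space:>30,} {human_time(worst_case_seconds(space))}")
```

Change `rate` to re-run the table for a different GPU or cluster; the 16-character hex case lands on "Never" even though it uses only two character classes, which is the length-over-complexity point made later in the thread.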
bingowings85 Posted November 14, 2016

Loving your work! Is there any merit to a random walk through the keyspace? Markov chains? Does the router's SSID/MAC address influence random key generation? There also must be a non-repeating rule when generating these keys that states you can't have more than two (for example) of the same characters in a sequence. So if attacking a 2WIRE 0-9, 10 char, 8765934999 would be a wasted attempt because of the 999 at the end. How drastically could you reduce the keyspace? I note your entry for virginmediaXXXXXX says 3 weeks, but it's the same complexity as VMXXXXXXX-2G/5G at 6 days. Thanks!
0phoi5 (Author) Posted November 14, 2016

If you use oclHashcat, it already uses Markov mathematics for its work, so a lot of that stuff is done for you. There are some cases where the SSID influences the password; I've attempted to mark these in the chart above. Most of them are random-gen nowadays though; only pretty poorly designed routers or old routers (PLDT, BOLT!) tend to use the SSID or MAC to generate anything, too obvious.
0phoi5 (Author) Posted November 14, 2016

7 hours ago, bingowings85 said: I note your entry for virginmediaXXXXXX says 3 weeks, but it's the same complexity as VMXXXXXXX-2G/5G at 6 days.

Apologies, I'll update :)
bingowings85 Posted November 15, 2016

16 hours ago, haze1434 said: Apologies, I'll update :)

No worries! Are you in a position to do cracks on request? (easier ones!) I see the EE-brightbox wordlist is 404, do you have a copy? Or do I just use that C++ wordlist generator?
0phoi5 (Author) Posted November 15, 2016

Try the quick-list from here first:

horse-duck-dog route-know-apt guest-mean-apt nerve-pick-six truck-rank-few cash-sting-six vase-boast-own farm-blend-own want-dwell-fit curb-appal-top wait-rob-weary dog-duck-horse ant-stab-ideal gum-sleep-free pea-share-nice leg-draft-good use-teach-thin toe-guard-calm alarm-rub-male label-fan-cool

Take a look at this also. I'm at work at the moment, so can't test it, but does Google cache have an entry for https://hackforums.net/showthread.php?tid=3975861? (cache:https://hackforums.net/showthread.php?tid=3975861)
0phoi5 (Author) Posted November 15, 2016 (edited)

6 hours ago, bingowings85 said: Are you in a position to do cracks on request? (easier ones!)

At the moment, unfortunately not. My GPU is already being utilised for CEH prep. You could try signing up at https://forum.hashkiller.co.uk/; in particular they have a section for Hash-Cracking Requests where they have some members who will happily crack hashes for you.

Edited November 15, 2016 by haze1434
Decoy Posted November 16, 2016

What about Gemtek routers? Do you know how those are set up? I can't seem to find any info out there. Trying to build a word list. Same for Xfinity routers; I think they might be the same as Netgear, but I'm not 100% positive. The SSIDs are usually HOME-C582-2.4 where C582 are the last 2 octets. Anyone encountered these before? Thanks, D
bingowings85 Posted November 16, 2016

I did a quick Google image search, didn't find much for Gemtek. I recommend Googling eBay for SSID stickers (site:eBay.com gemtek). Xfinity on the other hand seems to be 16 chars hex. Is that 16 to the power of 16? Breaks my calculator!
Decoy Posted November 16, 2016

Wow, I have to say I am impressed with Xfinity on their default passwords in this case. Looks like I will have to settle for WPS pins on those instead. I'll update with my lockout findings. Thanks for the info.
bingowings85 Posted November 16, 2016

7 hours ago, Decoy said: Wow, I have to say I am impressed with Xfinity on their default passwords in this case. Looks like I will have to settle for WPS pins on those instead. I'll update with my lockout findings. Thanks for the info.

FYI Gemtek seem to be access point/4G routers or internal WiFi cards! The cat and mouse game continues with default passphrases. I could see some sort of decentralised OCLhashcat whatever with participants being rewarded with bitcoin or something. Does anyone know what limits the crack rate? Is it stream processors or is it raw clock speed or both? Where's the bottleneck? Which part of the silicon is OCL stressing?
0phoi5 (Author) Posted November 17, 2016 (edited)

On 16/11/2016 at 7:10 AM, bingowings85 said: Xfinity on the other hand seems to be 16 chars hex. Is that 16 to the power of 16?

Appears to be uppercase and numbers. Uppercase = 26 letters, numbers = 10 (including 0). (26+10)^16 = 7,958,661,109,946,400,884,391,936.

Correction: On closer inspection, there does not appear to be any letters above F, which is pretty standard for a lot of router passwords. Therefore you are correct bingowings85, it would be: (6+10)^16 = 18,446,744,073,709,551,616

Would take years to crack unless you have an amazing rig or a super computer. Therefore not worth bothering trying to crack this one via brute force. Stick to dictionaries.

One point to note is that how hard a password is to crack tends to relate more to its length, rather than its complexity. Both help, but this Xfinity is a prime example of a password only using 2 types of digits but still being almost impossible to brute-force simply due to its length. This, of course, does not apply should standard dictionary words be used, or obvious replacements such as $ for S and 3 for E.

I will look at updating the table shortly, busy morning at work today!

Edited November 17, 2016 by haze1434
0phoi5 (Author) Posted November 17, 2016 (edited)

Found Gemtek in Russian - http://www.mobile-review.com/articles/2012/yota-lte-msk.shtml

Appears to be 8 digits, numbers and uppercase. Probably 0-9 A-F, maybe 0-9 A-Z. If 0-9 A-F and 8 digits, piece of cake to crack.

Edited November 17, 2016 by haze1434
bingowings85 Posted November 17, 2016 (edited)

42 minutes ago, haze1434 said: If 0-9 A-F and 8 digits, piece of cake to crack.

You've answered my question.

Edited November 17, 2016 by bingowings85
0phoi5 (Author) Posted November 17, 2016

1 hour ago, bingowings85 said: You've answered my question.

7.5 hours with a GTX 970 £300 graphics card. May as well not put any default passwords on those hubs!
Decoy Posted November 17, 2016

I'll give it a shot and let you know what I find. Thanks for the info.
bingowings85 Posted November 24, 2016

News just in: the new Virgin Media Hub 3.0, made by Arris, has an SSID of VM1234567 and a 12 character password a-z + A-Z, and a settings password of 8 digits. Seems all new routers are trending towards impossible..
0phoi5 (Author) Posted November 25, 2016 (edited)

12 hours ago, bingowings85 said: Seems all new routers are trending towards impossible..

I would say so, yes. The ability to capture a WPA/2 handshake is not something they can get rid of any time soon, as it's the way routers actually work, so the easiest way for companies to secure their routers is to simply make the password more difficult. Older routers certainly have the easier passwords, most of the time.

One mitigation is to get better equipment, such as a rig of 8 x GPUs, but this is expensive. Or you could pay someone with a rig like this to do the cracking for you. Another option is to get a massive amount of hard drive space and create the rainbow tables required to crack passwords really quickly, but you're talking at least hundreds of Terabytes of storage to store any decent amount of tables, which again is expensive.

Unfortunately, sometimes another method is required. Social Engineering, or attacking WPS, WEP etc.

Edited November 25, 2016 by haze1434
bingowings85 Posted December 8, 2016

Related/unrelated: TalkTalk's wi-fi hack advice is 'astonishing' http://www.bbc.co.uk/news/technology-38223805

"They had been investigating the spread of a variant of the Mirai worm, which was causing several makes of routers to stop working properly. During tests of a TalkTalk model, the researchers discovered that the vulnerability exploited by the worm was also being abused to carry out a separate attack that forced the router to reveal its wi-fi password."
0phoi5 (Author) Posted December 9, 2016 (edited)

On 08/12/2016 at 3:57 AM, bingowings85 said: Related/unrelated: TalkTalk's wi-fi hack advice is 'astonishing' http://www.bbc.co.uk/news/technology-38223805 "They had been investigating the spread of a variant of the Mirai worm, which was causing several makes of routers to stop working properly. During tests of a TalkTalk model, the researchers discovered that the vulnerability exploited by the worm was also being abused to carry out a separate attack that forced the router to reveal its wi-fi password."

"no risk to their personal information". I could show them a few risks!

"The risk is probably no higher than using a [coffee shop's] open wi-fi network." Hahaha! Which I would never do, because the 'risk' of which they speak is actually much higher than people give credit for.

To be fair though, the funniest thing about articles like this is that they come from the point-of-view that it's not easy to get someone's Wi-Fi password via other methods. Which 99.9% of the time, as the table above shows, it is.

Edited December 9, 2016 by haze1434
bingowings85 Posted December 15, 2016

For when one is in Spain, specifically Valencia: SSID: VALENCIACABLE_XXXX, 0-9, 9 chars, X = number. 10^9 = 1000000000 / gfx 970 = 1hr 45mins
0phoi5 (Author) Posted December 16, 2016

12 hours ago, bingowings85 said: For when one is in Spain, specifically Valencia: SSID: VALENCIACABLE_XXXX, 0-9, 9 chars, X = number. 10^9 = 1000000000 / gfx 970 = 1hr 45mins

Excuse for a holiday?
bingowings85 Posted December 16, 2016 (edited)

20mb down / 5mb up, enough for some mischief ;) Yeah, I needed a change of scenery, back home for Xmas.

PS, WEP wifi is still used in Spain, so many legacy routers that nobody bothers to upgrade.

Edited December 16, 2016 by bingowings85
0phoi5 (Author) Posted December 16, 2016

1 hour ago, bingowings85 said: PS, WEP wifi is still used in Spain, so many legacy routers that nobody bothers to upgrade.

You'd be surprised how many WEP routers are around in the UK still. I did a 20 mile Kismet run a few months back and got 5-6 WEP routers showing up.
UndercoverDog Posted April 2, 2022

Idk if you are still active, but I want to say wow, thanks for this insane list!