Hey guys I'm trying to make a word list for the newer actiontec Verizon FiOSFiOS router (Red Router) I know it has 16 characters numerical and uppercase letters only. I tried making a list in crunch but it was to big. Any way to cut down on the size or where I can get one?
I know from personal experience that those are near impossible to crack, Com-cast has same method with their Keys... Sorry for not knowing the website off hand but maybe a mod will see this and point you to it.. or I will go find it and repost.. there is a calculator that will do the math for you on how many possible combos there are to a 16 digit CAP. Alpha Numeric... But I have gotten lucky once or twice cause they changed the default pass to one of their own... why I don't know but I was grateful... We have the ACTIONTEC Verison and ARRISGRO Comcast here in Sarasota fl... IT bytes... :locktopic: The locks on WPS are fierce to. I have an old PC with a live KALI running on it, found in someones trash no less, just to run aircrack-ng W/ HUGE word-list against the handshake in case they did change it. But hey if you know something I don't my ears are open. I have had MD5 hash sites turn it down because its such a huge amount of combination... Maybe write a script to take out all the combos that it normally wouldn't be, such as 000000 etc. 11111 etc. 1234etc.. 1A2Betc.. Good luck though, its a good feeling when you do find that one in umpteen bazzillion..:fadancing:
I know that this is a old thread, but wondering if anyone has any new, reliable information on Verizon Fios (Frontier) Actiontec routers. Have a post #2143 in Auditing Service Forum regarding mentioned type router. Sure would like to narrow down possibilites to create wordlist or crack posted .cap file thanks carnivore1
All of you are on to something and it all works id say 90% of the time, ill have you know that and together we can understand the format these passwords are placed in here is a pic of the new fios router and their password format. Now as i look at this netgear format comes to mind and how we add a mask and can also use crunch to make a dictionary and we can combine dictionaries. For this i need help if i can find a way this will be it. The one dictionary to rule them. I need to do this: the format i see is im guessing adj+4digits+noun+4digits+adj ? what are the words being used are they adjectives or nouns ? After that answer how do I combine and compile the corresponding dictionaries with masks in between them??!! If everyone uploads the routers stickers we can compare notes. And create a dictionary for them. The variance cant be that much maybe other stickers have 3 digits and 4 digits between words i dont know i hope find out. But anyway everyone help please take a look. Custom dictionaries for routers work period. And if its changed you get creative there is not a password on earth for a router made by a person that cannot be calculated using educated guesswork knowledge of router and area router is being used even the demographic of the person it belongs to all this comprise into the perfect dictionary. Anyway let the cracking and theorizing begin.
In our area of orange county , ca. verizon ( frontier) had been using Verizon MI424WR rev G (Actiontec) routers. Have no photo, but know the wifi password on sticker was 16 digits, that only included numerals and upper case letters. Tried cracking it several times I have listed on post # 2143 of auditing serv,, Yes, hope other people confirm these type router information to create data base.Only reliable to way to hack these routers on a regular basis is to have a good mask attack formula or custom dictionary, like the one created as netgearxx..Keep the info coming, because ,as I had joked about before, it was my white whale of routers....carnivore1
All things posted here are for educational purposes, the use of them for malicious means is not my intention when sharing, and strictly prohibited. I joined this site just to share my research into these routers, and their keyspace sets. There are the business models, and the residential models(they look identical, different MAC registry), Frontier has them manufactured by Greenwave, and Verizon manufacturers their routers themselves(or at least, that's the vendor that's registered to the MAC. However, If you inspect the metadata of one of their network packets, the WPS vendor is Broadcom). Total of 4 different routers, that are almost identical, and have the same keyspace/algorithm. I went online, and looked for second-hand routers for sell, found ones with pictures of the WiFi password in it, downloaded the picture, and entered their data in a spreadsheet, this gave me my keyspace, and my starting point for my wordlist. Some of the pictures were blurry, so the characters were hard to make out (might be one or two errors), but I think I got a pretty descent data-set. The data-set is divided as follows. First, it is the part of the ESSID that follows "FIOS-", for example, the first data-set in the array is "FIOS-FPX9H". The next 5 parts, is the password broken up into Strings(3-5 lowercase characters) and Integers(1-4 numbers). The password follows the pattern of String-Integer-String-Integer-String, this pattern is represented by a 5-digit-integer in the next part of the this data-set, for example, tact(4) 38(2) oat(3) 2923(4) handy(5) = 42345. I did this to help visualize patterns in the password, and calculated statistical normality in the password, for example, roughly 50% of the passwords consist of only 4 and 3 digit integers and strings. The final number is self explanatory, it's the total length of the password, looking at this number, you can see that over 90% of the passwords are 17 or 18 characters. In conclusion, the first passwords to be tested, should be a total length of 17-18 characters, and consist of 3-4 character strings, and 3-4 digit-integers, as these are statistically more likely to be the password, and will save time when performing a brute-force, wordlist-combination attack. ESSID | Part1 | Part2 | Part3 | Part4 | Part5 | Pattern of characters | Total length of password FPX9H tact 38 oat 2923 handy 42345 18 PX0CZ chew 405 ben C305 wife 43344 18 QAMX3 ear 3784 bio 7486 peak 34344 18 4NLXZ nakes 93 hop 4540 hulk 52344 18 UP0HS road 55 sarah 663 yak 42533 17 ODZVS* adept 483 tee 3039 way 53343 18 T9NOJ hue 2233 greg 414 aim 34433 17 QXWLU beak 7865 rust 58 box 44423 17 6Y6KO sam 5526 hero 8294 era 34443 18 9QCBO* sad 8300 jane 2572 one 34443 18 4EZE8 bet 290 thumb 529 pup 33533 17 OSFJF nog 9578 cary 93 jay 34423 16 WBNYP hat 4809 act 3155 rad 34343 17 ZU95I day 344 hut 6928 cruch 33345 18 RV58G shy 8710 week 697 kit 34433 17 QHO57 take 2 rebels 4672 don 41543 17 X241B cub 473 sales 6227 hog 33543 18 All that being said, I did see one router with a password that contained a 6 character string (I didn't add it to the array), and the existence of a 5 digit-integer can't be ruled out with such a limited data-set, but sticking with what is evident, you could still have a success rate in the high 90 percentile. I also found a list of known router keyspaces/key-generators (most WEP). https://hashcat.net/forum/thread-6170.html If you go to that page, and click on this link (Under Verizon) http://www.xkyle.com/verizon-fios-wireless-key-calculator/ You get the algorithm Verizon used to generate their WEP passwords for their FIOS routers. My guess would be, that they used a modified version of this algorithm to generate their WPA2 keys, but I could be wrong, and this could be a dead end, and it's hard to test without MAC addresses in my data-set. Now for the probability of correctly guessing a password with the info we already have (It's not good). There are roughly 1292 three-letter words in the English language, according to this word list. https://www.bestwordlist.com/3letterwords.htm I looked at that wordlist, and estimated roughly 50% (or slightly more) of those words could be removed from a final wordlist, due to the words not being used often enough in English(They're incomprehensible), that leaves roughly 600 three-letter words in the wordlist. If you look at four-letter words on that site https://www.bestwordlist.com/4letterwords.htm There are 5454 four-letter words, roughly 2/3 are incomprehensible, leaving 1800 four-letter words on the wordlist. Following the patterns from the data-set, you would start with the most likely, which are as follow 44433 44333 43334 33344 33444 34443 43434 34343 Out of those options, 2 patterns are easier to eliminate because they have the least amount of combinations. 43434 and 43334 I am figuring these are easier, because there are 1000(including 000) combinations of three digit numbers, and only 600 possible three-letter words, same goes for the 10000(including 0000) combinations of four digit numbers, compared to the 1800 four-letter words. The following calculations will calculation all possibilities of just these 2 patterns. 43434 = 1800*1000*1800*1000*1800 = 5.832×10¹⁵ and 43334 = 1800*1000*1000*1000*1800 = 3.24×10¹⁵ The amount of computing power needed to calculate just the two most used patterns would take years to complete, and because WPA2 passwords use the ESSID in their algorithms, a permutation rainbow table can't be used to cut down processing time. Without a smaller wordlist (Which will only exist if it's leaked, or is assembled from a larger data-set), it's almost impossible to brute-force these passwords. The most likely vulnerability for these routers, will be the reverse engineering of the algorithm used to generate the default password, like the breakthrough with the routers WEP encryption mentioned in the link above, or a social engineering attack(Evil Twin Attack, .ect). It's also worth mentioning that eliminating integers the have the same number repeating three consecutive times (For example 111, 222, 0222) will also help limit the number of failed brute-force attempts (Still not enough to make a significant difference as of yet). I also cross reference these data-sets with the known adjective and noun wordlists used to crack Netgear routers, they don't contain most of the words. I've uploaded the wordlists to pastebin for reference. Nouns https://pastebin.com/zRz2h32T Adjectives https://pastebin.com/DPcTW5vW I hope you found this post educational, and insightful. (P.S. Running those wordlist against Netgear routers with the pattern of Adjective/Noun/3-Digit-Integer has a success rate in the high 90%)
