Tag Archives: wifi

Thoughts on reducing the keyspace of the 2WIRE default WPA key

I visited my daughter recently and she gave me the (unchanged default) key  to her 2WIRE so I could use wifi on the Kindle.  

 

The key was 10 digits, which got me thinking.  10 alpha-numerical-special chars are impractical to brute force, but 10 digits are not.   It’s only 10 billion combinations, about 5 weeks to exhaust the keyspace on an old computer like mine.  Since we are resigned to checking all the keyspace what if we did it in an optimal order?  For the purposes of this discussion I will assume you have permission to analyze the router in question.

 

I have read that in some cases the the default key is the serial number of the device.  The serials are numerical like the default key.  Hmmmm…  I have also read that the nnn in the 2WIREnnn ESSID is the last three of the serial number.    Put these two things together and we can check for this default by doing something like:

# final $ anchors the expression to the end of the line, and the -v looks for inversion.
# so "dike out any string that ends in nnn"
seq --equal-width 0000000000 9999999999 | grep -v nnn$
and piping that to the input of your favorite analysis tool (cough aircrack cough).

which reduces this set to 1mil or about an hour.  No joy?  Fine, let’s plod on.

 

There are also cases of using the customer’s phone number for the default key.  Hmmm, fully-qualified tel numbers are 10 digits, too.  To use the Greater Dallas area as an example one might do something like:

for AREACODE in 214 469 817 903 972
    do         seq ${AREACODE}0000000 ${AREACODE}9999999 | \             # your tool here!     done

Check the exit codes upon each iteration (or code in a pause) to make sure you see the output.  Or maybe output could be redirected into a log or something.

Further gains could be made if the 2WIRE serials were in some known space, like 8nnnnnnnnn or whatever. 

After we’ve checked the easy stuff we can do the rest of the keyspace:

# build the egrep regex using the ${AREACODE} var above?

# drop anything that starts with an areacode or ends with the ESSID suffix.
seq --equal-width 0000000000 9999999999 | \
      nice egrep -v '(^214|^469|^903|^972|${ESSID}$)'

and pipe that to your analysis tool for the long haul.  Or give up on it as counterproductive and move to the next.

 

Anyhow, those are some rough first thoughts. 

 

 

 

 

 

Advertisements