"Home&Life SuperWiFi-xxxx" (Password length 16 charaters)
"Infostrada-xxxxxx" (Password length 10 charaters)
"TISCALI_xxxx" (Password length 10 charaters)
This routers generate their default WPA password using their S/N (serial number), but this number can be easly guessed because have got an easy pattern.
"Home&Life SuperWiFi-xxxx"/"Home&Life 2.4GHz" Range:
S182V00000000-S182V99999999
S192V00000000-S192V99999999
"Infostrada-xxxxxx" Range:
S172V00000000-S172V99999999
S182V00000000-S182V99999999
"TISCALI_xxxx" Range:
S172V00000000-S172V99999999
S182V00000000-S182V99999999
- The first charaters is always an
'S'
. - The second and third characters should be the year of production (
2017/2018/2019
for the examples above). - The string
"2V"
should be costant for the SSID above, it may be the family's model identifier. - The rest of the string is different from router to router, but is possibile to generate a dictionary for all the combinations to use alongside with Hashcat, and it is just a numerical string
[0-9]
.
zykgen (-m|-n|-c) [-l <length> -L <letter>] <startserial> <endserial>
Using the command above will create a dictionary in the root directory with all the combination of WPA passwords of the inpunt range, using the specified algorithm, the default letter is the 'V'
(which is the fourth letter), while the first 'S'
is added automatically and you don't need to insert it, just skip it.
zykgen.exe -c -l 10 182000000000 182000000010
Will create a dictionary of the WPA passwords with 10 charaters long of the serials ranging from S182V00000000
to S182V00000010
using the 'cosmopolitan' algorithm
- Cosmopolitan generate WPA password with this combination of charaters:
[0-9][A-Z]
- Negroni generate WPA password with this combination of charaters:
[0-9][A-Z]
- Mojito generate WPA password with this combination of charaters:
[0-9][A-Z][a-z]
For example the routers above use the Cosmopolitan algorithm, but other router could use another one. In order to find which algotithm you router use just look at the back of your router, or if you are unable to do it use google to find images of the back. (or just try all of them untill you find the correct one)
- The VMG8823-B50B Model transmit his serial in the probe response, so it's much much more easy to generate his passwords without guessing his serial.
Don't use it for illegal purpose, this project is mainly used for research purpose and I'm not responsable of it.