I was having a discussion with a friend of mine about the Netgear default Wi-Fi password, you know, the one they put on a sticker on the bottom (or top) of a Netgear router. More than just Netgear do this, but Netgear was the one we were particularly discussing.
Anyway, we noticed (or I guess it is just a theory right now, because we don't have enough samples yet) that the password consists of two words and a 3 digit number. More specifically, it appears to be two words of 6 or 7 characters each, followed by the number.
So I thought to myself: what would it look like to build a word list from all the 6 character words in the English dictionary, combine them in pairs, then use a hashcat rule to append every 3 digit number on the end? So that is what I made.
I looked around on the interwebs and most of the word lists matching my description were for word-scramble games (classic), then I found this: https://github.com/dwyl/english-words
There is a file called words_alpha.txt in that repo that claims to have pretty much every word in the English language that has no special characters or numbers in it. GOLD!
Ok, so now I want to extract only the words that are 6 characters long. One thing to get straight first: grep -x anchors the pattern to the whole line, and the trailing newline is never part of what grep matches, so a 6 character word is matched by a 6 character pattern, not a 7 character one. If your 6 letter words only match a 7 character pattern, the file almost certainly has Windows (CRLF) line endings and the extra character is a carriage return; check with file(1) or cat -A, and strip it, otherwise every carriage return ends up inside your combined candidates. The {6} repeat count also needs extended regex (-E). Here is the command to extract all the 6 character words from that dictionary file:
tr -d '\r' < words_alpha.txt | grep -xE '[a-z]{6}' > 6char-words.txt
So this gave me a file with all the 6 character words. Now we need to combine them so that each line has two words. Luckily hashcat-utils has a little tool called combinator.bin, and I used the same file for both the first and second parameters, like this:
combinator.bin 6char-words.txt 6char-words.txt > combined-6-words.txt
This made an 11G file (the output has N squared lines for N input words)! Luckily I have access to a cracker box with lots of RAM and some good GPUs!
Now this only gets us part of the way, and it is the reason I did it this way instead of using the combinator attack in hashcat: we still need the 3 digit number added to the end of each combined word. For this I made a simple rule file, generated with the mp64 binary (maskprocessor). This command created a rule file with 1000 rules, one per 3 digit combination, each appending its digits to the end of the candidate:
mp64 -o add3digits.rule '$?d $?d $?d'
Now we have what we need (or at least my first iteration of it) to perform a more targeted Netgear Wi-Fi brute force attack. Two 6 letter words plus 3 digits is 15 characters, comfortably inside the 8 to 63 character WPA passphrase range, so no candidate is wasted. Used with hashcat it looks like this:
hashcat -a 0 -m 2500 wpa-password-audits.hccapx combined-6-words.txt -r add3digits.rule
Note that newer hashcat releases mark -m 2500 (hccapx) as deprecated; with those, convert the capture to the hc22000 format (hcxpcapngtool does this) and use -m 22000 instead. The attack modes and rule file work the same way.
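Before burning GPU days on the list it is worth checking each step on a tiny input and doing the keyspace arithmetic. The script below is an added example, not code from the original post or from hashcat-utils: it rebuilds the word extraction with CRLF stripping, reproduces what combinator.bin and the mp64 rule file produce (with awk and sed, for small lists only), and sizes the attack. The six-word dictionary is constructed for the demonstration, and the 500 kH/s rate in main is an illustrative figure, not a measured one; point extract_words at the real words_alpha.txt and plug in your own benchmark rate to get real numbers.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Rebuilds the word-list pipeline
# with coreutils so every step can be checked on a small input, then sizes the
# word+word+3digits attack. combinator.bin and mp64 are the real tools for the
# full run; combine_words and make_append_rules only mirror their output.
set -eu

# Constructed stand-in for words_alpha.txt, written with CRLF line endings on
# purpose: a trailing \r is one reason a 6-letter word can look 7 characters long.
make_sample_dict() {
  printf 'planet\r\nrocket\r\nsilver\r\nmoon\r\nstarlight\r\nO1hare\r\n' > "$1"
}

# Words of exactly $2 lower-case letters from file $1. tr drops any \r first so it
# cannot end up inside the combined candidates; grep -x anchors the whole line and
# never counts the newline, so the repeat count is the word length itself.
extract_words() {
  tr -d '\r' < "$1" | grep -xE "[a-z]{$2}" || true
}

# Cross product of a word list with itself, the same N*N lines combinator.bin
# writes. Holds the list in memory, so it is for checking small lists only.
combine_words() {
  awk 'NR==FNR { w[NR]=$0; n=NR; next }
       { for (i = 1; i <= n; i++) print $0 w[i] }' "$1" "$1"
}

# The 1000 append rules mp64 produces for '$?d $?d $?d', without the spaces
# (hashcat ignores them): rule "$0$4$2" appends the digits 042 to a candidate.
make_append_rules() {
  seq -w 0 999 | sed 's/./$&/g'
}

# Keyspace of word+word+3 digits for N words: N*N*1000 candidates.
keyspace() {
  echo $(( $1 * $1 * 1000 ))
}

# Whole seconds to exhaust a keyspace ($1) at a sustained rate of $2 hashes/second.
eta_seconds() {
  echo $(( $1 / $2 ))
}

# Stand-alone run on the constructed dictionary; everything lands in a temp dir.
main() {
  work=$(mktemp -d)
  make_sample_dict "$work/words_alpha.txt"
  extract_words "$work/words_alpha.txt" 6 > "$work/6char-words.txt"
  n=$(wc -l < "$work/6char-words.txt" | tr -d ' ')
  echo "6-letter words: $n"
  echo "first combined candidates:"
  combine_words "$work/6char-words.txt" | head -3
  make_append_rules > "$work/add3digits.rule"
  echo "rules written: $(wc -l < "$work/add3digits.rule" | tr -d ' ')"
  ks=$(keyspace "$n")
  echo "keyspace: $ks candidates"
  echo "at an assumed 500 kH/s: $(eta_seconds "$ks" 500000) s"
  rm -rf "$work"
}
main
```

The useful number is the last one: with N six-letter words the keyspace is N*N*1000, so doubling the word list quadruples the run time, and adding 7 letter words to the same list grows it faster than it first appears.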
***********ANOTHER WAY*********** (there is always another way)
Ok, so that was my first attempt, and it is going to take 5 days to roll through, so I wanted to list some other options. Let's say we want to do the same attack but using hashcat's own combinator attack. We still create the 11G combined-6-words.txt file as above, but instead of a rule file we create a file containing every 3 digit number from 000 to 999:
seq -w 0 999 > 000-999numberfile.txt
Now we run the hashcat combinator attack with our two files like this:
hashcat -a 1 -m 2500 wpa-password-audits.hccapx combined-6-words.txt 000-999numberfile.txt
************ANOTHER WAY*************
Always gotta have a few options, right? With this one, let's say you don't have enough disk space to hold the 11G file. So we take our 6char-words.txt file and the add3digits.rule we created above, and pipe the output of combinator.bin from hashcat-utils straight into hashcat like this:
combinator.bin 6char-words.txt 6char-words.txt | hashcat -m 2500 -a 0 -r add3digits.rule wpa-password-audits.hccapx
The downside here is that hashcat cannot know how many candidates are coming on stdin, so you don't get the progress and ETA in the status output (and I like status output), but it also works!