HEX only wordlist generator? (WEP/WPA)

[Talkie Toaster]

i have recently been looking into the default WEP/WPA keys used on many modern wireless routers, and it seems that on quite a few (in the UK anyway) the default WEP/WPA key and the last 4 or 6 characters of the essid are produced by "padding" the serial number of the router up to a certain length,MD5 or SHA-1 hashing it and then using parts of the resulting hash string. Here is a example for the BTHomeHub, a Thomson router given away by the main isp in Britain.

S/N: CP0647EH6DM(BF) (serial number)

Remove CC and PP values: CP06476DM

"XXX" values hex-encoded: CP064736444D (the last chars 3 changed to hex)

SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3

Default SSID: BTHomeHub-8DF3

Default encryption key: 06f48a28eb

Now the 10 digit key can either be used as a WEP 64 key or used as a seemingly ramdom looking 10 character WPA passphrase depending on what your router defaults too. Only its not as ramdom as it looks, as after it has been hashed it contains only Hex,so 0-9 and a-f, cutting a massive amount off the number of possible combinations.

I have hunted and searched for a wordlist generator or bruteforcer that will work with JUST 0-9,a-f and maybe A-F too but i'm drawing a blank, every programme or script i find wants to use whole charsets and i can't find any easyily let you alter the characters being used.
While searching the forum all unusual wordlist generator requests seem to get sent onto the programming sub-forum so i thought i'd try here first! Does anyone know of such a programme/script or one that can be easily modified(by a newbie)?

Thanks in advance,

Talkie Toaster

[Talkie Toaster]

*bump*

anyone? A programme/script to make a hex (0-9,a-f) wordlist must be out there somewhere....

p.s. thought i should say the process ^above^ is not my own, it came from Adrian Pastor at GNU citizen, was just using it as a example as its quite a simple one.

[opreat0r]

learn bash you can do it with a for i in loop

set all yer vars and convert the numbers to hex IE 1=a 2=b etc ...

[karabaja4]

this sounds simple enough to do in C, but im too lazy now (its damn hot).. maybe in a few weeks.. cheers..

[Talkie Toaster]

Thanks for your suggestion operat0r, i'm learning bash right now but hadn't thought of using it, i'll use this as my first 'proper' (not out a book) project, prepare for some bash related questions!!

and karabaja4 quite a few people seem interested in default WPA codes in routers, which if they are easily predictable are just as bad as WEP..... A tool written in C which will output to a text file or to a pipe for handling by another programme would be a great addition to most peoples tools, and i'm sure other uses could be found for it.....

TT

[SWFu64]

Thanks to reading bofh28's great password cracking guide this might be the very script you require:

hxxp://freshmeat.net/projects/wg/

[karabaja4]

Toaster - i think i made what you are looking for.

Here is the code:

Code:

//made by karabaja4

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char** argv)
{
    char format[10];
	
    unsigned long long last = 0;
    unsigned long long i;
	
    if ((argc != 2) || (atoi(argv[1]) > 16)) {
        printf("\n hex wordlist generator - by karabaja4\n\n");
        printf(" usage: ./hwg n > wordlist.txt\n");
        printf(" n - number of digits (max 16)\n\n");
        exit(0);
    }
    
    sprintf(format, "%s%s%s", "%0", argv[1], "llx\n"); //linux (gcc)
    //sprintf(format, "%s%s%s", "%0", argv[1], "I64x\n"); //windows (mingw)
    
    for (i = 0; i < atoi(argv[1]); i++)
    	last = ((last + 1) * 16) - 1;
	
    for (i = 0; i < last; i++) printf(format, i);
    printf(format, last);
	
    return 0; //hooray!
}

save it as hwg.c and to compile it do:

Code:

gcc hwg.c -o hwg

to run it do:

Code:

./hwg n > wordlist.txt

where n is the number of hex digits (maximum 16 digits, hope it's enough). to see the output on the screen remove the > wordlist.txt part.

IMPORTANT! I didn't test the pipelinening password feed, test it and if it works please let me know (let me know if it doesn't work too )

have phun

[Talkie Toaster]

Many thanks karabaja4, I'll check it tomorrow night when i get time to get my lappy out i'm at a vista machine just now, I'm stuck learning microsh*te access just now....

TT

[M1ck3y]

Watch out for my script "Giga password Generat0r". It has 23 differents modes for generating almost everything, including hexadecimal and personnal charset. The script is using the crunch generator, which makes it really fast to generate. The script is still in dev, I will add more modes later so that it will cover all the possibilities, including special chars and blank spaces.

The script is still in french yet, I will translate it when I will find some time.

You can download the script here: Giga Password Generat0r v 1.2 (latest version with 23 generating modes)

Here is the menu (in french for now):



All the details about how the script works and how to use it:
-Giga Password Generat0r little how to (in french)
-Giga Password Generat0r little how to (translated in english with google translation)

The 23 modes allows you to make almost every possible dictionary, I hope it will help

[Talkie Toaster]

I cant wait for final, shame i did German instead of French at school.....!

many many thanks,

TT