i have recently been looking into the default WEP/WPA keys used on many modern wireless routers, and it seems that on quite a few (in the UK anyway) the default WEP/WPA key and the last 4 or 6 characters of the essid are produced by "padding" the serial number of the router up to a certain length,MD5 or SHA-1 hashing it and then using parts of the resulting hash string. Here is a example for the BTHomeHub, a Thomson router given away by the main isp in Britain.

S/N: CP0647EH6DM(BF) (serial number)

Remove CC and PP values: CP06476DM

"XXX" values hex-encoded: CP064736444D (the last chars 3 changed to hex)

SHA1-ed: 06f48a28eba1ab896a396077d772fd65503b8df3

Default SSID: BTHomeHub-8DF3

Default encryption key: 06f48a28eb

Now the 10 digit key can either be used as a WEP 64 key or used as a seemingly ramdom looking 10 character WPA passphrase depending on what your router defaults too. Only its not as ramdom as it looks, as after it has been hashed it contains only Hex,so 0-9 and a-f, cutting a massive amount off the number of possible combinations.

I have hunted and searched for a wordlist generator or bruteforcer that will work with JUST 0-9,a-f and maybe A-F too but i'm drawing a blank, every programme or script i find wants to use whole charsets and i can't find any easyily let you alter the characters being used.
While searching the forum all unusual wordlist generator requests seem to get sent onto the programming sub-forum so i thought i'd try here first! Does anyone know of such a programme/script or one that can be easily modified(by a newbie)?

Thanks in advance,

Talkie Toaster