It is well known that Telefónica’s ADSL routers ship with a specific ESSID, so these networks are very easy to locate. The wireless password depends on the router model, and unless the default is changed the passwords follow a common pattern.
Passwords follow this pattern:
Password: RootXXXXYY
Depending on the model, the key has one of these “password roots”:
- Z-com -> Z001349
- Zyxel -> Z001349
- P-660HW-D1 -> Z001349
- Xavy -> X000138
- Comtrend -> C0030DA
- Zygate -> Z0002CF or C0030DA
The manufacturer can be identified from the AP’s MAC address.
The last two characters YY are the last two characters of the ESSID (WLANYY).
As you can see, we only need four more characters and we will have the complete password.
The attack on these characters will be brute force; for this we use a tool called wlandecrypter.
We will also need the weplab software and the aircrack-ng suite.
cd /usr/src
wget http://weplab.sourceforge.net/src/wxweplab-0.1.6-3.tgz
Now that we have everything installed, we start the process:
airodump-ng mon0 -> Check what can be seen on mon0
airodump-ng --write CAPTURAWLAN --channel CHANNEL --bssid BSSID mon0 -> Capture the traffic of the Wi-Fi network we are interested in.
When we have 4 or more packets in the data field, we can stop the capture by pressing Ctrl+C
Now is the time to use wlandecrypter.
This should give us the password in ASCII and hexadecimal:
Right KEY found!!
Passphrase was --> C0030DAA46F05
Key: 43:30:30:33:30:44:41:41:34:36:46:30:35
In this case, it can be seen that it is a Comtrend (C0030) and the ESSID is WLAN05 (05). Through brute force, we have obtained the characters DAA46.
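As an added example (not code from the original post), here is a small Python audit that converts the hex "Key:" line above back to ASCII and checks whether a configured key follows the RootXXXXYY factory pattern, using the root prefixes listed earlier; the sample keys it is tested with are constructed, not real router keys.

```python
# Added example: audit a 13-character WEP key against the predictable
# Telefónica factory pattern RootXXXXYY described above. The root
# prefixes are the ones listed on the page; keys passed in by the
# caller are assumed to be the key already configured on the router.

ROOTS = {  # root prefix -> manufacturer, as listed above
    "Z001349": "Z-com / Zyxel / P-660HW-D1",
    "X000138": "Xavy",
    "C0030DA": "Comtrend / Zygate",
    "Z0002CF": "Zygate",
}


def hex_key_to_ascii(hex_key: str) -> str:
    """Turn a colon-separated hex key (the 'Key:' line) into its ASCII form."""
    return bytes.fromhex(hex_key.replace(":", "")).decode("ascii")


def audit_default_key(essid: str, key: str) -> dict:
    """Report whether 'key' matches the factory pattern for 'essid'.

    A key whose first 7 characters are a known root and whose last 2
    characters equal the last 2 characters of a WLANYY ESSID leaves only
    the 4 middle characters unknown to anyone who can see the network,
    which is why such a key should be replaced.
    """
    result = {"predictable": False, "manufacturer": None,
              "unknown_chars": len(key)}
    if len(key) != 13 or not essid.upper().startswith("WLAN"):
        return result
    root, middle, suffix = key[:7], key[7:11], key[11:]
    if root.upper() in ROOTS and suffix == essid[-2:]:
        result.update(predictable=True,
                      manufacturer=ROOTS[root.upper()],
                      unknown_chars=len(middle))
    return result


if __name__ == "__main__":
    # Constructed sample: the key shown in the wlandecrypter output above.
    key = hex_key_to_ascii("43:30:30:33:30:44:41:41:34:36:46:30:35")
    print(key, audit_default_key("WLAN05", key))
```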
NOTE: Change the default password!