Wh1t3Rh1n0

I will find a way, or I will make one.

Jun 16, 2014 - wireless

Introducing WoNDeR-List

TLDR: Wordlist of Netgear default WPA keys. Download link is at the bottom.

What is WoNDeR-List?

WoNDeR-List is the wordlist I created to crack the default WPA keys of several models of Netgear wireless routers.

How does it work?

Some Netgear WNDR series routers (including the N900, N750, and N600) come with a factory-set default WPA key in the form of: adjectivenoun###. For example, quietunicorn604 (bold added for clarity). After seeing a few of these I was able to make a few assumptions:

  • There is a finite set of adjectives they used to generate these passwords.
  • There is also a finite set of nouns used to generate these passwords.
  • The words all seem to be easy enough to spell and pronounce, especially since these routers are sold in countries where the English is not the primary language.
  • Given any combination of noun and adjective, there are only 1,000 passwords that can be made from adding three digits to the end.

How was WoNDeR-List created?

My goal was to uncover the actual lists of adjectives and nouns Netgear used to generate the default passwords. It’s not enough for me to just download a million adjectives and a million nouns and call the job done. For one thing, my computer isn’t fast enough to go through a wordlist of that size in a reasonable amount of time. My plan was to make an exact duplicate (or close to it) of the wordlists that Netgear uses, so I can (1) reduce the amount of time it takes to go through the entire list to as little as possible and (2) guarantee with 100% accuracy that if a default password is is use, it will be recovered by my wordlist.

So I put myself in the shoes of Mr. Netgear employee. I imagine myself working at Netgear when one day my boss comes to me and says, “make me a list of 2,000 English adjectives and 2,000 English nouns.” So, being a good employee - not lazy, but not wanting to waste his company’s time typing those lists out by hand - what am I going to do? I’m going to find those lists online and download them. I figured the person that made those lists probably compiled one or two lists from the Internet, ran them through sort and greg to weed out duplicates or words that were too long or too short, and turned them in to the boss. So to start, I did the same thing.

I already had a small set of known words that I found on a forum post here. The problem I had was that every time I found what looked like a good set of words (the 2,000 most common nouns in the English language for instance), words that I knew were in the list would be missing. In particular, the word “coconut” was missing from many of the noun lists I found. And when I did find “coconut”, other words like “banana” would be missing.

That lead me to my next idea. Maybe the large list of nouns was actually a combination of several small lists. For instance, maybe it was 10 (or 100) nouns starting with each letter of the alphabet. Or maybe it was 10 nouns from each of several categories: fruits, colors, animals, etc. Given the information I had, those were pretty good guesses, but really, there was no way to tell. I had such a small set of words I had positively identified as being in the Netgear lists. So I came up with plan B.

I needed a larger set of known words to work from - words I could prove were in the Netgear lists. Then maybe I could identify any patterns and figure out exactly how the list was generated. But to do that, I needed access to more default passwords. I thought, “if only there was some way I could get lots of people on the Internet to take pictures of their routers and send them to me.” (The passwords are printed on stickers on the backs of the routers, after all.) Then, after a couple Google searches, I had an epiphany. People on the Internet already are taking pictures of their routers! And they’re putting them on eBay!

I thought about all the times I sold something on eBay, and all the close-up shots I took from every angle, showing that whatever I was selling was exactly as I said it was. How ironic that those same close-up shots from every angle could be the key to deciphering the passwords put in place to protect those same products!

I used eBay’s advanced search functions to narrow my searches down to just those listings that I thought were most likely to have a photo of the default password sticker on the back of the router. I figured out which models usually had default password stickers, and I only searched for “used” routers, since new ones would still be in the box where their password isn’t visible. That worked really well for a while, but after a day or two, the number of new routers I was seeing started to slow down. I needed more data!

That’s when I had epiphany number two. It finally occurred to me to search eBay’s foreign domains: eBay.co.uk, eBay.ca, and eBay.com.au. (I picked English speaking countries so I could still read the pages.) I recorded all the passwords I found and wrote a little Python script to sort them into nouns and adjectives and then merge them all back together to make the WoNDeR-List. The result is the ever-growing password list I present to you today.

How effective is WoNDeR-List?

“Sixty percent of the time it works every time!”

–Brian Fantana, Anchorman

At this point, I don’t know exactly how effective the list is. I do know that every word used to generate the list is in Netgear’s wordlists. In other words, even though every default Netgear password might not (yet) be in the list, every password in the list is a valid Netgear default password.

How do I know if the wireless network I’m targeting is vulnerable?

Wireless routers that use these default passwords also have a default network name (or SSID) in the form of NETGEAR##. For example: NETGEAR86. If the person who setup that network is using the default SSID, it stands to reason that they could be using the default wireless key too.

Using the wireless router’s MAC address to lookup the vendor is another good tactic here. If the vendor is Netgear, there’s still a decent chance that it has one of these default passwords. In fact, that brings me to my real point here…

What’s your point?

The problem with these default passwords is that to the average user, they look secure. Most people are going to say, “hey, that password is 12 or 15 characters long. No one will ever guess that.” So they don’t change it. They might even change the SSID, but the password looks good, and it’s impossible to forget since it’s printed right there on the back of the router, so why change it?

Don’t get me wrong. I think this was a good move in the right direction by Netgear. By providing a WPA password by default, they’re bringing immediate attention to the fact that consumers need to secure their routers, and they’re encouraging the move away from WEP. I’m just not sure they used a large enough set of data to generate the passwords.

The most recent build of WoNDeR-List is always available here in my Dropbox shared folder.