Verizon FiOS Wireless Security Analysis

Take a look at some wireless keys that I’ve collected from some Verizon FiOS installs around Tampa:

00-18-01-EA-3D-99,E3X12,6,WEP,1801349FCA
00-18-01-F0-6D-C4,NAMX2,1,WEP,18014B311F
00-18-01-F0-95-78,MWXV2,11,WEP,180149FF66
00-18-01-FD-4F-0E,R0LC7,1,WEP,1801BC5C6B
00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-18-01-FF-DF-DD,HH150,1,WEP,1F900396C5
00-1F-90-E0-B1-F8,3RA18,6,WEP,1801CDF4AF
00-1F-90-E0-B5-AC,OQ838,6,WEP,1801CF5700
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27
00-1F-90-E3-1E-90,C7WA0,6,WEP,1F9007C188
00-1F-90-E3-2E-07,DJP80,6,WEP,1F90063349
00-1F-90-E6-A7-D5,BJ2Z0,11,WEP,1F9018F797
00-1F-90-E6-D4-E3,RSHZ0,4,WEP,1F901944DB

What you are looking at here is MAC, SSID, Channel, Encryption, Key.

Notice that they are all 64-bit WEP, with 5-character alphanumeric SSIDs.

I want to emphasize that these are the defaults, and only geeks, nerds and the like change the defaults. :)

A typical router that does this is an Actiontec unit.

Take a real close look at two of the examples:

00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27

Notice the relationship the MAC and the key have. Let me split up the bytes for you:

00:18:01:FE:15:46   -  18:01:C1:B0:2B

Verizon, or Actiontec, or someone is setting the first byte of the 40-bit key to the second byte of the MAC of the unit. And then they are setting the second byte of the key to the third byte of the MAC!

You can look at the list and see that this is mostly the case; there is some overlap between the OUIs (sometimes it is 1801, sometimes 1F90). Why is this useful? Well, if you know it is a FiOS install, you have already reduced your “64-bit” key to a real “40-bit” key, and you already know 16 bits of it, so you only have to crack 24 bits. This is insane. This is like guessing 3 letters.

The way to use this is with the Aircrack-ng program. Capture some packets, and use the -d option to tell it what the key starts with.

aircrack-ng -d 1801 stupid-fios.cap

You will get the key in no time! Silly Verizon, you didn’t think we would notice you were using constructed (not random) keys?

Have FiOS yourself? Want to share your MAC and default key in the comments? :)


22 Responses to “Verizon FiOS Wireless Security Analysis”


  1. 1 Fred Williams

    The SSID name itself gives away the last 6 hex digits of the WEP Key. All you need is a calculator to figure it out. It’s completely passive.

    You don’t need a network sniffer, aircrack, or access to see the sticker on the bottom of the router.

    The 5-character SSID name is a base-36 number of the lower 48 bits (6 hex digits) of the WEP key. The string is reversed, with the most significant digit on the right.

    Base-36 numbers use 0-9 followed by A-Z to represent 36 digits (0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ)
    It maps out like this:
    0=00, 1=01, 2=02, 3=03, 4=04, 5=05,
    6=06, 7=07, 8=08, 9=09, A=10, B=11,
    C=12, D=13, E=14, F=15, G=16, H=17,
    I=18, J=19, K=20, L=21, M=22, N=23,
    O=24, P=25, Q=26, R=27, S=28, T=29,
    U=30, V=31, W=32, X=33, Y=34, Z=35

    To go through an example, the SSID name of “E3X12” comes out as follows.

    E*(36^0) is 14 * 1 = 14
    3*(36^1) is 03 * 36 = 108
    X*(36^2) is 33 * 1296 = 42,768
    1*(36^3) is 01 * 46656 = 46,656
    2*(36^4) is 02 * 1679616 = 3,359,232
    Add these up, and you get 3,448,778 decimal which is 349FCA in Hexadecimal notation.
    The first 4 hex digits of the WEP key are the 2nd and 3rd byte from the MAC address as indicated in the original post above.

    The Wired side and Wireless side MAC addresses are generally from the same Actiontec pool of MAC addresses (and of those, I’ve only seen 001801 and 001F90 used so far in their manufacturing).

    NetStumbler will show you the BSSID (wireless MAC) is 00-18-01-EA-3D-99, but you don’t even need NetStumbler… just assume it’s either 18-01 or 1F-90.

    Therefore the default WEP key for this router is: 1801349FCA
    (On the off chance the wired and wireless side MAC address differ, just try 1F90349FCA instead)

    To make life easier, you can use a macro formula in Excel to help out.
    Put the 5-character SSID in the 1st cell (A1), and paste in this formula in A2.
    =IF(A1="","0",SUMPRODUCT( POWER(36,ROW(INDIRECT("1:5"))-1),
    (CODE(UPPER(MID(A1,ROW(INDIRECT("1:5")),1)))
    - 48*(CODE(MID(A1,ROW(INDIRECT("1:5")),1))<64)
    - 55*(CODE(MID(A1,ROW(INDIRECT("1:5")),1))>64))))
    The result is the decimal value of the lower 48-bits of the WEP Key.

    If you have the Analysis ToolPak (See Tools->Add-Ins…), this formula in A3:
    =DEC2HEX(A2,6)
    will convert the above number to hexadecimal.
    Or use Windows Calculator (in Scientific mode) to convert decimal to hexadecimal.

    Btw, all the Actiontec Electronics, Inc. registered MAC prefixes are:
    001801, 001F90, 0020E0, 001EA7, 000FB3, 001505, 00247B
    (But I’ve only seen the first two of them used on the MI424WR routers)
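
Added example (not code from the post or from any commenter): a check, from the router owner's side, of whether a configured key is exactly what the post and the comment above say it is, run over the rows in the post's list. The function names and verdict labels are assumptions made for this illustration.

```python
import string
from collections import Counter

B36 = string.digits + string.ascii_uppercase   # 0-9 then A-Z, per the comment above
KNOWN_PREFIXES = {"1801", "1F90"}               # the only key prefixes seen on this page

# The rows from the post's list: MAC, SSID, channel, encryption, key.
SAMPLES = """00-18-01-EA-3D-99,E3X12,6,WEP,1801349FCA
00-18-01-F0-6D-C4,NAMX2,1,WEP,18014B311F
00-18-01-F0-95-78,MWXV2,11,WEP,180149FF66
00-18-01-FD-4F-0E,R0LC7,1,WEP,1801BC5C6B
00-18-01-FE-15-46,JE2K7,1,WEP,1801C1B02B
00-18-01-FF-DF-DD,HH150,1,WEP,1F900396C5
00-1F-90-E0-B1-F8,3RA18,6,WEP,1801CDF4AF
00-1F-90-E0-B5-AC,OQ838,6,WEP,1801CF5700
00-1F-90-E2-7E-61,7WY20,6,WEP,1F90021D27
00-1F-90-E3-1E-90,C7WA0,6,WEP,1F9007C188
00-1F-90-E3-2E-07,DJP80,6,WEP,1F90063349
00-1F-90-E6-A7-D5,BJ2Z0,11,WEP,1F9018F797
00-1F-90-E6-D4-E3,RSHZ0,4,WEP,1F901944DB""".split()

def ssid_suffix(ssid):
    """Read a 5-char SSID as base-36, least significant digit first -> 6 hex digits."""
    ssid = ssid.upper()
    if len(ssid) != 5 or any(c not in B36 for c in ssid):
        return None                       # not a 5-character base-36 SSID
    value = sum(B36.index(c) * 36 ** i for i, c in enumerate(ssid))
    if value >= 1 << 24:                  # 36**5 > 2**24: some SSIDs cannot fit 3 bytes
        return None
    return f"{value:06X}"                 # zero-pad: small values give fewer hex digits

def audit(mac, ssid, key):
    """Classify a configured key against the fields the access point broadcasts."""
    key = key.upper()
    if len(key) != 10 or key[4:] != ssid_suffix(ssid):
        return "not-derivable"
    mac_prefix = "".join(mac.upper().replace(":", "-").split("-")[1:3])
    if key[:4] == mac_prefix:
        return "derivable-from-bssid-and-ssid"
    if key[:4] in KNOWN_PREFIXES:
        return "derivable-from-ssid-and-known-prefix"
    return "suffix-only"                  # 24 of the 40 key bits still match the SSID

def summarize(rows=SAMPLES):
    fields = (row.split(",") for row in rows)
    return Counter(audit(mac, ssid, key) for mac, ssid, _chan, _enc, key in fields)

if __name__ == "__main__":
    print(summarize())
```

Any verdict other than `not-derivable` means the key adds nothing beyond the broadcast SSID and BSSID, so the device needs a key that is not the factory default.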

  2. 2 Steve-O-

    Way Cool! This Makes things Way Easier

  3. 3 Steve-O-

    The Excel Formula does not work right. it gives me an error for “=IF(A1=””,”0″,SUMPRODUCT( POWER(36,ROW(INDIRECT(”1:5″))-1),
    (CODE(UPPER(MID(A1,ROW(INDIRECT(”1:5″)),1)))
    - 48*(CODE(MID(A1,ROW(INDIRECT(”1:5″)),1))64))))”

  4. 4 Steve-O-

    Found some APs that have MAC addresses starting with 00-21-63
    Here Is a short list
    ESSID MAC
    5JNF4 00-21-63-5D-A0-B5
    NNKSP 00-21-63-37-2F-3F

    Oh and the first one repeats as unprotected with a different MAC address
    5JNF4 00-16-B6-53-F2-43

    Some SSIDs ending in 0 (zero): when you run them through the calculator, they are one bit short of a WEP key

  5. 5 Bishpuppy

    I’ve used the calculator to test on my SSID, which works, but when I try another one around me I have one character extra….

    1215K is the SSID. I used NetStumbler and the MAC is 0018C06…..

    any ideas?

  6. 6 Kyle Anderson

    Have you tried just dropping the extra character? I’m interested. Do you have the skills to crack it manually? It’s also possible they just changed their SSID.

  7. 7 Kyle Anderson

    Those AP’s must use a different algorithm to calculate their keys. Maybe with a lot of them we could figure out the pattern and generate a calculator that works.

  8. 8 Bishpuppy

    I’m trying to use aircrack to get the key, but my card is not supported so I’m going to go buy a card that is. Once I have the key, I’ll use your method and possibly modify it to figure out the algo….but that might be in a while :(

    I did drop the extra character and it did not work; as for the changing of the SSID, it is very possible.
    Thanks for the reply..

  9. 9 Tester

    Hi all,
    I am also from the Tampa Bay area. I noticed this WEP key thing last year but I swear I remember it as being the BSSID minus the first 00. I will check my notes and get back to you all. Now that I think about it…it was the MAC b/c my router has MAC and WEP on the side of it and it is the same (except the 00). So I don’t know why the default (not using of course) is equal to the WEP and not just a couple of numbers from it. Anyway, I will test out some around me to see if this is the case. Note: 00:18 my router
    Thanks for the info…

  10. 10 king

    How would you turn 07fx08128884 into a 5-digit SSID so I can use your calculator? Step by step, it will be useful. Thanks

  11. 11 Scott

    I’m also in the Tampa Bay area. In my neighborhood, I’ve encountered several of the 5 character ssids with Actiontec MAC addresses. However, the algorithm as explained above has not been able to produce any valid keys.

  12. 12 Kyle Anderson

    Hmm, I think I also may have found some that do not work with this algorithm. Can you supply the ESSIDs and the keys so we can see if there is a correlation?

  13. 13 leo

    great!!!

    That works very well. I have dozens of Verizon Wi-Fi and I can access them all!!!

    If somebody needs a little help, I am here. Again, thanks. Very good info

  14. 14 Travis Crowley

    I found some that the Key Calculator can’t do, they are 66YJU, 8Y76V, and I found one that I can connect to but when I’m connected I can’t load any websites, it’s GJ3K4. I know it’s the right key because I can load up the router login page but I have no idea what the user name and password would be. That’s man!

  15. 15 morefios

    leo

    since they moved to rev.D now, where does one begin to unlock and play around with this?

    the old calc doesn’t work and you and kyle seem to be having all the fun…

  16. 16 notmyname

    SSID vendor MAC Address
    TalkTalk3f3bk ASKEY COMPUTER CORP 00:21:63:71:01:57
    TalkTalk2a44f ASKEY COMPUTER CORP 00:21:63:fa:6f:01

  17. 17 rolston

    How can I calculate a connection with more than 5 characters?

  18. 18 studentchild

    What is the connection between the MAC address and the SSID, or the MAC address and the key? What I mean is, can I take the MAC address and find out the SSID or the key?

    Thanks

  19. 19 Jeff

    The calculator doesn’t work anymore. I’ve used it before
    and it worked perfectly, but not anymore. I type in the 5 characters
    and nothing happens.

    But maybe you can figure it out and post it up as a comment or something.
    Here it is.

    Wep : ENBS1

    Much appreciated

  20. 20 Kyle Anderson

    I’m sorry, I broke it. Try again please?
    If still not, here are the possible keys for ENBS1:
    18012DCAFA or 1F902DCAFA

  21. 21 gregor@switch

    Does my MAC address change if I upgrade my computer with some other hardware? For example, change the graphics card?

  1. 1 Verizon FiOS Wireless Key Calculator! at Kyle Anderson
