articles
ISP Default WiFi Passwords Are Costlier to Keep Than to Crack (Value optimised Cloud GPU password cracking)

ISP Default WiFi Passwords Are Costlier to Keep Than to Crack (Value optimised Cloud GPU password cracking)

August 16, 2025·fyx(me)
fyx(me)

This article won’t tell you how bad the Canadian oligopoly is, there’s already posts ranging from 2008 to 2024 to tell you all about that! Instead, I’ll focus on their poor default WiFi password standards. I’m mentioning Canadian Internet Service Providers (ISPs) as an example here but so many ISPs and router manufacturers decide to set worse default passwords then your 3 year old toddler…

I’m not going to name any ISPs directly because I don’t want to annoy anyone and I’m just writing this for education purposes. I will use fictional password patterns that may or may not resemble real ISP default WiFi Passwords.

Identifying Default Router Password Patterns

If you have a physical router, simply grab the router and look for the “password” line on the sticker behind it…

Mind Blown
I told you I was dropping INSANE alpha in this post!

If you’re a peasant like me and can’t afford the router, don’t worry I’ve got the second best thing for you!

You can use your favourite search engine to find images of the router including the magic sticker I mentioned above! Ebay resellers could not care less and will happily take photos of the device’s SSID and Password which means a simple search can already give you an idea about what the password looks like (and if you’re the poor sucker who bought the router from them then your password is already out there):

Google Search for Livebox router ebay bottom
Google Search for 'Livebox router ebay bottom'

Ebay listing for Livebox Router with password visible
Ebay listing for Livebox Router with password visible

Note

I’m using Orange/Livebox as an example not because I want to roast them, but actually because their default passwords are usually pretty decent on these devices! Good job Orange!

Defining password patterns

To be able to identify the password pattern, you may need more then 1 router password (ie. differentiating between alphanumeric and hexadecimals). You can get this trivially by doing a reverse image search on the router sticker you’ve already found as such:

Google Reverse image search for Livebox Router
Google Reverse image search for Livebox Router

Once you have a few samples, you can define the default password pattern. Using Livebox again as an example, the pattern appears to be the following:

charset = uppercase + lowercase + digits
charcount = 18

pattern = 18 x charset

In plain English, the pattern for Livebox routers is 18 seemingly random alphanumeric characters with uppercase and lowercase letters.

We’ll come back to this example later to show why I believe this is a decent default router password.

Using Cloud GPUs for password cracking

I’m not going to cover how to do WiFi pentesting, so lets assume we’ve done WiFi testing and have recovered the Access Point’s hash. To emulate this, my friend Kimi K2 wrote a python script to generate a hashcat compatible hash from a given SSID and password:

# Generating the hash using the script
$ python3 wifi_hash_generator.py "HelloWorld" "SpicyPassword123" | tee hash.txt
WPA*01*09cd77f4bf8f32034914268c4980c40e*321bf0d198e4*8a429335416d*48656c6c6f576f726c64***

# Create a wordlist with the password
$ echo "SpicyPassword123" > wl.txt 

# Verify that the SSID decodes correctly from the hash 
$ cat hash.txt | egrep -v "^$" | python2 -c "import sys; print(''.join([l.split('*')[5].decode('hex')+'\t'+l for l in sys.stdin]))"
HelloWorld	WPA*01*09cd77f4bf8f32034914268c4980c40e*321bf0d198e4*8a429335416d*48656c6c6f576f726c64***

# Showing the hash can be cracked using hashcat
$ hashcat -m 22000 hash.txt  wl.txt                                                                                 lo at kali
hashcat (v6.2.6) starting

[...redacted for readability...]

09cd77f4bf8f32034914268c4980c40e:321bf0d198e4:8a429335416d:HelloWorld:SpicyPassword123

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: hash.txt
Time.Started.....: Wed Aug 20 05:18:13 2025 (0 secs)
Time.Estimated...: Wed Aug 20 05:18:13 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (wl.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      392 H/s (0.55ms) @ Accel:64 Loops:1024 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: SpicyPassword123 -> SpicyPassword123

Started: Wed Aug 20 05:18:12 2025
Stopped: Wed Aug 20 05:18:15 2025

The above demo shows the hash is valid and can be used with hashcat to emulate a captured WiFi hash.

For the next part, we’re going to choose a random password pattern that is definitely not a password pattern used by some ISP in Canada.

We’ll use the following password pattern, a fixed string (ie. “FYXME”) followed by 8 random alphanumeric characters:

charset = uppercase + lowercase + digits
charcount = 8

pattern = "FYXME" + 8 x charset

Using the script showcased above, we can create a valid hash for our fictitious WiFi Access Point:

# generating a random password that matches our pattern
$ printf 'FYXME%s\n' "$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 8)"
FYXME0s385dFg

$ python3 wifi_hash_generator.py "FYXME-9999" "FYXME0s385dFg"
WPA*01*1096bab4d7f172a4f2016bb0d83cf795*2b37f50e88a7*46f6be6294b2*4659584d452d39393939***

Assuming this was a hash captured via a WiFi capture tool like hcxdumptool or aircrack-ng, we could try to crack the password using the following hashcat command which performs a bruteforce attack with the password mask adjusted for our password pattern:

hashcat -m 22000 hashes.hc22000 -a 3 -1 ?l?u?d FYXME?1?1?1?1?1?1?1?1

Cracking it offline is fun and all but what if we’re in a hurry and wanted more fire power?

Password cracking in the cloud

In order to speed up cracking we can either buy really expensive GPUs or make use of the GPU rental markets which have exploded with AI and have driven the prices down significantly!

I’m using vast.ai1 in this case since it has a section for interruptible GPUs (ie. similar to AWS Spot instances) which have lower prices when nobody is using them. This provides good opportunities to find cheap GPUs for research or pentesting purposes.

A few tips and tricks that I’ve found while using vast.ai’s marketplace:

  • You can enable “interruptible” and “unverified” machines to be showed the lowest prices
  • You can select the docker template you want to deploy on the machine and the templates library includes a Hashcat CUDA template for hashcat v7.0.0
  • Your credit goes down per minute so if you need it for less than 1 hour, you pay for the number of minutes you used making it potentially incredibly cheap.
  • The interruptible machines market is a bidding system which means you can get outbid by other users

vast.ai marketplace interruptible machine listing
vast.ai marketplace 'interruptible' machine listing

If you’re lucky, you can find some real gems for example I found the following machine (5x RTX 3090) priced at $0.088/hr:

vast.ai rented GPU 5x RTX 3090
vast.ai rented GPU 5x RTX 3090

In the end, its a VPS server so you can just ssh into it and proceed as you please. The UI allows you to set your SSH key for direct access.

After setting up the SSH key, you can connect to your machine and run your hashcat command. In this case, we’re trying to crack the hash we generated previously so I run the following hashcat command:

hashcat -m 22000 test.hc22000 -a 3 -1 ?l?u?d FYXME?1?1?1?1?1?1?1?1 -O -w4

Even with the firepower of five RTX 3090, this would take about 1 year 92 days to complete which seems like a lot but considering this is only 1 of the many machines we can rent, its really not that long:

hashcat running on 5x RTX 3090 rented GPU
hashcat running on 5x RTX 3090 rented GPU

I don’t want to wait 1 year 92 days for this article to come out so we’ll speed it up and use Math to see how much it would cost to crack that hash.

Calculating cost to crack the hash

We can use the hashcat estimates to calculate how much it would cost to crack the hash which ends up being $965 USD (or $482.5 USD on average):

Time to finish: 1 year 92 days == 457 days == 10968 hours
Cost per hour: $0.088

Cost to finish: 0.088 * 10968 ~= $965
Cost to finish on average: 965 / 2 = $482.5

We can also estimate this using the cracking speed and the number of potential passwords based on the password pattern (this will help us later when we look at benchmarking different GPUs):

Cracking speed: 5520.7 kH/s == 5520700 H/s

Number of characters in our charset (uppercase + lowercase + digits): 26 + 26 + 10 = 62
Sample space based on our pattern (ie. number of possible passwords): 62 ** 8 = 218340105584896

Number of seconds to exhaust sample space: 218340105584896 / 5520700 ~= 39549351.64
Number of hours to exhaust sample space: 39549351.64 / 3600 ~= 10985.93

Cost to finish: 0.088 * 10985 ~= $967
Cost to finish on average: 967 / 2 = $483.5

Lets assume the monthly cost for our ISP is $62 CAD ($44.69 USD), again a totally random figure that does not represent any actual Canadian ISP. One year of service would cost us about $536.28 USD.

If we compare that to the average cost of cracking our generated hash, we find that it is LITERALLY CHEAPER to crack that hash then to pay for 1 year of internet service.

Comparatively, the Livebox (from Orange) would take $405,701,336,942,240,858,112 USD to crack… Might have to ask my grandma for a loan to help with this one…

Number of hours to exhaust sample space: 62 ** 18 / 5520700 / 3600 = 9.220484930505475e+21 
Cost to finish: 9.220484930505475e+21 * 0.088 = 8.114026738844817e+20 = $811,402,673,884,481,716,224
Cost to finish on average: 8.114026738844817e+20 / 2 = $4.0570133694224086e+20 = $405,701,336,942,240,858,112

811,402,673,884,481,716,224 in words:
eight hundred eleven sextillion, four hundred two quintillion, six hundred seventy-three quadrillion, eight hundred eighty-four trillion, four hundred eighty-one billion, seven hundred sixteen million, two hundred twenty-four dollars.

Now you can understand why I said Orange’s default passwords are usually pretty decent!

Cost and Speed Optimisations

Math is fun and all but in the end we still want to crack hashes the fastest and cheapest way possible. For this, we need to:

  1. Benchmark various GPUs and compare them
  2. Use our estimated cracking speeds and compare with GPU rental market prices to find the best value offerings
  3. Split our workload between different machine instances to increase cracking speed

Benchmarking hashcat speed on various GPUs

You can find a number of hashcat benchmarks online in gists, github repositories and various other websites. For this example, I’ve rented out 3 machines with NVIDIA RTX GPUs and I’ve ran a hashcat benchmark for each of them:

Here are the results:

This obviously show that the RTX 5090 is better than the 4090 and 3090 but is it the best value to rent a RTX 5090 vs a 4090/3090?

Finding the best value GPU market offering

To get the most value per each dollar spent, we need to compare the benchmarks we did above with the machine offerings available to us. To do this, I identified the endpoint for querying vast.ai’s machine offering and downloaded those offerings. I then compared the offering with the average hashes per second by GPU type which gives me the machine with the best value opportunity (ie. cheapest per hash crack attempt):

As we can see from the table, Offering ID 23752330 is our best choice which is not necessarily the first option in the vast.ai UI:

vast.ai marketplace listings with best offering selected
vast.ai marketplace listings with best offering selected

Obviously, the offerings and prices change over time so you’d need to do this regularly to get a better estimate. Prices in our table are also estimates and may differ slightly vs prices displayed on the site.

Splitting the workload between multiple instances

Once we have rented multiple machines, we’ll want to split our hashcat workload between the different instances. For our optimistic bruteforce use case, we can do it with hashcat’s skip / limit mechanism plus a little scripting so that every machine works on a non-overlapping slice of the keyspace.

HOSTS=5 # number of hosts
K=$(hashcat -m 22000 -a 3 -1 ?u?l?d --keyspace 'FYXME?1?1?1?1?1?1?1?1') # calculating keyspace
slice=$(( K / HOSTS )) # number of attempts per host

# for each host where i is the host index
hashcat -m 22000 hashes.hc22000 -a 3 -1 ?u?l?d FYXME?1?1?1?1?1?1?1?1 -s $((slice * i)) -l $((slice))

Since this is basically just a VPS, there’s already so many tools to split workloads:

  • ax / axiom / ansible : Tools to help split workloads/commands on a list of servers
  • hashtopolis : web application for distributed password cracking with Hashcat
  • hashcrack-ai : An all in one script to setup and crack passwords on vast.ai GPU instances (not recommend, code is meh)
  • custom: just write your own ssh wrapper… LLMs can basically one shot this.

Note

When using interruptible instances, your instance may shut down if someone outbids you. As such, its important to take progress snapshots which can be done easily in hashcat using sessions (--session <filename>). And restored using the following command: hashcat --session <filename> --restore

Conclusion

There’s two parts to this blog which deserve their own conclusion.

ISPs and router providers need to up their game when it comes to setting default passwords. The password templates they use are really weak and a determined attacker will crack your WiFi with less than a year’s worth of service in computing power. Furthermore, the rise of AI has boosted the GPU rental market tremendously and people have flooded the market with ever cheaper GPUs. This brings us to our second conclusion.

Its important to test your tools and compare offerings if you want to find the most valuable opportunity out there. There’s already plenty of hashcat benchmarks online you can assess to find the best GPU for the hash mode you are targeting. Compare those cracking speeds with the GPU offerings and you’ll find the best value offerings. The cheapest GPU is not always the best! I’ve decided not to release any tools yet as I’m still building out functionality for those but I intend on release something in the near future which should automate. Stay tuned!

Finally, remember to always change those pesky default passwords to something safe and secure. Regardless of your password, I would also not recommend using the default router provided by your ISP. These are usually cheap as they are mass manufactured, potentially more likely to have vulnerabilities and usually have a functionality for ISPs to be able to access remotely (aka built-in backdoor)… If you’re serious about security, it might be time to use your own router. You can change the MAC address to match the router they provided so they don’t get annoyed.

Test your tools, secure your stuff and stay safe out there.

Improvements and future research ideas

  • Better benchmarking database using benchmarks found online and application/tool to periodically identify the best value offering based on benchmarks and rental price
  • Using LLMs to search and scrape images for WiFi credentials and MAC addresses, store those in a database and generate SSID/password patterns per router/ISP type

References

Hashcat benchmarks:

GPU provider:

Datasets:

Other readings:

  1. The vast.ai links have a referral token in there. Referral earning will be used to support any future cloud shenanigans like making hashcat benchmarks of all types of GPUs available on the platform. ↩︎

Creating a Havoc Module to run commands on all agents at once and map out an environment passively