-
-
Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
| #!/usr/bin/python | |
| """ | |
| Simple tool to extract local users and passwords from most Huawei routers/firewalls config files. | |
| Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with | |
| a known key. Using this information, the script will decrypt credentials found in the config file. | |
| Author: Etienne Stalmans ([email protected]) | |
| Version: 1.0 (12/01/2014) | |
| """ | |
| from Crypto.Cipher import DES | |
| import sys | |
| import binascii | |
| def decode_char(c): | |
| if c == 'a': | |
| r = '?' | |
| else: | |
| r = c | |
| return ord(r) - ord('!') | |
| def ascii_to_binary(s): | |
| assert len(s) == 24 | |
| out = [0]*18 | |
| i = 0 | |
| j = 0 | |
| for i in range(0, len(s), 4): | |
| y = decode_char(s[i + 0]) | |
| y = (y << 6) & 0xffffff | |
| k = decode_char(s[i + 1]) | |
| y = (y | k) & 0xffffff | |
| y = (y << 6) & 0xffffff | |
| k = decode_char(s[i + 2]) | |
| y = (y | k) & 0xffffff | |
| y = (y << 6) & 0xffffff | |
| k = decode_char(s[i + 3]) | |
| y = (y | k) & 0xffffff | |
| out[j+2] = chr(y & 0xff) | |
| out[j+1] = chr((y>>8) & 0xff) | |
| out[j+0] = chr((y>>16) & 0xff) | |
| j += 3 | |
| return "".join(out) | |
| def decrypt_password(p): | |
| r = ascii_to_binary(p) | |
| r = r[:16] | |
| d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB) | |
| r = d.decrypt(r) | |
| return r.rstrip("\x00") | |
| f_in = open(sys.argv[1],'r') | |
| print "[*] Huawei Password Decryptor" | |
| for line in f_in: | |
| if ('local-user' not in line) or ('password' not in line): | |
| continue | |
| inp = line.split() | |
| print "[*]-----------------------" | |
| print "\t[+] User: %s"%inp[1] | |
| print "\t[+] Password type: %s"%inp[3] | |
| if inp[3] == "cipher": | |
| print "\t[+] Cipher: %s"%inp[4] | |
| print "\t[+] Password: %s"%decrypt_password(inp[4]) | |
| else: | |
| print "\t[+] Password: %s"%(inp[4]) |
hello, can anyone decript this?
local-user root password irreversible-cipher g-1CeT32Y$..R"-F[fW<;W15,m-yn>.Y.-J>{wC@@Q|,!+Q&G$
can anyone decrypt that:
What is SU button function on GUI I ever try $1 and $2 only
I don't know.
Where i can find this GUI ?
sorry for inconviniace,
What is SU button function on GUI I ever try $1 and $2 only
I don't know.
Where i can find this GUI ?
Thanks
@Boboaung-Myanmar - Try this 18855117
$2M^7i5]ps.KDN0XI>kLtUo{cZ~\ZMZ2R.*.POxM|2t-Z'6"e{P~e6WM9D^[l)DtF8(_]48(b$v9WjPQ,&+0fO>c'Nb/_b||6$;,rR$
Can you helpme ser
sorry for inconviniace,
What is SU button function on GUI I ever try $1 and $2 only
I don't know.
Where i can find this GUI ?
Thanks
$2M^7i5]ps.KDN0XI>kLtUo{cZ~\ZMZ2R.*.POxM|2t-Z'6"e{P~e6WM9D^[l)DtF8(_]48(b$v9WjPQ,&+0fO>c'Nb/_b||6$;,rR$
Can you helpme ser
Hello!
It it possible to decrypt this one?
$1c$nIyL.#{5F2$TzF'@"gEaH_mJb*Vd>fBD"px&M1'i1aOXF:ptG:E$
Thank you in advance!
for dg 8245
i need Administrator user and password
i search through notpade and this what i get
UserName="vodadsl" Password="41a69149e63df1ce83234fc39a70caeab11eed3d390629ca7cffc2dcd327480b" UserLevel="0" Enable="1" ModifyPasswordFlag="0"
i need to decrypt the password
$2GACZYhI-vIoR>v/Cdi:7dkP=;9/(HKvZ2UK[5,]AA9ALE\Z%.S*&iVCn216/StW,(M%'bpB{@[jdL!1:Be=`9P*Ky}2(&|=jsR$
pls
i tried the site, it doesnt give a good result:
https://andreluis034.github.io/huawei-utility-page/#cipher
$2#$A:@i5s+L7OAK/KQ.r9gfB`5v,-S%T=rz~&0[6I:Zt,<Rvhz):[v3(*"K@(OMJMf<*aA1z#1KIlO4LUwr,FX$5D||9s)E#|%0$
Result: bbf2073ca9c495606fe49628cffef83e0dfce8dc29270703b3c6709e14029911
Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is:
Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@!Gs46RKnm)]UmP"9Z8c$CVHnor<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!
Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!
Please send me your Password= from <InterfaceInstance InstanceID="1" maybe a CLI or Webuser password which are salted and can't decrypt. You can modify the config to set root or default password as unencrypted then you get into the ONT.
Thanks,
J
Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!
Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil
Hello, can someone help me decrypt this?
-->
Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil
same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request
I am trying to find some code/command execution bug but it seems like im going nowhere
also telnet/ssh/ftp are all filtered so no luck
i did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)
aaand firmware dumping or hardware debugging is not a valid option fr
wbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)
Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil
same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere
also telnet/ssh/ftp are all filtered so no luck
i did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)
aaand firmware dumping or hardware debugging is not a valid option fr
wbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)
I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply
Hey there.. check X_HW_WebUserInfoInstance factory pass..
Try using this for the web interface as well on my case it worked..
Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil
same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere
also telnet/ssh/ftp are all filtered so no luck
i did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)
aaand firmware dumping or hardware debugging is not a valid option fr
wbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply
consider asking them for the superadmin credentials, that way you can configure it at home without needing their support
other than that extracting the credentials requires either firmware dumping or developing your own exploit, which may be troublesome
let me know if they give you any useful information
Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil
same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere
also telnet/ssh/ftp are all filtered so no luck
i did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)
aaand firmware dumping or hardware debugging is not a valid option fr
wbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply
consider asking them for the superadmin credentials, that way you can configure it at home without needing their support other than that extracting the credentials requires either firmware dumping or developing your own exploit, which may be troublesome
let me know if they give you any useful information
do you have default superadmin creds ? or did you get your hands on the firmware files since i want to mess with them ?
Disculpe las molestias.
¿Cuál es la función del botón SU en la GUI? ¿Alguna vez probé solo $1 y $2?
No sé.
¿Dónde puedo encontrar esta GUI?
Gracias
$2M^7i5]ps.KDN0XI>kLtUo{cZ~\ZMZ2R.*.POxM|2t-Z'6"e{P~e6WM9D^[l)DtF8(_]48(b$v9WjPQ,&+0fO>c'Nb/_b||6$;,rR$
¿Puedes ayudarme?
Listo espero aun te sirva: 1274380565c7e25acde5c9d28e2ef73677056a4efe2f4576973e79136e284aea
espero aun te sirva: 1274380565c7e25acde5c9d28e2ef73677056a4efe2f4576973e79136e284aea
Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil
same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere
also telnet/ssh/ftp are all filtered so no luck
i did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)
aaand firmware dumping or hardware debugging is not a valid option fr
wbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply
Any update? @arkali
Just writing in here the step by step that I followed in case it helps someone, as it helped me:
-
Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
$2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$ -
Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add -
Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
-
Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= -
Throw that in hashcat with a wordlist like so:
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt
For that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.
Just writing in here the step by step that I followed in case it helps someone, as it helped me:
1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$ 2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add 3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 5. Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txtFor that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.
good work i try this methode and i have some quetions
first salt value should be convert to base64 or not
i try for this value
password decrypt (925d7ced11d07d01372b258930685c6765ca699c1de7fe0156784a1b72f60d82)
password base 64 ( kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=)
salt ( 38fa9b0625b6fdf11cf802c0 )
i use this website for pbkdf2 https://www.dcode.fr/pbkdf2-hash
and the result was
$pbkdf2-sha1$1000$MzhmYTliMDYyNWI2ZmRmMTFjZjgwMmMw$zXjXSIl5drOY41.ienQlbShrfN0
the user name for this password is Nova_admin
any help will be fine
Just writing in here the step by step that I followed in case it helps someone, as it helped me:
1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$ 2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add 3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 5. Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txtFor that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.good work i try this methode and i have some quetions first salt value should be convert to base64 or not i try for this value password decrypt (925d7ced11d07d01372b258930685c6765ca699c1de7fe0156784a1b72f60d82) password base 64 ( kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=) salt ( 38fa9b0625b6fdf11cf802c0 ) i use this website for pbkdf2 https://www.dcode.fr/pbkdf2-hash and the result was $pbkdf2-sha1$1000$MzhmYTliMDYyNWI2ZmRmMTFjZjgwMmMw$zXjXSIl5drOY41.ienQlbShrfN0 the user name for this password is Nova_admin any help will be fine
No, the salt shouldn't be base64.
Don't edit the beginning of the payload (you did "$pbkdf2-sha1$1000$", my example is "pbkdf2_sha256$5000$")
Your final payload will look like that:
pbkdf2_sha256$5000$38fa9b0625b6fdf11cf802c0$kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=
I have a gtx1660, tried all the passwords from seclists wordlists and didn't get a result, good luck
your command:
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$38fa9b0625b6fdf11cf802c0$kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=' mega_wordlist.txt
Just writing in here the step by step that I followed in case it helps someone, as it helped me:
1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$ 2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add 3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 5. Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txtFor that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.
I need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device?
Thanks in advance for any help!
Just writing in here the step by step that I followed in case it helps someone, as it helped me:
- Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
$2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$- Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add- Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
- Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=- Throw that in hashcat with a wordlist like so:
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txtFor that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.
I couldn't understand step 4 and this is what i did:
Username: admin
Password: $2%h#wXS,`{G3uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\FG{^2[IUoe-6T)$m3}t=f25c;$
Salt: a37f3a20a4e49477cc24c1e8
5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c
LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=
Username: telecomadmin
Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$
Salt: f69f0d7ab9a13a97c12afa93
95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37
EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=
Username:root
Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B"'Z/=/w"ZM,&<WSGGv'(2"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$
Salt: 8c06e92ac8c69c9aab9d3ce3
240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee
qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=
is that correct? and how to do step 4? regards
Just writing in here the step by step that I followed in case it helps someone, as it helped me:
- Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
$2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$- Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add- Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
- Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=- Throw that in hashcat with a wordlist like so:
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txtFor that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.I couldn't understand step 4 and this is what i did: Username: admin Password: $2%h#wXS,`{G3
uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\FG{^2[IUoe-6T)$m3}t=f25_c;_$ Salt: a37f3a20a4e49477cc24c1e85d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c
LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=
Username: telecomadmin Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$ Salt: f69f0d7ab9a13a97c12afa93
95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37
EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=
Username:root Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B"'Z/=/w"ZM,&<WSGGv'(2"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$ Salt: 8c06e92ac8c69c9aab9d3ce3
240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee
qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44= is that correct? and how to do step 4? regards
in the step 4 just take the string that I sent and replace SALT with the salt and RESULT_FROM_ABOVE with the result from the step above, like that:
Username: admin
Password: $2%h#wXS,`{G3uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\FG{^2[IUoe-6T)$m3}t=f25c;$
Salt: a37f3a20a4e49477cc24c1e8
5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c
LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=
pbkdf2_sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=' wordlist.txt -o result.txt
Username: telecomadmin
Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$
Salt: f69f0d7ab9a13a97c12afa93
95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37
EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=
pbkdf2_sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=' wordlist.txt -o result.txt
Username:root
Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B"'Z/=/w"ZM,&<WSGGv'(2"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$
Salt: 8c06e92ac8c69c9aab9d3ce3
240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee
qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=
pbkdf2_sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=' wordlist.txt -o result.txt
Just writing in here the step by step that I followed in case it helps someone, as it helped me:
1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$ 2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add 3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 5. Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txtFor that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.I need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device?
Thanks in advance for any help!
I don't know honestly.
Hi guys has anyone teste Encryption and Decryption on Huawei AX2 wifi6 routers? it seems the user is allways the same: admin.. just password on input menu login screen.. i have managed to analyze with F12 network traffic.. and it has 2 requests.. user_login_nonce, and user_login_proof which returns a RSAE : 010001 and RSA_N public modulus and RSA signature and Server signature keys , together with CSRF tokens for security protection.. on the user_login_nonce the password seems to be encripted.. and we can only see a SALT key info