Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.

huaweiDecrypt.py

#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and  crypted credentials. Huawei config files use DES encryption with 
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans ([email protected])
Version: 1.0 (12/01/2014)
"""

from Crypto.Cipher import DES
import sys
import binascii

def decode_char(c):
    if c == 'a':
        r = '?'
    else:
        r = c
    return ord(r) - ord('!')

def ascii_to_binary(s):
    assert len(s) == 24

    out = [0]*18
    i = 0
    j = 0

    for i in range(0, len(s), 4):
        y = decode_char(s[i + 0])
        y = (y << 6) & 0xffffff

        k = decode_char(s[i + 1])
        y = (y | k) & 0xffffff
        y = (y << 6) & 0xffffff

        k = decode_char(s[i + 2])
        y = (y | k) & 0xffffff
        y = (y << 6) & 0xffffff

        k = decode_char(s[i + 3])
        y = (y | k) & 0xffffff

        out[j+2] = chr(y & 0xff)
        out[j+1] = chr((y>>8) & 0xff)
        out[j+0] = chr((y>>16) & 0xff)

        j += 3

    return "".join(out)

def decrypt_password(p):
    r = ascii_to_binary(p)
    r = r[:16]

    d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
    r = d.decrypt(r)

    return r.rstrip("\x00")


f_in = open(sys.argv[1],'r')

print "[*] Huawei Password Decryptor"

for line in f_in:
    
    if ('local-user' not in line) or ('password' not in line):
        continue
    
    inp = line.split()
    print "[*]-----------------------"
    print "\t[+] User: %s"%inp[1]
    print "\t[+] Password type: %s"%inp[3]
    if inp[3] == "cipher":
        print "\t[+] Cipher: %s"%inp[4]
        print "\t[+] Password: %s"%decrypt_password(inp[4])
    else:
        print "\t[+] Password: %s"%(inp[4])

Just writing in here the step by step that I followed in case it helps someone, as it helped me:

1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
   $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$
2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add
3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
5. Throw that in hashcat with a wordlist like so:
   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt

For that example, create a wordlist with the word "admin" in it, and it will work.

Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)

Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.

I couldn't understand step 4 and this is what i did:
Username: admin
Password: $2%h#wXS,`{G3uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\FG{^2[IUoe-6T)$m3}t=f25c;$
Salt: a37f3a20a4e49477cc24c1e8

5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c

LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=

Username: telecomadmin
Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$
Salt: f69f0d7ab9a13a97c12afa93

95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37

EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=

Username:root
Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B"'Z/=/w"ZM,&<WSGGv'(2"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$
Salt: 8c06e92ac8c69c9aab9d3ce3

240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee

qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=
is that correct? and how to do step 4? regards

Just writing in here the step by step that I followed in case it helps someone, as it helped me:

1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
   $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$
2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add
3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
5. Throw that in hashcat with a wordlist like so:
   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt

For that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.

I couldn't understand step 4 and this is what i did: Username: admin Password: $2%h#wXS,`{G3uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\FG{^2[IUoe-6T)$m3}t=f25_c;_$ Salt: a37f3a20a4e49477cc24c1e8

5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c

LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=

Username: telecomadmin Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$ Salt: f69f0d7ab9a13a97c12afa93

95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37

EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=

Username:root Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B"'Z/=/w"ZM,&<WSGGv'(2"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$ Salt: 8c06e92ac8c69c9aab9d3ce3

240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee

qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44= is that correct? and how to do step 4? regards

in the step 4 just take the string that I sent and replace SALT with the salt and RESULT_FROM_ABOVE with the result from the step above, like that:

Username: admin
Password: $2%h#wXS,`{G3uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\FG{^2[IUoe-6T)$m3}t=f25c;$
Salt: a37f3a20a4e49477cc24c1e8

5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c

LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=

pbkdf2_sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=

hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=' wordlist.txt -o result.txt


Username: telecomadmin
Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$
Salt: f69f0d7ab9a13a97c12afa93

95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37

EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=

pbkdf2_sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=' wordlist.txt -o result.txt


Username:root
Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B"'Z/=/w"ZM,&<WSGGv'(2"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$
Salt: 8c06e92ac8c69c9aab9d3ce3

240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee

qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=

pbkdf2_sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=' wordlist.txt -o result.txt

Just writing in here the step by step that I followed in case it helps someone, as it helped me:

1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
   $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$

2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add

3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=

4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=

5. Throw that in hashcat with a wordlist like so:
   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt

For that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.

I need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device?

Thanks in advance for any help!

I don't know honestly.