Skip to content

Instantly share code, notes, and snippets.

@staaldraad

staaldraad/huaweiDecrypt.py

Created March 11, 2015 13:19
Show Gist options
  • Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
Download ZIP
Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.
Raw
huaweiDecrypt.py
#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans ([email protected])
Version: 1.0 (12/01/2014)
"""
from Crypto.Cipher import DES
import sys
import binascii
def decode_char(c):
if c == 'a':
r = '?'
else:
r = c
return ord(r) - ord('!')
def ascii_to_binary(s):
assert len(s) == 24
out = [0]*18
i = 0
j = 0
for i in range(0, len(s), 4):
y = decode_char(s[i + 0])
y = (y << 6) & 0xffffff
k = decode_char(s[i + 1])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 2])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 3])
y = (y | k) & 0xffffff
out[j+2] = chr(y & 0xff)
out[j+1] = chr((y>>8) & 0xff)
out[j+0] = chr((y>>16) & 0xff)
j += 3
return "".join(out)
def decrypt_password(p):
r = ascii_to_binary(p)
r = r[:16]
d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
r = d.decrypt(r)
return r.rstrip("\x00")
f_in = open(sys.argv[1],'r')
print "[*] Huawei Password Decryptor"
for line in f_in:
if ('local-user' not in line) or ('password' not in line):
continue
inp = line.split()
print "[*]-----------------------"
print "\t[+] User: %s"%inp[1]
print "\t[+] Password type: %s"%inp[3]
if inp[3] == "cipher":
print "\t[+] Cipher: %s"%inp[4]
print "\t[+] Password: %s"%decrypt_password(inp[4])
else:
print "\t[+] Password: %s"%(inp[4])
@davidwkirsch
Copy link

davidwkirsch commented Oct 17, 2025

Just writing in here the step by step that I followed in case it helps someone, as it helped me:

  1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
    $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$
  2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
    Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add
  3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
  4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
    Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
  5. Throw that in hashcat with a wordlist like so:
    hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt

For that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.

I couldn't understand step 4 and this is what i did: Username: admin Password: $2%h#wXS,`{G3uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\FG{^2[IUoe-6T)$m3}t=f25_c;_$ Salt: a37f3a20a4e49477cc24c1e8

5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c

LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=

Username: telecomadmin Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$ Salt: f69f0d7ab9a13a97c12afa93

95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37

EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=

Username:root Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B"'Z/=/w"ZM,&<WSGGv'(2"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$ Salt: 8c06e92ac8c69c9aab9d3ce3

240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee

qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44= is that correct? and how to do step 4? regards

in the step 4 just take the string that I sent and replace SALT with the salt and RESULT_FROM_ABOVE with the result from the step above, like that:

Username: admin
Password: $2%h#wXS,`{G3uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\FG{^2[IUoe-6T)$m3}t=f25c;$
Salt: a37f3a20a4e49477cc24c1e8

5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c

LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=

pbkdf2_sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=

hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=' wordlist.txt -o result.txt


Username: telecomadmin
Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$
Salt: f69f0d7ab9a13a97c12afa93

95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37

EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=

pbkdf2_sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=' wordlist.txt -o result.txt


Username:root
Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B"'Z/=/w"ZM,&<WSGGv'(2"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$
Salt: 8c06e92ac8c69c9aab9d3ce3

240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee

qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=

pbkdf2_sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=' wordlist.txt -o result.txt

@davidwkirsch
Copy link

davidwkirsch commented Oct 17, 2025

Just writing in here the step by step that I followed in case it helps someone, as it helped me:

1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
   $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$

2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add

3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=

4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=

5. Throw that in hashcat with a wordlist like so:
   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt

For that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.

I need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device?

Thanks in advance for any help!

I don't know honestly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment