Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.

huaweiDecrypt.py

#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and  crypted credentials. Huawei config files use DES encryption with 
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans ([email protected])
Version: 1.0 (12/01/2014)
"""

from Crypto.Cipher import DES
import sys
import binascii

def decode_char(c):
    if c == 'a':
        r = '?'
    else:
        r = c
    return ord(r) - ord('!')

def ascii_to_binary(s):
    assert len(s) == 24

    out = [0]*18
    i = 0
    j = 0

    for i in range(0, len(s), 4):
        y = decode_char(s[i + 0])
        y = (y << 6) & 0xffffff

        k = decode_char(s[i + 1])
        y = (y | k) & 0xffffff
        y = (y << 6) & 0xffffff

        k = decode_char(s[i + 2])
        y = (y | k) & 0xffffff
        y = (y << 6) & 0xffffff

        k = decode_char(s[i + 3])
        y = (y | k) & 0xffffff

        out[j+2] = chr(y & 0xff)
        out[j+1] = chr((y>>8) & 0xff)
        out[j+0] = chr((y>>16) & 0xff)

        j += 3

    return "".join(out)

def decrypt_password(p):
    r = ascii_to_binary(p)
    r = r[:16]

    d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
    r = d.decrypt(r)

    return r.rstrip("\x00")


f_in = open(sys.argv[1],'r')

print "[*] Huawei Password Decryptor"

for line in f_in:
    
    if ('local-user' not in line) or ('password' not in line):
        continue
    
    inp = line.split()
    print "[*]-----------------------"
    print "\t[+] User: %s"%inp[1]
    print "\t[+] Password type: %s"%inp[3]
    if inp[3] == "cipher":
        print "\t[+] Cipher: %s"%inp[4]
        print "\t[+] Password: %s"%decrypt_password(inp[4])
    else:
        print "\t[+] Password: %s"%(inp[4])

Just writing in here the step by step that I followed in case it helps someone, as it helped me:

1. Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
   $2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$

2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add

3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=

4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=

5. Throw that in hashcat with a wordlist like so:
   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt

For that example, create a wordlist with the word "admin" in it, and it will work.
Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)
Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.

I need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device?

Thanks in advance for any help!

I don't know honestly.