{"slug": "decrypt-huawei-router-firewall-passwords-huawei-stores-passwords-using-des-when", "title": "Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.", "summary": "The article describes a Python tool called `huaweiDecrypt.py` that extracts local user credentials from Huawei router and firewall configuration files. It decrypts passwords stored with Huawei's DES encryption, which uses a known static key (`\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08`) in ECB mode, allowing both plain-text and \"crypted\" passwords to be recovered. The script was authored by Etienne Stalmans in 2014.", "body_md": "```python\n#!/usr/bin/python\n\"\"\"\nSimple tool to extract local users and passwords from most Huawei routers/firewalls config files.\nWill extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with\na known key. Using this information, the script will decrypt credentials found in the config file.\nAuthor: Etienne Stalmans (etienne@sensepost.com)\nVersion: 1.0 (12/01/2014)\n\"\"\"\n# Python 2 script; needs the PyCrypto package for Crypto.Cipher.DES\nfrom Crypto.Cipher import DES\nimport sys\nimport binascii\n\n# Map one character of the printable encoding to its 6-bit value ('a' stands in for '?')\ndef decode_char(c):\n    if c == 'a':\n        r = '?'\n    else:\n        r = c\n    return ord(r) - ord('!')\n\n# Unpack 24 encoded characters (6 bits each) into 18 raw bytes\ndef ascii_to_binary(s):\n    assert len(s) == 24\n    out = [0]*18\n    i = 0\n    j = 0\n    for i in range(0, len(s), 4):\n        y = decode_char(s[i + 0])\n        y = (y << 6) & 0xffffff\n        k = decode_char(s[i + 1])\n        y = (y | k) & 0xffffff\n        y = (y << 6) & 0xffffff\n        k = decode_char(s[i + 2])\n        y = (y | k) & 0xffffff\n        y = (y << 6) & 0xffffff\n        k = decode_char(s[i + 3])\n        y = (y | k) & 0xffffff\n        out[j+2] = chr(y & 0xff)\n        out[j+1] = chr((y>>8) & 0xff)\n        out[j+0] = chr((y>>16) & 0xff)\n        j += 3\n    return \"\".join(out)\n\n# Decrypt the first 16 decoded bytes (two DES blocks) with the static key in ECB mode\ndef decrypt_password(p):\n    r = ascii_to_binary(p)\n    r = r[:16]\n    d = DES.new(\"\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\", DES.MODE_ECB)\n    r = d.decrypt(r)\n    return r.rstrip(\"\\x00\")\n\nf_in = open(sys.argv[1],'r')\nprint \"[*] Huawei Password Decryptor\"\nfor line in f_in:\n    # Only lines that mention both 'local-user' and 'password' are processed\n    if ('local-user' not in line) or ('password' not in line):\n        continue\n    # Fields used: inp[1] = user name, inp[3] = password type, inp[4] = password value\n    inp = line.split()\n    print \"[*]-----------------------\"\n    print \"\\t[+] User: %s\"%inp[1]\n    print \"\\t[+] Password type: %s\"%inp[3]\n    if inp[3] == \"cipher\":\n        print \"\\t[+] Cipher: %s\"%inp[4]\n        print \"\\t[+] Password: %s\"%decrypt_password(inp[4])\n    else:\n        print \"\\t[+] Password: %s\"%(inp[4])\n```\n\nHello!\n\nIs it possible to decrypt this one?\n\n$1c$nIyL.#{5F2$TzF'@\"gEaH_mJb*Vd>fBD\"px&M1'i1aOXF:ptG:E$\n\nThank you in advance!\n\nfor dg 8245\n\ni need Administrator user and password\n\ni search through Notepad and this is what i get\n\nUserName=\"vodadsl\" Password=\"41a69149e63df1ce83234fc39a70caeab11eed3d390629ca7cffc2dcd327480b\" UserLevel=\"0\" Enable=\"1\" ModifyPasswordFlag=\"0\"\n\ni need to decrypt the password\n\n$2GACZYhI-vIoR>v/Cdi:7dkP=;9/(HKvZ2UK[5,]AA9ALE\\Z%.S*`&iVCn216/StW,(M%`\n\n'bpB{@[jdL!1:Be=`9P*Ky}2(&|=jsR$\n\npls\n\ni tried the site, 
it doesnt give a good result:\n\n[https://andreluis034.github.io/huawei-utility-page/#cipher](https://andreluis034.github.io/huawei-utility-page/#cipher)\n\n$2#$A:[@i5s](https://github.com/i5s)+L7OAK/KQ.r9gfB`5v,-S%T=rz~&0[6I:Zt,<Rvhz):~~[v3(*\"K@(OMJMf<*a~~A1z#1KIlO4LUwr,FX$5D||9s)E#|%0$\n\nResult: bbf2073ca9c495606fe49628cffef83e0dfce8dc29270703b3c6709e14029911\n\nHey guys, i tried both the website [https://andreluis034.github.io/huawei-utility-page/#cipher](https://andreluis034.github.io/huawei-utility-page/#cipher) and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is:\n\nNova_admin\n\nPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@*!Gs46RKnm)]UmP\"9Z8c$CVHn*or<A/WHPI)X8SP!$\n\nI understand it contains html elements and after cleaning it it reads this:\n\n$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.[@vm](https://github.com/vm)|IBC@I2a2kN3x#J`XaMe4*.gkUL$\n\nI need to be able to bridge it to my router but none of the option work, can anyone assist?\n\nThanks!\n\nHey guys, i tried both the website\n\n[https://andreluis034.github.io/huawei-utility-page/#cipher]and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_adminPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP\"9Z8c$CVHn_or<A/WHPI)X8SP!$\n\nI understand it contains html elements and after cleaning it it reads this:\n\n$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.\n\n[@vm]|IBC@I2a2kN3x#J`XaMe4*.gkUL$I need to be able to bridge it to my router but none of the option work, can anyone assist?\n\nThanks!\n\nPlease send me your Password= from <InterfaceInstance InstanceID=\"1\" maybe a CLI or Webuser password which are salted and can't decrypt. 
You can modify the config to set root or default password as unencrypted then you get into the ONT.\n\nThanks,\n\nJ\n\nHey guys, i tried both the website\n\n[https://andreluis034.github.io/huawei-utility-page/#cipher]and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_adminPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP\"9Z8c$CVHn_or<A/WHPI)X8SP!$\n\nI understand it contains html elements and after cleaning it it reads this:\n\n$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.\n\n[@vm]|IBC@I2a2kN3x#J`XaMe4*.gkUL$I need to be able to bridge it to my router but none of the option work, can anyone assist?\n\nThanks!\n\nHey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) [@filipposxeil](https://github.com/filipposxeil)\n\nHello, can someone help me decrypt this?\n\n-->\n\nHey guys, i tried both the website\n\n[https://andreluis034.github.io/huawei-utility-page/#cipher]and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. 
I managed to extract the config data and the admin user is: Nova_admin\n\nPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP\"9Z8c$CVHn_or<A/WHPI)X8SP!$\n\nI understand it contains html elements and after cleaning it it reads this:\n\n$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.[@vm]|IBC@I2a2kN3x#J`XaMe4*.gkUL$\n\nI need to be able to bridge it to my router but none of the option work, can anyone assist?\n\nThanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :)\n\n[@filipposxeil]\n\nsame here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than \"DZTELECOM\" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request\n\nI am trying to find some code/command execution bug but it seems like im going nowhere\n\nalso telnet/ssh/ftp are all filtered so no luck\n\ni did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)\n\naaand firmware dumping or hardware debugging is not a valid option fr\n\nwbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)\n\nHey guys, i tried both the website\n\n[https://andreluis034.github.io/huawei-utility-page/#cipher]and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. 
I managed to extract the config data and the admin user is: Nova_admin\n\nPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP\"9Z8c$CVHn_or<A/WHPI)X8SP!$\n\nI understand it contains html elements and after cleaning it it reads this:\n\n$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.[@vm]|IBC@I2a2kN3x#J`XaMe4*.gkUL$\n\nI need to be able to bridge it to my router but none of the option work, can anyone assist?\n\nThanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :)\n\n[@filipposxeil]same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than \"DZTELECOM\" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere\n\nalso telnet/ssh/ftp are all filtered so no luck\n\ni did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)\n\naaand firmware dumping or hardware debugging is not a valid option fr\n\nwbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)\n\nI received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. 
We’ll see if they comply\n\nHey there.. check X_HW_WebUserInfoInstance factory pass..\n\nTry using this for the web interface as well on my case it worked..\n\nHey guys, i tried both the website\n\n[https://andreluis034.github.io/huawei-utility-page/#cipher]and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin\n\nPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP\"9Z8c$CVHn_or<A/WHPI)X8SP!$\n\nI understand it contains html elements and after cleaning it it reads this:\n\n$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.[@vm]|IBC@I2a2kN3x#J`XaMe4*.gkUL$\n\nI need to be able to bridge it to my router but none of the option work, can anyone assist?\n\nThanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :)\n\n[@filipposxeil]same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than \"DZTELECOM\" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere\n\nalso telnet/ssh/ftp are all filtered so no luck\n\ni did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)\n\naaand firmware dumping or hardware debugging is not a valid option fr\n\nwbu? what did you try? 
and did you find anything relevant(i dont think so, this was written yesterday lmao)I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply\n\nconsider asking them for the superadmin credentials, that way you can configure it at home without needing their support\n\nother than that extracting the credentials requires either firmware dumping or developing your own exploit, which may be troublesome\n\nlet me know if they give you any useful information\n\nHey guys, i tried both the website\n\n[https://andreluis034.github.io/huawei-utility-page/#cipher]and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin\n\nPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP\"9Z8c$CVHn_or<A/WHPI)X8SP!$\n\nI understand it contains html elements and after cleaning it it reads this:\n\n$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.[@vm]|IBC@I2a2kN3x#J`XaMe4*.gkUL$\n\nI need to be able to bridge it to my router but none of the option work, can anyone assist?\n\nThanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! 
:)\n\n[@filipposxeil]same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than \"DZTELECOM\" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere\n\nalso telnet/ssh/ftp are all filtered so no luck\n\ni did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)\n\naaand firmware dumping or hardware debugging is not a valid option fr\n\nwbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply\n\nconsider asking them for the superadmin credentials, that way you can configure it at home without needing their support other than that extracting the credentials requires either firmware dumping or developing your own exploit, which may be troublesome\n\nlet me know if they give you any useful information\n\ndo you have default superadmin creds ? or did you get your hands on the firmware files since i want to mess with them ?\n\nSorry for the trouble.\n\nWhat is the function of the SU button in the GUI? Have I ever tried just $1 and $2?\n\nI don't know.\n\nWhere can I find this GUI?\n\nThanks\n\n$2M^7i5]ps.KDN0XI>kLtUo{cZ~\\ZMZ2R.*.POxM|2t-Z'6\"e{P~e6WM9D^[l)DtF8(_]48(b$v9WjPQ,&+0fO>c'Nb/_b||6$;,rR$\n\nCan you help me?\n\nDone, I hope it is still useful to you: 1274380565c7e25acde5c9d28e2ef73677056a4efe2f4576973e79136e284aea\n\nI hope it is still useful to you: 1274380565c7e25acde5c9d28e2ef73677056a4efe2f4576973e79136e284aea\n\nHey guys, i tried both the website\n\n[https://andreluis034.github.io/huawei-utility-page/#cipher]and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin\n\nPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP\"9Z8c$CVHn_or<A/WHPI)X8SP!$\n\nI understand it contains html elements and after cleaning it it reads this:\n\n$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.[@vm]|IBC@I2a2kN3x#J`XaMe4*.gkUL$\n\nI need to be able to bridge it to my router but none of the option work, can anyone assist?\n\nThanks!Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! 
:)\n\n[@filipposxeil]same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than \"DZTELECOM\" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere\n\nalso telnet/ssh/ftp are all filtered so no luck\n\ni did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)\n\naaand firmware dumping or hardware debugging is not a valid option fr\n\nwbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply\n\nAny update? 
[@arkali](https://github.com/arkali)\n\nJust writing in here the step by step that I followed in case it helps someone, as it helped me:\n\n1. Get the password from \"X_HW_WebUserInfoInstance\" block in the xml, example:\n\n   $2lG$uOG$C{D@pN\\8@F#'YAFX_46f~BKB\"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$\n\n2. Use that website to decipher: [https://andreluis034.github.io/huawei-utility-page/#cipher](https://andreluis034.github.io/huawei-utility-page/#cipher)\n\n   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add\n\n3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n\n4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE\n\n   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n\n5. Throw that in hashcat with a wordlist like so:\n\n   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt\n\nFor that example, create a wordlist with the word \"admin\" in it, and it will work.\n\nAlso, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)\n\nAnother thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.\n\nJust writing in here the step by step that I followed in case it helps someone, as it helped me:\n\n```\n1. Get the password from \"X_HW_WebUserInfoInstance\" block in the xml, example:\n   $2lG$uOG$C{D@pN\\8@F#'YAFX_46f~BKB\"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$\n\n2. 
Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher\n   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add\n\n3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n\n4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE\n   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n\n5. Throw that in hashcat with a wordlist like so:\n   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt\n```\n\nFor that example, create a wordlist with the word \"admin\" in it, and it will work.\n\nAlso, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)\n\nAnother thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.\n\ngood work i try this methode and i have some quetions\n\nfirst salt value should be convert to base64 or not\n\ni try for this value\n\npassword decrypt (925d7ced11d07d01372b258930685c6765ca699c1de7fe0156784a1b72f60d82)\n\npassword base 64 ( kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=)\n\nsalt ( 38fa9b0625b6fdf11cf802c0 )\n\ni use this website for pbkdf2 [https://www.dcode.fr/pbkdf2-hash](https://www.dcode.fr/pbkdf2-hash)\n\nand the result was\n\n$pbkdf2-sha1$1000$MzhmYTliMDYyNWI2ZmRmMTFjZjgwMmMw$zXjXSIl5drOY41.ienQlbShrfN0\n\nthe user name for this password is Nova_admin\n\nany help will be fine\n\nJust writing in here the step by step that I followed in case it helps someone, as it helped me:\n\n```\n1. 
Get the password from \"X_HW_WebUserInfoInstance\" block in the xml, example:\n   $2lG$uOG$C{D@pN\\8@F#'YAFX_46f~BKB\"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$\n\n2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher\n   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add\n\n3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n\n4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE\n   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n\n5. Throw that in hashcat with a wordlist like so:\n   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt\n```\n\nFor that example, create a wordlist with the word \"admin\" in it, and it will work.\n\nAlso, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)\n\nAnother thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.good work i try this methode and i have some quetions first salt value should be convert to base64 or not i try for this value password decrypt (925d7ced11d07d01372b258930685c6765ca699c1de7fe0156784a1b72f60d82) password base 64 ( kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=) salt ( 38fa9b0625b6fdf11cf802c0 ) i use this website for pbkdf2\n\n[https://www.dcode.fr/pbkdf2-hash]and the result was $pbkdf2-sha1$1000$MzhmYTliMDYyNWI2ZmRmMTFjZjgwMmMw$zXjXSIl5drOY41.ienQlbShrfN0 the user name for this password is Nova_admin any help will be fine\n\nNo, the salt shouldn't be base64.\n\nDon't edit the beginning of the payload (you did \"$pbkdf2-sha1$1000$\", my 
example is \"pbkdf2_sha256$5000$\")\n\nYour final payload will look like that:\n\npbkdf2_sha256$5000$38fa9b0625b6fdf11cf802c0$kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=\n\nI have a gtx1660, tried all the passwords from seclists wordlists and didn't get a result, good luck\n\nyour command:\n\nhashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$38fa9b0625b6fdf11cf802c0$kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=' mega_wordlist.txt\n\nJust writing in here the step by step that I followed in case it helps someone, as it helped me:\n\n```\n1. Get the password from \"X_HW_WebUserInfoInstance\" block in the xml, example:\n   $2lG$uOG$C{D@pN\\8@F#'YAFX_46f~BKB\"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$\n\n2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher\n   Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add\n\n3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n\n4. Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE\n   Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n\n5. 
Throw that in hashcat with a wordlist like so:\n   hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txt\n```\n\nFor that example, create a wordlist with the word \"admin\" in it, and it will work.\n\nAlso, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)\n\nAnother thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.\n\nI need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device?\n\nThanks in advance for any help!\n\nJust writing in here the step by step that I followed in case it helps someone, as it helped me:\n\n- Get the password from \"X_HW_WebUserInfoInstance\" block in the xml, example:\n\n$2lG$uOG$C{D@pN\\8@F#'YAFX_46f~BKB\"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$- Use that website to decipher:\n[https://andreluis034.github.io/huawei-utility-page/#cipher]\n\nResult: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add- Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n- Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE\n\nWhich in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=- Throw that in hashcat with a wordlist like so:\n\nhashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' 
custom_wordlist.txt -o secret.txtFor that example, create a wordlist with the word \"admin\" in it, and it will work.\n\nAlso, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)\n\nAnother thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.\n\nI couldn't understand step 4 and this is what i did:\n\nUsername: admin\n\nPassword: $2%h#wXS,`{G3~~uLS6pDAO~~AH>7Ah=p+{l/MX&Z|![@9](https://github.com/9)&OECgMGY<VG';/v(0f+;sBS(.=:BSma\\FG{^2[IUoe-6T)$m3}t=f25*c;*$\n\nSalt: a37f3a20a4e49477cc24c1e8\n\n5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c\n\nLDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=\n\nUsername: telecomadmin\n\nPassword: $2zQaAAx+a\"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$\n\nSalt: f69f0d7ab9a13a97c12afa93\n\n95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37\n\nEG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=\n\nUsername:root\n\nPassword: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B\"'Z/=/w\"ZM,&<WSGGv'(2\"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$\n\nSalt: 8c06e92ac8c69c9aab9d3ce3\n\n240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee\n\nqY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=\n\nis that correct? and how to do step 4? 
regards\n\nJust writing in here the step by step that I followed in case it helps someone, as it helped me:\n\n- Get the password from \"X_HW_WebUserInfoInstance\" block in the xml, example:\n\n$2lG$uOG$C{D@pN\\8@F#'YAFX_46f~BKB\"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$- Use that website to decipher:\n[https://andreluis034.github.io/huawei-utility-page/#cipher]\n\nResult: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add- Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=\n- Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE\n\nWhich in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=- Throw that in hashcat with a wordlist like so:\n\nhashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.txtFor that example, create a wordlist with the word \"admin\" in it, and it will work.\n\nAlso, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config (had to do that because the web interface didn't allow me)\n\nAnother thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.I couldn't understand step 4 and this is what i did: Username: admin Password: $2%h#wXS,`{G3\n\n~~uLS6pDAO~~AH>7Ah=p+{l/MX&Z|![@9]&OECgMGY<VG';/v(0f+;sBS(.=:BSma\\FG{^2[IUoe-6T)$m3}t=f25_c;_$ Salt: a37f3a20a4e49477cc24c1e85d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c\n\nLDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=\n\nUsername: telecomadmin Password: $2zQaAAx+a\"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$ Salt: 
f69f0d7ab9a13a97c12afa93\n\n95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37\n\nEG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=\n\nUsername:root Password: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B\"'Z/=/w\"ZM,&<WSGGv'(2\"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$ Salt: 8c06e92ac8c69c9aab9d3ce3\n\n240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee\n\nqY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44= is that correct? and how to do step 4? regards\n\nin the step 4 just take the string that I sent and replace SALT with the salt and RESULT_FROM_ABOVE with the result from the step above, like that:\n\n```\nUsername: admin\nPassword: $2%h#wXS,`{G3uLS6pDAOAH>7Ah=p+{l/MX&Z|!@9&OECgMGY<VG';/v(0f+;sBS(.=:BSma\\FG{^2[IUoe-6T)$m3}t=f25c;$\nSalt: a37f3a20a4e49477cc24c1e8\n\n5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c\n\nLDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=\n\npbkdf2_sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=\n\nhashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=' wordlist.txt -o result.txt\n\nUsername: telecomadmin\nPassword: $2zQaAAx+a\"QGUyp@B^n=QuDNOB4[%{Y)0_m$w>N+E\\4NY6wUAj0bsfTQ$P*u;T^]-U{yJg49TAhB.[^=S-fs~>.oB{YV2>/3rjtFA$\nSalt: f69f0d7ab9a13a97c12afa93\n\n95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37\n\nEG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=\n\npbkdf2_sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=\nhashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=' wordlist.txt -o result.txt\n\nUsername:root\nPassword: $28e[BSri]&bL|,/rGm6Z.GPNQTtkHE(f4FAbjtxEU0$AT1u!B\"'Z/=/w\"ZM,&<WSGGv'(2\"kNkH%2ppJ7JLOK3jiuGctpHJ#+dl9$\nSalt: 
8c06e92ac8c69c9aab9d3ce3\n\n240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee\n\nqY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=\n\npbkdf2_sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=\nhashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=' wordlist.txt -o result.txt\n```\n\nI need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. 
Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device?\n\nThanks in advance for any help!\n\nI don't know honestly.\n\nhi Where is the $SALT code generated?\n\nit comes from the xml config of the router\n\nIs it still working?\n\nI tested both the website and the tools there, but both only generate outrk code, like base64, when I try to decode the text in the PPPoE password files.\n\nI have a Huawei HG8145V5-V2 router, and its backup is generated in .xml.html.\n\nHello,\n\nI need help decrypting the password\n\npassword in xml: $2Etj3I\"8BbUvf@D,2Yi)0J<e@R3Q@6@WIFZLdq.{HK1(H*wGY]!*CjM/{ctN\"(XA5Y7txU-]lsvEVm.*8_mGQAAtr$EkID'7K`0\"Q$\n\npassword: $2Etj3I\"8BbUvf@D,2Yi)0J<e@R3Q@6@WIFZLdq.{HK1(H*wGY]!*CjM/{ctN\"(XA5Y7txU-]lsvEVm.*8_mGQAAtr$EkID'7K`0\"Q$\n\nsalt: 61f3f528e255a2dfb5799a27\n\nPassMode: 3\n\nHEX: cc79cb92e8161ef4895b9c3601096b0665aaa8ef651c0652312e6153f7de5505\n\nBASE64: zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU=\n\nSalt: 
61f3f528e255a2dfb5799a27\n\nPayload: pbkdf2_sha256$5000$61f3f528e255a2dfb5799a27$zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU=\n\nhashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$61f3f528e255a2dfb5799a27$zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU=' wordlist.txt -o secret.txt\n\nI tried using hashcat but it failed.\n\nAlso I am a newbie, where do I get the wordlist from? I just found one online and I don't know if it helped or not.\n\nUserName=\"user\" Password=\"4124e2661fb9a63511c3881c8caedb0d5e6bbcfe89e2435a843f5ed0fb8ef0ed\" UserLevel=\"1\" Enable=\"1\" ModifyPasswordFlag=\"1\" Alias=\"cpe-1\" Salt=\"f16a98b5c24ce643ec2df5f7\" PassMode=\"3\"/>\n\nUserName=\"gDlLh2xobOZY\" Password=\"69357d9948b1e82d57bbb092cd988a9c6041c1d6351d06cde679a428298ab1c5\" UserLevel=\"0\" Enable=\"1\" ModifyPasswordFlag=\"1\" Alias=\"cpe-2\" Salt=\"7de9dedc93e1de6a71aaee6a\" PassMode=\"3\"/>\n\nHelp me plz", "url": "https://wpnews.pro/news/decrypt-huawei-router-firewall-passwords-huawei-stores-passwords-using-des-when", "canonical_source": "https://gist.github.com/staaldraad/605a5e40abaaa5915bc7", "published_at": "2015-03-11 13:19:20+00:00", "updated_at": "2026-05-22 20:08:47.918742+00:00", "lang": "en", "topics": ["cybersecurity", "open-source", "developer-tools"], "entities": ["Huawei", "Etienne Stalmans", "SensePost"], "alternates": {"html": "https://wpnews.pro/news/decrypt-huawei-router-firewall-passwords-huawei-stores-passwords-using-des-when", "markdown": "https://wpnews.pro/news/decrypt-huawei-router-firewall-passwords-huawei-stores-passwords-using-des-when.md", "text": "https://wpnews.pro/news/decrypt-huawei-router-firewall-passwords-huawei-stores-passwords-using-des-when.txt", "jsonld": "https://wpnews.pro/news/decrypt-huawei-router-firewall-passwords-huawei-stores-passwords-using-des-when.jsonld"}}