Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.

The article describes a Python tool called `huaweiDecrypt.py` that extracts local user credentials from Huawei router and firewall configuration files. It decrypts passwords stored with Huawei's DES encryption, which uses a known static key (`\x01\x02\x03\x04\x05\x06\x07\x08`) in ECB mode, allowing both plain-text and "crypted" passwords to be recovered. The script was authored by Etienne Stalmans in 2014.

- - Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop. Learn more about bidirectional Unicode characters https://github.co/hiddenchars | /usr/bin/python | | | """ | | | Simple tool to extract local users and passwords from most Huawei routers/firewalls config files. | | | Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with | | | a known key. Using this information, the script will decrypt credentials found in the config file. | | | Author: Etienne Stalmans etienne@sensepost.com | | | Version: 1.0 12/01/2014 | | | """ | | | from Crypto.Cipher import DES | | | import sys | | | import binascii | | | def decode char c : | | | if c == 'a': | | | r = '?' | | | else: | | | r = c | | | return ord r - ord ' ' | | | def ascii to binary s : | | | assert len s == 24 | | | out = 0 18 | | | i = 0 | | | j = 0 | | | for i in range 0, len s , 4 : | | | y = decode char s i + 0 | | | y = y << 6 & 0xffffff | | | k = decode char s i + 1 | | | y = y | k & 0xffffff | | | y = y << 6 & 0xffffff | | | k = decode char s i + 2 | | | y = y | k & 0xffffff | | | y = y << 6 & 0xffffff | | | k = decode char s i + 3 | | | y = y | k & 0xffffff | | | out j+2 = chr y & 0xff | | | out j+1 = chr y 8 & 0xff | | | out j+0 = chr y 16 & 0xff | | | j += 3 | | | return "".join out | | | def decrypt password p : | | | r = ascii to binary p | | | r = r :16 | | | d = DES.new "\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE ECB | | | r = d.decrypt r | | | return r.rstrip "\x00" | | | f in = open sys.argv 1 ,'r' | | | print " Huawei Password Decryptor" | | | for line in f in: | | | if 'local-user' not in line or 'password' not in line : | | | continue | | | inp = line.split | | | print " -----------------------" | | | print "\t + User: %s"%inp 1 | | | print "\t + Password type: %s"%inp 3 | | | if inp 3 == "cipher": | | | print "\t + Cipher: %s"%inp 4 | | | print "\t + Password: %s"%decrypt password inp 4 | | | else: | | | print "\t + Password: %s"% inp 4 | Hello It it possible to decrypt this one? $1c$nIyL. {5F2$TzF'@"gEaH mJb Vd fBD"px&M1'i1aOXF:ptG:E$ Thank you in advance for dg 8245 i need Administrator user and password i search through notpade and this what i get UserName="vodadsl" Password="41a69149e63df1ce83234fc39a70caeab11eed3d390629ca7cffc2dcd327480b" UserLevel="0" Enable="1" ModifyPasswordFlag="0" i need to decrypt the password $2GACZYhI-vIoR v/Cdi:7dkP=;9/ HKvZ2UK 5, AA9ALE\Z%.S &iVCn216/StW, M% 'bpB{@ jdL 1:Be= 9P Ky}2 &|=jsR$ pls i tried the site, it doesnt give a good result: https://andreluis034.github.io/huawei-utility-page/ cipher https://andreluis034.github.io/huawei-utility-page/ cipher $2 $A: @i5s https://github.com/i5s +L7OAK/KQ.r9gfB 5v,-S%T=rz~&0 6I:Zt,<Rvhz :~~ v3 "K@ OMJMf< a~~A1z 1KIlO4LUwr,FX$5D||9s E |%0$ Result: bbf2073ca9c495606fe49628cffef83e0dfce8dc29270703b3c6709e14029911 Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/ cipher https://andreluis034.github.io/huawei-utility-page/ cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP Nova Greece is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova admin Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@ Gs46RKnm UmP"9Z8c$CVHn or<A/WHPI X8SP $ I understand it contains html elements and after cleaning it it reads this: $2z$Z|9jwJWMO S8,0 1%-pzg ;mH:-. @vm https://github.com/vm |IBC@I2a2kN3x J XaMe4 .gkUL$ I need to be able to bridge it to my router but none of the option work, can anyone assist? Thanks Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/ cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP Nova Greece is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova adminPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@ Gs46RKnm UmP"9Z8c$CVHn or<A/WHPI X8SP $ I understand it contains html elements and after cleaning it it reads this: $2z$Z|9jwJWMO S8,0 1%-pzg ;mH:-. @vm |IBC@I2a2kN3x J XaMe4 .gkUL$I need to be able to bridge it to my router but none of the option work, can anyone assist? Thanks Please send me your Password= from <InterfaceInstance InstanceID="1" maybe a CLI or Webuser password which are salted and can't decrypt. You can modify the config to set root or default password as unencrypted then you get into the ONT. Thanks, J Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/ cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP Nova Greece is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova adminPassword as per the config file is: $2z0m&BlvfqI'$Tw1grk@ Gs46RKnm UmP"9Z8c$CVHn or<A/WHPI X8SP $ I understand it contains html elements and after cleaning it it reads this: $2z$Z|9jwJWMO S8,0 1%-pzg ;mH:-. @vm |IBC@I2a2kN3x J XaMe4 .gkUL$I need to be able to bridge it to my router but none of the option work, can anyone assist? Thanks Hey, I just received the HG8145X6-10 fiber modem from my ISP Algérie Télécom . I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated : @filipposxeil https://github.com/filipposxeil Hello, can someone help me decrypt this? -- Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/ cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP Nova Greece is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova admin Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@ Gs46RKnm UmP"9Z8c$CVHn or<A/WHPI X8SP $ I understand it contains html elements and after cleaning it it reads this: $2z$Z|9jwJWMO S8,0 1%-pzg ;mH:-. @vm |IBC@I2a2kN3x J XaMe4 .gkUL$ I need to be able to bridge it to my router but none of the option work, can anyone assist? Thanks Hey, I just received the HG8145X6-10 fiber modem from my ISP Algérie Télécom . I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated : @filipposxeil same here, I tried messing with the network traffic on the config website by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere also telnet/ssh/ftp are all filtered so no luck i did manage to find sql copyright data which contained a bunch of packages and their respective versions some had vulnerabilities, yet after poking around it seems that none of them relate to this problem aaand firmware dumping or hardware debugging is not a valid option fr wbu? what did you try? and did you find anything relevant i dont think so, this was written yesterday lmao Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/ cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP Nova Greece is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova admin Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@ Gs46RKnm UmP"9Z8c$CVHn or<A/WHPI X8SP $ I understand it contains html elements and after cleaning it it reads this: $2z$Z|9jwJWMO S8,0 1%-pzg ;mH:-. @vm |IBC@I2a2kN3x J XaMe4 .gkUL$ I need to be able to bridge it to my router but none of the option work, can anyone assist? Thanks Hey, I just received the HG8145X6-10 fiber modem from my ISP Algérie Télécom . I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated : @filipposxeil same here, I tried messing with the network traffic on the config website by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere also telnet/ssh/ftp are all filtered so no luck i did manage to find sql copyright data which contained a bunch of packages and their respective versions some had vulnerabilities, yet after poking around it seems that none of them relate to this problem aaand firmware dumping or hardware debugging is not a valid option fr wbu? what did you try? and did you find anything relevant i dont think so, this was written yesterday lmao I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP Algérie Télécom to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply Hey there.. check X HW WebUserInfoInstance factory pass.. Try using this for the web interface as well on my case it worked.. Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/ cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP Nova Greece is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova admin Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@ Gs46RKnm UmP"9Z8c$CVHn or<A/WHPI X8SP $ I understand it contains html elements and after cleaning it it reads this: $2z$Z|9jwJWMO S8,0 1%-pzg ;mH:-. @vm |IBC@I2a2kN3x J XaMe4 .gkUL$ I need to be able to bridge it to my router but none of the option work, can anyone assist? Thanks Hey, I just received the HG8145X6-10 fiber modem from my ISP Algérie Télécom . I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated : @filipposxeil same here, I tried messing with the network traffic on the config website by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere also telnet/ssh/ftp are all filtered so no luck i did manage to find sql copyright data which contained a bunch of packages and their respective versions some had vulnerabilities, yet after poking around it seems that none of them relate to this problem aaand firmware dumping or hardware debugging is not a valid option fr wbu? what did you try? and did you find anything relevant i dont think so, this was written yesterday lmao I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP Algérie Télécom to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply consider asking them for the superadmin credentials, that way you can configure it at home without needing their support other than that extracting the credentials requires either firmware dumping or developing your own exploit, which may be troublesome let me know if they give you any useful information Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/ cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP Nova Greece is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova admin Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@ Gs46RKnm UmP"9Z8c$CVHn or<A/WHPI X8SP $ I understand it contains html elements and after cleaning it it reads this: $2z$Z|9jwJWMO S8,0 1%-pzg ;mH:-. @vm |IBC@I2a2kN3x J XaMe4 .gkUL$ I need to be able to bridge it to my router but none of the option work, can anyone assist? Thanks Hey, I just received the HG8145X6-10 fiber modem from my ISP Algérie Télécom . I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated : @filipposxeil same here, I tried messing with the network traffic on the config website by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere also telnet/ssh/ftp are all filtered so no luck i did manage to find sql copyright data which contained a bunch of packages and their respective versions some had vulnerabilities, yet after poking around it seems that none of them relate to this problem aaand firmware dumping or hardware debugging is not a valid option fr wbu? what did you try? and did you find anything relevant i dont think so, this was written yesterday lmao I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP Algérie Télécom to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply consider asking them for the superadmin credentials, that way you can configure it at home without needing their support other than that extracting the credentials requires either firmware dumping or developing your own exploit, which may be troublesome let me know if they give you any useful information do you have default superadmin creds ? or did you get your hands on the firmware files since i want to mess with them ? Disculpe las molestias. ¿Cuál es la función del botón SU en la GUI? ¿Alguna vez probé solo $1 y $2? No sé. ¿Dónde puedo encontrar esta GUI? Gracias $2M^7i5 ps.KDN0XI kLtUo{cZ~\ZMZ2R. .POxM|2t-Z'6"e{P~e6WM9D^ l DtF8 48 b$v9WjPQ,&+0fO c'Nb/ b||6$;,rR$ ¿Puedes ayudarme? Listo espero aun te sirva: 1274380565c7e25acde5c9d28e2ef73677056a4efe2f4576973e79136e284aea espero aun te sirva: 1274380565c7e25acde5c9d28e2ef73677056a4efe2f4576973e79136e284aea Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/ cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP Nova Greece is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova admin Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@ Gs46RKnm UmP"9Z8c$CVHn or<A/WHPI X8SP $ I understand it contains html elements and after cleaning it it reads this: $2z$Z|9jwJWMO S8,0 1%-pzg ;mH:-. @vm |IBC@I2a2kN3x J XaMe4 .gkUL$ I need to be able to bridge it to my router but none of the option work, can anyone assist? Thanks Hey, I just received the HG8145X6-10 fiber modem from my ISP Algérie Télécom . I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated : @filipposxeil same here, I tried messing with the network traffic on the config website by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere also telnet/ssh/ftp are all filtered so no luck i did manage to find sql copyright data which contained a bunch of packages and their respective versions some had vulnerabilities, yet after poking around it seems that none of them relate to this problem aaand firmware dumping or hardware debugging is not a valid option fr wbu? what did you try? and did you find anything relevant i dont think so, this was written yesterday lmao I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP Algérie Télécom to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply Any update? @arkali https://github.com/arkali Just writing in here the step by step that I followed in case it helps someone, as it helped me: - Get the password from "X HW WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F 'YAFX 46f~BKB"Bn=pP@~6; %U4pt6+8iM,s2K=u E1$aK. ZhcQk elW<s< +E,52WlXF@F 82y,^xzWU$ - Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/ cipher https://andreluis034.github.io/huawei-utility-page/ cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add - Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= - Mount the payload like that: pbkdf2 sha256$5000$SALT$RESULT FROM ABOVE Which in that example was: pbkdf2 sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= - Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom wordlist.txt -o secret.txt For that example, create a wordlist with the word "admin" in it, and it will work. Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config had to do that because the web interface didn't allow me Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt. Just writing in here the step by step that I followed in case it helps someone, as it helped me: 1. Get the password from "X HW WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F 'YAFX 46f~BKB"Bn=pP@~6; %U4pt6+8iM,s2K=u E1$aK. ZhcQk elW<s< +E,52WlXF@F 82y,^xzWU$ 2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/ cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add 3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 4. Mount the payload like that: pbkdf2 sha256$5000$SALT$RESULT FROM ABOVE Which in that example was: pbkdf2 sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 5. Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom wordlist.txt -o secret.txt For that example, create a wordlist with the word "admin" in it, and it will work. Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config had to do that because the web interface didn't allow me Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt. good work i try this methode and i have some quetions first salt value should be convert to base64 or not i try for this value password decrypt 925d7ced11d07d01372b258930685c6765ca699c1de7fe0156784a1b72f60d82 password base 64 kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI= salt 38fa9b0625b6fdf11cf802c0 i use this website for pbkdf2 https://www.dcode.fr/pbkdf2-hash https://www.dcode.fr/pbkdf2-hash and the result was $pbkdf2-sha1$1000$MzhmYTliMDYyNWI2ZmRmMTFjZjgwMmMw$zXjXSIl5drOY41.ienQlbShrfN0 the user name for this password is Nova admin any help will be fine Just writing in here the step by step that I followed in case it helps someone, as it helped me: 1. Get the password from "X HW WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F 'YAFX 46f~BKB"Bn=pP@~6; %U4pt6+8iM,s2K=u E1$aK. ZhcQk elW<s< +E,52WlXF@F 82y,^xzWU$ 2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/ cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add 3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 4. Mount the payload like that: pbkdf2 sha256$5000$SALT$RESULT FROM ABOVE Which in that example was: pbkdf2 sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 5. Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom wordlist.txt -o secret.txt For that example, create a wordlist with the word "admin" in it, and it will work. Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config had to do that because the web interface didn't allow me Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.good work i try this methode and i have some quetions first salt value should be convert to base64 or not i try for this value password decrypt 925d7ced11d07d01372b258930685c6765ca699c1de7fe0156784a1b72f60d82 password base 64 kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI= salt 38fa9b0625b6fdf11cf802c0 i use this website for pbkdf2 https://www.dcode.fr/pbkdf2-hash and the result was $pbkdf2-sha1$1000$MzhmYTliMDYyNWI2ZmRmMTFjZjgwMmMw$zXjXSIl5drOY41.ienQlbShrfN0 the user name for this password is Nova admin any help will be fine No, the salt shouldn't be base64. Don't edit the beginning of the payload you did "$pbkdf2-sha1$1000$", my example is "pbkdf2 sha256$5000$" Your final payload will look like that: pbkdf2 sha256$5000$38fa9b0625b6fdf11cf802c0$kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI= I have a gtx1660, tried all the passwords from seclists wordlists and didn't get a result, good luck your command: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$38fa9b0625b6fdf11cf802c0$kl187RHQfQE3KyWJMGhcZ2XKaZwd5/4BVnhKG3L2DYI=' mega wordlist.txt Just writing in here the step by step that I followed in case it helps someone, as it helped me: 1. Get the password from "X HW WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F 'YAFX 46f~BKB"Bn=pP@~6; %U4pt6+8iM,s2K=u E1$aK. ZhcQk elW<s< +E,52WlXF@F 82y,^xzWU$ 2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/ cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add 3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 4. Mount the payload like that: pbkdf2 sha256$5000$SALT$RESULT FROM ABOVE Which in that example was: pbkdf2 sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 5. Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom wordlist.txt -o secret.txt For that example, create a wordlist with the word "admin" in it, and it will work. Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config had to do that because the web interface didn't allow me Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt. I need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device? Thanks in advance for any help Just writing in here the step by step that I followed in case it helps someone, as it helped me: - Get the password from "X HW WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F 'YAFX 46f~BKB"Bn=pP@~6; %U4pt6+8iM,s2K=u E1$aK. ZhcQk elW<s< +E,52WlXF@F 82y,^xzWU$- Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/ cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add- Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= - Mount the payload like that: pbkdf2 sha256$5000$SALT$RESULT FROM ABOVE Which in that example was: pbkdf2 sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=- Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom wordlist.txt -o secret.txtFor that example, create a wordlist with the word "admin" in it, and it will work. Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config had to do that because the web interface didn't allow me Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt. I couldn't understand step 4 and this is what i did: Username: admin Password: $2%h wXS, {G3~~uLS6pDAO~~AH 7Ah=p+{l/MX&Z| @9 https://github.com/9 &OECgMGY<VG';/v 0f+;sBS .=:BSma\FG{^2 IUoe-6T $m3}t=f25 c; $ Salt: a37f3a20a4e49477cc24c1e8 5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro= Username: telecomadmin Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4 %{Y 0 m$w N+E\4NY6wUAj0bsfTQ$P u;T^ -U{yJg49TAhB. ^=S-fs~ .oB{YV2 /3rjtFA$ Salt: f69f0d7ab9a13a97c12afa93 95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37 EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y= Username:root Password: $28e BSri &bL|,/rGm6Z.GPNQTtkHE f4FAbjtxEU0$AT1u B"'Z/=/w"ZM,&<WSGGv' 2"kNkH%2ppJ7JLOK3jiuGctpHJ +dl9$ Salt: 8c06e92ac8c69c9aab9d3ce3 240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44= is that correct? and how to do step 4? regards Just writing in here the step by step that I followed in case it helps someone, as it helped me: - Get the password from "X HW WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F 'YAFX 46f~BKB"Bn=pP@~6; %U4pt6+8iM,s2K=u E1$aK. ZhcQk elW<s< +E,52WlXF@F 82y,^xzWU$- Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/ cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add- Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= - Mount the payload like that: pbkdf2 sha256$5000$SALT$RESULT FROM ABOVE Which in that example was: pbkdf2 sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=- Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom wordlist.txt -o secret.txtFor that example, create a wordlist with the word "admin" in it, and it will work. Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config had to do that because the web interface didn't allow me Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.I couldn't understand step 4 and this is what i did: Username: admin Password: $2%h wXS, {G3 ~~uLS6pDAO~~AH 7Ah=p+{l/MX&Z| @9 &OECgMGY<VG';/v 0f+;sBS .=:BSma\FG{^2 IUoe-6T $m3}t=f25 c; $ Salt: a37f3a20a4e49477cc24c1e85d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro= Username: telecomadmin Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4 %{Y 0 m$w N+E\4NY6wUAj0bsfTQ$P u;T^ -U{yJg49TAhB. ^=S-fs~ .oB{YV2 /3rjtFA$ Salt: f69f0d7ab9a13a97c12afa93 95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37 EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y= Username:root Password: $28e BSri &bL|,/rGm6Z.GPNQTtkHE f4FAbjtxEU0$AT1u B"'Z/=/w"ZM,&<WSGGv' 2"kNkH%2ppJ7JLOK3jiuGctpHJ +dl9$ Salt: 8c06e92ac8c69c9aab9d3ce3 240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44= is that correct? and how to do step 4? regards in the step 4 just take the string that I sent and replace SALT with the salt and RESULT FROM ABOVE with the result from the step above, like that: Username: admin Password: $2%h wXS, {G3uLS6pDAOAH 7Ah=p+{l/MX&Z| @9&OECgMGY<VG';/v 0f+;sBS .=:BSma\FG{^2 IUoe-6T $m3}t=f25c;$ Salt: a37f3a20a4e49477cc24c1e8 5d700f268adff09a6e9af11d19a6ab59c346c64e243728a5a81c17b3dfe8232c LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro= pbkdf2 sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro= hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$a37f3a20a4e49477cc24c1e8$LDrcoAws4Cz9VJolJcaJW7VSMGJvbCnJk1jWewHrpro=' wordlist.txt -o result.txt Username: telecomadmin Password: $2zQaAAx+a"QGUyp@B^n=QuDNOB4 %{Y 0 m$w N+E\4NY6wUAj0bsfTQ$P u;T^ -U{yJg49TAhB. ^=S-fs~ .oB{YV2 /3rjtFA$ Salt: f69f0d7ab9a13a97c12afa93 95478664f2d8d9d5930cf88461f17a0ba391b9cd53431f966fecfe5142271c37 EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y= pbkdf2 sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y= hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$f69f0d7ab9a13a97c12afa93$EG37m1YyD9Cv20nB16DHPUOkIHS9ji9ntXAKdscQ50Y=' wordlist.txt -o result.txt Username:root Password: $28e BSri &bL|,/rGm6Z.GPNQTtkHE f4FAbjtxEU0$AT1u B"'Z/=/w"ZM,&<WSGGv' 2"kNkH%2ppJ7JLOK3jiuGctpHJ +dl9$ Salt: 8c06e92ac8c69c9aab9d3ce3 240fa47edb3bddaf12a7a8b4d26582063160613399b94c12f378c9c34fad3bee qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44= pbkdf2 sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44= hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8c06e92ac8c69c9aab9d3ce3$qY4537Yc7HBdn32TJPht2WCR0AZ6hMcrf2LNYgdKt44=' wordlist.txt -o result.txt Just writing in here the step by step that I followed in case it helps someone, as it helped me: 1. Get the password from "X HW WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F 'YAFX 46f~BKB"Bn=pP@~6; %U4pt6+8iM,s2K=u E1$aK. ZhcQk elW<s< +E,52WlXF@F 82y,^xzWU$ 2. Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/ cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add 3. Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 4. Mount the payload like that: pbkdf2 sha256$5000$SALT$RESULT FROM ABOVE Which in that example was: pbkdf2 sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= 5. Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom wordlist.txt -o secret.txt For that example, create a wordlist with the word "admin" in it, and it will work. Also, one more information: I didn't have the full root access at first, I had a secondary account, but that account had access to telnet and in telnet I was able to print the config had to do that because the web interface didn't allow me Another thing: if someone wants help of someone else to decrypt it, and its encrypted with PassMode 3, you have to also send the salt.I need to create a script that, based on an existing configuration file from a Huawei ONT, creates a new configuration file for new devices. Can you tell me if it's possible to encrypt the passwords so that they're compatible with the Huawei device configuration file? So that I can simply edit the passwords in a configuration file and send that file to a new device? Thanks in advance for any help I don't know honestly. hi Where is the $SALT code generated? hi Where is the $SALT code generated? it comes from the xml config of the router … https://gist.github.com/staaldraad/605a5e40abaaa5915bc7 gistcomment-5863865 https://gist.github.com/staaldraad/605a5e40abaaa5915bc7 gistcomment-5863865 or unsubscribe < https://github.com/notifications/unsubscribe-auth/B2DJOK5KKAOWSFGA2ZIFZPL344JXZBFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2WR3JON2EG33NNVSW45FGORXXA2LDOOIYFJDUPFYGLJDHNFZXJJLWMFWHKZNIGIYDENBWHAZDBKTBOR2HE2LCOV2GK44TQKSXMYLMOVS2SMJVGM3DENBTGEYKI3TBNVS2QYLDORXXEX3JMSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DF https://github.com/notifications/unsubscribe-auth/B2DJOK5KKAOWSFGA2ZIFZPL344JXZBFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2WR3JON2EG33NNVSW45FGORXXA2LDOOIYFJDUPFYGLJDHNFZXJJLWMFWHKZNIGIYDENBWHAZDBKTBOR2HE2LCOV2GK44TQKSXMYLMOVS2SMJVGM3DENBTGEYKI3TBNVS2QYLDORXXEX3JMSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DF . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS < https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android < https://play.google.com/store/apps/details?id=com.github.android&referrer=utm campaign%3Dnotification-email%26utm medium%3Demail%26utm source%3Dgithub https://play.google.com/store/apps/details?id=com.github.android&referrer=utm campaign%3Dnotification-email%26utm medium%3Demail%26utm source%3Dgithub . Is it still working? I tested both the website and the tools there, but both only generate outrk code, like base64, when I try to decode the text in the PPPoE password files. I have a Huawei HG8145V5-V2 router, and its backup is generated in .xml.html. … https://gist.github.com/staaldraad/605a5e40abaaa5915bc7 gistcomment-5871596 https://gist.github.com/staaldraad/605a5e40abaaa5915bc7 gistcomment-5871596 or unsubscribe < https://github.com/notifications/unsubscribe-auth/B2DJOK7ZFN7FCXPIXDTGJ2335TMHXBFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2WR3JON2EG33NNVSW45FGORXXA2LDOOIYFJDUPFYGLJDHNFZXJJLWMFWHKZNIGIYDENBWHAZDBKTBOR2HE2LCOV2GK44TQKSXMYLMOVS2SMJXGQ3TKNRRGE4KI3TBNVS2QYLDORXXEX3JMSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DF https://github.com/notifications/unsubscribe-auth/B2DJOK7ZFN7FCXPIXDTGJ2335TMHXBFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2WR3JON2EG33NNVSW45FGORXXA2LDOOIYFJDUPFYGLJDHNFZXJJLWMFWHKZNIGIYDENBWHAZDBKTBOR2HE2LCOV2GK44TQKSXMYLMOVS2SMJXGQ3TKNRRGE4KI3TBNVS2QYLDORXXEX3JMSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DF . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS < https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android < https://play.google.com/store/apps/details?id=com.github.android&referrer=utm campaign%3Dnotification-email%26utm medium%3Demail%26utm source%3Dgithub https://play.google.com/store/apps/details?id=com.github.android&referrer=utm campaign%3Dnotification-email%26utm medium%3Demail%26utm source%3Dgithub . Just writing in here the step by step that I followed in case it helps someone, as it helped me: - Get the password from "X HW WebUserInfoInstance" block in the xml, example: $2lG$uOG$C{D@pN\8@F 'YAFX 46f~BKB"Bn=pP@~6; %U4pt6+8iM,s2K=u E1$aK. ZhcQk elW<s< +E,52WlXF@F 82y,^xzWU$- Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/ cipher Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add- Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0= - Mount the payload like that: pbkdf2 sha256$5000$SALT$RESULT FROM ABOVE Which in that example was: pbkdf2 sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=- Throw that in hashcat with a wordlist like so: hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom wordlist.txt -o secret.tx Hello, I need help decrypting the password password in xml: $2Etj3I"8BbUvf@D,2Yi 0J<e@R3Q@6@WIFZLdq.{HK1 H wGY CjM/{ctN" XA5Y7txU- lsvEVm. 8 mGQAAtr$EkID'7K 0"Q$ password: $2Etj3I"8BbUvf@D,2Yi 0J<e@R3Q@6@WIFZLdq.{HK1 H wGY CjM/{ctN" XA5Y7txU- lsvEVm. 8 mGQAAtr$EkID'7K 0"Q$ salt: 61f3f528e255a2dfb5799a27 PassMode: 3 HEX: cc79cb92e8161ef4895b9c3601096b0665aaa8ef651c0652312e6153f7de5505 BASE64: zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU= Salt: 61f3f528e255a2dfb5799a27 Payload: pbkdf2 sha256$5000$61f3f528e255a2dfb5799a27$zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU= hashcat -d 1 -a 0 -m 10000 'pbkdf2 sha256$5000$61f3f528e255a2dfb5799a27$zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU=' wordlist.txt -o secret.txt I tried using hashcat but it failed. Also I am a newbie, where do I get the wordlist from? I just found one online and I don't know if it helped or not. UserName="user" Password="4124e2661fb9a63511c3881c8caedb0d5e6bbcfe89e2435a843f5ed0fb8ef0ed" UserLevel="1" Enable="1" ModifyPasswordFlag="1" Alias="cpe-1" Salt="f16a98b5c24ce643ec2df5f7" PassMode="3"/ UserName="gDlLh2xobOZY" Password="69357d9948b1e82d57bbb092cd988a9c6041c1d6351d06cde679a428298ab1c5" UserLevel="0" Enable="1" ModifyPasswordFlag="1" Alias="cpe-2" Salt="7de9dedc93e1de6a71aaee6a" PassMode="3"/ Help me plz