Created
March 11, 2015 13:19
-
-
Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| """ | |
| Simple tool to extract local users and passwords from most Huawei routers/firewalls config files. | |
| Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with | |
| a known key. Using this information, the script will decrypt credentials found in the config file. | |
| Author: Etienne Stalmans (etienne@sensepost.com) | |
| Version: 1.0 (12/01/2014) | |
| """ | |
| from Crypto.Cipher import DES | |
| import sys | |
| import binascii | |
| def decode_char(c): | |
| if c == 'a': | |
| r = '?' | |
| else: | |
| r = c | |
| return ord(r) - ord('!') | |
| def ascii_to_binary(s): | |
| assert len(s) == 24 | |
| out = [0]*18 | |
| i = 0 | |
| j = 0 | |
| for i in range(0, len(s), 4): | |
| y = decode_char(s[i + 0]) | |
| y = (y << 6) & 0xffffff | |
| k = decode_char(s[i + 1]) | |
| y = (y | k) & 0xffffff | |
| y = (y << 6) & 0xffffff | |
| k = decode_char(s[i + 2]) | |
| y = (y | k) & 0xffffff | |
| y = (y << 6) & 0xffffff | |
| k = decode_char(s[i + 3]) | |
| y = (y | k) & 0xffffff | |
| out[j+2] = chr(y & 0xff) | |
| out[j+1] = chr((y>>8) & 0xff) | |
| out[j+0] = chr((y>>16) & 0xff) | |
| j += 3 | |
| return "".join(out) | |
| def decrypt_password(p): | |
| r = ascii_to_binary(p) | |
| r = r[:16] | |
| d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB) | |
| r = d.decrypt(r) | |
| return r.rstrip("\x00") | |
| f_in = open(sys.argv[1],'r') | |
| print "[*] Huawei Password Decryptor" | |
| for line in f_in: | |
| if ('local-user' not in line) or ('password' not in line): | |
| continue | |
| inp = line.split() | |
| print "[*]-----------------------" | |
| print "\t[+] User: %s"%inp[1] | |
| print "\t[+] Password type: %s"%inp[3] | |
| if inp[3] == "cipher": | |
| print "\t[+] Cipher: %s"%inp[4] | |
| print "\t[+] Password: %s"%decrypt_password(inp[4]) | |
| else: | |
| print "\t[+] Password: %s"%(inp[4]) |
mbernar1
commented
Nov 15, 2025
via email
user root It does not have $Salt in xml.
Is it possible to decipher the key?
al ingresar a la web del ont no solicita credencial de autentificación como
puedo activar el login ?
greetings
martin
El sáb, 15 nov 2025, 09:09, David Kirsch ***@***.***>
escribió:
… ***@***.**** commented on this gist.
------------------------------
hi Where is the $SALT code generated?
it comes from the xml config of the router
—
Reply to this email directly, view it on GitHub
<https://gist.github.com/staaldraad/605a5e40abaaa5915bc7#gistcomment-5863865>
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/B2DJOK5KKAOWSFGA2ZIFZPL344JXZBFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2WR3JON2EG33NNVSW45FGORXXA2LDOOIYFJDUPFYGLJDHNFZXJJLWMFWHKZNIGIYDENBWHAZDBKTBOR2HE2LCOV2GK44TQKSXMYLMOVS2SMJVGM3DENBTGEYKI3TBNVS2QYLDORXXEX3JMSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DF>
.
You are receiving this email because you commented on the thread.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>
.
Is it still working?
I tested both the website and the tools there, but both only generate outrk code, like base64, when I try to decode the text in the PPPoE password files.
I have a Huawei HG8145V5-V2 router, and its backup is generated in .xml.html.
ok good. i do it
reset factory is disabling
root user haven't salt code and not is possible decrypt.
file config xml not permitted upgrade in root huawei HG8145X6.
the device is full protect for ISP.
greetings
MB.
El mié, 19 nov 2025, 18:11, kino ***@***.***> escribió:
… ***@***.**** commented on this gist.
------------------------------
Is it still working?
I tested both the website and the tools there, but both only generate
outrk code, like base64, when I try to decode the text in the PPPoE
password files.
I have a Huawei HG8145V5-V2 router, and its backup is generated in
.xml.html.
—
Reply to this email directly, view it on GitHub
<https://gist.github.com/staaldraad/605a5e40abaaa5915bc7#gistcomment-5871596>
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/B2DJOK7ZFN7FCXPIXDTGJ2335TMHXBFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2WR3JON2EG33NNVSW45FGORXXA2LDOOIYFJDUPFYGLJDHNFZXJJLWMFWHKZNIGIYDENBWHAZDBKTBOR2HE2LCOV2GK44TQKSXMYLMOVS2SMJXGQ3TKNRRGE4KI3TBNVS2QYLDORXXEX3JMSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DF>
.
You are receiving this email because you commented on the thread.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>
.
Just writing in here the step by step that I followed in case it helps someone, as it helped me:
- Get the password from "X_HW_WebUserInfoInstance" block in the xml, example:
$2lG$uOG$C{D@pN\8@F#'YAFX_46f~BKB"Bn=pP@~6;_%U4pt6+8iM,s2K=u(E1$aK.!ZhcQk[elW<s<]+E,52WlXF@F]82y,^xzWU$- Use that website to decipher: https://andreluis034.github.io/huawei-utility-page/#cipher
Result: c8c64da7a21f52b2e214eb017eb8bde79a09f9c8950cb44b8b9c35ac28088add- Convert from HEX then the result to base64: yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=
- Mount the payload like that: pbkdf2_sha256$5000$SALT$RESULT_FROM_ABOVE
Which in that example was: pbkdf2_sha256$5000$1d74dc1baaed5c3a691bc0ce$yMZNp6IfUrLiFOsBfri955oJ+ciVDLRLi5w1rCgIit0=- Throw that in hashcat with a wordlist like so:
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$8f84c1d97b40afa6ec8d2341$6kvEhxQ4dwkr+YK3hp4F1amWtVddk1mQl6AAavEUFbY=' custom_wordlist.txt -o secret.tx
Hello,
I need help decrypting the password
password in xml: $2Etj3I"8BbUvf@D,2Yi)0J<e@R3Q@6@WIFZLdq.{HK1(H*wGY]!*CjM/{ctN"(XA5Y7txU-]lsvEVm.*8_mGQAAtr$EkID'7K`0"Q$
password: $2Etj3I"8BbUvf@D,2Yi)0J<e@R3Q@6@WIFZLdq.{HK1(H*wGY]!*CjM/{ctN"(XA5Y7txU-]lsvEVm.*8_mGQAAtr$EkID'7K`0"Q$
salt: 61f3f528e255a2dfb5799a27
PassMode: 3
HEX: cc79cb92e8161ef4895b9c3601096b0665aaa8ef651c0652312e6153f7de5505
BASE64: zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU=
Salt: 61f3f528e255a2dfb5799a27
Payload: pbkdf2_sha256$5000$61f3f528e255a2dfb5799a27$zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU=
hashcat -d 1 -a 0 -m 10000 'pbkdf2_sha256$5000$61f3f528e255a2dfb5799a27$zHnLkugWHvSJW5w2AQlrBmWqqO9lHAZSMS5hU/feVQU=' wordlist.txt -o secret.txt
I tried using hashcat but it failed.
Also I am a newbie, where do I get the wordlist from? I just found one online and I don't know if it helped or not.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment