Skip to content

Instantly share code, notes, and snippets.

@staaldraad
Created March 11, 2015 13:19
  • Star 24 You must be signed in to star a gist
  • Fork 12 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.
#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans (etienne@sensepost.com)
Version: 1.0 (12/01/2014)
"""
from Crypto.Cipher import DES
import sys
import binascii
def decode_char(c):
if c == 'a':
r = '?'
else:
r = c
return ord(r) - ord('!')
def ascii_to_binary(s):
assert len(s) == 24
out = [0]*18
i = 0
j = 0
for i in range(0, len(s), 4):
y = decode_char(s[i + 0])
y = (y << 6) & 0xffffff
k = decode_char(s[i + 1])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 2])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 3])
y = (y | k) & 0xffffff
out[j+2] = chr(y & 0xff)
out[j+1] = chr((y>>8) & 0xff)
out[j+0] = chr((y>>16) & 0xff)
j += 3
return "".join(out)
def decrypt_password(p):
r = ascii_to_binary(p)
r = r[:16]
d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
r = d.decrypt(r)
return r.rstrip("\x00")
f_in = open(sys.argv[1],'r')
print "[*] Huawei Password Decryptor"
for line in f_in:
if ('local-user' not in line) or ('password' not in line):
continue
inp = line.split()
print "[*]-----------------------"
print "\t[+] User: %s"%inp[1]
print "\t[+] Password type: %s"%inp[3]
if inp[3] == "cipher":
print "\t[+] Cipher: %s"%inp[4]
print "\t[+] Password: %s"%decrypt_password(inp[4])
else:
print "\t[+] Password: %s"%(inp[4])
@johnfee123
Copy link

did not work

@hk59775634
Copy link

Only for cipher.
Does not work on the new version of Ireversible cipher.

How to use: python2 huaweiDecrypt.py local_ user_ info.txt

local_ user_ info.txt Example:
local-user admin password cipher *******************
local-user admin1 password cipher *******************
local-user admin2 password cipher *******************

@nbctcp
Copy link

nbctcp commented Nov 24, 2020

How to decrypt the password?

python huaweiDecrypt.py vrpcfg.cfg

[] Huawei Password Decryptor
[
]-----------------------
[+] User: admin
[+] Password type: cipher
[+] Cipher: .]@use=B,53Q=^QMAF4<1!! [+] Password: admin [*]----------------------- [+] User: root [+] Password type: cipher [+] Cipher: %J!H+=68B8/Q=^QMAF4<1!!
[+] Password: root

@SwimmingTiger
Copy link

SwimmingTiger commented Mar 25, 2021

Hello staaldraad how i decrypt this
$1TF%1WjIPi@M)~\0rbOV%AZ.!$

Your password is 69698773.

Decrypted by Huawei configuration encryption and decryption tools.zip.

加解密

Usage:

  • The ciphertext at the beginning of $1 can be decrypted by clicking the first button at the bottom.
  • The ciphertext at the beginning of $2 can be decrypted by clicking the second button at the bottom.

@kri5h
Copy link

kri5h commented Mar 27, 2021

Hi SwimmingTiger,

Thanks for the great info.

Could you please help decrypt:

Password="$2z!6T>S:UnUf)Gj=p|2IShl%,T{ztA!&Yvh,0~,y':]DvT#&&B5(WE[.4=g!IR/Gj7`c#$VLV*['D-UAQ5)fR%yS\a'5xD:+ZQv^$" UserLevel="0" Enable="1" ModifyPasswordFlag="1" Salt="0235370c5d4dd1a57604b823" PassMode="3" Alias="cpe-2"/>

No luck with the decrypt tool $2.

Thanks,

Kri5h

@SwimmingTiger
Copy link

SwimmingTiger commented Mar 28, 2021

$2 decoding will get:

4d02e1e78dd9�� *f684220d5b50dc0e2c566715330dfb8423ca11e113658772t�k�t�k�

It is correct, but not what you want. No one can get the result you want: the original text of the password. Because PassMode="3" and non-empty Salt means that the password is recorded as a salted hash, and this kind of hash is usually irreversible (such as sha256).

So, if you get a non-empty Salt, you don't have to try to decrypt it. Instead, you can directly try to replace the password with known text, and then upload the configuration file to update.

Password="123456" UserLevel="0" Enable="1" ModifyPasswordFlag="1" Salt="" PassMode="0" Alias="cpe-2"/>

This will set the password to 123456. PassMode="0" means clear text password.


Then, if you really want to get the original text of a salted hash, brute-force cracking is the only way:
Try every possible original text, calculate its salted hash, and compare with the result.
This may take years or even longer.

Querying known hash databases or rainbow table attacks cannot crack a salted hash.

Or, you can use social engineering methods - search the Internet to see if anyone knows the correct password.


Why salted hash is irreversible - Wikipedia

https://en.wikipedia.org/wiki/Salt_(cryptography)

@kri5h
Copy link

kri5h commented Mar 28, 2021

Thanks a lot SwimmingTiger,

I guess bruteforce is not the way to go.

The ISP disabled/limited access to the GUI so I cant upload the new cleartext password with a new XML

I have telnet access to the box with su access.

Do you have any way to configure the new pass with the CLI?

SU_WAP>set userpasswd admin
old password:

The old password is what i don't have, and cant see any other commands too.

Thanks to help

Cheers

@LestaTexe
Copy link

sorry for the stupid question, where to insert the pass cipher into script?

@Godovic
Copy link

Godovic commented Sep 17, 2021

How can I decrypt PPPoE password from Huawei ONT?

@markroblesphp
Copy link

can anyone decrypt this?
$2)PskWu$y1BYTy2Ox\O'+dd*pP<Y/kQ^{.c(j05J($

the password is: 486236687

@nbctcp
Copy link

nbctcp commented Sep 21, 2021

What is SU button function on GUI
I ever try $1 and $2 only

Hello staaldraad how i decrypt this
$1TF%1WjIPi@M)~\0rbOV%AZ.!$

Your password is 69698773.

Decrypted by Huawei configuration encryption and decryption tools.zip.

加解密

Usage:

  • The ciphertext at the beginning of $1 can be decrypted by clicking the first button at the bottom.
  • The ciphertext at the beginning of $2 can be decrypted by clicking the second button at the bottom.

@LestaTexe
Copy link

LestaTexe commented Nov 19, 2021 via email

@nbctcp
Copy link

nbctcp commented Nov 28, 2021

HW: Huawei WLC AC6005 Version 5.160 (AC6005-8-PWR V200R006C10SPC200
STEPS CREATE PASSWORD
aaa]local-user tes2 password cipher Admin@xxx.com
aaa]display current-configuration | i tes2
local-user tes2 password cipher %^%#HF(@>Gl&Y@ddK%>C0fe5TVNyX\TzF'$R,nFRKDJ,%^%
aaa]display current-configuration | i cipher
ssh server secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des
ssh client secure-algorithms cipher aes256_ctr aes128_ctr aes256_cbc aes128 3des

When I try to use your app to decrypt, it give error
it seems the cipher password no longer $1 or $2
maybe you can add your app feature
tq

@fardanarif
Copy link

does anyone know how to decrypt the password with irreversible-cipher ?
Thanks in advance :)

@wickum
Copy link

wickum commented Apr 13, 2022

Hi SwimmingTiger,

Kindly help me to decrypt this password ?

$2KliKKwAYRPj(8~'/xt'7/um5~HyA-9xaa{DT8F+%$

the tool didn't help on this one ..

thank you very much.

@edmundsca
Copy link

edmundsca commented May 25, 2022

Hi everyone,
I really appreciate the work that has gone into these tools. I have successfully- I say "successfully" because when I upload the altered configuration file to the modem (HG8145V5), it gives me a green check mark, reboots and in the log there is no mention of the modem reverting back to another configuration file- the problem is that if I download the config file, decrypt that file and look at it, it's the same as the original config file set by the ISP. None of my new passwords/access level privilege changes have have been retained. My goal is to setup my on VOIP ATA behind my router using the ISP's credentials (they provide internet and VOIP service), as well as have my modem in bridge mode. Any recommendations on forcing the modem to retain the new configuration file? Thank you.

@Cristhian213
Copy link

esto se puede desencriptar
$1c$Pv9J)NUMS4$~&,vCnflu5t<=]Ur(Lk10.XY3+5uM.E6N0TXG"v&$

@alhajiry
Copy link

alhajiry commented Nov 8, 2022

Hi SwimmingTiger or anyone in this forum,

Can someone kindly help me to decrpyt this :
$2RW!aHei\s+NgXGkJJ1EJE><2[4w7Hm)0>ZnNHVMkh'|~E=r4-G5ME-5bm4)60{(<<:|1:p"N.TAi+Y7"{I<MQeM@@:Da.4:8wK$

My goal is to setup a bridge connection as the default ONT from ISP is not good enough for my usage. Currently setting up a bridge is not possible right now since myISP refuse to give the PPoE password.

@Boboaung-Myanmar
Copy link

$2+;wH~c[O-#PvA#-.\V]&quot;&apos;VC41$++18_%${$-O2k&gt;$

@HolyRoses
Copy link

you can use this web page also to decipher these passwords. https://andreluis034.github.io/huawei-utility-page/#cipher

@techfordummiesmm
Copy link

Hello all, how i decrypt this
Password="$2f00n$%u8[D|>9n5LiO8D&yvrL)YH)O]TcMW,MLi>$"

@edwinsunder
Copy link

@techfordummiesmm - I could be wrong but I think your password is ndg3347

@edwinsunder
Copy link

edwinsunder commented May 19, 2023

@qatar2030
Looks like
AuthPassword = P9285FEHE
DNS Passwrod: Doha@202�"�#'��Kt�k� ,��t�k����
OR: Doha@202

No success on other three passwords, will try something later but have you already tried anything - if yes do let me know so i can have a head start on that. Also first try the above and see if that works.

@edwinsunder
Copy link

@Boboaung-Myanmar - Try this 18855117

@ESMP
Copy link

ESMP commented Jun 11, 2023

you can use this web page also to decipher these passwords. https://andreluis034.github.io/huawei-utility-page/#cipher

You, good sir, are my hero for pointing out that fabulous website. I was finally able to obtain the PPPoE password from my ISP provided router in order to bridge it to my ASUS one.

@killereye
Copy link

killereye commented Sep 1, 2023

I used these two: https://andreluis034.github.io/huawei-utility-page/#cipher and Huawei configuration encryption and decryption tools.zip

However I cannot see the plain text of both results

This is my prompt: $2]Au-Q_}&gt;09cV[jYab^xM2/S#MNQV}-ii&apos;,5EGw*LN5Sz8u1S$)PMm%7)6)z4mTO~Q(Mg&apos;3M@{$1#3XaBaM;z&lt;&lt;M)-38[u!~6$Y&lt;&lt;$

and these are the results:
Web App: 00c8999ba600700b82d6432d0b8eb15764d5fbe54d4f8dde5be1b33bb44c24ef
Downloaded Tool: 00c8999ba600700b82d6432d0b8eb15764d5fbe54d4f8dde5be1b33bb44c24eft�k�

They seems like giving true decryption but it can't give the plain text.

Can anyone help me?

@Godovic
Copy link

Godovic commented Sep 1, 2023

so please, what is my PPPoE pass?
64cd2624aa74439caad2c157534d296a2e3e1da229ef08d2aa5f88e0b4e12254

@miecz1993
Copy link

Hi can descript my PPPoE pass?

e46bd311bf46da89763b2859bbe47652353b37fe6fb5c19ee2ce661f1a397888

@GMengZhi
Copy link

Due I used this tool but it can't decode my cipher password. It's HUAWEI switch console password. I rebooted it and got the logfile and extract the code have has been ciphered it shows $1a$[i9,QN\e<5$;^C{ChNsREuO-HT%G!];Q;=V3(^}TP4Hh}Qn{8w*$ and I tried every tool etc. bee-san and cipyed. The result of the decodings are always trash. So is there any chance to decode my password from above or else an usefull tools can do this. Thx

@muffrank
Copy link

Can anybody decrypt this please: 30fdf15fd513fd69085f9344ff2d5d716254aa367bcac88e78ee60ad0298d606

@qatar2030
Copy link

Hi SwimmingTiger or anyone in this forum,

Can someone kindly help me to decrpyt this : $2RW!aHei\s+Ng_XGkJJ1EJE&gt;&lt;2[4w7Hm)0&gt;ZnNHVMkh'|~E=r4_-G5ME-5bm4)60{(&lt;&lt;:|1:p"N.TAi+Y7"{I&lt;MQeM@@:Da.4:8wK$

My goal is to setup a bridge connection as the default ONT from ISP is not good enough for my usage. Currently setting up a bridge is not possible right now since myISP refuse to give the PPoE password.

I can do it for you for free but i have to visiting you i leve in qatar بني هاجر

@ahmedoozziee
Copy link

ahmedoozziee commented Dec 26, 2023

Hi SwimmingTiger or anyone in this forum,
Can someone kindly help me to decrpyt this : Unable to render expression.

    $2RW!aHei\s+Ng_XGkJJ1EJE&gt;&lt;2[4w7Hm)0&gt;ZnNHVMkh'|~E=r4_-G5ME-5bm4)60{(&lt;&lt;:|1:p"N.TAi+Y7"{I&lt;MQeM@@:Da.4:8wK$

My goal is to setup a bridge connection as the default ONT from ISP is not good enough for my usage. Currently setting up a bridge is not possible right now since myISP refuse to give the PPoE password.

I can do it for you for free but i have to visiting you i leve in qatar بني هاجر

Hello @qatar2030 Please share your contact details i'm intersted or whatsapp me on +201123547811

@ochere
Copy link

ochere commented Jan 7, 2024

Hello,
Can someone decrypt this
%$%$Tr_3Df|s6VDf6|1)A&{("KB9%$%$
%$%$N\VpOW$0S9]y*Hk\d#/>bYP%$%$
%$%$7k"P64W3S#_ZoB3nb3'.vKB9%$%$
%$%$oR:@125YZLqM,41mdg"DE
6-%$%$
%$%$TyIDAD_l6Hk[vx<Z5fQPYpg^%$%$
%$%$HIWgCp$,qHg).|3(&Eb<{6-%$%$
%$%$HP.RQA%Ba
kzE@*4j70WhWNE%$%$

from a Eudemon1000E-X5

@mammuthus
Copy link

Hello, Can someone decrypt this

Hi there! Any reason you're not decrypting it yourself?

@AlbertEinsteinGlitchPoint

Hi guys has anyone teste Encryption and Decryption on Huawei AX2 wifi6 routers? it seems the user is allways the same: admin.. just password on input menu login screen.. i have managed to analyze with F12 network traffic.. and it has 2 requests.. user_login_nonce, and user_login_proof which returns a RSAE : 010001 and RSA_N public modulus and RSA signature and Server signature keys , together with CSRF tokens for security protection.. on the user_login_nonce the password seems to be encripted.. and we can only see a SALT key info

@daniedj
Copy link

daniedj commented Jan 11, 2024

hello, can anyone decript this?
local-user admin password irreversible-cipher $1c$xkWr)4aqh7$-)UV=T].KVW+B{Wg&JdD6tc.Nn</N1lsZWA$ysy5$
thanks

@swapnil6127
Copy link

swapnil6127 commented Jan 17, 2024

hello, can anyone decript this?
local-user root password irreversible-cipher $1c$g-1CeT32Y$..R"-F[fW<;W15,m-yn>.Y.-J>{wC@@Q|,!+Q&G$

@MatiM72737
Copy link

can anyone decrypt that:
$2Rr}bG&amp;*mnJMmVcBHW/,55\u@KJg~(0e6Wh2d#)HA:|iOV]W%7S|980Twf}=8v@VD,YX&gt;fK0ub'94;DIBk7#!Gbc8bPVRk@1HhD`V$

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment