Skip to content

Instantly share code, notes, and snippets.

@staaldraad
Created March 11, 2015 13:19
Show Gist options
  • Star 27 You must be signed in to star a gist
  • Fork 12 You must be signed in to fork a gist
  • Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.
#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans (etienne@sensepost.com)
Version: 1.0 (12/01/2014)
"""
from Crypto.Cipher import DES
import sys
import binascii
def decode_char(c):
if c == 'a':
r = '?'
else:
r = c
return ord(r) - ord('!')
def ascii_to_binary(s):
assert len(s) == 24
out = [0]*18
i = 0
j = 0
for i in range(0, len(s), 4):
y = decode_char(s[i + 0])
y = (y << 6) & 0xffffff
k = decode_char(s[i + 1])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 2])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 3])
y = (y | k) & 0xffffff
out[j+2] = chr(y & 0xff)
out[j+1] = chr((y>>8) & 0xff)
out[j+0] = chr((y>>16) & 0xff)
j += 3
return "".join(out)
def decrypt_password(p):
r = ascii_to_binary(p)
r = r[:16]
d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
r = d.decrypt(r)
return r.rstrip("\x00")
f_in = open(sys.argv[1],'r')
print "[*] Huawei Password Decryptor"
for line in f_in:
if ('local-user' not in line) or ('password' not in line):
continue
inp = line.split()
print "[*]-----------------------"
print "\t[+] User: %s"%inp[1]
print "\t[+] Password type: %s"%inp[3]
if inp[3] == "cipher":
print "\t[+] Cipher: %s"%inp[4]
print "\t[+] Password: %s"%decrypt_password(inp[4])
else:
print "\t[+] Password: %s"%(inp[4])
@GMengZhi
Copy link

Due I used this tool but it can't decode my cipher password. It's HUAWEI switch console password. I rebooted it and got the logfile and extract the code have has been ciphered it shows $1a$[i9,QN\e<5$;^C{ChNsREuO-HT%G!];Q;=V3(^}TP4Hh}Qn{8w*$ and I tried every tool etc. bee-san and cipyed. The result of the decodings are always trash. So is there any chance to decode my password from above or else an usefull tools can do this. Thx

@muffrank
Copy link

Can anybody decrypt this please: 30fdf15fd513fd69085f9344ff2d5d716254aa367bcac88e78ee60ad0298d606

@qatar2030
Copy link

Hi SwimmingTiger or anyone in this forum,

Can someone kindly help me to decrpyt this : $2RW!aHei\s+Ng_XGkJJ1EJE&gt;&lt;2[4w7Hm)0&gt;ZnNHVMkh'|~E=r4_-G5ME-5bm4)60{(&lt;&lt;:|1:p"N.TAi+Y7"{I&lt;MQeM@@:Da.4:8wK$

My goal is to setup a bridge connection as the default ONT from ISP is not good enough for my usage. Currently setting up a bridge is not possible right now since myISP refuse to give the PPoE password.

I can do it for you for free but i have to visiting you i leve in qatar بني هاجر

@ahmedoozziee
Copy link

ahmedoozziee commented Dec 26, 2023

Hi SwimmingTiger or anyone in this forum,
Can someone kindly help me to decrpyt this : Unable to render expression.

    $2RW!aHei\s+Ng_XGkJJ1EJE&gt;&lt;2[4w7Hm)0&gt;ZnNHVMkh'|~E=r4_-G5ME-5bm4)60{(&lt;&lt;:|1:p"N.TAi+Y7"{I&lt;MQeM@@:Da.4:8wK$

My goal is to setup a bridge connection as the default ONT from ISP is not good enough for my usage. Currently setting up a bridge is not possible right now since myISP refuse to give the PPoE password.

I can do it for you for free but i have to visiting you i leve in qatar بني هاجر

Hello @qatar2030 Please share your contact details i'm intersted or whatsapp me on +201123547811

@ochere
Copy link

ochere commented Jan 7, 2024

Hello,
Can someone decrypt this
%$%$Tr_3Df|s6VDf6|1)A&{("KB9%$%$
%$%$N\VpOW$0S9]y*Hk\d#/>bYP%$%$
%$%$7k"P64W3S#_ZoB3nb3'.vKB9%$%$
%$%$oR:@125YZLqM,41mdg"DE
6-%$%$
%$%$TyIDAD_l6Hk[vx<Z5fQPYpg^%$%$
%$%$HIWgCp$,qHg).|3(&Eb<{6-%$%$
%$%$HP.RQA%Ba
kzE@*4j70WhWNE%$%$

from a Eudemon1000E-X5

@mammuthus
Copy link

Hello, Can someone decrypt this

Hi there! Any reason you're not decrypting it yourself?

@AlbertEinsteinGlitchPoint

Hi guys has anyone teste Encryption and Decryption on Huawei AX2 wifi6 routers? it seems the user is allways the same: admin.. just password on input menu login screen.. i have managed to analyze with F12 network traffic.. and it has 2 requests.. user_login_nonce, and user_login_proof which returns a RSAE : 010001 and RSA_N public modulus and RSA signature and Server signature keys , together with CSRF tokens for security protection.. on the user_login_nonce the password seems to be encripted.. and we can only see a SALT key info

@daniedj
Copy link

daniedj commented Jan 11, 2024

hello, can anyone decript this?
local-user admin password irreversible-cipher $1c$xkWr)4aqh7$-)UV=T].KVW+B{Wg&JdD6tc.Nn</N1lsZWA$ysy5$
thanks

@swapnil6127
Copy link

swapnil6127 commented Jan 17, 2024

hello, can anyone decript this?
local-user root password irreversible-cipher $1c$g-1CeT32Y$..R"-F[fW<;W15,m-yn>.Y.-J>{wC@@Q|,!+Q&G$

@MatiM72737
Copy link

can anyone decrypt that:
$2Rr}bG&amp;*mnJMmVcBHW/,55\u@KJg~(0e6Wh2d#)HA:|iOV]W%7S|980Twf}=8v@VD,YX&gt;fK0ub'94;DIBk7#!Gbc8bPVRk@1HhD`V$

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment