Wednesday, July 10, 2019

Extracting PPP Password from Router Config Backup


When Exetel posted me the ZTE ZXHN H268A home gateway router, they were also supposed to supply me with the PPP username and password, but they never did. And I was not about to give them a call because their support number queue is almost always 90+ people long. I thought, how hard can it be to get the piece of information straight from the router itself?

For one, there are utilities out there that can supposedly reveal or unmask the password hidden under those asterisks. Don't want to risk downloading malware, so ditched that option. Then again, what worked 10 years ago doesn't mean it'll still work now. I'm sure the web designers have gotten wise to this. I tried looking at the page source. For some reason, the info is not there. Pretty sure the info was sent, but just not being displayed in the source. Took some packet captures using Wireshark. This time I managed to get the username, but not the password. Very strange. Maybe that particular parameter was not being sent at all, since it's not required to be displayed on the webpage anyway.

Was about to dig deeper when I thought of something. Instead of searching for the password parameter, why not generate a configuration dump/backup and focus on that instead? The password should definitely be present in the backup file.

I was hoping for a plaintext XML file. Unfortunately, it was a binary config.bin. Loading it in an ASCII/hex editor revealed nothing. Now, some guys have tried to crack ZTE's config.bin. The theory is that the config backup file is encrypted using AES ECB using the device serial number as the key.
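The AES ECB theory can be sanity-checked without any key, because ECB turns identical 16-byte plaintext blocks into identical ciphertext blocks, so a high-entropy file with repeated aligned blocks is consistent with it. The following is an added example, not code from this post or from any ZTE tool: it uses an HMAC-based stand-in for the block cipher, and the sample data, placeholder key and entropy threshold are all assumptions.

```python
import hashlib
import hmac
import math
from collections import Counter

BLOCK = 16  # AES block size in bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 suggests encryption or compression."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def repeated_blocks(data: bytes) -> int:
    """Aligned 16-byte blocks that duplicate an earlier block (ECB telltale)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    return len(blocks) - len(set(blocks))

def triage(data: bytes) -> str:
    """Rough label for an opaque blob such as a config backup."""
    if shannon_entropy(data) < 7.0:  # threshold is an assumption
        return "plaintext-like"
    if len(data) % BLOCK == 0 and repeated_blocks(data) > 0:
        return "ecb-like"
    return "opaque"  # compressed, or encrypted in a non-ECB mode

def prf_block(key: bytes, block: bytes, tweak: bytes = b"") -> bytes:
    # Stand-in for a block cipher (not AES, not invertible): same input, same output.
    return hmac.new(key, tweak + block, hashlib.sha256).digest()[:BLOCK]

def fake_ecb(key: bytes, pt: bytes) -> bytes:
    return b"".join(prf_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def fake_tweaked(key: bytes, pt: bytes) -> bytes:
    # Mixing in the block offset hides repeats, as counter or chained modes do.
    return b"".join(prf_block(key, pt[i:i + BLOCK], i.to_bytes(4, "big"))
                    for i in range(0, len(pt), BLOCK))

# Constructed sample: 200 distinct 16-byte records plus 8 identical padding blocks.
SAMPLE_PLAINTEXT = b"".join(b'<p id="%04d" /> ' % i for i in range(200)) + bytes(16 * 8)
SAMPLE_KEY = b"SERIAL-PLACEHOLDER"  # hypothetical key, not a real serial number

if __name__ == "__main__":
    for name, blob in [("plaintext", SAMPLE_PLAINTEXT),
                       ("ecb stand-in", fake_ecb(SAMPLE_KEY, SAMPLE_PLAINTEXT)),
                       ("tweaked stand-in", fake_tweaked(SAMPLE_KEY, SAMPLE_PLAINTEXT))]:
        print(f"{name}: entropy={shannon_entropy(blob):.2f} "
              f"repeats={repeated_blocks(blob)} -> {triage(blob)}")
```

Repeated blocks only show up when the plaintext itself has aligned repetition, so a clean result does not rule ECB out.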

Did some more digging and found a utility called RouterPassView that managed to decrypt config.bin. It's able to decrypt a whole lot of other formats, too! Ah, what would I do without the internet.
