Cracking the super-user password of an optical modem (光猫)
2022-06-18 · via Posts on Loong's Blog


 First, note that the ONT model is HS8545M5 and the software version is V5R020C00S200.

 The ONT ships from the factory in router mode and I need to switch it to bridge mode, but the user account printed on the back of the ONT has no permission to change this, so I need to obtain super-user access.

[Screenshot 1]

Enabling telnet on the ONT

 The ONT does not have the telnet service enabled, so a tool is needed to enable it; the download link for the tool is at the end.

 First download the tool, then unplug the fiber, reboot the ONT, connect the computer to the ONT with a network cable, and open the ONT maintenance-enable tool (ONT维修使能工具).

 Select 维修使能 (maintenance enable), click 刷新 (refresh), then 启动 (start). When 当前成功总数 (current success count) changes to 1, click 停止 (stop). The result looks like the screenshot below:

[Screenshot 2]

 Open a command prompt and test whether telnet can connect. If the command is not found, enable the Windows telnet client.

 Then enter the username root; for the password, try Hw8@cMcc or adminHW. If it succeeds, the result looks like this:

[Screenshot 3]

Obtaining the username and password ciphertext

WAP>su
success!
SU_WAP>shell

BusyBox v1.30.1 () built-in shell (ash)
Enter 'help' for a list of built-in commands.

profile close core dump
WAP(Dopra Linux) # ls
bin      dev      init     linuxrc  root     sys      var
boot     etc      lib      mnt      sbin     tmp
bundle   html     libexec  proc     share    usr
WAP(Dopra Linux) # cd /mnt/jffs2/
WAP(Dopra Linux) # ls
CfgFile_Backup         dypack_debug           mount_ok
CfgwithoutlineD        factory_file           mount_osgi_ok
DHCPlasterrwan1        fsok                   nffruntimes
DHCPlasterrwan5        ftvoipcfgstate         oldcrc
FTCRC                  hard_version           onlinecounter
InformFlag             hw_boardinfo           ontstatusfile
TelnetEnable           hw_boardinfo.bak       optic_init_par.bin
Updateflag_bak         hw_bootcfg.xml         ppplasterr258
UpnpExpandFirstInit    hw_ctree.xml           ppplasterr259
V5_TypeWord_FLAG       hw_ctree_bak.xml       reboot_bind_tag
app                    hw_default_ctree.xml   reboot_info
asan_test              hw_default_ctree2.xml  recovername
backup_ok              hw_hardinfo_feature    request_ddr
board_type             hwflashlog.bin         request_ddr_inner
bob_type               hwkeyinfogetlog.bin    resetkey
ceaseadv.conf          hwnfflog.bin           restore
certs                  hwontdebuglogctrl.bin  result_ddr
customize              hwontdebuglogdata.bin  scflie_0
customize.txt          hwontlog.bin           scflie_1
customizepara.txt      keyreleasecount.txt    smooth_finish
cwmp_rebootsave        kmc_need_backup        typeword
dhcp6c                 kmc_store_A            upgrade_info.xml_back
dhcp_data_a            kmc_store_B            xmlcfgerrorcode
dhcp_lastip            lastsysinfo.tar.gz
dhcpc                  main_version
WAP(Dopra Linux) # cp /mnt/jffs2/hw_ctree.xml /mnt/jffs2/mycfg.xml.gz
WAP(Dopra Linux) # aescrypt2 1 mycfg.xml.gz tem
WAP(Dopra Linux) # gzip -d mycfg.xml.gz
WAP(Dopra Linux) # grep WebUserInfoInstance mycfg.xml
<X_HW_WebUserInfoInstance InstanceID="1" ModifyPasswordFlag="0" UserName="user" Password="$2sN}QKqrgY(,w8^GHpW7)$|L3MQ)tWIkZv5Na2Z1E$" UserLevel="1" Enable="1" Alias="cpe-1"/>
<X_HW_WebUserInfoInstance InstanceID="2" ModifyPasswordFlag="1" UserName="CMCCAdmin" Password="$2I3^R(k3[.)B9I4E8:S!DF!Q$ULd6S(U7RRH^2]2-=Nxs&amp;S`J6))+2$S8&quot;&apos;j&amp;$" UserLevel="0" Enable="1" Alias="cpe-2" PassMode="0"/>
WAP(Dopra Linux) #
success!
SU_WAP>

 Locate the UserName and Password fields.

[Screenshot 4]

 In the screenshot above, the password ciphertext for the CMCCAdmin user is: $2I3^R(k3[.)B9I4E8:S!DF!Q$ULd6S(U7RRH^2]2-=Nxs&amp;S`J6))+2$S8&quot;&apos;j&amp;$

 Open huawei.exe from 华为二次密码破解工具S1S2语音全鉴密.zip, enter the ciphertext in the 密文解密 (ciphertext decryption) field, try the 3 decryption options, and the resulting password is CMCCAdminFf2IrXFt.

Logging in to the ONT as the super user

 With username CMCCAdmin and password CMCCAdminFf2IrXFt, the connection mode can now be changed:
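As an added example (not code from the post above), this script turns the grep output of hw_ctree.xml from the telnet session into structured account records, so that an owner auditing their own ONT backup can see which web accounts are enabled at UserLevel 0 (the level the post's output shows for the super-user account). The sample lines are constructed with placeholder ciphertexts; the parser also decodes the &amp;/&quot;/&apos; entities that grep shows raw.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the two lines the post greps out of
# hw_ctree.xml; the Password values are placeholders, not real ciphertexts.
SAMPLE_GREP_OUTPUT = """\
<X_HW_WebUserInfoInstance InstanceID="1" ModifyPasswordFlag="0" UserName="user" Password="$2placeholderUserCiphertext$" UserLevel="1" Enable="1" Alias="cpe-1"/>
<X_HW_WebUserInfoInstance InstanceID="2" ModifyPasswordFlag="1" UserName="CMCCAdmin" Password="$2ph&amp;S`J6))+2$S8&quot;&apos;j&amp;$" UserLevel="0" Enable="1" Alias="cpe-2" PassMode="0"/>
"""


def parse_web_users(grep_output: str) -> list[dict]:
    """Parse grep'd X_HW_WebUserInfoInstance lines into account records.

    The lines are bare elements, so they are wrapped in a throwaway root
    before parsing; ElementTree decodes &amp; &quot; &apos; in the Password
    attribute, which is why plain grep output shows a mangled ciphertext.
    """
    root = ET.fromstring("<root>" + grep_output + "</root>")
    users = []
    for el in root.iter():
        if not el.tag.endswith("WebUserInfoInstance"):
            continue
        users.append({
            "instance": int(el.get("InstanceID", "0")),
            "username": el.get("UserName", ""),
            "ciphertext": el.get("Password", ""),   # entity-decoded
            "level": int(el.get("UserLevel", "-1")),
            "enabled": el.get("Enable") == "1",
            "modify_flag": el.get("ModifyPasswordFlag"),
        })
    return users


def admin_accounts(users: list[dict]) -> list[dict]:
    """Enabled accounts at UserLevel 0, the level the post's output shows
    for the super-user account; these are the credentials worth rotating."""
    return [u for u in users if u["enabled"] and u["level"] == 0]


if __name__ == "__main__":
    for u in parse_web_users(SAMPLE_GREP_OUTPUT):
        print(f'{u["username"]:<12} level={u["level"]} enabled={u["enabled"]} '
              f'ciphertext={u["ciphertext"]}')
```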

[Screenshot 5]

 File link: https://pan.baidu.com/s/101GrTj53T4RaIpc0h4KAoQ

 Extraction code: adja

References

  1. https://www.eaglemoe.com/archives/216

Updated 2022-06-18