Kitz ADSL Broadband Information
Pages: 1 ... 18 19 [20] 21 22 23

Author Topic: Vodafone (Huawei) HHG2500  (Read 21988 times)

bishbashbosh

  • Member
  • **
  • Posts: 47
Re: Vodafone (Huawei) HHG2500
« Reply #285 on: May 19, 2017, 09:30:11 AM »

Hi f948lan,

Before burning lots of GPU cycles on that, can I suggest you create test data? Use hexedit or something of that ilk.

In a binary file, set the first byte to 03, set the next 8 bytes to a password of your choice and the rest to the challenge. Then create the md5.

So this is what I get from your example.
The hex file with a password set to abcdefgh:
036162636465666768d80c645ca2e979a1a2d13c896d5cebe8c1db6d7d1f9dfc0463f2
The md5:
dc441c5c21f58e8874f126b0f1b3535a

I have CPU power but not GPU, not a gamer so I can't test that.
Good luck.


Logged

chriscwjd

  • Just arrived
  • *
  • Posts: 3
Re: Vodafone (Huawei) HHG2500
« Reply #286 on: May 19, 2017, 01:13:33 PM »

Hi bishbashbosh and f948lan

Can confirm the test data works with hashcat, however my real life attempt at getting my password did not. Ran this command on an AWS p2.8xlarge instance (~30000.0 MH/s):

./hashcat64.bin -m 0 -a 3 hash --hex-charset -1 ?d?u?l 0c?1?1?1?1?1?1?1?1ee3427483a81d06fdb17842ded6cfdf75c

But on completion after a couple of hours there was no crack. The hash file contained the response md5 obviously.

I'm pretty sure I put everything in correctly. The only thing I noticed is my wireshark output (screenshot attached with a couple of bits blanked out) is slightly different than what was in the 'billybob' example, for example the challenge name is 'JUNOS' and the success packet doesn't have 'Welcome' in the message.

My firmware version is 5.4.8.1.291.1.30.1.6 if that's at all relevant.

More than happy and eager to try other methods if there's work going on behind the scenes (wink wink!).
Logged

f948lan

  • Just arrived
  • *
  • Posts: 3
Re: Vodafone (Huawei) HHG2500
« Reply #287 on: May 19, 2017, 01:54:50 PM »

bishbashbosh,

I did indeed test it with a known password MD5 of this first and it worked. Didn't mind burning some GPU overnight, and the nice thing with the GPU accel is that my laptop is still 100% usable while it's doing this. Not a gamer either, laptop just happens to be dual GPU and the nVidia one doesn't see much use day to day.

If this doesn't work I think I'll capture a login from my own PPPoE server to confirm all the logic tonight.

chriscwjd,

I also get JUNOS as the remote name and no Welcome message. My challenge is longer than others report too, at 26 bytes (shows with ... on the end in Wireshark and I have to read the last bytes out of the data 'manually').

Are you sure your session ID byte was correct? You have it as 0c in the hashcat command line, which I think you take from the PPPoE session ID, but I believe we should be using the CHAP Identifier (the byte after the Challenge instruction) - looks like e2 in your case.

So far no luck here with a UC first char, 50% through LC, so still not sure this is going to work...


Logged

f948lan

  • Just arrived
  • *
  • Posts: 3
Re: Vodafone (Huawei) HHG2500
« Reply #288 on: May 19, 2017, 02:14:26 PM »

Maybe I should have been more optimistic. Just got a match starting with lower.

Will try it tonight on my router and see if it actually works :-)

Will let you know.
Logged

4uture

  • Just arrived
  • *
  • Posts: 7
Re: Vodafone (Huawei) HHG2500
« Reply #289 on: May 19, 2017, 02:42:46 PM »

chriscwjd, session id is not correct. It is Identifier under the Point-to-Point Protocol section.
« Last Edit: May 19, 2017, 04:50:28 PM by 4uture »
Logged
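
The hash input discussed in the posts above (the test file from Reply #285 and the CHAP Identifier correction in Replies #287 and #289), as an added example that is not part of any post: Python code that parses a CHAP Challenge/Response in the RFC 1994 layout, rebuilds the MD5 input, checks one known secret, and estimates the worst-case search time at the rate quoted in Reply #286. The packets are constructed from the Reply #285 test data; the function names and the response Name `user@example` are assumptions.

```python
import hashlib
import struct

def parse_chap(pkt: bytes) -> dict:
    """Parse a CHAP Challenge (code 1) or Response (code 2), RFC 1994 layout:
    Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    if len(pkt) < 5:
        raise ValueError("CHAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    size = pkt[4]
    if code not in (1, 2) or not 5 + size <= length <= len(pkt):
        raise ValueError("malformed or truncated CHAP Challenge/Response")
    return {"code": code, "identifier": ident,
            "value": pkt[5:5 + size],
            "name": pkt[5 + size:length].decode("ascii", "replace")}

def chap_preimage(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # One CHAP Identifier byte (not the PPPoE session ID), the secret,
    # then the complete challenge value.
    return bytes([ident]) + secret + challenge

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(chap_preimage(ident, secret, challenge)).digest()

def build_chap(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def secret_matches(chal_pkt: bytes, resp_pkt: bytes, secret: bytes) -> bool:
    chal, resp = parse_chap(chal_pkt), parse_chap(resp_pkt)
    if chal["identifier"] != resp["identifier"]:
        raise ValueError("Response does not answer this Challenge")
    return chap_response(chal["identifier"], secret, chal["value"]) == resp["value"]

def worst_case_hours(charset: int, length: int, hashes_per_sec: float) -> float:
    return charset ** length / hashes_per_sec / 3600

# Constructed packets from the Reply #285 test data (Identifier 03, secret abcdefgh).
CHALLENGE = bytes.fromhex("d80c645ca2e979a1a2d13c896d5cebe8c1db6d7d1f9dfc0463f2")
CHAL_PKT = build_chap(1, 0x03, CHALLENGE, b"JUNOS")
RESP_PKT = build_chap(2, 0x03, chap_response(0x03, b"abcdefgh", CHALLENGE),
                      b"user@example")  # constructed Name, not from the thread

if __name__ == "__main__":
    print(parse_chap(CHAL_PKT))
    print(chap_preimage(0x03, b"abcdefgh", CHALLENGE).hex())
    print(secret_matches(CHAL_PKT, RESP_PKT, b"abcdefgh"))
    print(round(worst_case_hours(62, 8, 30000e6), 2), "hours for 62^8 at 30000 MH/s")
```

A capture whose challenge bytes are cut short fails the length check in `parse_chap` instead of producing a wrong hash input. The estimate shows how little an 8-character alphanumeric secret protects under CHAP-MD5 at the hash rate quoted in the thread.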

ktz392837

  • Reg Member
  • ***
  • Posts: 199
Re: Vodafone (Huawei) HHG2500
« Reply #290 on: May 19, 2017, 03:14:49 PM »

Very interesting thread. I hope someone finds their username and password soon.

How much did it cost to use the AWS instance and how long did it take using it to go through all combinations of any starting upper or lower letter and perhaps include numbers to be sure?

If you could get hashcat working with known values it would hopefully stop time being wasted.  Can some test data be provided for people giving it a try?
Logged

chriscwjd

  • Just arrived
  • *
  • Posts: 3
Re: Vodafone (Huawei) HHG2500
« Reply #291 on: May 19, 2017, 03:31:04 PM »

Good call f948lan and 4uture! Thank you for your help! Glad you have your password now f948lan.

ktz392837, for the p2.8xlarge instance I used (8 GPUs) the cost is about $7.50 an hour, and the process takes a couple of hours for upper and lower case first character (although hashcat wasn't happy with my Nvidia driver installation so it could potentially be quicker). Not much longer to include first character numbers as well. That's worst case obviously - if you get lucky and hashcat cracks your hash quickly then you could very well be shutting the instance down and throwing your HHG2500 out of the window in 10 minutes.

A guide that was handy for AWS:

https://medium.com/@iraklis/running-hashcat-in-amazons-aws-new-16-gpu-p2-16xlarge-instance-9963f607164c

To be honest I'm only using AWS because I'm impatient and I'm using my work account. If you have a nice GPU like f948lan then you won't be waiting too long. For reference my ageing laptop with an Nvidia 600M GPU reported it would take ~6 days for upper/lower first character, which isn't too bad really.
Logged

bishbashbosh

  • Member
  • **
  • Posts: 47
Re: Vodafone (Huawei) HHG2500
« Reply #292 on: May 19, 2017, 03:59:50 PM »

Just to state the obvious. 'JUNOS' is Juniper OS so not renamed from default I would suspect and is issued by VF. If you see .... at the end of your challenge value it's because it's truncated in the capture and you'll have to collect a fresh capture to crack with. That value won't work.

I'm really impressed with the whole MD5 crack with GPUs. Makes my 45.1 days completely pointless  :lol:

I wonder if the router could be made to authenticate with your own ACS using ARP poisoning. Mine always complained that it could not see the ACS so if others are experiencing the same repeating entries in the logs then maybe that is also an angle.

Logged

kieran0065

  • Just arrived
  • *
  • Posts: 19
Re: Vodafone (Huawei) HHG2500
« Reply #293 on: May 19, 2017, 10:06:34 PM »

Hello,

I have been trying to figure out how I'm meant to brute force the password. I have the .pcap file and I've got my username and the password string (I think) but I'm not sure what to do after that...

Any advice?

Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 18960
  • Over the Rainbow
    • The ELRepo Project
Re: Vodafone (Huawei) HHG2500
« Reply #294 on: May 19, 2017, 10:59:31 PM »

Quote from: kieran0065
I have been trying to figure out how I'm meant to brute force the password. I have the .pcap file and I've got my username and the password string (I think) but I'm not sure what to do after that...

Any advice?

From the Wireshark capture, you currently have your user name and the md5 hash of your password.

You now need to use hashcat to recover the plain-text password string.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

kieran0065

  • Just arrived
  • *
  • Posts: 19
Re: Vodafone (Huawei) HHG2500
« Reply #295 on: May 19, 2017, 11:29:32 PM »

Quote from: burakkucat
From the Wireshark capture, you currently have your user name and the md5 hash of your password.

You now need to use hashcat to recover the plain-text password string.

What code would I run in hashcat? Sorry, I'm not as fluent in software as I am in hardware.

My password string is: e18a61c7b625418abdc4f79*ac467e382dee478fc3bc572e2e

On Windows 10 Pro
« Last Edit: May 20, 2017, 07:20:40 AM by kieran0065 »
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 18960
  • Over the Rainbow
    • The ELRepo Project
Re: Vodafone (Huawei) HHG2500
« Reply #296 on: May 20, 2017, 12:11:26 AM »

Never having used hashcat, I'm not too sure of the relevant syntax. So rather than me confusing things with a totally nonsense suggestion, it might be best to wait for one of the other above adventurers to give you some guidance.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

kieran0065

  • Just arrived
  • *
  • Posts: 19
Re: Vodafone (Huawei) HHG2500
« Reply #297 on: May 20, 2017, 12:12:57 AM »

Okay, thanks!
Logged

4uture

  • Just arrived
  • *
  • Posts: 7
Re: Vodafone (Huawei) HHG2500
« Reply #298 on: May 20, 2017, 02:38:26 AM »

Success! I have done it. Kudos to f948lan and chriscwjd for the hashcat knowledge. I guess I was lucky in that my pass was cracked within 30 mins!
Logged

bishbashbosh

  • Member
  • **
  • Posts: 47
Re: Vodafone (Huawei) HHG2500
« Reply #299 on: May 20, 2017, 07:35:17 AM »

Superb. That's really good to know that you can use hashcat with the standard MD5 and a mask to crack the pass.

Everyone with a good GPU, the game is on. Get crackin'

Pun intended.

Well done.
Logged