Login into the VMG1312-B10A device as "supervisor". Issue a "sh" command to the " > " prompt. (Note the changed prompt.) Look at the contents of the
/etc/passwd file. The first & second fields on each line are the username & passwords, respectively. The password is encrypted with
DES crypt (usage is strongly deprecated) where the first two characters (out of the total of thirteen) is the
salt (taken from the
base64 character set) and the remaining eleven characters is the encrypted
password.
Exit from the Bourne shell back to the " > " prompt with a <Ctl>-D key press. Issue a "dumpcfg" command and capture the output. Search for, and examine, the
<AdminPassword>_ZEncrypted_blah-blah</AdminPassword> line. That is the encrypted supervisor password. Search for, and examine, the two consecutive lines
<UserName>admin</UserName> &
<Password>_ZEncrypted_different-blah-blah</Password> lines. The latter is the encrypted admin password.
Now power-cycle that VMG1312-B10A device and look, once again, at the contents of the
/etc/passwd file. Perform another "dumpcfg" command and capture the output. Find the three lines, as above.
The
blah-blah and
different-blah-blah sections of the two lines (i.e. that which follows the
_ZEncrypted_ string) is the
base64 representations of those two passwords.
The plain-text passwords are (clearly) unchanged. The salt is changed, hence the change in the second field of each line in the
/etc/passwd file.
Finally -- and I do not have the time to find the relevant link --
TJ has posted about how ZyXEL manipulate such strings so that some are revealed and some are not, depending upon how they are viewed. Sorry, I know what I mean but I'm having a problem in expressing the information in words. Perhaps take a look through
TJ's
git repository for inspiration . . .