Accessing HG8245Q Shell Through Telnet

By | November 19, 2017

Accessing HG8245Q Shell: in this article, you will learn how to access HG8245Q shell through Telnet, using default credentials, and how to solve the challenge for SU password using a simple Python script.

HG8245Q Home Router

This is a short story, about accessing HG8245Q shell through Telnet, the whole process took me less than 15 minutes to finish.

In this article, I will show you how to:

  • Scan for open ports using nmap (searching for telnet).
  • Connect to the CLI via telnet, using default credentials.
  • Access the configuration mode, and solve the challenge string.
  • Access the shell of the router.

Note: the time on the snapshots in this article, is not accurate, so please ignore it.

Scanning and Discovery

Using IPCONFIG to obtain the IP address of the machine and the gateway IP address.

Using ipconfig command to get the gateway address.

To get the gateway IP address, you can use the IPCONFIG command, or ifconfig command in care you are using Linux/Unix, the snapshot above illustrates my results.

Using nmap to scan for open TCP ports, we can see that port 23 is open and that telnet is listening on that port..

Using nmap to scan for open TCP ports.

Once you get the gateway IP address, you can scan for open ports, I recommend using nmap (TCP/first 1000 ports), where -sT option is for TCP port scanning, and -T5 option means insane (fast) scan, we don’t care about the traffic or being detected, once the scan is finished, you should see that port 23 was open.

Solving the Telnet Riddle

Use telnet command to connect to the AP, you should see a banner that reads: “Welcome Visiting Huawei Home Gateway”, I believe that it would be really rude not to enter, especially after this generous invitation, we don’t want to be rude now, do we?

However, we need the credentials, so let’s try the default username and password, which is very easy to guess, and you can even search for it online.

Username: root

Password: admin

Telnet access using default credentials.

Telnet access using default credentials.

Once you are logged in, you can list all the available command by using the ‘/?’ Command, you will find two commands that are interesting: su and shell.

Now, to become su, you be asked to solve a challenge string, I didn’t know the algorithm, so I searched for the frameware first, thinking that I may be able to find it there, but instead, I found a script on GitHub: https://github.com/abrdiaz/router-scripts/blob/master/huawei/gpons/hgsupass.py, that you will need to solve the challenge and eventually, accessing HG8245Q shell.

Solving the SU Challenge

To get the challenge string, use the su command, as shown in the snapshot below.

Access the configuration mode (su).

Access the configuration mode (su).

Copy the challenge string, and solve it using the python script, as shown in the snapshot below, and this is it, you should be in now.

Solving the challenge using the python script.

Solving the challenge using the python script.

Accessing HG8245Q Shell

The rest is easy, all you need to do is to issue the shell command and voila, access granted.

Accessing HG8245Q shell.

Shell access.

Now, you should notice that BusyBox/Shell commands are disabled, there are only two “useless” scripts, that I didn’t have time to be interested in them, but I believe that it is critical enough to be in the configuration mode, because you can gain total control of the AP , just check the commands and use your imagination.

Conclusion

Accessing HG8245Q shell not magic, nevertheless, I don’t think that the above is an effective exploit/attack, I was just exploring, and I didn’t try to tamper with the configuration or anything, the point is, you should never trust your ISP, and don’t trust any vendors, to secure your network, you must check the configuration, and believe me, I found many back-doors, and security flaws in home devices and IoT, so many, that I am utterly and ridiculously bored.

Finally, don’t forget to share your thoughts with us, so please leave your comments or questions if you have any, and I will try my best to answer them as soon as possible.

Thanks.

15 thoughts on “Accessing HG8245Q Shell Through Telnet

  1. Edward Gates

    Following another classic maneuver adeptly executed by the infamous Ligeti, a yawn like that of a great, mighty champion escapes the legend as he gazes into the horizon and ponders the challenges that lay beyond.

    Reply
    1. Ligeti Post author

      ED! I am speechless indeed, this is nothing compared of what we did in the old days, wow! Just thinking about how long has it been makes me feel really dizzy! I hope history will repeat itself one day soon, I miss that spirit we had, but I still have faith.
      Thank you, you can’t imagine how happy I am to see you here 🙂

      Reply
  2. yume

    How to use phyton code to solve challange?
    I’m sorry, I’m confused eheh

    Reply
  3. Siddharth

    Hello… Thanks alot for this writeup. I was struggling to get some access to my ONT for last 2 days and finally I am in the shell. I have a IT background but not of networking and am good at unix, so feels fine now.

    My problem is that I was not able to login to the ONT (Huawei HG8546M) after my provider did a factory reset. Now that I am in the shell, can you guide me further? I will explore the files in the shell, but your response will be quick solution for me. I have already asked for a new ONT. If this gets working I can save some bucks!

    Thanks again.

    Reply
  4. Paolo

    Hi

    I have a HG8245q that seems to be factory unlocked. I mean: I had the access to root telnet busybox shell (with only exit and getcustominfo.sh) without doing the challenge unlock.

    As of now, the busybox cli has only these 2 commands, but I need to find the voip plaintext password provided via tr-069 from my provider.

    From the downloaded hw_ctree.xml file (unencrypted by default) all the passwords are encoded in a “$1[24char]$” format that seems to be like AES-256-CBC encryption.

    Do you know how to see the plaintext passwords inside the NVRAM or maybe how to escape from the limited busybox of this router?

    Thank you

    Reply
    1. Ligeti Post author

      Hello Paolo
      I got the same results (I think I mentioned that in my post), but to be honest, I didn’t get a chance to go any further as I didn’t have enough time to explore, I don’t have access to HG8245Q right now, so I can’t really help much with that.
      I don’t think that your goal is easy to achieve, unless you find another way to get in (backdoor, or a web-shell maybe), not from Telnet/shell as there are not much you can do there, I am most probably wrong, because, and again, I didn’t have enough time to explore.

      Reply
      1. paolo

        Thank you for the reply,

        As of now I’m trying to access via serial console, but the pins are disabled. In the next days I’ll manage to solder the necessary resistence to try accessing

        Reply
        1. Ligeti Post author

          Interesting, please let me know how it goes, I am really interested to know, and good luck.

          Reply
  5. Noz

    So what’s the general direction of “complete control of the AP”? My imagination must be a bit limited 🙂

    Reply
  6. Yousef Howmy

    Unfortunately default user and pass for telnet did not work for me!
    Is there a way to change/reset them?

    Reply
  7. Taariq Hosanoo

    I cannot solve the challenge to access the shell. Can you help me?
    After running the script, I got blank answers.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.