Thursday, May 5, 2011

Obtaining administrator account credentials of Huawei HG520C

Huawei HG520 Telmex modems use by default this account:

Password: WEP Key default of the equipment

The possible WEP keys can be obtained by its SSID.

We have generated a script ( that allows us generate a rainbow table with the SSID and corresponding WEP Key of 3 Huawei OUI (001E10, 002568 y 6416F0) [This would not have been possible without the work of: -]

The obtained SSID is then introduced to “” which queries the previously generated database and writes a file (words.txt) with the list of 768 possible WEP Keys (words.txt) that can be introduced to tools like Brutus to make a dictionary attack.

768 possible WEP Keys are obtained because in each OUI the same SSID is repeated 256.
Thus, 256 WEP Keys * 3 OUIs = 768 WEP Keys

Example of the attack:

To obtain the SSID from a remote modem we will use the vulnerability “HUAWEI ECHOLIFE HG520C Revelation of Information” published by HKM that consists on opening the page:
http://<REMOTE IP>/Listadeparametros.html


Then we introduce the obtained SSID to

Python Script

We configure Brutus with this list of passwords with the user “TELMEX”.



Generated rainbowtable:

Part 1
Part 2
Part 3
Part 4
Part 5

No comments:

Post a Comment