A way to extract admin credentials from a ZTE router
Don’t mess with ISP provided equipment, it is not yours, and you are not naughty, right???
This was tested on a ZXHN H298Q V7.0 at the time of writing, your mileage may vary.
Dump the configuration
- Log in with normal user credentials.
- Go to “Management & Diagnosis” tab.
- Select “System Management” page.
- Choose “User Configuration Management” option.
- Click “Backup Configuration” button. A file named `config.bin` should appear in your downloads.
Analyze the configuration
Make sure you have Python 3 and pip installed.
Go to the GitHub page and download ZIP of the repository.
Extract the downloaded archive and open a terminal in the extracted directory.
Run `pip install --user .` to install the tool and its dependencies.
Run the following command to decode the configuration:
python3 -m examples.decode "<PATH-TO-DOWNLOADS>/config.bin" "<PATH-TO-DOWNLOADS>/config.xml"
Open `config.xml` from your downloads directory in any text editor.
Find a table named
In that table, you are interested in entries named
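Since the decoded `config.xml` holds credentials in readable form, a backup should be scrubbed before it is shared or archived. The following is an added example, not part of the original note or of the decoding tool: it masks secret-looking fields and reports where they were. It assumes the decoded file uses `Tbl`/`Row`/`DM` elements with `name` and `val` attributes (the page does not show the layout); the table and field names in the sample are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Field names that usually hold secrets (assumed heuristic, extend as needed).
SECRET_NAME = re.compile(r"pass|pwd|psk|secret|key", re.IGNORECASE)
MASK = "***REDACTED***"

def redact_config(xml_text):
    """Return (redacted_xml, findings) for a decoded config.xml.

    Assumed layout (not shown on the page): <Tbl name=...> tables holding
    <Row No=...> rows of <DM name=... val=...> fields.
    findings lists (table, row, field) for every masked value; the secret
    values themselves are never returned.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for tbl in root.iter("Tbl"):
        for row in tbl.iter("Row"):
            for dm in row.iter("DM"):
                name = dm.get("name", "")
                # Skip empty values so the report only lists real secrets.
                if SECRET_NAME.search(name) and dm.get("val"):
                    dm.set("val", MASK)
                    findings.append((tbl.get("name"), row.get("No"), name))
    return ET.tostring(root, encoding="unicode"), findings

# Constructed sample; table and field names are hypothetical.
SAMPLE = """<DB>
  <Tbl name="ExampleUsers" RowCount="2">
    <Row No="0"><DM name="Username" val="user"/><DM name="Password" val="hunter2"/></Row>
    <Row No="1"><DM name="Username" val="guest"/><DM name="Password" val=""/></Row>
  </Tbl>
  <Tbl name="ExampleWlan" RowCount="1">
    <Row No="0"><DM name="ESSID" val="home"/><DM name="KeyPassphrase" val="correct horse"/></Row>
  </Tbl>
</DB>"""

if __name__ == "__main__":
    redacted, found = redact_config(SAMPLE)
    for table, row, field in found:
        print(f"masked {table} row {row}: {field}")
    print(redacted)
```

The name pattern deliberately over-matches (any field containing "key" is masked), which is the safer direction for a file that will leave your machine.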