mooooon

mooooon's Achievements

  1. I already know the password, but I just want a way to get it from the page.
  2. I can't get the Wi-Fi password from the router page because it's masked with stars, and when I convert the type from password to text using Inspect Element it gives me a wrong password, "@1GV)Z<!". Looking into this path, http://192.168.1.1/html/network/wlan.asp, on another similar model helped me find the password! But on this model, at http://192.168.1.1/html/ntwkall/wlan.asp, all I found was the SSIDs and the wrong passwords "@1GV)Z<!". While looking in the network tab I found that, when submitting a new password, it sends the password to this URL:

       http://192.168.1.1/html/ntwkall/setcfg.cgi?x=InternetGatewayDevice.LANDevice.1&y=InternetGatewayDevice.LANDevice.1.WLANConfiguration.1&k=InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.PreSharedKey.1&z=InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.WPS&RequestFile=/html/ntwkall/wlan.asp

     with this:

       --data "csrf_token=XGusO59EJlYEVQ0sWpMA7ftQo7JH5gQN&y.Standard=b%2Fg%2Fn&y.MaxBitRate=Auto&y.X_Wlan11NHtMcs=33&y.Enable=1&y.AutoChannelEnable=1&y.Channel=6&y.SSIDAdvertisementEnabled=1&y.X_WlanIsolateControl=0&y.WMMEnable=1&y.X_Wlan11NBWControl=20%2F40&y.X_Wlan11NGIControl=long&y.SSID=wifisucks&y.X_AssociateDeviceNum=32&y.X_PowerValue=20&y.BeaconType=11i&z.Enable=1&z.X_WPSMode=ap-pbc&k.PreSharedKey=thepasswordyouno&y.IEEE11iEncryptionModes=AESEncryption&x.X_WLANEnable=1"

     Is there any way to extract the password from that setcfg.cgi? I also tried to decrypt the router backup config file, but NirSoft RouterPassView failed to decrypt it. When I looked into the page file from the firmware and searched for PreSharedKey I found those, if they make any sense, and I have tried to open the page with JavaScript turned off, but the password still didn't show up!

     The wrong password after trying the Inspect Element trick.
     The wrong passwords from the page source code.

     Any ideas other than getting it through WPS would be very useful!
  3. curl. The headers from the network tab. The response cookies from the network tab. I have tried sending no SessionID_R3 in the header but it didn't work, and tried to send an empty SessionID_R3 but it didn't work, and finally tried a random same-length SessionID_R3 but it still didn't work! Is there a way I can generate these IDs myself? Here are some SessionIDs, if anyone can see a pattern.
  4. The SessionID_R3 isn't necessary to log in, but it is necessary to view auth-required pages, and it gives you a new one when you successfully log in. The working command:

       curl "http://192.168.1.1/index/login.cgi" -H "Cookie: Language=en" --data "Username=user&Password=16e1c03a0075fa68ddca3398b5cd6342692cb9868b68a4c9c0a92b89311667a8&challange=KCoMUJ4u3SEf7bfDJ3o9"

     I would have removed the cookies from it, but it's required. The problem was an additional space in the fourth step that resulted in a wrong hashed 'password+challange'.
  5. The problem is that I tried the curl command from the Chrome network tab and it didn't work! So I looked in the page HTML and found that it does this:

       1- Encrypt the password to sha256
       2- then base64 encode the sha256 hash
       3- then add the hash to the challange (that it gets from another page)
       4- then sha256 the output

     These code lines:

       var dbpass = base64encode(SHA256(Password.value));
       var realpass = dbpass + challange;
       form.addParameter('Password', SHA256(realpass));

     I tried to do that step by step and it still doesn't work!

     The curl command from Chrome without cleaning:

       curl "http://192.168.1.1/index/login.cgi" -H "Connection: keep-alive" -H "Cache-Control: max-age=0" -H "Origin: http://192.168.1.1" -H "Upgrade-Insecure-Requests: 1" -H "DNT: 1" -H "Content-Type: application/x-www-form-urlencoded" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3" -H "Referer: http://192.168.1.1/html/index.asp" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US,en;q=0.9,ar;q=0.8" -H "Cookie: Language=en; SessionID_R3=7EGmyRl6PcjZyCodTPl8zshYtbagRfUEIYm4njyVzkHAjoRgfeg8OLYerWewZlUwo5r4FeTPnsbRyB7eeCiVNf22aoU6E7eDAqAXc4w8iINkdt3srn3pdKYCDjvXmZw5; FirstMenu=Admin_0; SecondMenu=Admin_0_0; ThirdMenu=Admin_0_0_0" --data "Username=admin&Password=3bacd54fb595f90906feb6c68659c96bee5a2f4a594aea3fc50a56c306a04cb5&challange=IkYo7bcXU68FzOOzCPBg" --compressed --insecure

     The command after cleaning it up a little bit:

       curl "http://192.168.1.1/index/login.cgi" -H "Cookie: Language=en; FirstMenu=Admin_0; SecondMenu=Admin_0_0; ThirdMenu=Admin_0_0_0" --data "Username=user&Password=16e1c03a0075fa68ddca3398b5cd6342692cb9868b68a4c9c0a92b89311667a8&challange=KCoMUJ4u3SEf7bfDJ3o9"

     I have removed SessionID_R3 from it as I think it's not necessary, and I tried the command with it and it didn't make any difference.

     A successful connection in the Wireshark image and the Chrome network tab.
  6. That sounds amazing! But I am really thinking that the TOTOLINK A2000UA will do better with its longer antenna and newer generation of speed.
  7. TL-WN822N N300 v1 or v2 https://www.amazon.com/dp/B00416Q5KI?tag=wiki085-20&th=1&psc=1
     TOTOLINK A2000UA https://ru.aliexpress.com/item/TOTOLINK-A2000UA-AC1200-Wi-Fi-USB-2/32857503833.html
     TOTOLINK N300UA https://www.amazon.co.uk/TOTOLINK-N300UA-300Mbps-Wireless-USB-Adapter/dp/B01ER86XEC
     Ubiquiti Wifistation http://www.wlanparts.com/ubiquiti-networks/accessories/ubiquiti-wifistation-usb-adapter-802-11g-n-up-to-1000mw/
     and maybe a used AWUS036H Alfa ... as no new Alfas are available in my area!
  8. I found it ... but not from the firmware file ... it was the landline phone number plus the ISP name! Is there a way to decrypt the config file?
  9. Are there any signs of the password yet? I think the password is in the encrypted defaultcfg.XML file.
  10. Thanks. What do you want to do with a supermodel? She's so fiiiiine, and maybe too much for one man to take ... Do I come with you on that date? 😅
  11. I want to get the admin password from this firmware.bin file and extract the telnet password too: https://www.file-up.org/1gdnvgit3fgx or https://www.file-up.org/afo7y3b07v7e
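
The login hash described in the login.cgi posts above (SHA-256, base64, append the challange, SHA-256 again), with a check for the stray-whitespace mistake mentioned there, as an added example that is not part of the original posts. It assumes the page script's SHA256() returns lowercase hex text that base64encode() then encodes; the password and challenge values are constructed.

```python
import base64
import hashlib


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def stored_form(password: str) -> str:
    # Assumption: the page's SHA256() returns lowercase hex text and
    # base64encode() is applied to that text, not to the raw digest bytes.
    return base64.b64encode(sha256_hex(password).encode("ascii")).decode("ascii")


def login_response(password: str, challenge: str) -> str:
    """SHA256(base64(SHA256(password)) + challenge), as in the quoted script."""
    return sha256_hex(stored_form(password) + challenge)


def diagnose(password: str, challenge: str, observed: str) -> str:
    """Name the stray-whitespace variant that reproduces a hand-computed hash."""
    db = stored_form(password)
    candidates = {
        "correct": db + challenge,
        "space between hash and challenge": db + " " + challenge,
        "newline between hash and challenge": db + "\n" + challenge,
        "trailing space": db + challenge + " ",
        "trailing newline": db + challenge + "\n",
        "newline hashed with password": stored_form(password + "\n") + challenge,
    }
    want = observed.strip().lower()
    for name, final_input in candidates.items():
        if sha256_hex(final_input) == want:
            return name
    return "no match"


if __name__ == "__main__":
    # Constructed sample values, not taken from the posts.
    pw, ch = "example-password", "AAAABBBBCCCCDDDDEEEE"
    good = login_response(pw, ch)
    # A shell `echo` piped into a hash tool appends a newline to the input.
    bad = sha256_hex(stored_form(pw) + ch + "\n")
    print(good, diagnose(pw, ch, good))
    print(bad, diagnose(pw, ch, bad))
```

A 64-character hex digest always base64-encodes to 88 characters, which is longer than the 76-column wrap some base64 tools apply by default, so an embedded newline is a likely source of the "newline between hash and challenge" case.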