Extract user/password etc information from a backup file generated by a Zyxel router or modem
This is a script to extract information such as Wifi SSID and Password (currently only WPA-PSK(2) supported), PPPoE username and password, as well as passwords for the default users 'admin' and 'root' on these devices.
- The configuration file is obtained from performing a "backup" from the router's user interface.
- The file (configuration-backupsettings.conf) has a 60-byte "header" followed by an LZW-compressed XML tree.
- The header has the format "<compressed alg=lzw len=<data_length>> <crc=>", i.e.
  <compressed alg=lzw len=23309>^@^@^@^@^@^@^@^@^@^@<crc=0x93c8de2>
  which is then padded to 60 bytes, after which the "data" segment begins.
- The (unmarked) "data" segment is an LZW-compressed stream containing the XML tree that holds the configuration data.
- The passwords in the XML tree are not plain text; they are base64-encoded.
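The header layout and password encoding described above, as an added example that is not part of zyxel-extract.py: the code parses the 60-byte header and decodes a base64 value the way the XML password fields are encoded. `parse_backup`, `decode_secret`, the sample blob and `SAMPLE_B64` are constructed for illustration; treating NUL/whitespace as the only valid padding is an assumption, and the CRC is parsed but not verified because its algorithm is not described here.

```python
import base64
import re
from typing import NamedTuple

HEADER_SIZE = 60  # header is padded to 60 bytes; the data segment follows

class BackupHeader(NamedTuple):
    alg: str
    declared_len: int
    crc: int
    payload: bytes  # LZW stream (not decompressed here)

_COMPRESSED = re.compile(rb"<compressed alg=(\w+) len=(\d+)>")
_CRC = re.compile(rb"<crc=(0x[0-9a-fA-F]+)>")

def parse_backup(blob: bytes) -> BackupHeader:
    """Split a backup blob into parsed header fields and the data segment."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("shorter than the 60-byte header")
    header, payload = blob[:HEADER_SIZE], blob[HEADER_SIZE:]
    comp, crc = _COMPRESSED.search(header), _CRC.search(header)
    if comp is None or crc is None:
        raise ValueError("header tags not found")
    # Assumption: everything outside the two tags is NUL/whitespace padding.
    leftover = _CRC.sub(b"", _COMPRESSED.sub(b"", header))
    if leftover.strip(b"\x00 \r\n"):
        raise ValueError("unexpected bytes in header padding")
    return BackupHeader(comp.group(1).decode(), int(comp.group(2).decode()),
                        int(crc.group(1).decode(), 16), payload)

def decode_secret(value: str) -> str:
    """Password fields are base64-encoded, not encrypted: decoding needs no key."""
    return base64.b64decode(value, validate=True).decode("utf-8", "replace")

# Constructed sample: header in the format shown above plus 8 dummy payload bytes.
SAMPLE = (b"<compressed alg=lzw len=8>" + b"\x00" * 10
          + b"<crc=0x93c8de2>").ljust(HEADER_SIZE, b"\x00") + b"\x01" * 8
SAMPLE_B64 = base64.b64encode(b"example-psk").decode()  # constructed value

if __name__ == "__main__":
    hdr = parse_backup(SAMPLE)
    print(hdr.alg, hdr.declared_len, hex(hdr.crc), len(hdr.payload))
    print(decode_secret(SAMPLE_B64))
```

Because the secrets are recoverable without any key, a saved backup file should be stored and shared with the same care as the passwords themselves.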
This script relies on the python-lzw package for decompressing the LZW data. See the project page at https://github.com/joeatwork/python-lzw for how to install it.
It additionally requires the lxml package, which can be installed by:
$ pip install lxml
The script is implemented in Python 3 (fwiw).
$ python ./zyxel-extract.py configuration-backupsettings.conf
Users configured on router:
Username: root Password: 3peV!Nb1$54 [DISABLED]
Username: admin Password: turktelekom
PPP configuration:
Username: xyz824095721@ttnet Password: 6b88OF73
Wifi info:
SSID: 'My Wifi' Authentication: psk psk2 Password: 'mysecret123'
$ python ./zyxel-extract.py --help
usage: zyxel-extract.py [-h] [-v] [--config | --users | --ppp | --wifi] filename
Extract Username and Password information from ZyXel Modem backup file.
positional arguments:
filename Name of the backup file saved from the router. E.g. 'configuration-backupsettings.conf'
optional arguments:
-h, --help show this help message and exit
-v, --verbose Provide more verbose output
--config Dump XML tree of configuration
--users Only show router user accounts
--ppp Only show PPP information
--wifi Only show Wifi information
This script has been tested using the configuration backup from a Zyxel VMG3313-B10A VDSL modem (and a VMG3312-B10A). Until it gets further exposure, I can't guarantee that it will work on yours. Send me your configuration file if it isn't working for you.
Also, I haven't (yet) had the opportunity to implement extracting WEP keys. If people are using WEP and need this functionality, send me a copy of your backup file and I'll add the code.
See this very informative post: https://abrazalaweb.net/2018/11/descomprimir-archivos-de-configuracion-lzw/