[Project] Small temporarily office network Part 3

[Tool] Change TP-LINK AC750 SMB User Password Without login to Admin page

This project is base on my previous project [Project] Small temporarily office network Part 2
I spend some time and create this tool which allows normal none-tech users can just run the program and change the smb user password easily.

First I have to analyst the login process and things ..etc

this is what i got from wireshark, the router use cookie as an authorization identity
# YWRtaW46YWRtaW42MjM0IQ== –> admin:admin6234!
# the router check cookie value to auth :/ and “admin6234!” is my pre-set password

Convert my python script into .exe executable file

1 Download  https://bootstrap.pypa.io/get-pip.py and run it. so it will install pip for you
2. install pyinstaller   ---> open cmd and type:  pip install pyinstaller
3. change to pyinstaller folder   ---> cd C:\Python27\Scripts
4. convert file with custom icon  -> pyinstaller --onefile --icon=my.ico --clean C:\Python27\update.py

Result:

----------------------------------------
[1]. Change Document Password
[2]. Change Audio Password
----------------------------------------



Please Enter Your Choice: 2



Audio new password ==>  h4Mzit2i6u




[*] Connecting to Default Gateway: 192.168.0.1
[*] Successfully Connected..
[*] Request has been sent!

Press close to Exit

🙂

#!/usr/bin/python

##################################
#   2017/6/29  Chako
#
#   Description: allow users to change router's smb passwd 
#                without login to router's admin page
#   
#    Router Model: TP-LINK AC750 Wireless Dual Band Gigabit Router
#    Model No. Archer C2
#
##################################
 
 
import socket
import os
import sys
import string
import random

Host = "192.168.0.1"
Port = 80
PasswordSize = 10
Password = ""
Account  = ""
Chars = string.letters + string.digits


print "\n\n"
print "----------------------------------------"
print "[1]. Chnage Document Password"
print "[2]. Chnage Audio Password"
print "----------------------------------------"
print "\n\n" 
 

var = raw_input("Please Enter Your Choice: ")
print "\n\n"

if var == "1":
    Password = "".join((random.choice(Chars)) for x in range(PasswordSize))
    Account = "2"
    print "Document new password ==>  " + Password
    print "\n\n\n"
elif var == "2":
    Password = "".join((random.choice(Chars)) for x in range(PasswordSize))
    Account = "3"
    print "Audio new password ==>  " + Password
    print "\n\n\n"


# YWRtaW46YWRtaW42MjM0IQ==    <base64> --> admin:admin6234!
# the router check cookie value to auth :/   and "admin6234!" is my pre-set password
request = "POST /cgi?2 HTTP/1.1\r\n"
request += "Host: " + Host + "\r\n"
request += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0\r\n"
request += "Accept: */*\r\n"
request += "Accept-Language: en-US,en;q=0.5\r\n"
request += "Accept-Encoding: gzip, deflate\r\n"
request += "Referer: http://" + Host + "/mainFrame.htm \r\n"
request += "Content-Type: text/plain\r\n"
request += "Content-Length: 70\r\n"
request += "Cookie: Authorization=Basic YWRtaW46YWRtaW42MjM0IQ==\r\n"
request += "Connection: keep-alive\r\n\r\n"
request += "[USER_ACCOUNT#" + Account + ",0,0,0,0,0#0,0,0,0,0,0]0,1\r\n"
request += "password=" + Password + "\r\n"
#print request+"\n\n\n"

 
print "[*] Connecting to Default Gateway: " + Host


 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 
try:
    connect=s.connect((Host, Port))
    print "[*] Successfully Connected.."
except:
    print "[!] " + Host + " didn't respond\n"
    sys.exit(0)
 
 

s.send(request + "\r\n\r\n")
print "[*] Request has been sent!\n"
s.close()


k=input("Press close to Exit") 

🙂

—————————————————————————————-

UPDATE: 2017/6/29
add function let allow users to change network connection password

UPDATE: 2017/6/30
Was trying to use Python + Qt to create GUI however it has some compatible problem when I was trying to
convert .py to .exe. so i end up just build whole thing again in vb.net

Result:

#!/usr/bin/python

#!/usr/bin/python

##################################
#   2017/6/29  Chako
#
#   Description: allow users to change router's smb passwd 
#                without login to router's admin page
#   
#    Router Model: TP-LINK AC750 Wireless Dual Band Gigabit Router
#    Model No. Archer C2
#
##################################
 
 
import socket
import os
import sys
import string
import random

Host = "192.168.0.1"
Port = 80
PasswordSize = 10
Password = ""
Account  = ""
Network  = ""
Chars = string.letters + string.digits


print "\n\n"
print "----------------------------------------"
print "[1]. Change Document Password"
print "[2]. Change Audio Password"
print "[3]. Change Network Password (Network2.4G)"
print "[4]. Change Network Password (Network5G)"
print "----------------------------------------"
print "\n\n" 
 

var = raw_input("Please Enter Your Choice: ")
print "\n\n"

if var == "1":
    Password = "".join((random.choice(Chars)) for x in range(PasswordSize))
    Account = "2"
    print "Document new password ==>  " + Password
    print "\n\n\n"
elif var == "2":
    Password = "".join((random.choice(Chars)) for x in range(PasswordSize))
    Account = "3"
    print "Audio new password ==>  " + Password
    print "\n\n\n"
elif var == "3":
    Password = "".join((random.choice(Chars)) for x in range(PasswordSize))
    Network = "1"
    print "Network (Network2.4G) new password ==>  " + Password
    print "\n\n\n"
elif var == "4":
    Password = "".join((random.choice(Chars)) for x in range(PasswordSize))
    Network = "2"
    print "Network (Network5G) new password ==>  " + Password
    print "\n\n\n"



# YWRtaW46YWRtaW42MjM0IQ==    <base64> --> admin:admin6234!
# the router check cookie value to auth :/   and "admin6234!" is my pre-set password
if var == "1" or var == "2":
    request = "POST /cgi?2 HTTP/1.1\r\n"
    request += "Host: " + Host + "\r\n"
    request += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0\r\n"
    request += "Accept: */*\r\n"
    request += "Accept-Language: en-US,en;q=0.5\r\n"
    request += "Accept-Encoding: gzip, deflate\r\n"
    request += "Referer: http://" + Host + "/mainFrame.htm \r\n"
    request += "Content-Type: text/plain\r\n"
    request += "Content-Length: 70\r\n"
    request += "Cookie: Authorization=Basic YWRtaW46YWRtaW42MjM0IQ==\r\n"
    request += "Connection: keep-alive\r\n\r\n"
    request += "[USER_ACCOUNT#" + Account + ",0,0,0,0,0#0,0,0,0,0,0]0,1\r\n"
    request += "password=" + Password + "\r\n"
elif var == "3" or var == "4":
    request = "POST /cgi?2 HTTP/1.1\r\n"
    request += "Host: " + Host + "\r\n"
    request += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0\r\n"
    request += "Accept: */*\r\n"
    request += "Accept-Language: en-US,en;q=0.5\r\n"
    request += "Accept-Encoding: gzip, deflate\r\n"
    request += "Referer: http://" + Host + "/mainFrame.htm \r\n"
    request += "Content-Type: text/plain\r\n"
    request += "Content-Length: 197\r\n"
    request += "Cookie: Authorization=Basic YWRtaW46YWRtaW42MjM0IQ==\r\n"
    request += "Connection: keep-alive\r\n\r\n"
    request += "[LAN_WLAN#1," + Network + ",0,0,0,0#0,0,0,0,0,0]0,5\r\n"
    request += "BeaconType=11i\r\n"
    request += "IEEE11iAuthenticationMode=PSKAuthentication\r\n"
    request += "IEEE11iEncryptionModes=AESEncryption\r\n"
    request += "X_TP_PreSharedKey=" + Password + "\r\n"
    request += "X_TP_GroupKeyUpdateInterval=0\r\n"
	
#print request+"\n\n\n"

 
print "[*] Connecting to Default Gateway: " + Host


 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 
try:
    connect=s.connect((Host, Port))
    print "[*] Successfully Connected.."
except:
    print "[!] " + Host + " didn't respond\n"
    sys.exit(0)
 
 

s.send(request + "\r\n\r\n")
print "[*] Request has been sent!\n"
s.close()


end=raw_input("Press Close to Exit") 
print "\n\n"