[Tool] Change TP-LINK AC750 SMB User Password Without Logging in to the Admin Page
This project is based on my previous project, [Project] Small temporarily office network Part 2.
I spent some time creating this tool, which lets normal non-technical users just run the program and change the SMB user password easily.
First I had to analyze the login process and so on.
This is what I got from Wireshark: the router uses a cookie as its authorization identity.
# YWRtaW46YWRtaW42MjM0IQ==
# The router checks this cookie value to authenticate the request :/ It is the base64 encoding of “admin:admin6234!”, and “admin6234!” is my pre-set password.
Convert my python script into .exe executable file
1. Download https://bootstrap.pypa.io/get-pip.py and run it; this installs pip for you.
2. Install pyinstaller: open cmd and type: pip install pyinstaller
3. Change to the pyinstaller folder: cd C:\Python27\Scripts
4. Convert the file with a custom icon: pyinstaller --onefile --icon=my.ico --clean C:\Python27\update.py
Result:
----------------------------------------
[1]. Change Document Password
[2]. Change Audio Password
----------------------------------------
Please Enter Your Choice: 2
Audio new password ==> h4Mzit2i6u
[*] Connecting to Default Gateway: 192.168.0.1
[*] Successfully Connected..
[*] Request has been sent!
Press close to Exit
🙂
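#!/usr/bin/python
##################################
# 2017/6/29 Chako
#
# Description: allow users to change router's smb passwd
#              without login to router's admin page
#
# Router Model: TP-LINK AC750 Wireless Dual Band Gigabit Router
# Model No. Archer C2
#
##################################
"""Set a new random password for one of the router's SMB user accounts.

The script builds a POST /cgi?2 request carrying the admin authorization
cookie and writes it to the router over a plain TCP socket.  It parses and
runs on Python 2 (the interpreter used for the PyInstaller build) and on
Python 3.
"""

import socket
import os
import sys
import string
import random

Host = "192.168.0.1"
Port = 80
PasswordSize = 10
TimeoutSeconds = 10
# ASCII letters and digits only.  string.letters exists only on Python 2 and
# depends on the locale; ascii_letters is fixed and available everywhere.
Chars = string.ascii_letters + string.digits

# YWRtaW46YWRtaW42MjM0IQ== <base64> --> admin:admin6234!
# the router checks the cookie value to auth :/ and "admin6234!" is my
# pre-set password
# NOTE(security): base64 is an encoding, not encryption.  Anyone who gets this
# script, or the .exe built from it, can decode the router admin password, and
# the cookie crosses the LAN in cleartext HTTP.  Distribute the tool only to
# people who are allowed to hold the admin password.
AuthCookie = "Authorization=Basic YWRtaW46YWRtaW42MjM0IQ=="

# Menu choice -> (label shown to the user, USER_ACCOUNT index in the request).
Accounts = {
    "1": ("Document", "2"),
    "2": ("Audio", "3"),
}

# Passwords come from the operating system's CSPRNG.  The module-level
# random.choice() uses a deterministic generator whose output can be
# predicted, which is not acceptable for credentials.
_rng = random.SystemRandom()

try:
    _read_line = raw_input  # Python 2
except NameError:
    _read_line = input  # Python 3


def new_password():
    """Return PasswordSize characters drawn from Chars with the OS CSPRNG."""
    return "".join(_rng.choice(Chars) for _ in range(PasswordSize))


def account_body(account, password):
    """Return the request body that sets *password* on USER_ACCOUNT *account*."""
    body = "[USER_ACCOUNT#" + account + ",0,0,0,0,0#0,0,0,0,0,0]0,1\r\n"
    body += "password=" + password + "\r\n"
    return body


def build_request(body):
    """Return the complete HTTP request text (headers plus *body*).

    Content-Length is computed from the body.  The previous hard-coded value
    only matched one particular password length, so the declared length and
    the bytes actually sent disagreed.
    """
    headers = [
        "POST /cgi?2 HTTP/1.1",
        "Host: " + Host,
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0",
        "Accept: */*",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate",
        "Referer: http://" + Host + "/mainFrame.htm ",
        "Content-Type: text/plain",
        "Content-Length: " + str(len(body)),
        "Cookie: " + AuthCookie,
        "Connection: keep-alive",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def main():
    """Show the menu, generate a password and send the change request."""
    print("\n\n")
    print("----------------------------------------")
    print("[1]. Change Document Password")
    print("[2]. Change Audio Password")
    print("----------------------------------------")
    print("\n\n")

    var = _read_line("Please Enter Your Choice: ").strip()
    print("\n\n")

    # Reject anything that is not a menu entry.  Without this check an
    # unknown choice still sent a request with an empty account and an
    # empty password.
    if var not in Accounts:
        print("[!] Invalid choice: " + var + "\n")
        sys.exit(1)

    label, account = Accounts[var]
    password = new_password()
    print(label + " new password ==> " + password)
    print("\n\n\n")

    request = build_request(account_body(account, password))

    print("[*] Connecting to Default Gateway: " + Host)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Bound the wait so an unreachable gateway does not hang the window.
    s.settimeout(TimeoutSeconds)
    try:
        try:
            s.connect((Host, Port))
        except socket.error:
            print("[!] " + Host + " didn't respond\n")
            sys.exit(0)
        print("[*] Successfully Connected..")

        try:
            # sendall() keeps writing until every byte is out; send() may
            # stop after a partial write.
            s.sendall(request.encode("ascii"))
        except socket.error:
            print("[!] Sending the request to " + Host + " failed\n")
            sys.exit(1)
        # NOTE(review): the router's reply is never read, so this message
        # only means the bytes were written, not that the password changed.
        print("[*] Request has been sent!\n")
    finally:
        s.close()

    # Python 2's input() evaluates what the user types as an expression;
    # read the line as plain text instead.
    _read_line("Press close to Exit")


if __name__ == "__main__":
    main()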
🙂
—————————————————————————————-
UPDATE: 2017/6/29
Added a function that lets users change the network connection password.
UPDATE: 2017/6/30
I was trying to use Python + Qt to create a GUI; however, there were some compatibility problems when I tried to convert the .py to an .exe, so I ended up just building the whole thing again in VB.NET.
Result:
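#!/usr/bin/python
##################################
# 2017/6/29 Chako
#
# Description: allow users to change router's smb passwd
#              without login to router's admin page
#
# Router Model: TP-LINK AC750 Wireless Dual Band Gigabit Router
# Model No. Archer C2
#
##################################
"""Set a new random SMB account password or wireless pre-shared key.

The script builds a POST /cgi?2 request carrying the admin authorization
cookie and writes it to the router over a plain TCP socket.  It parses and
runs on Python 2 (the interpreter used for the PyInstaller build) and on
Python 3.
"""

import socket
import os
import sys
import string
import random

Host = "192.168.0.1"
Port = 80
PasswordSize = 10
TimeoutSeconds = 10
# ASCII letters and digits only.  string.letters exists only on Python 2 and
# depends on the locale; ascii_letters is fixed and available everywhere.
Chars = string.ascii_letters + string.digits

# YWRtaW46YWRtaW42MjM0IQ== <base64> --> admin:admin6234!
# the router checks the cookie value to auth :/ and "admin6234!" is my
# pre-set password
# NOTE(security): base64 is an encoding, not encryption.  Anyone who gets this
# script, or the .exe built from it, can decode the router admin password, and
# the cookie crosses the LAN in cleartext HTTP.  Distribute the tool only to
# people who are allowed to hold the admin password.
AuthCookie = "Authorization=Basic YWRtaW46YWRtaW42MjM0IQ=="

# Menu choice -> (label shown to the user, target kind, index in the request).
Choices = {
    "1": ("Document", "account", "2"),
    "2": ("Audio", "account", "3"),
    "3": ("Network (Network2.4G)", "network", "1"),
    "4": ("Network (Network5G)", "network", "2"),
}

# Passwords come from the operating system's CSPRNG.  The module-level
# random.choice() uses a deterministic generator whose output can be
# predicted, which is not acceptable for credentials.
_rng = random.SystemRandom()

try:
    _read_line = raw_input  # Python 2
except NameError:
    _read_line = input  # Python 3


def new_password():
    """Return PasswordSize characters drawn from Chars with the OS CSPRNG."""
    return "".join(_rng.choice(Chars) for _ in range(PasswordSize))


def account_body(account, password):
    """Return the request body that sets *password* on USER_ACCOUNT *account*."""
    body = "[USER_ACCOUNT#" + account + ",0,0,0,0,0#0,0,0,0,0,0]0,1\r\n"
    body += "password=" + password + "\r\n"
    return body


def wlan_body(network, password):
    """Return the request body that sets *password* as the key of LAN_WLAN *network*.

    A WPA pre-shared passphrase must be 8 to 63 characters long, so
    PasswordSize has to stay inside that range for this request.
    """
    body = "[LAN_WLAN#1," + network + ",0,0,0,0#0,0,0,0,0,0]0,5\r\n"
    body += "BeaconType=11i\r\n"
    body += "IEEE11iAuthenticationMode=PSKAuthentication\r\n"
    body += "IEEE11iEncryptionModes=AESEncryption\r\n"
    body += "X_TP_PreSharedKey=" + password + "\r\n"
    body += "X_TP_GroupKeyUpdateInterval=0\r\n"
    return body


def build_request(body):
    """Return the complete HTTP request text (headers plus *body*).

    Content-Length is computed from the body.  The previous hard-coded values
    only matched one particular password length, so the declared length and
    the bytes actually sent disagreed.
    """
    headers = [
        "POST /cgi?2 HTTP/1.1",
        "Host: " + Host,
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0",
        "Accept: */*",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate",
        "Referer: http://" + Host + "/mainFrame.htm ",
        "Content-Type: text/plain",
        "Content-Length: " + str(len(body)),
        "Cookie: " + AuthCookie,
        "Connection: keep-alive",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def main():
    """Show the menu, generate a password and send the change request."""
    print("\n\n")
    print("----------------------------------------")
    print("[1]. Change Document Password")
    print("[2]. Change Audio Password")
    print("[3]. Change Network Password (Network2.4G)")
    print("[4]. Change Network Password (Network5G)")
    print("----------------------------------------")
    print("\n\n")

    var = _read_line("Please Enter Your Choice: ").strip()
    print("\n\n")

    # Reject anything that is not a menu entry.  Without this check an
    # unknown choice left the request undefined and the script crashed
    # after it had already connected to the router.
    if var not in Choices:
        print("[!] Invalid choice: " + var + "\n")
        sys.exit(1)

    label, kind, index = Choices[var]
    password = new_password()
    print(label + " new password ==> " + password)
    print("\n\n\n")

    if kind == "account":
        body = account_body(index, password)
    else:
        body = wlan_body(index, password)
    request = build_request(body)

    print("[*] Connecting to Default Gateway: " + Host)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Bound the wait so an unreachable gateway does not hang the window.
    s.settimeout(TimeoutSeconds)
    try:
        try:
            s.connect((Host, Port))
        except socket.error:
            print("[!] " + Host + " didn't respond\n")
            sys.exit(0)
        print("[*] Successfully Connected..")

        try:
            # sendall() keeps writing until every byte is out; send() may
            # stop after a partial write.
            s.sendall(request.encode("ascii"))
        except socket.error:
            print("[!] Sending the request to " + Host + " failed\n")
            sys.exit(1)
        # NOTE(review): the router's reply is never read, so this message
        # only means the bytes were written, not that the password changed.
        print("[*] Request has been sent!\n")
    finally:
        s.close()

    _read_line("Press Close to Exit")
    print("\n\n")


if __name__ == "__main__":
    main()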