
Recovering PPP password from Actiontec GT701

I have an Actiontec GT701 router for my Qwest DSL internet, and in the web interface it masks the PPP password. Now I want to use the Actiontec as a bridge and run PPPoE on my Buffalo WHR-G125 running Tomato, and I can’t find my PPP password anywhere. Here’s how I recovered my password:

Log in to the modem using telnet. Typically this is going to be ‘telnet 192.168.0.1’ from a command line. Use the same username and password that you use to log in to the web interface.

Now run the ‘ps’ command and look for the line containing pppd:


# ps
...
123 admin 2376 S /usr/sbin/pppd plugin pppoa 0.32 user YOURUSERNAME pas
...

Sadly, the busybox ps won’t display a longer line, so the password is cut off. However, now we have the PID – the first number on the line, 123 in the example.

To get the full pppd command line we can look in /proc:

# cat /proc/123/cmdline

Replace 123 with the PID you found in the previous step. The arguments in this file are separated by NUL bytes rather than spaces, so they run together on screen, but it should be pretty easy to pick out your password.
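An added example (not part of the original post) that generalizes the steps above into an audit: it walks /proc, splits each NUL-separated cmdline into arguments, and reports which processes carry a value after a password-style option, masking the value itself. The option list, the function name and its optional PROC_ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report processes that expose a secret in their argv.
# Values are masked; only PID, program, option name and length are shown.
# Limitation: an argument that itself contains a newline is not handled.

# Option names treated as secret-bearing (assumed list; extend as needed).
SECRET_OPTS='password passwd --password --passwd'

# audit_cmdlines [PROC_ROOT]  (PROC_ROOT is this example's own parameter;
# it defaults to /proc, and a directory with the same layout also works)
audit_cmdlines() {
    root=${1:-/proc}
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        pid=${f%/cmdline}
        pid=${pid##*/}
        # argv entries are NUL-terminated: emit one argument per line.
        tr '\000' '\n' < "$f" | awk -v pid="$pid" -v opts="$SECRET_OPTS" '
            BEGIN { n = split(opts, o, " ")
                    for (i = 1; i <= n; i++) secret[o[i]] = 1 }
            NR == 1 { prog = $0 }
            # Form 1: "password VALUE" (the pppd style shown above)
            (prev in secret) && length($0) > 0 {
                printf "%s %s %s <%d chars>\n", pid, prog, prev, length($0)
            }
            # Form 2: "--password=VALUE"
            match($0, /^--?(password|passwd)=/) {
                printf "%s %s %s <%d chars>\n", pid, prog,
                       substr($0, 1, RLENGTH - 1), length($0) - RLENGTH
            }
            { prev = $0 }
        '
    done
}
```

Calling audit_cmdlines with no argument scans the live /proc; any process it lists should be changed to take its secret from a file or environment with restricted permissions instead of the command line.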

I was unable to find my password in any of the config files – I’d be curious to know if anyone found where it’s stored. It doesn’t help that there is no editor installed.

As an aside, OpenWRT has experimental support for the Actiontec GT701-WG, which I think is nearly identical to the GT701. This might be a better option than bridging to another router…

10 Comments

  1. Scott Lindner says:

    I think it’s important to note that the password is found between “password” and “node”. In my case it was exactly 8 characters following “password”, but I’m not sure if all passwords are 8 characters.

  2. ZzZ says:

    Thanks!

  3. Ben says:

    Thanks much – used your method on my Actiontec GT724WGR and it worked perfectly. Sincerely appreciate the help.

  4. tbnorth says:

    Thanks – very helpful. For me the word following the password was ‘nodetach’, in case that helps people see what they’re looking at.

  5. Mikethe3DGuy says:

    Thanks so much! This worked on an Actiontec PK5000 – also 8 chars.

  6. Anders says:

    Brilliant, for the Actiontec GT784WN I had to go into busybox (from telnet, enter sh), then instead of PS which didn’t show the PID that I needed, I used top instead to find the PID. From there I followed your instructions to concatenate the file destination and it worked like a charm. One thought, you used command prompt telnet client to do this. Perhaps downloading putty and using that to telnet into the modem will give you better results? Thanks again!

  7. JJ says:

    I have to say thank you! This worked perfectly!

  8. John "S" says:

    Hey thank you very much! Just used this to recover my password from my ActionTec Q1000

  9. Kenny says:

    If busybox on your device is compiled with tr, you can use tr to translate null bytes into spaces for easier reading:

    tr '\0' ' ' </proc/123/cmdline

    Alternatives include:

    sed 's/\x0/ /g' /proc/123/cmdline
    awk '{gsub("\0", " ");print}' /proc/123/cmdline
    awk -F"\0" '{print$7}' /proc/123/cmdline

    That last one prints only the 7th argument which is probably the password.

  10. geekmaster says:

    This worked on the Zyxel Q1000 as well. Here is a little linux script that does the work for you:

    #!/usr/bin/expect
    # Usage: qwauth backdoor_ipaddr admin_password
    set timeout 2
    set hostname [lindex $argv 0]
    set password [lindex $argv 1]
    log_user 0

    if {[llength $argv] == 0} {
        puts "Usage: qwauth backdoor_ipaddr admin_password"
        puts "(note: backdoor_ipaddr is DSL modem ip+256 = a.b.c+1.d)\n"

        exit 1
    }

    puts "\nQwest Q1000 DSL authentication credentials:\n"

    # Open the telnet port and log in as admin
    spawn nc $hostname 23

    expect "*ogin"
    send "admin\r"
    expect "*assword"
    send "$password\r"
    expect ">"
    send "ps\r"

    # Take the first field of the ps line that mentions pppd (its PID)
    expect -re {.*\r\n\s*(.*?)\s(.*)pppd(.*)}
    set output $expect_out(1,string)
    # Read the full argument list and pull out the -u and -p values
    send "cat /proc/$output/cmdline\r"
    expect -re {.*-u(.*?)-p(.*?)-(.*)}
    set username $expect_out(1,string)
    set password $expect_out(2,string)
    puts "\rusername : $username"
    puts "\rpassword : $password\n"

    send "exit\r"

    close

    My router IP is 192.168.10.1, so its backdoor IP is 192.168.11.1.
    I changed my netmask to 255.255.0.0 so it can see more LAN subnets.
    My router web page has password ‘xyzzy’.

    Example (run as root):

    $ ./qwauth
    Usage: qwauth backdoor_ipaddr admin_password
    (note: backdoor_ipaddr is DSL modem ip+256 = a.b.c+1.d)

    $ ./qwauth 192.168.11.1 qyzzy

    Qwest Q1000 DSL authentication credentials:

    username : myname@qwest.net
    password : iuy9UxPZ
