Some time ago I wrote up a similar procedure to recover a password from an Actiontec M1000 back when Centurylink was known as Qwest (gotta love rebranding). Back then, Actiontec left the operating system a bit more open, actually placing the PPP credentials in a flat file in /var/tmp/. Nowdays, Actiontec tries to obfuscate/encrypt the password in a config XML, making it just difficult enough for most people to give up on the idea of recovering the password.
In addition to this, it would appear to the casual telnet console user that the commonplace busybox shell had been removed or made inaccessible, removing the ability to peer into the embedded linux operating system underneath, and replacing it with a stripped-down properietary shell with limited commands. However, dig a little deeper by trying the undocumented “sh” command, and you’ll find that busybox is alive and well on this device, exposing the configs and services that support the router’s functions. Since the configs contain the encrypted password, we can’t directly extract them from there, however fortunately for us, pppd (the service that authenticates and creates the DSL connection) requires the password to either be kept in plain text in a flat config file (not the case here) OR have the password specified on the command line. The “ps” command on these devices has been handicapped to only display 80 columns, leading to output similar to this:
1623 admin 1144 S pppd -c ppp0.1 -D 0 -i ptm0.0 -u “your___username@qwe
At first, when I saw this, I figured it was another dead end, until I realized that “/proc/(pid)/cmdline” displays the command line of any running process. And fortunately for us, Actiontec left “pidstat” enabled in busybox, making reading those command line arguments fairly simple with a single command:
> sh -c “/usr/bin/pidstat -l -C pppd”
Linux 2.6.30 ((none)) 05/23/13 _mips_ (2 CPU)
14:59:38 PID %usr %system %guest %CPU CPU Command
14:59:38 1623 0.00 0.01 0.00 0.01 1 pppd -c ppp0.1 -D 0 -i ptm0.0 -u “firstname.lastname@example.org” -p “AbCDEfgH” -f 0 -k -P “AbCDEfgH” -M 1492
And there you have it! In this case, I’ve altered the password output (shown as AbCDEfgH) to protect my own privacy, but it’ll look similarly like jumbled letters and numbers on your command line. Also note the “@qwest.net” username. Qwest used to be the LEC in my area, and likely the transition hasn’t been made to the newer branding in the back-end systems. Your situation may be different.
Also, in case you hadn’t figured it out by now, you’re going to need telnet console access. My modem’s console admin password was not the default “admin”, nor the admin password listed on the box. I had to log into the web UI, enable remote console, and (re)set the console password. After that, you should be able to log into the telnet console with “admin” and the password you’ve set.
Lastly, one might ask “Why would I want to obtain this password?”. My personal reason is that eventually I want to replace this leased modem with one I’ve purchased, and use it in transparent bridging mode (using RP-PPPOE to terminate the PPPoE connection and it’s leased static IP on my firewall). When that day comes, I’d like to be able to do the swap without interacting with Centurylink. Call them by whatever new brand they’ve been changed to, Ma’ Bell is always a pain to talk to.
Good luck to you!
If you found this helpful, maybe you’d like to send a thank you from my wishlist?