Recovering the PPP Username and Password from a Centurylink Actiontec C1000A

Some time ago I wrote up a similar procedure to recover a password from an Actiontec M1000 back when Centurylink was known as Qwest (gotta love rebranding). Back then, Actiontec left the operating system a bit more open, actually placing the PPP credentials in a flat file in /var/tmp/. Nowdays, Actiontec tries to obfuscate/encrypt the password in a config XML, making it just difficult enough for most people to give up on the idea of recovering the password.

In addition to this, it would appear to the casual telnet console user that the commonplace busybox shell had been removed or made inaccessible, removing the ability to peer into the embedded linux operating system underneath, and replacing it with a stripped-down properietary shell with limited commands. However, dig a little deeper by trying the undocumented "sh" command, and you'll find that busybox is alive and well on this device, exposing the configs and services that support the router's functions. Since the configs contain the encrypted password, we can't directly extract them from there, however fortunately for us, pppd (the service that authenticates and creates the DSL connection) requires the password to either be kept in plain text in a flat config file (not the case here) OR have the password specified on the command line. The "ps" command on these devices has been handicapped to only display 80 columns, leading to output similar to this:

1623 admin      1144 S   pppd -c ppp0.1 -D 0 -i ptm0.0 -u "your___username@qwe

At first, when I saw this, I figured it was another dead end, until I realized that "/proc/(pid)/cmdline" displays the command line of any running process. And fortunately for us, Actiontec left "pidstat" enabled in busybox, making reading those command line arguments fairly simple with a single command:

 > sh -c "/usr/bin/pidstat -l -C pppd"
Linux 2.6.30 ((none))   05/23/13        _mips_  (2 CPU)

14:59:38          PID    %usr %system  %guest    %CPU   CPU  Command
14:59:38         1623    0.00    0.01    0.00    0.01     1  pppd -c ppp0.1 -D 0 -i ptm0.0 -u "" -p "AbCDEfgH" -f 0 -k -P "AbCDEfgH" -M 1492

And there you have it! In this case, I've altered the password output (shown as AbCDEfgH) to protect my own privacy, but it'll look similarly like jumbled letters and numbers on your command line. Also note the "" username. Qwest used to be the LEC in my area, and likely the transition hasn't been made to the newer branding in the back-end systems. Your situation may be different.

Also, in case you hadn't figured it out by now, you're going to need telnet console access. My modem's console admin password was not the default "admin", nor the admin password listed on the box. I had to log into the web UI, enable remote console, and (re)set the console password. After that, you should be able to log into the telnet console with "admin" and the password you've set.

Lastly, one might ask "Why would I want to obtain this password?". My personal reason is that eventually I want to replace this leased modem with one I've purchased, and use it in transparent bridging mode (using RP-PPPOE to terminate the PPPoE connection and it's leased static IP on my firewall). When that day comes, I'd like to be able to do the swap without interacting with Centurylink. Call them by whatever new brand they've been changed to, Ma' Bell is always a pain to talk to.

Good luck to you!

If you found this helpful, maybe you'd like to send a thank you from my wishlist?

5 thoughts on “Recovering the PPP Username and Password from a Centurylink Actiontec C1000A”

  1. I discovered a far greater wealth of options after you indicated I could use the undocumented sh command once I logged into the Telnet CLI interface.

    Do a "cd webs" command...that puts you into the webs directory, where all the webpages for the modem live...if not all, than most of them for sure.

    Do an "ls -al" command and you will be overwhelmed by the pages you see that you can get to through the web browser, that you cannot get to through the normal web interface as there is no link to them.

    Truly overwhelming.

    I was impressed.

  2. Thank you so much! This saved me a long and annoying hold with centurylink's "Well trained" reps.
    Also; minor item, but just wanted to point out that the change from Qwest to Centurylink isn't a rebrand- Centurylink completely bought out and subsumed Qwest; it's a full-on takeover, unlike "Xfinity" from Comcast.

  3. You are correct. At the time I wrote this, I was still under the impression that Qwest was the big fish, and CenturyLink was the podunk carrier and that Qwest had simply reused their branding after the merger.

    Glad to hear the how-to was of help.

  4. I have a Q1000, which doesn't seem to have /usr/bin/pidstat. However, one can go to shell, use ps to find the pid of the pppd process, then run

    # cat proc/26393/cmdline

    where 26393 is the pid of your pppd process, and get the same information.