Obtain and Decrypt Cambium WiFi Router Password

By default the passwords are “encrypted” so you can not tell what the password is.

No way to view cnPilot WiFi password in the Web UI

We covered decrypting the passwords from the config file from cambium cloud. But what about a local router that is not connected to the cloud. What then?

Thankfully everything you need is on the router. We’ll need to use the command line tools.

1. Enable SSH

First verify that SSH is enabled.

Enable SSH n cnPilot

2. SSH into router

You may need to specify the “diffie-hellman-group1” option if it throws an error.

ssh admin@192.168.11.1 -o KexAlgorithms=+diffie-hellman-group1-sha1

3. Extract Encrypted WiFi Password from config

The config file is stored in “etc/cambium/bkup-config.txt”

cat etc/cambium/bkup-config.txt | grep 

This should dump the encrypted password(s).

Example Output.

WPAPSK1=[c760ba8ffe65c669]
RTDEV_WPAPSK1=[c760ba8ffe65c669]

4. Decrypt WiFi Password

Now we can decrypt the password. Replace the string at the end with the encrypted string

3des_hex -d c760ba8ffe65c669

It should now display the decrypted password

# 3des_hex -d c760ba8ffe65c669
12345678#

Note that it puts the # symbol after the password and if you try to type something in, it clears the line. you can use the following to have cleaner output.

echo $(3des_hex -d c760ba8ffe65c669 )

That will print the password on it’s own line

# echo $(3des_hex -d c760ba8ffe65c669 )
12345678
#

Cambium R195W cnPilot Routers Randomly Dropping

The Problem

We have been experiencing a problem with our Cambium routers where they randomly drop and are unresponsive till a reboot. They’ll also stop handing out addresses on the LAN side.

A reboot “fixes” the problem, until it does it again. You can trigger the behavior by running a port scan against the router. Wondering if the CPU/Memory get overloaded?

nmap -T4 -A -v 192.168.11.1

While running a scan on the LAN side, the web interface slows down, but doesn’t seem to take it down as fast as a scan on the WAN side.

goahead.sh is a script that may be maxing out the cpu, but could be completely unrelated.

Resolution

Configuring the “Allowed Remote IP(IP1;IP2;)” to limit WAN access effectively blocks port scans and resolves the issue. Setting is under Administration -> Management -> Web Settings. You can add multiple ranges with

10.0.0.0/8;172.16.0.0/12;192.168.0.0/16
Configure Allowed Remote IP cnPilot R195W

It looks like the public ip ranges are limited to /24’s so if you you have a block of public IP addresses larger than a /24, you’ll need to break it down into 24’s to work properly.

Template for cnMaestro

You can also create a template in the Cambium Cloud so you can apply the change to multiple routers fairly easily.

Go to Configuration -> Templates and add a new template.

WebRemoteLegalIP=10.0.0.0/8;192.168.0.0/16;172.16.0.0/12
WebRemoteLegalIP template for cnMaestro

And then you can go to your device -> Configuration and apply your new config.

Apply Allowed WAN IPs Template

Do note that if you run a scan from an allowed range, it still seems to cause problems. But at least setting the Allowed Remote IPs will keep others from scanning your network and causing problems on your R195’s.