embedded device password cracking

[haicen]

I picked up a cctv system from newegg for $50. Partly because I wanted to be able to keep an eye on my apartment when I'm away, and partly to play around with. Specifically, it is a Rosewill RSCM-0704B042. 

 

The first thing I did was fire up nmap to see what ports were open. I see the following ports open: 23 (telnet),80 (web),554 (rtsp),8000 (web alt) ,49152 (unknown). My best guess for port 49152 is that it is for the custom viewing application. I tried to connect to the device via telnet with the usual password combos root/root, root/blank, root/toor, root/password, as well as the default password for the web interface admin/123456. None of these worked, which was surprising.

 

My next step was to take a look at the firmware, so I pulled a copy from http://www.rosewill.com/media/downloadable/drivers/Shieldeye_PC-_CMS.zip to see if there was anything interesting. I unpacked the romfs and found etc/passwd files. There was a standard passwd, and "passwd-". I don't know what significance the "passwd-" has. I have included both hashes below.

"passwd"    root:$1$$64lU4r1qa6icjzK/sBmQo.:0:0::/root:/bin/sh
"passwd-"   root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

The first i immediately sent to jtr, but it has been running for >12 hours. I basically have 2 questions:

1. Will jtr eventually crack the password? My assumption is that it will eventually be cracked.
2. Is there a better tool for cracking the password? I am currently generating a rainbow table for 1-7 character lowercase alpha passwords. It has occurred to me that this probably isn't the correct keyspace to be searching.

 

[digininja]

1. What dictionary/word list /rules are you using? If you've gone for a basic brute force then it probably will be cracked but could take years.

 

2. What type rainbow tables are you generating? Whether you've got the correct keyspace depends on what the password is. If it is 8 characters then you haven't, if it is a 6 character lower case alpha then it is.

 

Generally rainbow tables aren't used much any more, good word lists and rules are considered better.

[haicen]

I am doing a pure brute force attack. I am assuming since the password wasn't one of the usual defaults that it wouldn't be generated by a human. I don't have any details about what format the password is in.

[digininja]

Just because you couldn't guess it in a couple of goes you assumed it wasn't created by a human? That is one of the daftest things I've heard in a long time. Did you try things like Shieldeye or letmein?

And if you don't know the format, what rainbow tables are you generating?

The format is crypt md5 https://en.m.wikipedia.org/wiki/Crypt_(C)

If you want to try to crack the password then I'd go with word lists and rules (Google them) or you could try to modify the firmware you've got set a password you know then upload that. You may have to bypass CRC checks but that should be possible as you control things. If it is signed though it's unlikely you'll get anywhere.

 

 

[haicen]

Nevermind. I decided to do a quick google search for the hash, and as it turns out, it has already been cracked. I don't know why I didn't try that first.

[digininja]

That was going to be my next suggestion

[haicen]

Thanks for the help.

[haicen]

Just as a followup, I was able to gain access to the device via telnet. Poking around the filesystem, I found a separate passwd file, which is different. This new passwd file contains the information for the web interface and local device login. I.E. the web viewing portal.

 

Here is what I know:

• The admin combo is admin:123456.
• The passwords are not tied to a specific username. I created a few different user names with the same password. The hashes were constant.
• The password cannot be longer than 6 characters, special characters are allowed

At this stage, I am attempting to determine what method is being used to hash these passwords. I have tried a few variations using 612345, 000000, 123455, etc, but do not see a pattern directly. 

format is pw - hash

123456 - nTBCS19C
  5555 - QwZ3AbMB
000000 - qAj0oSP1
111111 - 9kwf1kHJ
222222 - z7a10QFR
612345 - gJJp8X7Q

In the directory above this passwd file, there is a file called encrypt_info, but it only contains the MAC address of the device, a product number, and the following line:

oem 000015

Since the password is limited to 6 characters, this oem value seems of interest. I suspect the values are base64 encoded, but I've tried playing around with a b64 encoder/decoder, and can't find anything that matches.

 

[Captain]

3 hours ago, haicen said:

Just as a followup, I was able to gain access to the device via telnet. Poking around the filesystem, I found a separate passwd file, which is different. This new passwd file contains the information for the web interface and local device login. I.E. the web viewing portal.

 

Here is what I know:

• The admin combo is admin:123456.
• The passwords are not tied to a specific username. I created a few different user names with the same password. The hashes were constant.
• The password cannot be longer than 6 characters, special characters are allowed

At this stage, I am attempting to determine what method is being used to hash these passwords. I have tried a few variations using 612345, 000000, 123455, etc, but do not see a pattern directly. 

format is pw - hash

123456 - nTBCS19C
  5555 - QwZ3AbMB
000000 - qAj0oSP1
111111 - 9kwf1kHJ
222222 - z7a10QFR
612345 - gJJp8X7Q

In the directory above this passwd file, there is a file called encrypt_info, but it only contains the MAC address of the device, a product number, and the following line:

oem 000015

Since the password is limited to 6 characters, this oem value seems of interest. I suspect the values are base64 encoded, but I've tried playing around with a b64 encoder/decoder, and can't find anything that matches.

 

What OS is the device running? Also, can you try pastng the hashed password into the password input? I've seen some really poorly embedded device actually accept the hash :eyeroll: 

[haicen]

Its running busybox v1.16.1

 

Using the hashed password won't work. They aren't hashed or encrypted on the client side. In fact, they are sent in the clear every time the user visits a different page of the interface as well as being stored as a cookie.

[Captain]

4 hours ago, haicen said:

Its running busybox v1.16.1

 

Using the hashed password won't work. They aren't hashed or encrypted on the client side. In fact, they are sent in the clear every time the user visits a different page of the interface as well as being stored as a cookie.

Wow . . I feel like I just traveled back to 2001

Edited June 3, 2016 by Captain

[haicen]

I figured out the hashing algorithm used. It is dahua, which is easily cracked by JTR.

[Rainman_34]

I would be interested in hearing what else you found and were you eventually able to hack into the cameras and get a video feed on your computer without using your dvr box?

[haicen]

There wasn't a huge amount of stuff available. The most concerning thing I found was an undocumented user with a visible password. I wrote a small write up at https://haicen.blogspot.com/2016/08/security-dvr-hacking.html. I have been super busy with life stuff, and haven't really had time to do much. I have a few ideas. I suspect there might be something going on with one of the open ports. I tried looking at it with wireshark and netcat, but didn't see anything happening. I might look at it some more soon.

 

I couldn't get video to work at all in any browsers that aren't IE due to the reliance on ActiveX.