haicen

Active Members
  • Posts

    23
  • Joined

  • Last visited

Everything posted by haicen

  1. There wasn't a huge amount of stuff available. The most concerning thing I found was an undocumented user with a visible password. I wrote a small write up at https://haicen.blogspot.com/2016/08/security-dvr-hacking.html. I have been super busy with life stuff, and haven't really had time to do much. I have a few ideas. I suspect there might be something going on with one of the open ports. I tried looking at it with wireshark and netcat, but didn't see anything happening. I might look at it some more soon. I couldn't get video to work at all in any browsers that aren't IE due to the reliance on ActiveX.
  2. I have created a python script to generate dahua hashes. These hashes are frequently found in security camera DVR units. It is an MD5 hash that is compressed into 8 characters. The code is available at https://github.com/haicen/DahuaHashCreator I did this as more of a learning exercise, but other people may find it useful. These hashes are easily cracked using John the Ripper, as long as the hash is in the right format. For the DVR I had, the passwords could be a max of 6 characters long, so a warning will be generated if a password is specified that is longer than 6 characters, but it will output the hash anyway.
  3. Thanks. I did that and got an answer.
  4. I have a bit of an odd question that I'm hoping someone here can point me in the right direction to figure out. I have been looking at a DVR which I purchased for the express purpose of poking around on. I was able to gain access to it via telnet, and found some interesting things. I found the password hashes for the web portal. The passwords themselves are hashed using an algorithm detected by JTR as "dahua". Outside of the source code for the JTR module located at http://fossies.org/linux/john/src/dahua_fmt_plug.c I cannot find any information about how this algorithm works. I spent several hours using my google-fu, but I haven't found anything yet. Here is what I have so far from reading the source code from above: The password is hashed using MD5, then compressed using the compress method included above. I don't know C well enough to be able to translate the rest of it, but that seems to be 99% of the work. I am getting hashes in the correct format using the code posted below, but they aren't correct. The code from the JTR module expects a 16 character hash, but MD5 returns a 32 character hash. I am quite rusty on C/C++, but I'm having a really hard time understanding the flow of the C program of the JTR module, particularly with pointers, and memory allocations. I know my python file has some errors in it, because it wasn't until I started writing this that I realized it was only checking the first 16 characters of the hash, not the full 32. It doesn't matter because the compressor as written only reduces the length by 2 anyway. dahua_hash.py
  5. I figured out the hashing algorithm used. It is dahua, which is easily cracked by JTR.
  6. It's running busybox v1.16.1. Using the hashed password won't work. They aren't hashed or encrypted on the client side. In fact, they are sent in the clear every time the user visits a different page of the interface as well as being stored as a cookie.
  7. Just as a followup, I was able to gain access to the device via telnet. Poking around the filesystem, I found a separate passwd file, which is different. This new passwd file contains the information for the web interface and local device login, i.e. the web viewing portal. Here is what I know: The admin combo is admin:123456. The passwords are not tied to a specific username. I created a few different user names with the same password. The hashes were constant. The password cannot be longer than 6 characters; special characters are allowed. At this stage, I am attempting to determine what method is being used to hash these passwords. I have tried a few variations using 612345, 000000, 123455, etc, but do not see a pattern directly. Format is pw - hash:

    123456 - nTBCS19C
    5555 - QwZ3AbMB
    000000 - qAj0oSP1
    111111 - 9kwf1kHJ
    222222 - z7a10QFR
    612345 - gJJp8X7Q

    In the directory above this passwd file, there is a file called encrypt_info, but it only contains the MAC address of the device, a product number, and the following line:

    oem 000015

    Since the password is limited to 6 characters, this oem value seems of interest. I suspect the values are base64 encoded, but I've tried playing around with a b64 encoder/decoder, and can't find anything that matches.
  8. Nevermind. I decided to do a quick google search for the hash, and as it turns out, it has already been cracked. I don't know why I didn't try that first.
  9. I am doing a pure brute force attack. I am assuming since the password wasn't one of the usual defaults that it wouldn't be generated by a human. I don't have any details about what format the password is in.
  10. I picked up a cctv system from newegg for $50. Partly because I wanted to be able to keep an eye on my apartment when I'm away, and partly to play around with. Specifically, it is a Rosewill RSCM-0704B042. The first thing I did was fire up nmap to see what ports were open. I see the following ports open: 23 (telnet), 80 (web), 554 (rtsp), 8000 (web alt), 49152 (unknown). My best guess for port 49152 is that it is for the custom viewing application. I tried to connect to the device via telnet with the usual password combos root/root, root/blank, root/toor, root/password, as well as the default password for the web interface admin/123456. None of these worked, which was surprising. My next step was to take a look at the firmware, so I pulled a copy from http://www.rosewill.com/media/downloadable/drivers/Shieldeye_PC-_CMS.zip to see if there was anything interesting. I unpacked the romfs and found etc/passwd files. There was a standard passwd, and "passwd-". I don't know what significance the "passwd-" has. I have included both hashes below.

    "passwd"
    root:$1$$64lU4r1qa6icjzK/sBmQo.:0:0::/root:/bin/sh

    "passwd-"
    root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

    The first I immediately sent to jtr, but it has been running for >12 hours. I basically have 2 questions:

    Will jtr eventually crack the password? My assumption is that it will eventually be cracked.

    Is there a better tool for cracking the password? I am currently generating a rainbow table for 1-7 character lowercase alpha passwords. It has occurred to me that this probably isn't the correct keyspace to be searching.
  11. You don't need a 5th quote because it is included in the underlying php code that handles the query. From the DVWA code,

    $id = $_REQUEST[ 'id' ];
    // Check database
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

    In this case, $id is equal to whatever you put into the text box. So if you take your example

    a' OR '1'='1

    the query will look like this:

    $query = "SELECT first_name, last_name FROM users WHERE user_id = 'a' OR '1'='1';";

    As you can see, when your SQLi statement is given in the textbox, the quotes will be balanced. If you added another quote, the line would be like this:

    $query = "SELECT first_name, last_name FROM users WHERE user_id = 'a' OR '1'='1'';";

    This won't work because there is an odd number of single quotes, and will cause the php code to have an error. Another thing to note is that -- is the default comment operator for sql. This will cause whatever happens after the -- to not be evaluated by sql. For example, if your target is a username/password combo, you may only need to try injecting the username field. Your test string would be

    a' OR 1=1 --

    This interrupts the rest of the query string; unless there is something else going on in php, this is what the sql statement looks like:

    SELECT <whatever> from <database> WHERE 'a' OR 1=1

    Also, note that you don't have to use '1'='1 in the previous examples either. Your test string could be:

    a' OR 1=1 OR '

    The SQL statement will be:

    SELECT <whatever> from <database> WHERE 'a' OR 1=1 OR '' <rest of query>

    The end result is the same. I prefer to use as few quotes as possible to reduce confusion on my end. Hope this helps.
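The quote balancing explained in the reply above can be reproduced against a small in-memory SQLite table. This is an added example, not code from the original post or from DVWA: the string-spliced lookup mirrors the quoted DVWA line, the fifth-quote input fails to parse, and a parameterised lookup beside it shows why bound values end the problem. The table and its rows are constructed for the example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the DVWA users table (rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "admin"),
        (2, "Gordon", "Brown"),
        (3, "Pablo", "Picasso"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Mirror of the quoted DVWA line: $id is spliced straight into the query
    text, so a quote in the input closes the literal the code itself opened."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}';"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """The fix: the value is bound as a parameter and never becomes SQL text,
    so quotes and -- inside it are just characters to compare against."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?;"
    return conn.execute(query, (user_id,)).fetchall()


def breaks_query(conn: sqlite3.Connection, user_id: str) -> bool:
    """True when the spliced query no longer parses (odd number of quotes)."""
    try:
        lookup_vulnerable(conn, user_id)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))                 # the intended single row
    print(lookup_vulnerable(db, "a' OR '1'='1"))      # quotes balance: every row
    print(breaks_query(db, "a' OR '1'='1'"))          # True: fifth quote is unbalanced
    print(lookup_vulnerable(db, "a' OR 1=1 -- "))     # comment swallows the closing quote
    print(lookup_parameterised(db, "a' OR '1'='1"))   # []: input treated as data
```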
  12. I haven't quite given up yet. I have been comparing the contents of the folders before and after changing the password. The process I have been using is:

    tar the directory, output it to a writeable directory, i.e. tar -c -f /var/etc1.tar etc
    change the password
    tar directory again, i.e. tar -c -f /var/etc2.tar etc
    calculate md5 sum for both hashes

    Strangely, the two directories I expected to change, /etc/ and /usr/www, have not been modified. Can a minor change like a password be insignificant after being compressed to a tar file? Another interesting inconsistency is that the "WPS" default pin isn't really the default pin. The config.xml says it is 12345670, but it is something completely different. I don't even know how that could happen unless the developers never configured that option.
  13. No, I have access to everything as root. I'm 99% sure that the tw user was actually commented out in the passwd and shadow files. I believe them to be correct since I am able to log in as root. Modifying the firmware wasn't exactly the direction I wanted to go with since that is not a practical method for gaining admin access to the router. I was hoping it would uncover clues as to where the password was stored. I assume the admin password cannot be stored inside the webproc file itself. Reverse engineering is cool, but it just isn't part of my toolbox.
  14. I still don't understand writing to the binary. I installed bless, but it looks nothing like the disassembled output, and the addresses are different. I'm trying to understand this part:

    Alf@UNKNOWN:~/Downloads/PenTest$ cp webproc webproc-mypatch1
    Alf@UNKNOWN:~/Downloads/PenTest$ radare2 -e -b 32 -a mips webproc-mypatch1
    Warning: read (strtab) at 0x20
    Warning: Cannot initialize strings table
    [0x00401b70]> oo+
    File webproc-mypatch1 reopened in read-write mode
    [0x00401b70]> s 0x401fcc
    [0x00401fcc]> pd 1
    ,=< 0x00401fcc 10400026 beqz v0, 0x00402068
    [0x00401fcc]> wx 14400026
    [0x00401fcc]> pd 1
    ,=< 0x00401fcc 14400026 bnez v0, 0x00402068
    [0x00401fcc]> wx 10
    [0x00401fcc]> pd 1
    ,=< 0x00401fcc 10400026 beqz v0, 0x00402068
    [0x00401fcc]> wx 14
    [0x00401fcc]> pd 1
    ,=< 0x00401fcc 14400026 bnez v0, 0x00402068
    [0x00401fcc]> exit

    I understand that wx 14400026 writes 14400026 to address 0x00401fcc. What does wx 14 do? It doesn't write 14 to 0x00401fcc, so I'm not understanding what that operation does. I've worked with asm instructions before, but it was on a terrible spartan fpga, and was much simpler. Never disassembled anything. The hashes have nothing to do with the admin console unfortunately. They are static across password changes. What I know about the hash itself is that it is MD5, salted with "TW". I can't get johnny to crack them. The only output I get is "Loaded 1 hash" followed by "No password hashes left to crack". I don't know if I've put the file in the wrong format or what. It is still a work in progress.
  15. I got the code to open in radare2, I'm at a loss as to how I would go about editing the binary myself. Could you explain how that process works? I tried running rasm2 -f webproc -b 32 -a mips -D No errors occur, but nothing happens, it just returns to the next console line. Back to the hashes mentioned: I plugged the router back in so I could check out the hashes again. I used johnny and set to work on cracking the hashes (which took all of 2 seconds). My hashes are different than the ones included in the device firmware. I wasn't able to crack the admin password on the manufacturer release, but I don't know why that one failed to crack. Maybe it is a slightly later version of the firmware and that got changed. I'll have to do some more investigating there. The user level account password was "user" so I find it unlikely that they would have changed one password but not the other. Or something may alter that once the firmware upgrade is applied.
  16. Wow. That was quite a read. I don't think I understand half of it, but I will have to re-read another day. As for the passphrase and hashes, the firmware I uploaded was not the actual firmware loaded on the device but was a fresh copy from the manufacturer. So that may in fact be the default password, but I think it is just a test value since the as-shipped version came up without a password and after a system reset reverts to an open network. On to the hashes: my memory is a bit fuzzy since I last looked at those a few days ago, but I was able to decrypt them. Unfortunately they weren't the correct ones. I also found those hashes lurking in the device's /etc/shadow file. I also remember them not changing after I modified the admin panel password. Also, the user those hashes are associated with is "tw" and is commented out in /etc/passwd. My knowledge of how linux handles password hashing is fairly limited, but as I understand it, tw is the salt for these particular hashes. Again, there may also be some discrepancies since we aren't physically looking at the exact same binary since mine is on the device and the one I uploaded was from the manufacturer. If I have time tomorrow to poke around in the firmware some more, I will attempt to confirm the hash issue. I kinda have a handle on what is going on here, and I will definitely be trying to reproduce what you've done. I will let you know if I get it to work. Honestly I am blown away that you were able to figure all that out. Please accept this I.O.U. redeemable for one (1) alcoholic beverage of your choice on the off chance we should ever meet.
  17. Python or?

    I like python. It is easy to learn, especially for a beginner. With that said, a lot of the websites claiming to teach programming don't teach you how to think logically about things, which is really the whole point. C, C++, and Java are great languages to learn, but I find python to be easy to read and the syntax is pretty easy to follow. Makes things much easier to read through and debug. I have used codeacademy, but I found it to be more like cookbook learning. Then again, I started with C++ and have kinda been going in reverse order.
  18. What tool did you use to look at the code? Is it the same readelf command? I'd be interested to see what it looks like.
  19. I have uploaded the wireshark packet capture to the same dropbox folder as router.pcapng. https://www.dropbox.com/s/kcq65ita76a7oo8/RequestPassword.txt?dl=0 Frame 138 is sending a wrong password. Number 146 is what I assume to be the response, which is 200-ok. Frame 189 is the correct password. I have wordlists, that's not an issue. I don't need to brute force telnet either. I already have access to that since it is by default set to root:root. The problem is that I don't understand what I can do now that I have that access to be able to determine the password.
  20. Since I'm a new user, I can only make one more post until later today, so I will have to lump everything in this reply. Here is a link to my dropbox folder with the cgi binary, embedded file system (not exact copy, but same version from mfg), and some output and http requests. https://www.dropbox.com/sh/lso259hi7nmhkp9/AAAWyxx5hKOwUOLQjx9GGcTIa?dl=0 While I could reset it that way, I am attempting to simulate a scenario where I have gained access to the router and would like to make changes to the router's configuration. Enable guest network, connect to a transparent proxy, etc. It's more for my own education than anything else. I've included the http-post request with the correct password below. The password is "secret". As you can see, the password is encoded in base64 by the client before it is sent. Maybe there's an option to do that in hydra, but I didn't find one.

    POST /cgi-bin/webproc?getpage=html/page/loginajax.js&var:page=*&timestamp=1455458360087 HTTP/1.1 (application/x-www-form-urlencoded)
    Frame 148: 917 bytes on wire (7336 bits), 917 bytes captured (7336 bits) on interface 0
    Ethernet II, Src: AskeyCom_23:5c:02 (00:21:63:23:5c:02), Dst: BelkinIn_ed:88:98 (94:10:3e:ed:88:98)
    Internet Protocol Version 4, Src: 192.168.2.9 (192.168.2.9), Dst: 192.168.2.1 (192.168.2.1)
    Transmission Control Protocol, Src Port: 54611 (54611), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 851
    Hypertext Transfer Protocol
    HTML Form URL Encoded: application/x-www-form-urlencoded
        Form item: "var:login" = "true"
        Form item: "obj-action" = "auth"
        Form item: ":username" = "admin"
        Form item: ":password" = "c2VjcmV0"
        Form item: ":hostname" = "a2FsaQ=="
        Form item: ":action" = "login"
        Form item: ":ip" = "192.168.2.9"
        Form item: ":sessionid" = "54452c2d"

    This has been very frustrating. I have the keys to the kingdom so to speak, but there is nothing here. Most of the file system is write protected except a few directories.

    I may try the md5 checksum idea manually after I determine which ones are writable. I agree that it is most likely a C binary. I found a file called "My_getenv" in the disassembly from RecStudio. Unfortunately I don't understand what the file does. I see some if/else statements, an infinite while loop with breaks and goto's, but none of it means anything to me. My programming knowledge is heavy on python and ultralight on C. I don't see any references to sql in the file system. I uploaded the binary. It's in the dropbox folder and the file is called "webproc". I have no idea what sort of architecture it has, nor really any idea on how to figure that out. I don't think perl is installed on the system. I didn't see perl in /sbin or /bin, so I think it would have to be a compiled binary (which I don't have the knowledge to do currently). It is the challenge of getting the password. I don't use the router for anything, and Belkin tends to be lacking in terms of security. Other than the unsecured telnet interface, it appears that this router is somewhat secure.
  21. Apologies for the duplicate post. I originally posted this under hacks and mods, but realized that wasn't the right place. I have a Belkin N150 router, which has a few known vulnerabilities. https://www.exploit-...exploits/38840/ Based on the vulnerabilities listed, the best option seems to be the root telnet access. The method works, and a root shell is obtained. I am able to view directories and execute commands. The router itself runs a version of busybox. I understand everything up to this point, but I'm not sure where to go from here. I would like to be able to either obtain the admin page password or be able to reset the password to the default. I am at an utter loss as to how to accomplish this task. The admin web app relies heavily on javascript and a cgi-bin script. I think the cgi-bin script handles all of the authentication through a JSON string. My attempts to recover the password so far have been attempting to decompile the cgi-bin script using recstudio, but I can only get what looks like assembly code, which I can't read. I have also tried using hydra to brute force the password, but I can't seem to get the parameters correct. I don't know if hydra will even work on this web page since the http-get parameters are encoded in base64 and sent directly to the cgi script. I ran the cgi binary through strings, but didn't find anything that jumped out at me. I don't see any shell scripts or commands that could be used to reset the password via telnet. Any help or suggestions are very appreciated. I can provide a copy of the firmware if that is helpful.
  22. I have a Belkin N150 router, which has a few known vulnerabilities. https://www.exploit-db.com/exploits/38840/ Based on the vulnerabilities listed, the best option seems to be the root telnet access. The method works, and a root shell is obtained. I am able to view directories and execute commands. The router itself runs a version of busybox. I understand everything up to this point, but I'm not sure where to go from here. I would like to be able to either obtain the admin page password or be able to reset the password to the default. I am at an utter loss as to how to accomplish this task. The admin web app relies heavily on javascript and a cgi-bin script. I think the cgi-bin script handles all of the authentication through a JSON string. My attempts to recover the password so far have been attempting to decompile the cgi-bin script using recstudio, but I can only get what looks like assembly code, which I can't read. I have also tried using hydra to brute force the password, but I can't seem to get the parameters correct. I don't know if hydra will even work on this web page since the http-get parameters are encoded in base64 and sent directly to the cgi script. I don't see any shell scripts or commands that could be used to reset the password via telnet. Any help or suggestions are very appreciated.