haicen

Posts posted by haicen

  1. There wasn't a huge amount of stuff available. The most concerning thing I found was an undocumented user with a visible password. I wrote a small write up at https://haicen.blogspot.com/2016/08/security-dvr-hacking.html. I have been super busy with life stuff, and haven't really had time to do much. I have a few ideas. I suspect there might be something going on with one of the open ports. I tried looking at it with wireshark and netcat, but didn't see anything happening. I might look at it some more soon.

     

    I couldn't get video to work at all in any browsers that aren't IE due to the reliance on ActiveX.

  2. I have created a python script to generate dahua hashes. These hashes are frequently found in security camera DVR units. It is an MD5 hash that is compressed into 8 characters. The code is available at https://github.com/haicen/DahuaHashCreator

     

    I did this as more of a learning exercise, but other people may find it useful. These hashes are easily cracked using John the Ripper, as long as the hash is in the right format. For the DVR I had, the passwords could be a max of 6 characters long, so a warning will be generated if a password is specified that is longer than 6 characters, but it will output the hash anyway.

  3. I have a bit of an odd question that I'm hoping someone here can point me in the right direction to figure out. I have been looking at a DVR which I purchased for the express purpose of poking around on. I was able to gain access to it via telnet, and found some interesting things. I found the password hashes for the web portal. The passwords themselves are hashed using an algorithm detected by JTR as "dahua". Outside of the source code for the JTR module located at http://fossies.org/linux/john/src/dahua_fmt_plug.c I cannot find any information about how this algorithm works. I spent several hours using my google-fu, but I haven't found anything yet.

     

    Here is what I have so far from reading the source code from above:

    The password is hashed using MD5, then compressed using the compress method included above. I don't know C well enough to be able to translate the rest of it, but that seems to be 99% of the work. I am getting hashes in the correct format using the code posted below, but they aren't correct. The code from the JTR module expects a 16 character hash, but MD5 returns a 32 character hash. I am quite rusty on C/C++, but I'm having a really hard time understanding the flow of the C program of the JTR module, particularly with pointers, and memory allocations. I know my python file has some errors in it, because it wasn't until I started writing this that I realized it was only checking the first 16 characters of the hash, not the full 32. It doesn't matter because the compressor as written only reduces the length by 2 anyway. 

    dahua_hash.py

  4. It's running BusyBox v1.16.1

     

    Using the hashed password won't work. They aren't hashed or encrypted on the client side. In fact, they are sent in the clear every time the user visits a different page of the interface as well as being stored as a cookie.

  5. Just as a followup, I was able to gain access to the device via telnet. Poking around the filesystem, I found a separate passwd file, which is different. This new passwd file contains the information for the web interface and local device login, i.e. the web viewing portal.

     

    Here is what I know:

    • The admin combo is admin:123456.
    • The passwords are not tied to a specific username. I created a few different user names with the same password. The hashes were constant.
    • The password cannot be longer than 6 characters, special characters are allowed

    At this stage, I am attempting to determine what method is being used to hash these passwords. I have tried a few variations using 612345, 000000, 123455, etc, but do not see a pattern directly. 

    format is pw - hash

    123456 - nTBCS19C
      5555 - QwZ3AbMB
    000000 - qAj0oSP1
    111111 - 9kwf1kHJ
    222222 - z7a10QFR
    612345 - gJJp8X7Q

    In the directory above this passwd file, there is a file called encrypt_info, but it only contains the MAC address of the device, a product number, and the following line:

    oem 000015

    Since the password is limited to 6 characters, this oem value seems of interest. I suspect the values are base64 encoded, but I've tried playing around with a b64 encoder/decoder, and can't find anything that matches.
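For the three Dahua posts above (the hash-generator script, the request for how the algorithm works, and the password/hash table): the folding step, as an added example that is not the poster's DahuaHashCreator script. It is transcribed from the compressor in John the Ripper's dahua_fmt_plug.c: the 16 raw MD5 digest bytes are taken in pairs, each pair is summed mod 62 and mapped onto 0-9, A-Z, a-z, which is why the C code works on 16 bytes while a hex digest is 32 characters. The three password/hash pairs used as checks are copied from the table in the post; the `$dahua$` input line format is John's; the crack() helper is mine.

```python
"""Dahua DVR web-portal password hash: MD5 of the password folded to 8 chars.

Added example (not the thread's script).  Folding step transcribed from the
compressor in John the Ripper's dahua_fmt_plug.c.
"""
import hashlib
import warnings
from typing import Iterable, Optional

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAX_LEN = 6  # limit the poster observed on their DVR; the algorithm itself does not care


def dahua_hash(password: str) -> str:
    """Return the 8-character Dahua hash of `password`."""
    if len(password) > MAX_LEN:
        warnings.warn(f"password longer than {MAX_LEN} characters; the DVR may reject it")
    # Work on the 16 raw digest bytes, not on the 32-character hex string.
    digest = hashlib.md5(password.encode()).digest()
    # Pair bytes 0+1, 2+3, ... 14+15; sum mod 62; map to 0-9 / A-Z / a-z.
    return "".join(ALPHABET[(digest[i] + digest[i + 1]) % 62] for i in range(0, 16, 2))


def jtr_line(username: str, password_hash: str) -> str:
    """One input line in the format John's "dahua" format expects."""
    return f"{username}:$dahua${password_hash}"


def crack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack; with a 6-character maximum the keyspace is small."""
    for candidate in candidates:
        if dahua_hash(candidate) == target:
            return candidate
    return None


# Constructed check data: password/hash pairs copied from the table in the post.
KNOWN = {"123456": "nTBCS19C", "000000": "qAj0oSP1", "111111": "9kwf1kHJ"}


def verify_known() -> bool:
    """True when the implementation reproduces every pair from the post."""
    return all(dahua_hash(pw) == h for pw, h in KNOWN.items())


if __name__ == "__main__":
    for pw, h in KNOWN.items():
        print(pw, dahua_hash(pw), "ok" if dahua_hash(pw) == h else "MISMATCH")
    print(jtr_line("admin", dahua_hash("123456")))
    print("recovered:", crack("nTBCS19C", ["password", "admin", "123456"]))
```

Because the same password gives the same hash for every user (no salt, no username in the input), one hash computation checks the candidate against every account on the box at once, and a hash seen on one DVR is the same on every other unit.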

     

  6. I picked up a cctv system from newegg for $50. Partly because I wanted to be able to keep an eye on my apartment when I'm away, and partly to play around with. Specifically, it is a Rosewill RSCM-0704B042. 

     

    The first thing I did was fire up nmap to see what ports were open. I see the following ports open: 23 (telnet), 80 (web), 554 (rtsp), 8000 (web alt), 49152 (unknown). My best guess for port 49152 is that it is for the custom viewing application. I tried to connect to the device via telnet with the usual password combos root/root, root/blank, root/toor, root/password, as well as the default password for the web interface admin/123456. None of these worked, which was surprising.

     

    My next step was to take a look at the firmware, so I pulled a copy from http://www.rosewill.com/media/downloadable/drivers/Shieldeye_PC-_CMS.zip to see if there was anything interesting. I unpacked the romfs and found etc/passwd files. There was a standard passwd, and "passwd-". I don't know what significance the "passwd-" has. I have included both hashes below.

    "passwd"    root:$1$$64lU4r1qa6icjzK/sBmQo.:0:0::/root:/bin/sh
    "passwd-"   root:ab8nBoH3mb8.g:0:0::/root:/bin/sh

    The first I immediately sent to jtr, but it has been running for >12 hours. I basically have 2 questions:

    1. Will jtr eventually crack the password? My assumption is that it will eventually be cracked.
    2. Is there a better tool for cracking the password? I am currently generating a rainbow table for 1-7 character lowercase alpha passwords. It has occurred to me that this probably isn't the correct keyspace to be searching.
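As an added example (not the poster's work): the two password fields above classified by shape, and the `$1$` one recomputed in pure Python. `$1$` is md5crypt: 1000 chained MD5 rounds per candidate with the salt and password mixed in on a fixed schedule. Here the salt is empty, since nothing sits between the second and third `$`, and the 13-character entry in `passwd-` is traditional DES crypt with salt `ab`. Because the `$1$` construction is not plain MD5, a rainbow table built for MD5 cannot be used against it, and each candidate costs 1000 MD5 calls, which is what the long John run is spending its time on. The firmware password is unknown, so the correctness check uses the md5crypt test vector from the PHP crypt() manual page; the keyspace helper puts the 1-7 lowercase table size in numbers.

```python
"""Identify crypt(3) hash styles and compute md5crypt ($1$) in pure Python.

Added example, not from the thread.  md5crypt follows Poul-Henning Kamp's
reference crypt-md5.c step for step.
"""
import hashlib
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def identify(field: str) -> str:
    """Classify the password field of a passwd/shadow line by its shape."""
    if field.startswith("$1$"):
        return "md5crypt"
    if len(field) == 13 and "$" not in field:
        return "descrypt"  # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def _to64(value: int, n: int) -> str:
    """crypt's base-64 variant: emit n characters, low 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    pw = password.encode()
    salt = salt[:8]  # at most 8 salt characters are used
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # the historical "bug": a zero byte or pw[0] per bit of the length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # the stretching loop John has to repeat per candidate
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return f"$1${salt}${enc}"


def check(hash_field: str, candidates: Iterable[str]) -> Optional[str]:
    """Try candidates against a "$1$<salt>$<hash>" field; salt may be empty ("$1$$...")."""
    _, _, salt, _ = hash_field.split("$", 3)
    for candidate in candidates:
        if md5crypt(candidate, salt) == hash_field:
            return candidate
    return None


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates of lengths min_len..max_len, e.g. 1-7 lowercase letters."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


if __name__ == "__main__":
    # The two fields from the firmware's passwd and passwd- files.
    for field in ("$1$$64lU4r1qa6icjzK/sBmQo.", "ab8nBoH3mb8.g"):
        print(field, "->", identify(field))
    print(md5crypt("rasmuslerdorf", "rasmusle"))  # PHP manual vector
    print("1-7 lowercase letters:", keyspace(26, 1, 7), "candidates")
    print(check("$1$$64lU4r1qa6icjzK/sBmQo.", ["root", "toor", "password"]))
```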

     

  7. You don't need a 5th quote because it is included in the underlying php code that handles the query.

    From the DVWA code,

    $id = $_REQUEST[ 'id' ];

    // Check database
    $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

    In this case, $id is equal to whatever you put into the text box. So if you take your example a' OR '1'='1 the query will look like this:

    $query = "SELECT first_name, last_name FROM users WHERE user_id = 'a' OR '1'='1';";

    As you can see, when your SQLi statement is given in the textbox, the quotes will be balanced. If you added another quote, the line would be like this:

    $query = "SELECT first_name, last_name FROM users WHERE user_id = 'a' OR '1'='1'';";

    This won't work because there is an odd number of single quotes, and will cause the php code to have an error.

    Another thing to note is that -- is the default comment operator for SQL. This will cause whatever happens after the -- to not be evaluated by SQL. For example, if your target is a username/password combo, you may only need to try injecting the username field. Your test string would be

    a' OR 1=1 --

    This interrupts the rest of the query string. Unless there is something else going on in PHP, this is what the SQL statement looks like:

    SELECT <whatever> from <database> WHERE 'a' OR 1=1

    Also, note that you don't have to use '1'='1 in the previous examples either. Your test string could be:

    a' OR 1=1 OR '

    The SQL statement will be:

    SELECT <whatever> from <database> WHERE 'a' OR 1=1 OR '' <rest of query>

    The end result is the same. I prefer to use as few quotes as possible to reduce confusion on my end.

    Hope this helps.
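The query construction from the reply above, run against an in-memory SQLite table so the quote-balancing cases can be tried side by side with a parameterized query. This is an added example; the table and rows are constructed here and are not DVWA's data. One caveat for the `--` variant: SQLite, used here, treats `--` as a comment unconditionally, while MySQL, which DVWA runs on, only treats `--` as a comment when a space follows it, so send `-- ` with a trailing space there.

```python
"""DVWA-style query building on SQLite: vulnerable concatenation beside the fix.

Added example; the users table is constructed here, not DVWA's.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return db


def build_query(user_input: str) -> str:
    """Same shape as the DVWA line: the request value lands inside a quoted literal."""
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}';"


def vulnerable_lookup(db: sqlite3.Connection, user_input: str):
    """Rows matched by the concatenated query, or the parser error when quotes do not balance."""
    try:
        return db.execute(build_query(user_input)).fetchall()
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


def safe_lookup(db: sqlite3.Connection, user_input: str):
    """Parameterized: the input is bound as a value and cannot change the query's shape."""
    return db.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payloads = [
        "1",                 # normal use
        "a' OR '1'='1",      # balanced quotes: every row comes back
        "a' OR '1'='1'",     # one quote too many: odd quote count, parse error
        "a' OR 1=1 --",      # comment swallows the closing quote and semicolon
        "a' OR 1=1 OR '",    # no '1'='1' needed; trailing quote pairs with the query's own
    ]
    for payload in payloads:
        print(repr(payload))
        print("  query:", build_query(payload))
        print("  vuln :", vulnerable_lookup(db, payload))
        print("  safe :", safe_lookup(db, payload))
```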

  8. I haven't quite given up yet. I have been comparing the contents of the folders before and after changing the password. The process I have been using is:

    1. tar the directory, output it to a writeable directory, i.e. tar -c -f /var/etc1.tar etc
    2. change the password
    3. tar the directory again, i.e. tar -c -f /var/etc2.tar etc
    4. calculate md5 sum for both hashes

    Strangely, the two directories I expected to change /etc/ and /usr/www have not been modified. Can a minor change like a password be insignificant after being compressed to a tar file?

    Another interesting inconsistency is that the "WPS" default pin isn't really the default pin. The config.xml says it is 12345670, but it is something completely different. I don't even know how that could happen unless the developers never configured that option.

  9. No, I have access to everything as root. I'm 99% sure that the tw user was actually commented out in the passwd and shadow files. I believe them to be correct since I am able to log in as root. Modifying the firmware wasn't exactly the direction I wanted to go with since that is not a practical method for gaining admin access to the router. I was hoping it would uncover clues as to where the password was stored. I assume the admin password cannot be stored inside the webproc file itself. Reverse engineering is cool, but it just isn't part of my toolbox.

  10. I still don't understand writing to the binary. I installed bless, but it looks nothing like the disassembled output, and the addresses are different. I'm trying to understand this part:

    Alf@UNKNOWN:~/Downloads/PenTest$ cp webproc webproc-mypatch1
    Alf@UNKNOWN:~/Downloads/PenTest$ radare2 -e -b 32 -a mips webproc-mypatch1
    Warning: read (strtab) at 0x20
    Warning: Cannot initialize strings table
    [0x00401b70]> oo+
    File webproc-mypatch1 reopened in read-write mode
    [0x00401b70]> s 0x401fcc
    [0x00401fcc]> pd 1
            ,=< 0x00401fcc    10400026     beqz v0, 0x00402068
    [0x00401fcc]> wx 14400026
    [0x00401fcc]> pd 1
            ,=< 0x00401fcc    14400026     bnez v0, 0x00402068
    [0x00401fcc]> wx 10
    [0x00401fcc]> pd 1
            ,=< 0x00401fcc    10400026     beqz v0, 0x00402068
    [0x00401fcc]> wx 14
    [0x00401fcc]> pd 1
            ,=< 0x00401fcc    14400026     bnez v0, 0x00402068
    [0x00401fcc]> exit

    I understand that wx 14400026 writes 14400026 to address 0x00401fcc. What does wx 14 do? It doesn't write 14 to 0x00401fcc, so I'm not understanding what that operation does. I've worked with asm instructions before, but it was on a terrible Spartan FPGA, and was much simpler. Never disassembled anything.

    The hashes have nothing to do with the admin console unfortunately. They are static across password changes. What I know about the hash itself is that it is MD5, salted with "TW". I can't get johnny to crack them. The only output I get is "Loaded 1 hash" followed by "No password hashes left to crack". I don't know if I've put the file in the wrong format or what. It is still a work in progress.
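The branch at 0x401fcc from the radare2 session above, decoded and patched in Python as an added example (not from the thread). It answers the `wx 14` question mechanically: radare2's `wx` writes the given hex bytes at the current seek, so `wx 14` overwrites only the first byte of the instruction. In a big-endian MIPS binary the 6-bit opcode occupies the top bits of that first byte; BEQ is opcode 4 (first byte 0x10) and BNE is opcode 5 (first byte 0x14), so the one-byte write and the four-byte write change exactly the same bit. On a little-endian MIPS build the opcode would sit in the last byte of the word and `wx 14` at the same address would corrupt the branch offset instead. The four code bytes are constructed from the disassembly shown (10 40 00 26).

```python
"""Decode and flip a MIPS beq/bne (I-type) instruction in a big-endian image.

Added example, not from the thread.  Constructed input: the single word
10 40 00 26 at 0x401fcc, as radare2 printed it.
"""
import struct

REGS = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "t0", "t1", "t2", "t3", "t4", "t5", "t6", "t7",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]
BRANCH_OPCODES = {4: "beq", 5: "bne"}


def decode_branch(word: int, pc: int):
    """Return (mnemonic, rs, rt, target) for a beq/bne word located at pc."""
    # I-type layout: opcode[31:26] rs[25:21] rt[20:16] offset[15:0]
    op = word >> 26
    if op not in BRANCH_OPCODES:
        raise ValueError(f"opcode {op} is not beq/bne")
    rs = (word >> 21) & 0x1F
    rt = (word >> 16) & 0x1F
    off = word & 0xFFFF
    if off & 0x8000:
        off -= 0x10000                 # 16-bit signed offset, in words
    target = pc + 4 + (off << 2)       # relative to the delay-slot address
    mnemonic = BRANCH_OPCODES[op] + ("z" if rt == 0 else "")   # beq rs, zero -> beqz
    return mnemonic, REGS[rs], REGS[rt], target


def flip_branch(image: bytearray, off: int) -> bytes:
    """Toggle beq <-> bne in place by flipping bit 26 (opcode 4 <-> 5)."""
    word, = struct.unpack_from(">I", image, off)
    if word >> 26 not in BRANCH_OPCODES:
        raise ValueError("not a beq/bne at this offset")
    struct.pack_into(">I", image, off, word ^ (1 << 26))
    return bytes(image[off:off + 4])


def changed_byte_offsets(old: bytes, new: bytes):
    """Which bytes a patch actually touched; this is what a 'wx 14' would need to write."""
    return [i for i, (a, b) in enumerate(zip(old, new)) if a != b]


def demo() -> bytes:
    vaddr = 0x401fcc
    image = bytearray.fromhex("10400026")      # constructed: the one instruction at 0x401fcc
    before = bytes(image)
    print(hex(vaddr), before.hex(), decode_branch(struct.unpack(">I", before)[0], vaddr))
    after = flip_branch(image, 0)
    print(hex(vaddr), after.hex(), decode_branch(struct.unpack(">I", after)[0], vaddr))
    print("byte offsets changed:", changed_byte_offsets(before, after))   # [0]: 0x10 -> 0x14
    return after


if __name__ == "__main__":
    demo()
```

Keep the original binary before writing anything back to the device; the patch inverts the check so that the path the author wanted now runs when the comparison fails, and a wrong byte anywhere else in the word changes the registers or the branch target instead.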

  11. I got the code to open in radare2, I'm at a loss as to how I would go about editing the binary myself. Could you explain how that process works?

    I tried running rasm2 -f webproc -b 32 -a mips -D

    No errors occur, but nothing happens, it just returns to the next console line.

    Back to the hashes mentioned: I plugged the router back in so I could check out the hashes again. I used johnny and set to work on cracking the hashes (which took all of 2 seconds). My hashes are different than the ones included in the device firmware. I wasn't able to crack the admin password on the manufacturer release, but I don't know why that one failed to crack. Maybe it is a slightly later version of the firmware and that got changed. I'll have to do some more investigating there. The user level account password was "user" so I find it unlikely that they would have changed one password but not the other. Or something may alter that once the firmware upgrade is applied.

  12. Wow. That was quite a read. I don't think I understand half of it, but I will have to re-read another day.

    As for the passphrase and hashes, the firmware I uploaded was not the actual firmware loaded on the device but was a fresh copy from the manufacturer. So that may in fact be the default password, but I think it is just a test value since the as-shipped version came up without a password and after a system reset reverts to an open network.

    On to the hashes: my memory is a bit fuzzy since I last looked at those a few days ago, but I was able to decrypt them. Unfortunately they weren't the correct ones. I also found those hashes lurking in the device's /etc/shadow file. I also remember them not changing after I modified the admin panel password. Also, the user those hashes are associated with is "tw" and is commented out in /etc/passwd. My knowledge of how linux handles password hashing is fairly limited, but as I understand it, tw is the salt for these particular hashes. Again, there may also be some discrepancies since we aren't physically looking at the exact same binary since mine is on the device and the one I uploaded was from the manufacturer. If I have time tomorrow to poke around in the firmware some more, I will attempt to confirm the hash issue.

    I kinda have a handle on what is going on here, and I will definitely be trying to reproduce what you've done. I will let you know if I get it to work. Honestly I am blown away that you were able to figure all that out.

    Please accept this I.O.U redeemable for one (1) alcoholic beverage of your choice on the off chance we should ever meet.

  13. I like python. It is easy to learn, especially for a beginner. With that said, a lot of the websites claiming to teach programming don't teach you how to think logically about things, which is really the whole point. C, C++, and Java are great languages to learn, but I find python to be easy to read and the syntax is pretty easy to follow. Makes things much easier to read through and debug. I have used codeacademy, but I found it to be more like cookbook learning. Then again, I started with C++ and have kinda been going in reverse order.

  14. On another note I figured out what the architecture is :smile:

    Alf@UNKNOWN:~/Downloads/PenTest$ readelf -a -W webproc
    ELF Header:
      Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
      Class:                             ELF32
      Data:                              2's complement, big endian
      Version:                           1 (current)
      OS/ABI:                            UNIX - System V
      ABI Version:                       0
      Type:                              EXEC (Executable file)
      Machine:                           MIPS R3000
      Version:                           0x1
      Entry point address:               0x401b70
      Start of program headers:          52 (bytes into file)
      Start of section headers:          0 (bytes into file)
      Flags:                             0x1007, noreorder, pic, cpic, o32, mips1
      Size of this header:               52 (bytes)
      Size of program headers:           32 (bytes)
      Number of program headers:         7
      Size of section headers:           0 (bytes)
      Number of section headers:         0
      Section header string table index: 0

    A MIPS R3000 big endian and an ELF32 binary! MIPS I haven't reverse engineered before, but this should be fun! Of course it wasn't going to be x86 or ARM but I now at least know how I need to look at it as! I also determined that your disassembled output was just of one function not the whole executable and it looks more like it tried to decompile it rather than disassemble so it's more like pseudo code. I'm at least looking at the actual MIPS code now!

    What tool did you use to look at the code? Is it the same readelf command? I'd be interested to see what it looks like.
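The ELF header fields readelf printed above, read directly from the first bytes of a binary, as an added example that is not from the thread. The 52-byte header is constructed here to match the readelf output (ELF32, big-endian, MIPS, EXEC, entry 0x401b70, 7 program headers, no section headers); pass a real file as the first argument to read its header instead. The zero section-header count is the part worth noticing for the rest of the thread: a binary with no section headers is fully stripped of section names and string tables, which is consistent with radare2's "Cannot initialize strings table" warning when the file was opened.

```python
"""Parse the ELF identification and header, the way readelf -h does.

Added example, not from the thread.  sample_header() is constructed to
reproduce the readelf output shown above.
"""
import struct
import sys

E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}


def parse_elf_header(data: bytes) -> dict:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = ELF32/ELF64, 1/2 = LSB/MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    order = "<" if ei_data == 1 else ">"
    # Only e_entry/e_phoff/e_shoff widen from 32 to 64 bits in ELF64.
    fmt = order + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, e_flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    return {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry,
        "phoff": e_phoff,
        "phnum": e_phnum,
        "shoff": e_shoff,
        "shnum": e_shnum,
        "flags": e_flags,
        "stripped_sections": e_shnum == 0,   # no section headers: no symbol or string tables
    }


def sample_header() -> bytes:
    """Constructed 52-byte header matching the readelf output in the thread."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + bytes(8)   # ELF32, big-endian, version 1, SysV
    rest = struct.pack(">HHIIIIIHHHHHH",
                       2, 8, 1, 0x401b70, 52, 0, 0x1007, 52, 32, 7, 0, 0, 0)
    return ident + rest


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(64)
    else:
        data = sample_header()
    for key, value in parse_elf_header(data).items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:>18}: {shown}")
```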

  15. I have uploaded the wireshark packet capture to the same dropbox folder as router.pcapng. https://www.dropbox.com/s/kcq65ita76a7oo8/RequestPassword.txt?dl=0

    Frame 138 is sending a wrong password. Number 146 is what I assume to be the response, which is 200-ok.

    Frame 189 is the correct password.

    I have wordlists, that's not an issue. I don't need to brute force telnet either. I already have access to that since it is by default set to root:root. The problem is that I don't understand what I can do now that I have that access to be able to determine the password.

  16. Since I'm a new user, I can only make one more post until later today, so I will have to lump everything in this reply.

    Here is a link to my dropbox folder with the cgi binary, embedded file system (not exact copy, but same version from mfg), and some output and http requests. https://www.dropbox.com/sh/lso259hi7nmhkp9/AAAWyxx5hKOwUOLQjx9GGcTIa?dl=0

    press the little red reset button on the machine...

    As for a brute force. Start up wireshark and attempt a login, copy the POST request and paste here... you can also record the same login attempt for telnet...root:root

    there is a lot more to a brute force than just starting up hydra...

    Those exploits don't seem useful in your situation

    While I could reset it that way, I am attempting to simulate a scenario where I have gained access to the router and would like to make changes to the router's configuration. Enable guest network, connect to a transparent proxy, etc. It's more for my own education than anything else.

    I've included the http-post request with the correct password below. The password is "secret". As you can see, the password is encoded in base64 by the client before it is sent. Maybe there's an option to do that in hydra, but I didn't find one.

    POST /cgi-bin/webproc?getpage=html/page/loginajax.js&var:page=*&timestamp=1455458360087 HTTP/1.1 (application/x-www-form-urlencoded)

    Frame 148: 917 bytes on wire (7336 bits), 917 bytes captured (7336 bits) on interface 0
    Ethernet II, Src: AskeyCom_23:5c:02 (00:21:63:23:5c:02), Dst: BelkinIn_ed:88:98 (94:10:3e:ed:88:98)
    Internet Protocol Version 4, Src: 192.168.2.9 (192.168.2.9), Dst: 192.168.2.1 (192.168.2.1)
    Transmission Control Protocol, Src Port: 54611 (54611), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 851
    Hypertext Transfer Protocol
    HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "var:login" = "true"
    Form item: "obj-action" = "auth"
    Form item: ":username" = "admin"
    Form item: ":password" = "c2VjcmV0"
    Form item: ":hostname" = "a2FsaQ=="
    Form item: ":action" = "login"
    Form item: ":ip" = "192.168.2.9"
    Form item: ":sessionid" = "54452c2d"

    Pretty amazing yea haicen? I mean you have root access, but yet you still feel somewhat powerless in terms of resetting or grabbing the password for the administration web interface! l8igmac will help you with what he said, and I'll see about reverse engineering that C cgi-bin binary. That is if it is a cgi-bin binary written in C. cgi-bin's can also be scripts like in perl (.pl files) but in this case it does appear to be a C binary instead as you've mentioned.

    You're going to have to figure out how the password is being stored and retrieved to check against. Could it be stored in an sql database for example and the binary grabs it from there or maybe a hashed version of the password. So are there actual web page files or does the router itself actually just return html back from requests it gets?

    You say it does an http POST/GET (you didn't clarify but I assume it's a POST) with the password passed to a cgi-bin C binary. In a C compiled version of a cgi-bin there are two ways that it uses to get the POST or GET data. In a GET request received a "getenv("QUERY_STRING");" (function of stdlib) retrieves the passed string and in the case of a POST request received, getenv("CONTENT_LENGTH"); retrieves the length of the posted data, and stdin (standard input) will get the posted data!

    So in either case looking for the function "getenv" being called in the disassembled code is a good starting point of seeing where it's initially taking the posted data and following what it does with it. (since it has to base64 decode the input and then most likely hash the passed in password and get the stored hashed admin password to compare it to). If and since it does seem to be an older router it might have the password stored in plaintext even.

    It may even be possible to make the admin control panel accept any password at all by patching only 1 single byte of the binary, but that might be a little dangerous to play with, but as long as you back up the original binary you should always still be able to telnet back over the original and everything will be back to normal.

    You said you can upload the firmware if that's helpful sure that indeed might be, but I'd be more interested in the cgi-bin binary and having a look at that if you would upload that. (since I have an idea of where to start looking) :smile:

    EDIT: Also I just thought of another way you should be able to determine where the password for the admin cp is being stored. -> Do a CRC or MD5 of every file you have access to (since you're root pretty much everything) then quickly change or reset the password (just changing it is probably better unless you start with a reset and only password changed device, since resetting is also going to change other things back to default) then CRC or MD5 everything again and check for which files have changed and what is still the same. Probably less will be going on if it isn't connected to the internet and routing packets as well so that would probably be the better time to try this. You'll get some files that happened to change but you should also be able to determine which file contains the password!

    What kind of architecture is the router? x86 or ARM or etc? I did a brief search but couldn't determine what your router's architecture actually is. For the above mentioned you'll need either a bash script or perl script or compiled binary for that architecture with a way to CRC or MD5 complete files of all files in "/" and enough space to hold those CRC's temporarily to compare against the new CRCs once the password has been changed.

    It shouldn't take up much space for that, but I know routers like yours can be very limited in memory and available space and might already be packed pretty tightly. In which case it would benefit to not store the hashes on the router but send them over the telnet connection or another port to be stored and compared against on your end (basically like a DIFF)

    This has been very frustrating. I have the keys to the kingdom so to speak, but there is nothing here. Most of the file system is write protected except a few directories. I may try the md5 checksum idea manually after I determine which ones are writable.

    I agree that it is most likely a C binary. I found a file called "My_getenv" in the disassembly from RecStudio. Unfortunately I don't understand what the file does. I see some if/else statements, an infinite while loop with breaks and goto's, but none of it means anything to me. My programming knowledge is heavy on python and ultralight on C. I don't see any references to sql in the file system. I uploaded the binary. It's in the dropbox folder and the file is called "webproc"

    I have no idea what sort of architecture it has, nor really any idea on how to figure that out. I don't think perl is installed on the system. I didn't see perl in /sbin or /bin, so I think it would have to be a compiled binary (which I don't have the knowledge to do currently).

    Is it just the challenge of getting the password for you or are you trying to do something else once you have it?

    It is the challenge of getting the password. I don't use the router for anything, and Belkin tends to be lacking in terms of security. Other than the unsecured telnet interface, it appears that this router is somewhat secure.
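A per-file hash snapshot and diff, as an added example that serves both the tar-then-md5 procedure in the earlier post and the "CRC or MD5 every file" suggestion quoted above; it is not from the thread. Two tars of the same directory that hash identically mean nothing under that directory changed (tar records file content and metadata such as mtime), so the setting is kept somewhere else; hashing every file separately over all writable paths, rather than a whole archive, names the file that moved. The temporary directory and its contents are constructed for the demo. On the router itself the BusyBox equivalent is `find / -type f -exec md5sum {} \; > /var/before.md5` (if md5sum is compiled in), the same again to `/var/after.md5` after the password change, then `diff` the two lists; write the lists outside the tree you are comparing.

```python
"""Per-file hash snapshot of a directory tree and a diff of two snapshots.

Added example, not from the thread.  demo() builds a small constructed tree
in a temporary directory, changes one file, and reports what moved.
"""
import hashlib
import os
import tempfile

SKIP_PREFIXES = ("/proc", "/sys", "/dev")   # pseudo-filesystems change constantly


def snapshot(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []          # do not descend into /proc, /sys, /dev
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.sha256()
            try:
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
            except OSError:
                continue              # unreadable or vanished mid-walk
            result[os.path.relpath(path, root)] = h.hexdigest()
    return result


def diff(before: dict, after: dict) -> dict:
    """Paths added, removed and content-changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed tree: a config file and a passwd file; only the config changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        cfg = os.path.join(root, "etc", "config.xml")
        with open(cfg, "w") as f:
            f.write("<admin><password>old</password></admin>\n")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        before = snapshot(root)
        with open(cfg, "w") as f:                      # the "change the password" step
            f.write("<admin><password>new</password></admin>\n")
        after = snapshot(root)
        return diff(before, after)


if __name__ == "__main__":
    print(demo())   # expected: only etc/config.xml in "changed"
```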

  17. Apologies for the duplicate post. I originally posted this under hacks and mods, but realized that wasn't the right place.

    I have a Belkin N150 router, which has a few known vulnerabilities. https://www.exploit-...exploits/38840/

    Based on the vulnerabilities listed, the best option seems to be the root telnet access. The method works, and a root shell is obtained. I am able to view directories and execute commands. The router itself runs a version of busybox. I understand everything up to this point, but I'm not sure where to go from here. I would like to be able to either obtain the admin page password or be able to reset the password to the default. I am at an utter loss as to how to accomplish this task. The admin web app relies heavily on javascript and a cgi-bin script. I think the cgi-bin script handles all of the authentication through a JSON string.

    My attempts to recover the password so far have been attempting to decompile the cgi-bin script using recstudio, but i can only get what looks like assembly code, which i can't read. I have also tried using hydra to brute force the password, but I can't seem to get the parameters correct. I don't know if hydra will even work on this web page since the http-get parameters are encoded in base64 and sent directly to the cgi script. I ran the cgi binary through strings, but didn't find anything that jumped out at me.

    I don't see any shell scripts or commands that could be used to reset the password via telnet.

    Any help or suggestions are very appreciated.

    I can provide a copy of the firmware if that is helpful.

  18. I have a Belkin N150 router, which has a few known vulnerabilities. https://www.exploit-db.com/exploits/38840/

    Based on the vulnerabilities listed, the best option seems to be the root telnet access. The method works, and a root shell is obtained. I am able to view directories and execute commands. The router itself runs a version of busybox. I understand everything up to this point, but I'm not sure where to go from here. I would like to be able to either obtain the admin page password or be able to reset the password to the default. I am at an utter loss as to how to accomplish this task. The admin web app relies heavily on javascript and a cgi-bin script. I think the cgi-bin script handles all of the authentication through a JSON string.

    My attempts to recover the password so far have been attempting to decompile the cgi-bin script using recstudio, but i can only get what looks like assembly code, which i can't read. I have also tried using hydra to brute force the password, but I can't seem to get the parameters correct. I don't know if hydra will even work on this web page since the http-get parameters are encoded in base64 and sent directly to the cgi script.

    I don't see any shell scripts or commands that could be used to reset the password via telnet.

    Any help or suggestions are very appreciated.
