haicen Posted May 29, 2016
I picked up a cctv system from newegg for $50. Partly because I wanted to be able to keep an eye on my apartment when I'm away, and partly to play around with. Specifically, it is a Rosewill RSCM-0704B042. The first thing I did was fire up nmap to see what ports were open. I see the following ports open: 23 (telnet), 80 (web), 554 (rtsp), 8000 (web alt), 49152 (unknown). My best guess for port 49152 is that it is for the custom viewing application. I tried to connect to the device via telnet with the usual password combos root/root, root/blank, root/toor, root/password, as well as the default password for the web interface admin/123456. None of these worked, which was surprising. My next step was to take a look at the firmware, so I pulled a copy from http://www.rosewill.com/media/downloadable/drivers/Shieldeye_PC-_CMS.zip to see if there was anything interesting. I unpacked the romfs and found etc/passwd files. There was a standard passwd, and "passwd-". I don't know what significance the "passwd-" has. I have included both hashes below.
"passwd"
root:$1$$64lU4r1qa6icjzK/sBmQo.:0:0::/root:/bin/sh
"passwd-"
root:ab8nBoH3mb8.g:0:0::/root:/bin/sh
The first I immediately sent to jtr, but it has been running for >12 hours. I basically have 2 questions: Will jtr eventually crack the password? My assumption is that it will eventually be cracked. Is there a better tool for cracking the password? I am currently generating a rainbow table for 1-7 character lowercase alpha passwords. It has occurred to me that this probably isn't the correct keyspace to be searching.
digininja Posted May 29, 2016
1. What dictionary/word list/rules are you using? If you've gone for a basic brute force then it probably will be cracked but could take years. 2. What type of rainbow tables are you generating? Whether you've got the correct keyspace depends on what the password is. If it is 8 characters then you haven't; if it is a 6 character lower case alpha then it is. Generally rainbow tables aren't used much any more; good word lists and rules are considered better.
haicen Posted May 29, 2016 (Author)
I am doing a pure brute force attack. I am assuming, since the password wasn't one of the usual defaults, that it wouldn't be generated by a human. I don't have any details about what format the password is in.
digininja Posted May 29, 2016
Just because you couldn't guess it in a couple of goes you assumed it wasn't created by a human? That is one of the daftest things I've heard in a long time. Did you try things like Shieldeye or letmein? And if you don't know the format, what rainbow tables are you generating? The format is crypt md5: https://en.m.wikipedia.org/wiki/Crypt_(C) If you want to try to crack the password then I'd go with word lists and rules (Google them), or you could try to modify the firmware you've got, set a password you know, then upload that. You may have to bypass CRC checks, but that should be possible as you control things. If it is signed, though, it's unlikely you'll get anywhere.
haicen Posted May 29, 2016 (Author)
Never mind. I decided to do a quick google search for the hash, and as it turns out, it has already been cracked. I don't know why I didn't try that first.
digininja Posted May 29, 2016
That was going to be my next suggestion.
haicen Posted May 29, 2016 (Author)
Thanks for the help.
haicen Posted June 3, 2016 (Author)
Just as a followup, I was able to gain access to the device via telnet. Poking around the filesystem, I found a separate passwd file, which is different. This new passwd file contains the information for the web interface and local device login, i.e. the web viewing portal. Here is what I know:
The admin combo is admin:123456.
The passwords are not tied to a specific username. I created a few different user names with the same password. The hashes were constant.
The password cannot be longer than 6 characters; special characters are allowed.
At this stage, I am attempting to determine what method is being used to hash these passwords. I have tried a few variations using 612345, 000000, 123455, etc., but do not see a pattern directly. Format is pw - hash:
123456 - nTBCS19C
5555 - QwZ3AbMB
000000 - qAj0oSP1
111111 - 9kwf1kHJ
222222 - z7a10QFR
612345 - gJJp8X7Q
In the directory above this passwd file, there is a file called encrypt_info, but it only contains the MAC address of the device, a product number, and the following line:
oem 000015
Since the password is limited to 6 characters, this oem value seems of interest. I suspect the values are base64 encoded, but I've tried playing around with a b64 encoder/decoder, and can't find anything that matches.
Captain Posted June 3, 2016
3 hours ago, haicen said: "Just as a followup, I was able to gain access to the device via telnet. Poking around the filesystem, I found a separate passwd file, which is different. [...] I suspect the values are base64 encoded, but I've tried playing around with a b64 encoder/decoder, and can't find anything that matches."
What OS is the device running? Also, can you try pasting the hashed password into the password input? I've seen some really poorly built embedded devices actually accept the hash :eyeroll:
haicen Posted June 3, 2016 (Author)
It's running busybox v1.16.1. Using the hashed password won't work. They aren't hashed or encrypted on the client side. In fact, they are sent in the clear every time the user visits a different page of the interface, as well as being stored as a cookie.
Captain Posted June 3, 2016 Share Posted June 3, 2016 (edited) 4 hours ago, haicen said: Its running busybox v1.16.1 Using the hashed password won't work. They aren't hashed or encrypted on the client side. In fact, they are sent in the clear every time the user visits a different page of the interface as well as being stored as a cookie. Wow . . I feel like I just traveled back to 2001 Edited June 3, 2016 by Captain Quote Link to comment Share on other sites More sharing options...
haicen Posted August 1, 2016 (Author)
I figured out the hashing algorithm used. It is dahua, which is easily cracked by JTR.
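As an added illustration (not code from the thread or from the device vendor), the "dahua" scheme named in the post above can be reproduced in a few lines: the password is MD5-hashed and each adjacent pair of digest bytes is summed modulo 62 and mapped to one of 0-9, A-Z, a-z, giving the 8-character strings seen in the poster's passwd file. The compression rule is the one John the Ripper's dahua format implements; the password/hash pairs in the table are copied from the June 3 post, and the 6-character limit and printable-ASCII alphabet are the poster's observations. The example checks the posted pairs against the scheme and sizes the input space, which is what makes a defender rate these hashes as little better than plaintext: no salt (identical passwords give identical hashes across users, exactly what the poster saw), a fast unkeyed digest, and a hard cap of six characters.

```python
"""Dahua-style 8-character password hash: MD5, then byte pairs folded mod 62.

Added example for the forum thread; the scheme matches JtR's dahua format,
the test vectors are the pairs posted in the thread.
"""
import hashlib

# Password/hash pairs copied from the poster's table (device web-interface passwd).
POSTED_PAIRS = {
    "123456": "nTBCS19C",
    "5555": "QwZ3AbMB",
    "000000": "qAj0oSP1",
    "111111": "9kwf1kHJ",
    "222222": "z7a10QFR",
    "612345": "gJJp8X7Q",
}

PRINTABLE_ASCII = 95   # alphabet size assumed for "special characters are allowed"
MAX_PASSWORD_LEN = 6   # limit observed by the poster


def _fold_pair(a: int, b: int) -> str:
    """Map the sum of two digest bytes, mod 62, onto 0-9, A-Z, a-z."""
    n = (a + b) % 62
    if n < 10:
        return chr(ord("0") + n)
    if n < 36:
        return chr(ord("A") + n - 10)
    return chr(ord("a") + n - 36)


def dahua_hash(password: str) -> str:
    """Return the 8-character digest: MD5(password), adjacent bytes folded.

    No username and no salt enter the computation, so the same password
    yields the same string for every account.
    """
    digest = hashlib.md5(password.encode("latin-1")).digest()
    return "".join(_fold_pair(digest[i], digest[i + 1]) for i in range(0, 16, 2))


def verify_posted_pairs(pairs=None) -> dict:
    """Check each posted password against its posted hash.

    A pair that fails points either at a transcription slip in the posted
    table (0 vs o, 1 vs l) or at a scheme other than this one.
    """
    pairs = POSTED_PAIRS if pairs is None else pairs
    return {pw: dahua_hash(pw) == h for pw, h in pairs.items()}


def keyspace_size(max_len: int = MAX_PASSWORD_LEN,
                  alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


def same_hash_for_every_user(password: str, usernames) -> bool:
    """True when every listed account would store an identical hash for
    this password, i.e. the scheme is unsalted and username-independent."""
    hashes = {dahua_hash(password) for _ in usernames}
    return len(hashes) == 1


if __name__ == "__main__":
    for pw, ok in verify_posted_pairs().items():
        print(f"{pw:>6} -> {dahua_hash(pw)}  {'matches post' if ok else 'MISMATCH'}")
    print(f"candidates up to {MAX_PASSWORD_LEN} printable chars: {keyspace_size():,}")
    print("unsalted across users:", same_hash_for_every_user("123456", ["admin", "user1"]))
```

Running the script prints which posted pairs the scheme reproduces and the size of the six-character printable space (a few hundred billion MD5 calls, which commodity hardware exhausts quickly). The constructive takeaway is the inverse of the check: a device credential store should use a salted, slow password hash with no fixed length cap, and should never ship a hash that can be recomputed from nothing but the password.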
Rainman_34 Posted September 28, 2016
I would be interested in hearing what else you found, and were you eventually able to hack into the cameras and get a video feed on your computer without using your dvr box?
haicen Posted January 24, 2017 (Author)
There wasn't a huge amount of stuff available. The most concerning thing I found was an undocumented user with a visible password. I wrote a small write up at https://haicen.blogspot.com/2016/08/security-dvr-hacking.html. I have been super busy with life stuff, and haven't really had time to do much. I have a few ideas. I suspect there might be something going on with one of the open ports. I tried looking at it with wireshark and netcat, but didn't see anything happening. I might look at it some more soon. I couldn't get video to work at all in any browsers that aren't IE due to the reliance on ActiveX.