haicen Posted August 3, 2016 Share Posted August 3, 2016 I have a bit of an odd question that I'm hoping someone here can point me in the right direction to figure out. I have been looking at a DVR which I purchased for the express purpose of poking around on. I was able to gain access to it via telnet, and found some interesting things. I found the password hashes for the web portal. The passwords themselves are hashed using an algorithm detected by JTR as "dahua". Outside of the source code for the JTR module located at http://fossies.org/linux/john/src/dahua_fmt_plug.c I cannot find any information about how this algorithm works. I spent several hours using my google-fu, but I haven't found anything yet. Here is what I have so far from reading the source code from above: The password is hashed using MD5, then compressed using the compress method included above. I don't know C well enough to be able to translate the rest of it, but that seems to be 99% of the work. I am getting hashes in the correct format using the code posted below, but they aren't correct. The code from the JTR module expects a 16 character hash, but MD5 returns a 32 character hash. I am quite rusty on C/C++, but I'm having a really hard time understanding the flow of the C program of the JTR module, particularly with pointers, and memory allocations. I know my python file has some errors in it, because it wasn't until I started writing this that I realized it was only checking the first 16 characters of the hash, not the full 32. It doesn't matter because the compressor as written only reduces the length by 2 anyway. dahua_hash.py Quote Link to comment Share on other sites More sharing options...
digininja Posted August 3, 2016 Share Posted August 3, 2016 Ask on the jtr mailing list, you'll probably get the person who wrote the code to help you. http://www.openwall.com/lists/john-users Quote Link to comment Share on other sites More sharing options...
haicen Posted August 3, 2016 Author Share Posted August 3, 2016 Thanks. I did that and got an answer. Quote Link to comment Share on other sites More sharing options...
digininja Posted August 3, 2016 Share Posted August 3, 2016 always better to go direct to the source Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.