rlbug Posted October 5, 2017 Share Posted October 5, 2017 (edited) hello Is it possible to get "admin" password of a dvr like "evil twin" used in wifi password ? just a idea. Any suggestions, thanks Edited October 5, 2017 by rlbug Quote Link to comment Share on other sites More sharing options...
0phoi5 Posted October 5, 2017 Share Posted October 5, 2017 DVR? Digital Video Recorder? I have no idea what you mean by getting the admin password for a DVR. DVRs generally don't give out any kind of wireless signal DVRs don't really have an 'admin' password. Unless you mean something else? Quote Link to comment Share on other sites More sharing options...
rlbug Posted October 5, 2017 Author Share Posted October 5, 2017 (edited) 55 minutes ago, haze1434 said: DVR? Digital Video Recorder? have no idea what you mean by getting the admin password for a DVR. DVRs generally don't give out any kind of wireless signal DVRs don't really have an 'admin' password. Unless you mean something else? yeah, Dahua DVR (video surveillance ) which is connected to a router so it has a static LAN ip address consider 192.168.1.100 and i'm trying to kick out the dvr device from the lan and make my linux box is has 192.168.1.100 to fetch the login the details of the Dahua dvr. any suggestion ? below is a default login details of dahua dvr Edited October 5, 2017 by rlbug Quote Link to comment Share on other sites More sharing options...
barry99705 Posted October 5, 2017 Share Posted October 5, 2017 Usually it's the dvr that connects to the cameras. At least the three systems I work with do it that way. You might be able to put a network tap in between and wireshark the creds, but most of the newer cameras connect over https. Quote Link to comment Share on other sites More sharing options...
digip Posted October 6, 2017 Share Posted October 6, 2017 I think it depends on the camera and DVR, and if they are only wifi based. If they are wired to the network, they you'd have to be on the same network to connect with them, or if mis-configured, connect to them over the internet, which sadly, a lot of cameras are open directly from the web, not just for viewing, but also to login to the admin panel of the cameras. A lot of the cameras have built in web servers, but are still attached to the local network as clients, and you'd have to still be on the same LAN to connect with the camera in most cases. You can login to view remotely what is on the camera over wifi on many of them if they are configured this way, and some are configured for two different types of users, normal viewing only mode, and admin panel privs for setting up email alerts, motion activated capture, night vision settings, and offloading to storage for images or video. That is how one of mine is anyway. Evil Twin, in this instances, might not work the way you're thinking though, as the DVR's are usually plugged in over the wired network side, not on wifi(just what I've seen, but doesn't mean they all work this way). While you could make the camera connect back to you with the evil twin, if it were an open network, but more than likely, the DVR, is somewhere attached over ethernet, and not wifi based alone, but I don't own a DVR, so can't say for sure that all of them work this way. I know at my wife's old work, the camera system was wireless, but the DVR for the security system, was wired to the network(was actually VHS, not digital), and the cameras were just clients of the same network over wifi and was easy to prevent the system from working by deauthing the cameras, the DVR would record nothing. Poor implementation in this case. My camera is connected to the network over wifi, but can also be done over ethernet with wifi disabled, but for putting it outside or on edge of the house, I had to use wifi and it's a client of my network when I had it up. So while it has it's own web server built in, it's still a client of my network, and in order for me to reach it directly to record and save images, you need to setup a local server, which in the case of DVR's, they more or less are the storage server, and often, creds are for FTP to save out from the camera to the Storage server(this is just how mine worked, not sure if DVR's are any more secure than this). Mine I just setup filezilla at the time, and saved off over FTP, which is plain text in the clear passwords, and I don't recommend this if you can avoid it. So if you can make yourself the same SSID as the home network router, you may be able to see the camera's directly, but unless the DVR is wireless as well, you'd need to be on the same network to get access to the DVR itself. Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted October 6, 2017 Share Posted October 6, 2017 (edited) You know what one of my favourite apps for Android is? IP Webcam. It's amazing. In almost every way. Except anyone can see your stream by simply typing in your phone's IP in their browser. It's got some controls in there, but the most frustrating one is the flashlight button. It's cool, if no one else finds your phone acting as a webcam and decide to spam the flashlight on and off. Incoming flat phone :( Random little thought of the day Though not exactly relevant. Anyway, back on topic, decent DVRs are usually wired which means you need to be on the same network as the camera (as stated above by digip and barry). If they are even better than decent cameras they will use HTTPS, which means accessing the data just got a fair bit harder. Cheap eBay/Amazon cameras tend to broadcast their data over a webserver instead of passing it to a controller. They are the easiest to hack because..well, you don't really have to hack them you just hit there IP and you're done. To see the data you need to be in the middle of a controller and a camera (or multiple cameras), but even then it could be encrypted or under HTTPS (so Wireshark isn't an option there). Just explore your options, see where it's pushing the data, see what you can see with Wireshark or some other sniffing tool. If their WiFi you can try getting into the network via the SSID then see what's around with Nmap/Wireshark. Edited October 6, 2017 by Dave-ee Jones Quote Link to comment Share on other sites More sharing options...
rlbug Posted October 6, 2017 Author Share Posted October 6, 2017 (edited) Thanks for your replies here is the setup of my network. router IP: 192.168.1.1 DVR IP : 192.168.1.99 ( DVR is connected to the router by wire ) my IP : 192.168.1.5 so i am on same network and i can able to get the login page. its Dahua device. I tried ettercap to sniff data between DVR and ROUTER. I found the DVR serial no 3D00082PE517877 DVR model no XVR4116HS some data are DVR to dahua server on internet GET /heartbeat/device/3D00082PE517877 HTTP/1.1. As it says "hearbeat" of the device ping the dahua server on internet dahua server on internet to DVR HTTP/1.1 200 OK. CSeq: 0. also some data HTTP/1.1 200 OK. Cache-Control: no-cache. Pragma: no-cache. Content-Type: text/html; charset=utf-8. Expires: -1. Server: Microsoft-IIS/8.5. X-AspNet-Version: 2.0.50727. X-Powered-By: ASP.NET. Date: Mon, 2 Oct 2017 15:17:58 GMT. Content-Length: 12. <body><agentAddr><IP address :56871</agentAddr></body>POST /device/3D00082PE517877/p2p-channel HTTP/1.1. CSeq: -1566585999. Authorization: WSSE profile="UsernameToken". X-WSSE: UsernameToken Username="P2PClient", PasswordDigest="TUmkcITSBvsSJmJYshXj7s1QTLo=", Nonce="1000919920", Created="2017-08-15T18:40:12+05:30". Content-Type: . Content-Length: 198. open ports are 37777, 80, 554 the above data seems to be DVR is connected thru P2P dvr app and Auth thru WSSE. so is it possible to extract admin password thru below data ? i am not sure, just asking. UsernameToken Username="P2PClient", PasswordDigest="TUmkcITSBvsSJmJYshXj7s1QTLo=", Nonce="1000919920", Created="2017-08-15T18:40:12+05:30". don't know how to sniff network using wireshark. give me some tutorial link about sniffing data between "DVR" and router or another user who is trying to access the dvr. Thanks Edited October 6, 2017 by rlbug Quote Link to comment Share on other sites More sharing options...
digip Posted October 6, 2017 Share Posted October 6, 2017 I take it you are in India? Might want to edit your post, remove your public IP address. Quote Link to comment Share on other sites More sharing options...
0phoi5 Posted October 9, 2017 Share Posted October 9, 2017 (edited) On 06/10/2017 at 7:53 AM, rlbug said: [..] HTTP/1.1 200 OK. [..] HTTP/1.1 200 OK. [..] <body><agentAddr><IP address :*****</agentAddr></body>POST /device/3D00082PE517877/p2p-channel HTTP/1.1. Everything appears to be in HTTP? Does wireshark/tshark capture the password in plain text? Documentation on how to use this is here. Edited October 9, 2017 by haze1434 Quote Link to comment Share on other sites More sharing options...
0phoi5 Posted October 9, 2017 Share Posted October 9, 2017 (edited) TUmkcITSBvsSJmJYshXj7s1QTLo appears to be Base64. Username: P2PClient Password: MIp&bXPL Here is some info on how WSSE works. Also read Using Burp Suite to Test Web Services with WS-Security (you need nonce and timestamp as well as the above). See also this. Edited October 9, 2017 by haze1434 Quote Link to comment Share on other sites More sharing options...
Forkish Posted October 11, 2017 Share Posted October 11, 2017 Maybe relevant? https://depthsecurity.com/blog/unauthorized-flir-cloud-access Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.