Is it possible to get "admin" password of a dvr like "twin evil"?


rlbug
55 minutes ago, haze1434 said:

DVR? Digital Video Recorder?

I have no idea what you mean by getting the admin password for a DVR.

  • DVRs generally don't give out any kind of wireless signal
  • DVRs don't really have an 'admin' password.

Unless you mean something else?

Yeah, a Dahua DVR (video surveillance), which is connected to a router, so it has a static LAN IP address, say 192.168.1.100, and I'm trying to kick the DVR device off the LAN and make my Linux box have 192.168.1.100 to fetch the login details of the Dahua DVR. Any suggestions?

Below are the default login details of the Dahua DVR:

Capture.PNG

Edited by rlbug

I think it depends on the camera and DVR, and if they are only wifi based. If they are wired to the network, then you'd have to be on the same network to connect with them, or if mis-configured, connect to them over the internet, which sadly, a lot of cameras are open directly from the web, not just for viewing, but also to log in to the admin panel of the cameras.

A lot of the cameras have built in web servers, but are still attached to the local network as clients, and you'd have to still be on the same LAN to connect with the camera in most cases. You can login to view remotely what is on the camera over wifi on many of them if they are configured this way, and some are configured for two different types of users, normal viewing only mode, and admin panel privs for setting up email alerts, motion activated capture, night vision settings, and offloading to storage for images or video. That is how one of mine is anyway.

Evil Twin, in this instance, might not work the way you're thinking though, as the DVRs are usually plugged in over the wired network side, not on wifi (just what I've seen, but doesn't mean they all work this way). While you could make the camera connect back to you with the evil twin, if it were an open network, but more than likely, the DVR is somewhere attached over ethernet, and not wifi based alone, but I don't own a DVR, so can't say for sure that all of them work this way. I know at my wife's old work, the camera system was wireless, but the DVR for the security system was wired to the network (was actually VHS, not digital), and the cameras were just clients of the same network over wifi and it was easy to prevent the system from working by deauthing the cameras, the DVR would record nothing. Poor implementation in this case.

My camera is connected to the network over wifi, but can also be done over ethernet with wifi disabled, but for putting it outside or on the edge of the house, I had to use wifi and it's a client of my network when I had it up. So while it has its own web server built in, it's still a client of my network, and in order for me to reach it directly to record and save images, you need to set up a local server, which in the case of DVRs, they more or less are the storage server, and often, creds are for FTP to save out from the camera to the storage server (this is just how mine worked, not sure if DVRs are any more secure than this). Mine I just set up FileZilla at the time, and saved off over FTP, which is plain text in the clear passwords, and I don't recommend this if you can avoid it. So if you can make yourself the same SSID as the home network router, you may be able to see the cameras directly, but unless the DVR is wireless as well, you'd need to be on the same network to get access to the DVR itself.


You know what one of my favourite apps for Android is? IP Webcam.

It's amazing. In almost every way.

Except anyone can see your stream by simply typing in your phone's IP in their browser. It's got some controls in there, but the most frustrating one is the flashlight button. It's cool, if no one else finds your phone acting as a webcam and decides to spam the flashlight on and off. Incoming flat phone :(

Random little thought of the day :happy: Though not exactly relevant.

Anyway, back on topic, decent DVRs are usually wired, which means you need to be on the same network as the camera (as stated above by digip and barry). If they are even better than decent cameras they will use HTTPS, which means accessing the data just got a fair bit harder. Cheap eBay/Amazon cameras tend to broadcast their data over a webserver instead of passing it to a controller. They are the easiest to hack because... well, you don't really have to hack them, you just hit their IP and you're done. To see the data you need to be in the middle of a controller and a camera (or multiple cameras), but even then it could be encrypted or under HTTPS (so Wireshark isn't an option there).

Just explore your options, see where it's pushing the data, see what you can see with Wireshark or some other sniffing tool. If they're WiFi you can try getting into the network via the SSID, then see what's around with Nmap/Wireshark.

Edited by Dave-ee Jones

Thanks for your replies

Here is the setup of my network.

Router IP: 192.168.1.1

DVR IP: 192.168.1.99 (DVR is connected to the router by wire)

My IP: 192.168.1.5

So I am on the same network and I am able to get the login page. It's a Dahua device.

I tried ettercap to sniff data between the DVR and the router. I found the

DVR serial no 3D00082PE517877

DVR model no XVR4116HS

some data are 

DVR to dahua server on internet


GET /heartbeat/device/3D00082PE517877 HTTP/1.1.

As it says "heartbeat", the device pings the Dahua server on the internet.

 

dahua server on internet to DVR


HTTP/1.1 200 OK.
CSeq: 0.

also some data


HTTP/1.1 200 OK.
Cache-Control: no-cache.
Pragma: no-cache.
Content-Type: text/html; charset=utf-8.
Expires: -1.
Server: Microsoft-IIS/8.5.
X-AspNet-Version: 2.0.50727.
X-Powered-By: ASP.NET.
Date: Mon, 2 Oct  2017 15:17:58 GMT.
Content-Length: 12.

 

<body><agentAddr><IP address :56871</agentAddr></body>POST /device/3D00082PE517877/p2p-channel HTTP/1.1.
CSeq: -1566585999.
Authorization: WSSE profile="UsernameToken".
X-WSSE: UsernameToken Username="P2PClient", PasswordDigest="TUmkcITSBvsSJmJYshXj7s1QTLo=", Nonce="1000919920", Created="2017-08-15T18:40:12+05:30".
Content-Type: .
Content-Length: 198.

open ports are 37777, 80, 554

The above data seems to show the DVR is connected through the P2P DVR app and authenticates through WSSE.

So is it possible to extract the admin password from the data below? I am not sure, just asking.

UsernameToken Username="P2PClient", PasswordDigest="TUmkcITSBvsSJmJYshXj7s1QTLo=", Nonce="1000919920", Created="2017-08-15T18:40:12+05:30".

I don't know how to sniff the network using Wireshark. Give me a tutorial link about sniffing data between the "DVR" and the router, or another user who is trying to access the DVR.

Thanks

Edited by rlbug
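
For reference on the X-WSSE header in the capture above, an added example (not part of the original thread, and not Dahua's code): how a server checks a UsernameToken using the WS-Security UsernameToken profile formula Base64(SHA-1(Nonce + Created + Password)). The digest is a one-way hash of the password mixed with the nonce and timestamp, so the server has to enforce freshness and nonce uniqueness itself. Assumptions: the nonce is hashed as the literal text sent, whether this device computes its digest that way is not shown on the page, and the account, password and function names are constructed for the example.

```python
import base64, hashlib, hmac, re
from datetime import datetime, timedelta, timezone

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in the header

def make_digest(nonce: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)); nonce taken as sent (assumption)."""
    raw = (nonce + created + password).encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def verify_token(header, lookup_password, seen_nonces, now,
                 max_age=timedelta(minutes=5)):
    """Return (ok, reason) for one X-WSSE header value."""
    fields = dict(FIELD_RE.findall(header))
    if {"Username", "PasswordDigest", "Nonce", "Created"} - fields.keys():
        return False, "missing fields"
    try:
        created = datetime.fromisoformat(fields["Created"])
    except ValueError:
        return False, "bad timestamp"
    if created.tzinfo is None:
        return False, "bad timestamp"
    if abs(now - created) > max_age:       # reject tokens outside the window
        return False, "stale"
    key = (fields["Username"], fields["Nonce"])
    if key in seen_nonces:                 # same nonce seen before: replay
        return False, "replayed nonce"
    password = lookup_password(fields["Username"])
    if password is None:
        return False, "unknown user"
    expected = make_digest(fields["Nonce"], fields["Created"], password)
    if not hmac.compare_digest(expected, fields["PasswordDigest"]):
        return False, "digest mismatch"
    seen_nonces.add(key)                   # remember only accepted tokens
    return True, "ok"

# Constructed sample: hypothetical account and password, not values from the capture.
USERS = {"demo-client": "constructed-passphrase"}
CREATED = "2024-01-01T12:00:00+00:00"
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
HEADER = ('UsernameToken Username="demo-client", PasswordDigest="%s", '
          'Nonce="8675309", Created="%s"'
          % (make_digest("8675309", CREATED, USERS["demo-client"]), CREATED))
```

Nothing in the header is secret on plain HTTP, so the freshness window and nonce cache are what stop a captured token from being accepted again; running the exchange over TLS keeps the header off the wire entirely.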

I take it you are in India? Might want to edit your post, remove your public IP address. 


On 06/10/2017 at 7:53 AM, rlbug said:

[..]
HTTP/1.1 200 OK.

[..]
HTTP/1.1 200 OK.

[..]

<body><agentAddr><IP address :*****</agentAddr></body>POST /device/3D00082PE517877/p2p-channel HTTP/1.1.

 

Everything appears to be in HTTP? Does wireshark/tshark capture the password in plain text?

Documentation on how to use this is here.

Edited by haze1434