Why so apparently limited options to secure the admin account on Dahua cameras?

Perplexer

Apr 15, 2023
Slovenia
I just watched the short video at and while checking my IP camera's user list I realized that the default admin user on Dahuas was really rather poorly protected, and I can't really do much about it, at least not as much as I can with other users.

We know that one half of an account is the username and the other half is the password. Then you can additionally protect accounts by editing their Restricted login (Authority) parameters and locking them to a specific IP or validity period / time range. I sometimes obfuscate the usernames by adding something like _200 at the end, to avoid dictionary attacks (for example John_200).

But with the default 'admin' account, you can't edit the username. It is fixed at 'admin' which every hacker will try. So essentially 50% of the account is already known. You also can't edit any Authority parameters for admin, locking it to a specific IP. You can't even disable it. I added a separate 'admin_200' account to serve as admin, but couldn't remove the default 'admin' one, nor could I make it any safer or harder to access. I kinda find it pointless to try to secure any of the other accounts when I know that hackers will by default logically only try to hack 'admin' since they know its username and they know it 100% exists since I can't change or disable it. I also can't IP block it. So if the camera is on the Internet, I can't do anything to make it more difficult for the hackers to hack this account. All I can basically do is set a really long and complex password. But still, it feels like a weak link in the whole chain.

Am I right here or did I miss something?
 
In my case the users have to be able to access my camera from different IPs over the Internet. They do not have access to my network via VPN. Their IPs are static so I can lock their accounts to their specific IPs, but the admin account remains protected essentially only by a password. I have never considered or looked into that P2P thing so I don't really know what it is. Would it offer any benefit? I always thought it involves opening the camera to Dahua's services which I didn't like.
 
All things I have done before I tested my Devices to the internet lol.. I did it in a controlled area and I kept an eye to know when I was being attacked and in some cases the attackers were reported with log files to the ISP and/or IP owners' abuse emails.. Some took care of things and banned or stopped the attacks and others just ignored my reports.

But there are many things that can happen if you happen to add your devices directly to the internet. Don't DO IT. One of the main things is they can get the SN of your product, because part of the search for that device that happens is it lists everything that the device will openly give, and now once you remove that device the attacks can keep going if P2P is enabled and if they use correct tools, but they normally are only trying to gain access over WAN or your ISP IP address..

There is an alarming number of connected Dahua and Hikvision devices. Some knowingly, and others have no clue and are only connected because they had the device connected over LAN with UPnP enabled, and if your router is UPnP open it will then load that.. Your IP cameras are only as secure as your Weakest link... NVRs that are open to the WAN, if they are trash or have ability to unlock RTSP login requirements, can now make it so your very secure IP cameras are no longer secure..

P2P is very safe.. Not CLOUD but true IP camera P2P.. The attacker has to have DMSS, or App for your device, know the Serial Number and then have to figure out your password... Using a normal GPU and 14700 CPU would take 22 years to learn my passwords, so my testing has said.. Sure there are Crypto Miners that could get it maybe in 22 days but they are not using it for that lol.. I have my password exposed and someone could figure it out for 1/2 of my devices if they knew where to find it under Social Engineering tactics, but would need to have the first part of the puzzle and that is my device's SN.. Be Safe.
 
Correct.

If you can't do VPN then I would look into P2P built into most Dahua NVRs. FW should be updated to something on or after July of 2024.
 
Don't Dahuas have a limited amount of password tries before they lock the account for a particular amount of time? Brute-forcing wouldn't really work well, would it?


None of this would make much difference. Many Cameras have known exploits, and many of these allow hackers to circumvent the User Name / Password. Connecting any camera to the internet without a VPN is risking it being hacked and either botted, watched or bricked. E.g., on a Black Hat video I saw, the researcher was able to get root in a camera through a known exploit and execute a command that got the camera to tell him the user name and password, thus rendering both useless as he simply then entered these to gain full access!
 
This applies to most cameras, not just HIK.
 
Don't Dahuas have a limited amount of password tries before they lock the account for a particular amount of time? Brute-forcing wouldn't really work well, would it?
That is a good point but here is what I found that some do. They set up a script and try 3 or 5 if they were locked out first time trying 5 seeing most of mine I can change to 3 so I do.. Anyway after that they try 1 less than your lock out and then pause for 30 min and do it again.. However one person was doing something else because I had over 236 attacks within minutes.. With that attack I found they were set up for a different type of attack that tricks the device into believing that it returned an ok and somehow it keeps going..

So this was taken from a while back. I am not actively testing any of my devices on the WAN side these days, I have other things that are keeping me busy lol.. This was someone trying to attack my Amcrest 4108-A2 NVR.. I put the NVR on the WAN for testing. I do my own testing before I put any of my devices on the WAN..
Code:
[LAN access from remote] from XXX.XX.161.244:15646 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:05
[LAN access from remote] from XXX.XX.161.244:15644 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15642 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15638 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15636 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15634 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15628 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15614 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15608 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15604 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15602 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:04
[LAN access from remote] from XXX.XX.161.244:15598 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15594 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15588 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15586 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15584 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15582 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15578 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15562 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15556 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15554 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15552 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:03
[LAN access from remote] from XXX.XX.161.244:15550 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15546 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15542 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15538 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15536 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15530 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15518 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15506 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15370 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15280 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15278 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:02
[LAN access from remote] from XXX.XX.161.244:15276 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15274 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15268 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15264 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15260 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15252 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15234 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15232 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15230 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15228 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:01
[LAN access from remote] from XXX.XX.161.244:15226 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15222 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15220 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15218 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15216 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15214 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15206 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15198 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15196 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15194 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15190 to 10.0.0.245:80, Monday, Mar 18,2024 22:53:00
[LAN access from remote] from XXX.XX.161.244:15188 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:15186 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:15182 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:15180 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:15178 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:15168 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:15164 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:15144 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:14902 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:14900 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:14898 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:59
[LAN access from remote] from XXX.XX.161.244:14896 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14894 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14888 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14886 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14884 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14880 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14868 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14856 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14854 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14852 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:58
[LAN access from remote] from XXX.XX.161.244:14850 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14848 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14846 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14844 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14842 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14840 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14838 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14832 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14828 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14826 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14824 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:57
[LAN access from remote] from XXX.XX.161.244:14822 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14820 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14816 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14814 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14812 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14810 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14802 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14794 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14606 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14544 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14542 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:56
[LAN access from remote] from XXX.XX.161.244:14540 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14538 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14530 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14528 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14524 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14516 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14510 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14496 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14492 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14490 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14484 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:55
[LAN access from remote] from XXX.XX.161.244:14480 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14478 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14474 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14472 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14470 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14466 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14464 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14454 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14452 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14450 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14446 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:54
[LAN access from remote] from XXX.XX.161.244:14444 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
[LAN access from remote] from XXX.XX.161.244:14440 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
[LAN access from remote] from XXX.XX.161.244:14438 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
[LAN access from remote] from XXX.XX.161.244:14436 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
[LAN access from remote] from XXX.XX.161.244:14432 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
[LAN access from remote] from XXX.XX.161.244:14426 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
[LAN access from remote] from XXX.XX.161.244:14420 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
[LAN access from remote] from XXX.XX.161.244:14412 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
[LAN access from remote] from XXX.XX.161.244:14386 to 10.0.0.245:80, Monday, Mar 18,2024 22:52:53
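
The router log format quoted above, run through a small detector, as an added example that is not part of the original post: it flags a source that opens many connections within seconds, and a source that paces small batches with pauses between them, the pattern described earlier in the post. The function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Format of the router log lines quoted in the post above.
LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[^:\s]+):\d+ to (?P<dst>[^,\s]+), "
    r"\w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

def parse(lines):
    """Yield (source, destination, timestamp) for every line that matches."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")

def peak_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(lines, burst=(timedelta(seconds=10), 20), paced=(timedelta(hours=24), 30)):
    """Return {source: verdict}. Each entry is a connection, not a failed login,
    and both (window, count) thresholds are assumptions to tune per site."""
    per_src = defaultdict(list)
    for src, _dst, ts in parse(lines):
        per_src[src].append(ts)
    verdicts = {}
    for src, times in per_src.items():
        if peak_in_window(times, burst[0]) >= burst[1]:
            verdicts[src] = "burst"
        elif peak_in_window(times, paced[0]) >= paced[1]:
            verdicts[src] = "paced"  # small batches that add up over the day
        else:
            verdicts[src] = "ok"
    return verdicts

def constructed_sample():
    """Constructed log lines (not from the post); sources are documentation IPs."""
    fmt = "[LAN access from remote] from {}:{} to 10.0.0.245:80, Monday, {}"
    t0 = datetime(2024, 3, 18, 8, 0, 0)
    out = []
    def add(src, port, t):
        out.append(fmt.format(src, port, t.strftime("%b %d,%Y %H:%M:%S")))
    for i in range(40):      # 40 connections within about 4 seconds
        add("203.0.113.7", 15000 + i, t0 + timedelta(seconds=i // 10))
    for batch in range(12):  # 4 connections, then a 30 minute pause, repeated
        for i in range(4):
            add("198.51.100.9", 20000 + batch * 4 + i, t0 + timedelta(minutes=30 * batch, seconds=i))
    for h in (1, 5, 9):      # occasional visits from one static address
        add("192.0.2.50", 30000 + h, t0 + timedelta(hours=h))
    return out

if __name__ == "__main__":
    print(classify(constructed_sample()))
```

The paced source never exceeds four connections in any ten-second span, so only the long window catches it.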
 
None of this would make much difference. Many Cameras have known exploits, and many of these allow hackers to circumvent the User Name / Password. Connecting any camera to the internet without a VPN is risking it being hacked and either botted, watched or bricked. E.g., on a Black Hat video I saw, the researcher was able to get root in a camera through a known exploit and execute a command that got the camera to tell him the user name and password, thus rendering both useless as he simply then entered these to gain full access!

Don't port forward. Use the PoE ports on a Dahua NVR.
Use Dahua P2P OR a VPN

They can't exploit what they can't get to

This isn't hard
 