Dahua possible backdoors found???

[SkyLake]

Hey all,

I was inspecting some things and doing some SNMP walking on my Dahua SD49225T-HN, as i found some quite interesting things, that somehow made me think a little harder.

The complete system is isolated from the internet, as it is not physically connected to the internet or any internet router. Stand alone system.

UPnP is disabled in the camera. As i do with everything that has this functionality. The thing i have found out is, that the connection state on port 5000 (UPnP port) is still established on the localhost of the camera. It should be off, but still claims that it is established.

Then i have found two extra ports on where the camera is listening for connections. Those ports are:
9989 Port 9989 (tcp/udp) - Online TCP UDP port finder - adminsub.net
9990 Port 9990 (tcp/udp) - Online TCP UDP port finder - adminsub.net

Port 9989 is also used for trojans as it seems, but also as a Apple Quicktime streaming protocol.
Port 9990 seems to be for Apple Quicktime streaming also.

Do they serve as a streaming functionality for external viewing in remote viewers, or are they used as a backdoor? That keeps me thinking. They are running on the localhost, so at the moment there is no connection to the main IP subnet, but hmm...

Maybe other people have found this already, or have an explanation to this phenomenon

 

[aristobrat]

Googling for this, there are older (2014) search results that have URLs like "http://xx.xx.xx.xx:9989/onvif/media_service/snapshot?channel=0&subtype=0"...

Maybe this was something they deprecated by binding it to localhost only?

 

[alastairstevenson]

Port 9989 is also used for trojans as it seems, but also as a Apple Quicktime streaming protocol.
Port 9990 seems to be for Apple Quicktime streaming also.

For high ports, there isn't any effective assigned use.

You can confirm @aristobrat suggestion if you determine the 'ONVIF port' by seeing if ONVIF Device Manager discovers the device, and if so, check the port in the URL at the bottom of the 'Identification' page.

 

[SkyLake]

For high ports, there isn't any effective assigned use.

You can confirm @aristobrat suggestion if you determine the 'ONVIF port' by seeing if ONVIF Device Manager discovers the device, and if so, check the port in the URL at the bottom of the 'Identification' page.

Thanks,

When i try your suggestion in ONVIF device manager under the "identification" tab, it detects my camera's, but they all show http://x.x.x.x:xxxx/onvif/device_service (where xxxx is my manual configured port for accessing the camera)

So far i cannot find the ports mentioned previously anywhere, except in the SNMP walk. A Nmap scan did not show them either, so they are localhost at camera side, but I will inspect it further

On the other hand, Nmap still shows port 5000 as active and open, while UPnP is disabled in the camera. Well, it should be, but did not listen to my command. lol

 

[alastairstevenson]

Ok, so the ONVIF port is the same as the HTTP port you have customised, not to blame for the mystery port. I wonder if it's the 'command and control' port?

If you re-enable UPnP do you get another port?

 

[SkyLake]

Did you mean port 37777 and 37778?

If so, it aren't them. They are changed, but i've set them to another number. Still not the two ports i'm after for now.

I've enabled UPnP to test it, but the ports stay the same.

Googling for this, there are older (2014) search results that have URLs like "http://xx.xx.xx.xx:9989/onvif/media_service/snapshot?channel=0&subtype=0"...

Maybe this was something they deprecated by binding it to localhost only?

I'm slowly leaning to that suggestion, as i also find many Google answers to that port in regards to Dahua. So maybe they just "parked" it locally.

But it still makes me wonder

 

[reverend]

Have you disabled Bonjour support in the camera?

 

[SkyLake]

Yes, i disabled Bonjour.

I even disabled multicast, just for testing. Still the same. For now i narrowed it down to port 5000 still being active and port 9990, as i settle with port 9989 being a ONVIF port as it seems.

@edrikk Sorry, but i can't. It won't let me edit it.

 

[reverend]

Is snmpwalk just listing the listening local ports before iptables etc?

I've just run nmap against a couple of Dahua cameras here on latest firmwares and I don't see the 99xx ports here -this is the output I get:

59225-HNI on latest Dec 2017 firmware:

C:\Users\administrator>nmap -p1-65535 192.168.0.222
Starting Nmap 7.12 ( https://nmap.org ) at 2018-06-29 11:48 W. Europe Daylight Time
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.0.222
Host is up (0.0060s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
80/tcp    open  http
554/tcp   open  rtsp
5000/tcp  open  upnp
37777/tcp open  unknown
MAC Address: E0:50:8B:C9:xx:xx (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 7.89 seconds

5231-R on latest May 2018 firmware:

C:\Users\administrator>nmap -p1-65535 192.168.0.225
Starting Nmap 7.12 ( https://nmap.org ) at 2018-06-29 11:48 W. Europe Daylight Time
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.0.225
Host is up (0.0035s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
80/tcp    open  http
554/tcp   open  rtsp
1935/tcp  open  rtmp
5000/tcp  open  upnp
37777/tcp open  unknown
MAC Address: 14:A7:8B:47:xx:xx (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 35.21 seconds

Do those ports also show up in nmap too? May be worth adding the -A option to get it to do banner grabbing if so.

 

[SkyLake]

Dahua 49225T-HN on latest firmware.

Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-29 12:21 W. Europe Daylight Time
Nmap scan report for 192.168.2.20
Host is up (0.028s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
443/tcp   open  https
554/tcp   open  rtsp
5000/tcp  open  upnp
38181/tcp open  unknown
53339/tcp open  unknown (My HTTP port)
MAC Address: xx:xx:xx:xx:xx:xx (Zhejiang Dahua Technology)

Nmap done: 1 IP address (1 host up) scanned in 79.74 seconds

Nmap does not show those two ports, so that's good for now as they run locally on the camera. But i wonder why port 5000 is still open, while UPnP is disabled.
Normally if you disable a service or a port, you would not find that port active when doing a scan.

Ah well, the system is not internet active, so it's not that bad for gaining illegal access, but my daily work has to do with doing research and setting up networks etc, so i guess it's normal when you find something that you cannot place at first, and in my work the Onvif protocol is not so common

 

[riogrande75]

Dunno if this thread is still active, but I noticed that port 5000 seems to be activly used for management purposes of dahua devices.
When I open my door via the fingerprint reader (VTO2000A + VTO2000A-F), the device opens a session to port 5000 of its server (in my case the SIP server) and transmit a message like this:

DHIP¢¢{ "id" : 1, "method" : "global.login", "params" : { "clientType" : "GUI", "ipAddr" : "192.168.x.xx", "password" : "*******", "userName" : "30" }, "session" : 0 }

So I guess port 5000 will be used for a dahua management suites like SmartPSS.

 

[SouthernYankee]

If your cameras have access to the internet you are an idiot. All cameras must be blocked from the internet, all IP devices from China more than likely have been hacked. Wake up to the real world .

 

[riogrande75]

YES off course, none of my chinese devices has access to internet! Btw. there is no need for that.
They are almost as "bad" as devices from the US, like everything from a**le, g**gle and am***n.
But that has nothing to do with port 5000.

 

[bashis]

Some more info about DHIP.

mcw0/PoC

Enjoy, bashis

 

[alastairstevenson]

Impressive!

 

[reverend]

That's very cool thank-you, it works fine on a mixture of cameras here - 5231s on an older firmware, and works great on the two PTZs I have, the 59225 and 1A225-IRA on latest firmwares.

It throws an error ironically on the cameras which are having microSD errors.

Here's some output:

DH-SD59225-HNI


PTZ1A225-IRA-N with microSD issues:


IPC-HDW5231R-Z:


Amcrest IP2M-841B-UK (Dahua manufactured)


It's interesting how much more free memory there is on the 59225 currently vs the 1A225.

 

[bashis]

My pleasure, and many thanks for the feedback, very much appreciated!

The SD error, it's always come on the 'PTZ1A225-IRA-N' ?

I have noted that all stuff don't work 1st time, one or two retries is sometimes needed... :/
But I don't think I could report bug on functionality back to Dahua in this case...

 

[bashis]

Impressive!

Thx, stuff I started to look at back in 2017, some time after the backdoor... but when I lost my Telnet after upgrade few weeks back, I restarted this research in my attempts to regain the shell w/o dissecting the cam.. still no luck on that, so I guess HW is the way for the moment..

 

[bashis]

Dahua-JSON-Debug-Console-v2.py

• Ported to Python 3
• Fixed some bugs and code adjustment
• Added support for DVRIP (TCP/37777) [Note: Some JSON commands that working with DHIP return nothing with DVRIP]
• encode/decode in latin-1, we might need untouched chars between 0x00 - 0xff
• Better 'debug' with hexdump as option

GitHub - mcw0/Tools: Some tools

Some tools. Contribute to mcw0/Tools development by creating an account on GitHub.

github.com

 

[bashis]

Updated: Dahua-JSON-Debug-Console-v2.py

• Added option 'setDebug', Should start produce output from Debug Console in VTO/VTH
• Added '--discover', Multicast search of devices or direct probe (--rhost 192.168.57.20) of device via UDP/37810
• Added '--dump {config,service}' for dumping config or services on remote host w/o entering Debug Console

mcw0/Tools

Some tools. Contribute to mcw0/Tools development by creating an account on GitHub.

github.com

I also updated my HW lab with:

• iMOU Bullet Lite 4MP IPC-G42P
• NVR4108HS-4KS2
• DH-IPC-HFW1120SP-W
• DHI-VTO2101E-P-S1
• DHI-VTH2421FW