SSH Dahua

OnePunch

n3wb
Joined
Mar 31, 2018
Messages
20
Reaction score
4
Anyone know why I cannot SSH into my IPC-HDW5231R-ZE after I enabled SSH?


Code:
ssh admin@yardcam.CQF.local
admin@yardcam.cqf.local's password:
Permission denied, please try again.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
3,870
Reaction score
2,590
You have to prepend the password with 7ujMko0
like this: 7ujMko0PASSWORD

Once you're in you're greeted by the dsh dahua protected shell which only lets you run a small list of prechosen commands. It isn't very useful. I put about 10 minutes to effort in to poking a hole in this sandbox without success. There are ways around it, some of which require opening the camera. Getting a full shell takes more effort than most people will want to put in.

I did recently manage to crash some of the camera software on a dahua camera by accident. Trust me there are plenty more bugs and security vulnerabilities in the software.
Remember kids, most of computer security can be boiled down to one thing: input validation.

Code:
Commands in dsh
help:
Support Commands:
shell    help    getDateInfo    diagnose    gethwid


diagnose 1:    cat /proc/interrupts
diagnose 2:    cat /proc/meminfo
diagnose 3:    cat /proc/devices
diagnose 4:    cat /proc/net/dev
diagnose 5:    cat /proc/uptime
diagnose 6:    route -n

gethwid [option 0-22]
        productGetName        = 0
        HWID_VERSION            = 1
        CATEGORY            = 2
        SUB_CATEGORY            = 3
        FVIDEO_CHIP            = 4
        DSP_CHIP            = 5
        BVIDEO_CHIP            = 6
        VIDEO_CHANNEL            = 7
        ANALOG_AUDIO_MODE        = 8
        AUDIO_IN_CHANNEL        = 9
        AUDIO_OUT_CHANNEL        = 10
        STORE_INTERFACE            = 11
        CPU_COUNT            = 12
        ALARM_MODE            = 13
        WIRELESS_INTERFACE        = 14
        HD_ENCODE            = 15
        VD_INTERFACE            = 16
        NET_INTERFACE            = 17
        INTE_ANALYSE            = 18
        HD_VERSION            = 19
        VIDEO_STAND            = 20
        HAS_SD_CARD            = 21
        PHY_MEMSIZE            = 22


and getDateInfo which displays the wrong date.

the shell command asks for a password.
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,321
Reaction score
5,379
Location
Scotland
Getting a full shell takes more effort than most people will want to put in.
I have a recollection that the 'shell' command takes you to a full shell and that helpme was the password - but I can't check as I don't have the device any more.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
3,870
Reaction score
2,590
I have a recollection that the 'shell' command takes you to a full shell and that helpme was the password - but I can't check as I don't have the device any more.
helpme doesn't work. After you type in shell the prompt is "Domain Accounts:"
hik used zhimakaimen in their shell for something, i don't remember exactly what that did.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,321
Reaction score
5,379
Location
Scotland
helpme doesn't work. After you type in shell the prompt is "Domain Accounts:"
I do recall getting to a full command access - but I didn't write down the detail and don't remember it, apart from being surprised that it was possible.
Presumably you've tried the usual 888888 666666 and the admin password? I think that's what I would have done when trying it.

hik used zhimakaimen in their shell for something, i don't remember exactly what that did
This is a challenge / response command to bypass the 'psh' restricted shell, but I never figured how to get through it, just past it.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
3,870
Reaction score
2,590
I do recall getting to a full command access - but I didn't write down the detail and don't remember it, apart from being surprised that it was possible.
Presumably you've tried the usual 888888 666666 and the admin password? I think that's what I would have done when trying it.


This is a challenge / response command to bypass the 'psh' restricted shell, but I never figured how to get through it, just past it.
I know way to get past it, so also didn't put too much effort into getting through it. 888888 for the 'domain account' spews some gibberish (I tried a few charsets but don't have that sorted), then prompts "Check codes:"
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
3,870
Reaction score
2,590
I know way to get past it, so also didn't put too much effort into getting through it. 888888 for the 'domain account' spews some gibberish (I tried a few charsets but don't have that sorted), then prompts "Check codes:"
So I changed some settings on my ssh client, and as I suspected the gibberish is a QR code. It contains a URL that gets passed some hashed or otherwise encoded strings.
 

mifrey

n3wb
Joined
Dec 20, 2018
Messages
14
Reaction score
6
Location
Belgium
I tried on my VTO2111. I typed 888888 for the Domain accounts and yes I got a QR code that contains the url
https://svsh.dahuatech.com/svsh.html?v=2&u=888888&t=xxxxxxxxxxxxxxxxxx

where xxxxxx is a string of 64 characters.

The web page says

Agent 888888.
To get a Authent code, You must verify your identity first.Enter your domain password below:

And there I do not know what to type...
 
Last edited:

Dahuacamcctv

Getting the hang of it
Joined
Jun 6, 2018
Messages
55
Reaction score
26
Location
Chicago
How do you enable ssh on a dahua camera? Do you have to use an http command like with telnet?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,626
Reaction score
1,133
How do you enable ssh on a dahua camera? Do you have to use an http command like with telnet?
From my "dahua scrapbook":
http://<ip-address>/cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true

Login: telnet <ip-address>
Username: admin
Password: 7ujMko0<YOURADMINPASSWORD>
example: admin password ipcamtalk then use the password: 7ujMko0ipcamtalk
 

afddwfadwfadwf

Young grasshopper
Joined
Mar 28, 2016
Messages
81
Reaction score
11
any news on Domain accounts? The QR code goes to dahua's website asking for domain password
 

intelcom

n3wb
Joined
Oct 12, 2016
Messages
6
Reaction score
0

Lanaii

n3wb
Joined
Sep 9, 2019
Messages
13
Reaction score
1
Location
Austria
Hi Guys, you will be never get the right answer.

The generated QR Code, is for DAHUA employees, so you get only Access with there Accounts.

For SSH the Password is for default 7ujMko0(YOUR ADMIN PASSWORD)
 

AKazak

n3wb
Joined
Mar 20, 2020
Messages
1
Reaction score
1
Location
Moscow, Russia
Greetings!

How do I login via SSH to the following units:
  • VTH1550CH
  • VHT5221DW

I tried 7ujMko0(ADMIN PASSWORD), but it tells me that the password is invalid.
Any other options?

Thank you.
 
Top