Nurettin Alp
When I try the password, the system says: "trying too hard, take some coffee and wait for a while!"
I can get in with this password on these models, but there is no access to "shell" with this QR code and domain account that asks for a password and gets a verification code.... What's the matter?

Greetings!
How do I log in via SSH to the following units:
How do I login via SSH to the following units:
- VTH1550CH
- VHT5221DW
I tried 7ujMko0(ADMIN PASSWORD), but it tells me that the password is invalid.
Any other options?
Thank you.
SSH access is not of much use when there is no way to get a shell.

Hi guys, you will never get the right answer.
The generated QR code is for Dahua employees, so you only get access with their accounts.
For SSH the password is by default 7ujMko0(YOUR ADMIN PASSWORD).
$ ssh admin@192.168.7.200 "set shell=/bin/sh"
admin@192.168.7.200's password:
warning: setsid failed.
: Operation not permitted
Date&Time: Dec 1 2020 15:45:02
Revision: 64981
Enter 'help' for a list of commands (dsh)
tcgetattr failed!
#
How did you get the dsh? I use GitHub - BotoX/Dahua-Firmware-Mod-Kit: Unpack and repack Dahua IP camera firmware upgrade images, but the unzipped firmware only gives a romfs-x.squashfs file (encrypted or encoded), not the full file system.

So I pulled the dsh binary off a firmware image and disassembled it with Ghidra to take a look at this whole Domain Account thing.
Long story short, it uses public key encryption, so unless Dahua's private certificate leaks, there's no way to calculate valid check codes.
What happens is that when you run the "shell" command, it collects a bunch of data, mostly random numbers and the current time, as well as the device's MAC address and serial number. This gets encrypted with Dahua's public key and is passed as the "t" parameter in the URL you get from the QR code.
Dahua decrypts the value, uses the third byte of the MAC address (mod 0x18) as an offset, then reads four bytes at that offset. They convert those bytes into an 8-digit ASCII hex string and return that, which is what you type in at the "check codes" prompt.
If those eight characters/four bytes match the value originally calculated, and not too much time has passed since the QR code was generated, then it will launch /bin/busybox. It also appears to do some other stuff around alerting as well - maybe just recording the login attempt in the logs or something.
Unfortunately since it is using public key cryptography, it's impractical to decode the values needed from the QR code URL. If we had Dahua's private key then it could be done, but no doubt they guard that very closely.
EDIT: Also, it confirmed that the "diagnose 7" command does nothing. They just have an off-by-one error when they check whether the parameter is valid. The diagnose commands also don't pass any user input into the actual system() call, so there are no injection vulnerabilities available there.
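Added example (not code from Dahua or from anyone in this thread): a Go model of the check-code exchange described in the post above, with the camera side, the vendor side and the final gate. What the post states is the field list, the third-MAC-byte mod 0x18 offset, the four-byte read, the 8-digit hex code and the freshness check; everything else here is assumed and marked as such in the code: the byte layout of the plaintext, RSA-OAEP as the public-key scheme, hex encoding of the "t" value, a ten-minute window, and a case-insensitive comparison of the typed code. The key pair, MAC and serial are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Plaintext layout is ASSUMED: the post names the fields but not their order or sizes.
const (
	offTime   = 16 // bytes 0..15 random, then 8-byte big-endian unix time
	offMAC    = 24 // 6-byte MAC address
	offSerial = 30 // serial number, zero padded to the end of the blob
	blobLen   = 48
	offsetMod = 0x18             // from the post: third MAC byte mod 0x18
	checkLen  = 4                // four bytes -> eight hex digits
	maxAge    = 10 * time.Minute // ASSUMED; the post only says "not too much time"
)

// Challenge is what the camera keeps between showing the QR code and the prompt.
type Challenge struct {
	blob   []byte
	issued time.Time
}

// newVendorKey stands in for Dahua's key pair (generated here for the example).
func newVendorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildChallenge models the camera side of "shell": gather the fields, encrypt them
// to the vendor public key (RSA-OAEP assumed) and return the "t" value (hex assumed).
func BuildChallenge(pub *rsa.PublicKey, mac [6]byte, serial string, now time.Time) (*Challenge, string, error) {
	if len(serial) > blobLen-offSerial {
		return nil, "", errors.New("serial number too long for blob")
	}
	blob := make([]byte, blobLen)
	if _, err := rand.Read(blob[:offTime]); err != nil {
		return nil, "", err
	}
	binary.BigEndian.PutUint64(blob[offTime:offMAC], uint64(now.Unix()))
	copy(blob[offMAC:offSerial], mac[:])
	copy(blob[offSerial:], serial)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, blob, nil)
	if err != nil {
		return nil, "", err
	}
	return &Challenge{blob: blob, issued: now}, hex.EncodeToString(ct), nil
}

// checkCodeFromBlob is the derivation the post describes: third MAC byte mod 0x18
// picks an offset into the plaintext; the four bytes there become eight hex digits.
func checkCodeFromBlob(blob []byte) string {
	off := int(blob[offMAC+2]) % offsetMod
	return hex.EncodeToString(blob[off : off+checkLen])
}

// VendorCheckCode models Dahua's server: decrypt "t" and return the code. This is
// the only step that needs the private key, which is why a user cannot self-issue.
func VendorCheckCode(priv *rsa.PrivateKey, t string) (string, error) {
	ct, err := hex.DecodeString(t)
	if err != nil {
		return "", err
	}
	blob, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return "", err
	}
	if len(blob) != blobLen { // offsetMod+checkLen must stay inside the blob
		return "", errors.New("unexpected blob length")
	}
	return checkCodeFromBlob(blob), nil
}

// Verify is the camera's gate before it would launch /bin/busybox: the typed code
// must match its own derivation and the challenge must still be fresh.
func (c *Challenge) Verify(code string, now time.Time) error {
	if now.Before(c.issued) || now.Sub(c.issued) > maxAge {
		return errors.New("check code expired")
	}
	if !strings.EqualFold(code, checkCodeFromBlob(c.blob)) {
		return errors.New("check code mismatch")
	}
	return nil
}

func main() {
	must := func(err error) { if err != nil { panic(err) } }
	priv, err := newVendorKey()
	must(err)
	mac := [6]byte{0x3c, 0xef, 0x8c, 0x12, 0x34, 0x56} // constructed, not a real device
	now := time.Now()
	ch, t, err := BuildChallenge(&priv.PublicKey, mac, "EXAMPLE0000001", now)
	must(err)
	code, err := VendorCheckCode(priv, t)
	must(err)
	fmt.Printf("t=%s... -> check code %s\n", t[:16], code)
	fmt.Println("correct and fresh:", ch.Verify(code, now.Add(time.Minute)))
	fmt.Println("stale:            ", ch.Verify(code, now.Add(2*maxAge)))
}
```

Running it shows why the scheme holds up without Dahua's private key: the check code is four bytes of the plaintext, the QR code only carries the ciphertext, and VendorCheckCode is the one function that needs the private key. The length check before indexing matters because the offset can reach byte 27 of the decrypted blob; a different layout or cipher changes none of this structurally.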