Hikvision camera admin password reset tool

thelawnet

n3wb
Joined
May 4, 2019
Messages
5
Reaction score
0
Location
indonesia
I am looking at a DS-7604NI-Q1/4P NVR someone is selling. There is a photo of the box code with firmware 3.4.100_180310, though this might have been updated obviously.

They are selling it with the warning 'forgotten password'.

I am wondering if this is risky to buy, or can I for sure unlock it?
 

Skyking

n3wb
Joined
Jan 2, 2016
Messages
15
Reaction score
3
All,

I have quite a curious development. I have two identical HIKVISION DS-2CD2032-I cameras connected to my LAN. They have worked flawlessly for several years. Suddenly I cannot log into one of them. I get a message that the password is incorrect when I try via a browser and iPhone apps will not load that camera. Here is the really curious part - It loads fine on a computer running it through Blue Iris. So Blue Iris somehow gets into it, but browsers and iPhone apps will not.

I have downloaded the latest SADP tool and get all the info OK:

DS-2CD2032-I20150618CCCH525283946
V5.2.5build 141201
5/22/2019 12:28:00 PM

When I go to the page to generate a password reset I enter just the serial number (20150618CCCH525283946) and using that and the date (which matches the date above) it generates a code of RyyRS9RRSQ. When I enter that code I get the error message that the "Password recovery failed." My serial number is good, I have firmware that is old enough that it should work in this manner, but it is not. Other than climbing a ladder and opening it up to hit the reset switch, in the process losing all of the other info, can anyone suggest an option? And can anyone explain why Blue Iris works just fine in playing and recording the stream?...

Much thanks,

Phillip
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
Suddenly I cannot log into one of them. I get a message that the password is incorrect when I try via a browser and iPhone apps will not load that camera.
That's been quite a common experience with Hikvision cameras running old firmware that has the 'Hikvision backdoor' and having a router that has UPnP enabled.
They may have been hacked ...

There are a couple of things you could do:
Here are 2 passwords to try that have been commonly set on hacked cameras : 1111aaaa and asdf1234

And if they don't work - the camera configuration file can be extracted with no credentials needed.
And I could decrypt and decode the file for you, and extract the password.
All you'd need to do is point this URL at the camera using your browser, changing the IP address to suit.
Then zip up the resulting file and attach it here -
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
 

Skyking

n3wb
Joined
Jan 2, 2016
Messages
15
Reaction score
3
That's been quite a common experience with Hikvision cameras running old firmware that has the 'Hikvision backdoor' and having a router that has UPnP enabled.
They may have been hacked ...

There are a couple of things you could do:
Here are 2 passwords to try that have been commonly set on hacked cameras : 1111aaaa and asdf1234

And if they don't work - the camera configuration file can be extracted with no credentials needed.
And I could decrypt and decode the file for you, and extract the password.
All you'd need to do is point this URL at the camera using your browser, changing the IP address to suit.
Then zip up the resulting file and attach it here -
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
alastairstevenson,

I have to say, you are a genius. OK, it was hacked and the second password above was the one they reset it to. What do I need to change in my router to keep this from happening again? I am stunned to near disbelief that someone found my camera and did that to it. And I use the same password on a lot of my networked gear, so how can I block them from doing this to all of my other non-HIKVISION cameras? Wow... THANK YOU!

Added: And here is a curious observation - Only one camera had its password changed...

Phillip
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
What do I need to change in my router to keep this from happening again?
As indicated in the useful link that @bp2008 supplied above -
If you are not deliberately doing 'port forwarding' (a very insecure thing to configure) on your router to provide access when you are away, then the cameras will have configured it themselves via UPnP.
This is often enabled by default on routers, and also on the cameras.
Go into the router admin and camera admin and disable UPnP.
I am stunned to near disbelief that someone found my camera and did that to it.
The scanning, and the changes when a vulnerable target is found, is automated, using 'bots'.

Added: And here is a curious observation - Only one camera had its password changed...
That could be more worrying.
When the password on a vulnerable, accessible camera is changed, at least you know it has happened.
The other camera may be just as accessible, and available as a foothold into your LAN to quietly do bad things on the devices and their data that are on it.

Check for inbound open ports using a full port scan with services such as ShieldsUp! GRC | ShieldsUP! — Internet Vulnerability Profiling  
 

Skyking

n3wb
Joined
Jan 2, 2016
Messages
15
Reaction score
3
alastairstevenson, OK, those are all interesting points. Even my DSC alarm system requires ports to be opened to function correctly, so essentially every convenience for attaching devices that need two-way access open up the door to these nefarious types. It is still unclear to me why the Blue Iris access to this camera continued to work while nothing else did... I am of course leaving on an extended business trip right now and have zero time to do any further investigation. LOL Thanks for all the info. I will start looking into it upon my return. - Phillip
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
Even my DSC alarm system requires ports to be opened to function correctly,
Really? Is this to provide an intentional remote access?

t is still unclear to me why the Blue Iris access to this camera continued to work while nothing else did...
I think this means that the video stream that BI has requested doesn't get periodically re-authorised after the initial stream setup.
In other words, authorisation is negotiated at the stream startup, and is not challenged again while the stream continues with no tear-downs.
 

W124

n3wb
Joined
May 29, 2019
Messages
2
Reaction score
0
Location
Bulgaria
Hi,
I need a help . I forgot the password of my dvr and can't reset it . DS-7616NI-K2 ser.num.: K21620170625CCRR783975707WCVU . Generated code is SQQ9RdRdd , but nothing happend......
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,929
Reaction score
6,777
Location
Scotland
I need a help . I forgot the password of my dvr and can't reset it
Assuming that you did not configure the security questions / answers for the 'forgot password' link on the web GUI login page when you set the NVR up -
If you set the unlock code on the HDMI/VGA interface - use that to reset the NVR to default settings.
 

W124

n3wb
Joined
May 29, 2019
Messages
2
Reaction score
0
Location
Bulgaria
that's genereted from SADPTool
Assuming that you did not configure the security questions / answers for the 'forgot password' link on the web GUI login page when you set the NVR up -
If you set the unlock code on the HDMI/VGA interface - use that to reset the NVR to default settings.
Thanks a lot !!! I'l try
 

Attachments

sickfinga

n3wb
Joined
Jun 4, 2019
Messages
2
Reaction score
0
Location
Canada
I have DS-7316HQHI-SH with a software version V3.1.14 I'm trying to reset the admin password using the SADP tool, but there is no Serial code / Security Code box. There is only export / import method. I was under the impression that this is used on the V5.3 and higher devices. I emailed Hikvision before(different device), but was turned down since the device was not bought through an authorized reseller. What are my options?
 

toldo

n3wb
Joined
Jun 5, 2019
Messages
1
Reaction score
0
Location
Moscow
That's been quite a common experience with Hikvision cameras running old firmware that has the 'Hikvision backdoor' and having a router that has UPnP enabled.
They may have been hacked ...

There are a couple of things you could do:
Here are 2 passwords to try that have been commonly set on hacked cameras : 1111aaaa and asdf1234

And if they don't work - the camera configuration file can be extracted with no credentials needed.
And I could decrypt and decode the file for you, and extract the password.
All you'd need to do is point this URL at the camera using your browser, changing the IP address to suit.
Then zip up the resulting file and attach it here -
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
Dear alastairstevenson,

Can you help me to recover password I've set to camera, please. I can reset it with backdoor tool, but I set same password to NVR which I need to use)
I attached conf file here.
Thank you in advance!
 

Attachments

Skyking

n3wb
Joined
Jan 2, 2016
Messages
15
Reaction score
3
Really? Is this to provide an intentional remote access?
My alarm system has two-way IP communication. If the normal path fails it rolls over to a cellular communicator (think cell phone) link to the central station. I do not know many details of how my system and the central station communicate, but it is a very high profile manufacturer and a very common configuration.
 
Top