Getting clear (or not) password from Hikvision Cam root

Ivan848484

n3wb
Joined
Jul 18, 2024
Messages
5
Reaction score
0
Location
Vienna
Hello everyone.
I have root access to the Hikvision camera through an exploit and would like to recover the admin password.
Most likely it's encrypted in the /etc/passwd file. Does anybody know what type of hash (or combination of hashes) is used there?
I'm asking about the hash because in my case I have a double-digit salt instead of 8 digits for md5:
admin:$1$yi$xYzhdxVW7rmlj.tO2e/9F1:0:0:root:/:/bin/psh

Can you put your own TEST list from a Hik Cam /etc/passwd here for reverse engineering? I mean pass and hash at the same time.

Or is there another way to find the password in plain text from configuration files?

Dev_info:
{
"dev_status": 1,
"dev_subserial": "E00198701",
"dev_verification_code": "COLSAX",
"dev_serial": "DS-2CDVT-SFCMPTCN-S0120191218AAWRE00198701",
"dev_firmwareversion": "V5.5.95 build 190925",
"dev_type": "DS-2CDVT-SFCMPTCN-S",
"dev_typedisplay": "DS-2CD2421G0-I",
"dev_mac": "98:df:82:53:c1:df",
"dev_nickname": "",
"dev_firmwareidentificationcode": "",
"dev_oeminfo": 0
}
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,994
Reaction score
6,834
Location
Scotland
I have root access to the Hikvision camera through an exploit and would like to recover the admin password.
Most likely it's encrypted in the /etc/passwd file.
Those are the Linux access credentials.

Depending on the model of camera and the firmware version, the access credentials and capabilities for admin and other users for camera operations are held in an SQLite database /davinci/ipc_db in hashed form.

Here is an example of the sec_user_mana_info table in ipc_db from a DS-2CD2347G2-LU camera with V5.5.150 build 200927 firmware

[Attached image: 1721464661156.png]
 

Ivan848484

I got it, thank you.

Do you have any experience in brute-forcing a password from the hashes contained in the database? Maybe there is information about which fields mean what?

[Attached image: sql.jpg]
 

alastairstevenson

Do you have any experience in brute-forcing a password from the hashes contained in the database? Maybe there is information about which fields mean what?
I've never attempted to brute-force any SHA-256 hashes, not realistically feasible.
If you want to gain access to the camera web GUI etc., you can simply delete or rename ipc_db and ipc_db_backup, and on the next bootup the camera firmware will recreate the configuration database with default values; the camera will be 'inactive' and need to be 'activated'. SADP is easy to use for that if the default IP address 192.168.1.64 is not convenient.
 

alastairstevenson

I need to find out the admin password to try to log in to other cameras on the same network.
Are any of the other cameras older models with firmware 5.4.4 or older? SADP reveals the firmware version.
If so - there is an exploit that can extract a plaintext password.
 