What is your TruVision Navigator Software version? Also can you post the hashed password here?
Alternative way of recovering HikVision NVR password
- Thread starter Pjlord
- Start date
alastairstevenson
Staff member
Is that a Hikvision OEM model? It's not one I'm familiar with.
For the 'trojan horse' method of extracting the NVR password using a camera with the Hikvision backdoor vulnerability, the camera firmware needs to be new enough (5.3.0 or later) that a 'reset to defaults' sets it in the 'Inactive' state. Also, the firmware should not be too new that the backdoor vulnerability has been fixed, ie 5.4.5 or newer.
That way, the NVR must 'Activate' it with a password, usually the NVR password.
For a camera that when reset it goes to default passwords, such as 1234 12345 123456789abc the NVR tries them and if one works, it uses it, unchanged.
I am using Version 7.1 of the TruVision Navigator Software.
This is the export of the User table
[User.csv]
UserId,UserName,PasswordHash,ChallengeQuestionID,ChallengeAnswer,FailedLoginCount,AccountStatusCode,IsTempUserName,IsTempPassword,FirstName,LastName,Email,Phone,PhoneExt,ConnectionPriority,PreviousPasswordHash,ExpiryDate,Comments,SystemAccount,IsLoggedIn,LastSeen,_Active,_RlmUserName,_RlmDateTime,IsForceLoggedOut
1,1e0900021c1161606566796166,,1,,0,Active,0,0,SystemAccount,,,,,1, ,,,1,,,1,Admin,2017-10-05 19:45:45,0
2,0c141e1f17,RBL8P41KFA9M+Xj3KTUI7FWD+yY=,2,313a060c0b020014541f1b09,0,Active,0,0,Admin,Admin,,,,1,fIdUH9Pz71AW4S1BGQDIemBGqOg=,,,0,1,2023-02-28 09:28:42,1,Admin,2021-02-22 09:08:34,0
[/User.csv]
Attached file is renamed dot txt to get it attached.
The NVR is a TruVision 10s. I believe it is a rebranded Hikvision of some sorts. It was made by Interlogix which is out of business from what I can tell. Of the 8 cameras on the system, only 3 have the admin password of 1234. The other 5 are unknown.
I thought I'd try the 'trojan horse' method on the cameras that I did know the password to since the URL did produce a valid configurationFile.
This User table is for Truvision Software, not for the devices inside it. So I need EtherNetPassword value on the Device table. Can you export the Device table?
Your admin password is Pr0c0mm5555
Last edited:
That is it!!!!
Thank you sooooo much! That was amazing. I am now able to get in from the web as well as right on the NVR console.
Hello,
Thanks for this wonderful write-up. Really neat trick!
I would love to add this trick to my "toolbox" for instances where I get called to service a system and the admin password is unknown.
I found laying around the shop a KT&C KNC-p3TR3XIR, which is HikVision OEM seemingly similar to the DS-2CD2332-I.
SADP is showing the firmware as V5.3.0 build 151027.
When I use the link with auth code it works to pull the ConfigurationFile.
However, I can't seem to get the camera to show as Inactive in SADP. There is no physical reset button as far as I can tell. I did reset it by logging in to GUI, and the config did reset, but still showing as active in SADP, and defaulting to admin 12345 login.
Does firmware need to be newer than 5.3.0? Does anyone have a way of providing V5.3.3 for this brand?
Alternatively, would anyone know if these can be cross-flashed to HikVision firmware?
Thank you!
Thanks for this wonderful write-up. Really neat trick!
I would love to add this trick to my "toolbox" for instances where I get called to service a system and the admin password is unknown.
I found laying around the shop a KT&C KNC-p3TR3XIR, which is HikVision OEM seemingly similar to the DS-2CD2332-I.
SADP is showing the firmware as V5.3.0 build 151027.
When I use the link with auth code it works to pull the ConfigurationFile.
However, I can't seem to get the camera to show as Inactive in SADP. There is no physical reset button as far as I can tell. I did reset it by logging in to GUI, and the config did reset, but still showing as active in SADP, and defaulting to admin 12345 login.
Does firmware need to be newer than 5.3.0? Does anyone have a way of providing V5.3.3 for this brand?
Alternatively, would anyone know if these can be cross-flashed to HikVision firmware?
Thank you!
alastairstevenson
Staff member
Yes, it's been good fun using it!
But be aware, Hikvision did and still do read IPcamtalk and often react to publicly exposed tricks and exploits by fixing up their firmware.
So to counter this 'trojan horse' method of pulling an NVR password they introduced initially an optional and later a mandatory separate password for activating cameras in Plug&Play mode.
So it's less likely to work on newer NVR firmware.
However - I'm a bit vague on when 'activation' was introduced, but my recollection was 5.3.0 and later. Which conflicts with what you've discovered.
I keep a DS-2CD2432 with the 5.4.0 firmware ie still has the backdoor vulnerability allowing pulling the configuration with no credentials for any NVRs I buy off eBay that I don't want to just reset.
It's not a brand I've come across.
But I've generally found the stock Hikvision firmware works for the OEM models.
If you're lucky, you may be able to get your OEM camera to take the 5.4.0 firmware from here :
And here :
But if you really want to try the 5.3.3 first, there are multiple builds, see one attached.
Thank you!
I didn't specifically want 5.3.3, just figured I'd take it one at a time...
I tried the 5.4.0 from the link you so kindly provided, via the web GUI, and it gave an error that "The type of upgrade file mismatches"
Same for the 5.3.3
Was I supposed to be using the web GUI? Or TFTP...
Thanks!
I didn't specifically want 5.3.3, just figured I'd take it one at a time...
I tried the 5.4.0 from the link you so kindly provided, via the web GUI, and it gave an error that "The type of upgrade file mismatches"
Same for the 5.3.3
Was I supposed to be using the web GUI? Or TFTP...
Thanks!
Hello. I'm hoping someone can decrypt this file so that I can get the user name and password. It is version 5.2.5. It gave up the config file OK as an .xlsx but I can't find any plain language in it. Thanks
alastairstevenson
Staff member
The file is encrypted in the usual way.
The decrypted format for that version of firmware is a little different from that of later versions, however :
For the HIKVISION DS-2CD2132F-IS - 514493307 camera, the file holds an admin password=12345
Thankyou! I was told the tech had tried the defaults - I didn't even think to check that.
sfitz527
Getting the hang of it
- Apr 25, 2016
- 24
- 34
@alastairstevenson If you are still up for it, would you be able to decrypt the attached file for the password? I picked up a locked NVR on eBay, but I was able to use this old trick to have a camera pull the password from the NVR. Any help would be greatly appreciated.
sfitz527
Getting the hang of it
- Apr 25, 2016
- 24
- 34
Thanks. My interpretation of the output is the password would be Ipc123456. I was able to get into the camera with that, but not the NVR. Am I missing an alternate, or maybe the NVR didn't assign the camera the same password as the NVR itself? I guess I'll try a few different NVR ports to see if I get anything different.
alastairstevenson
Staff member
Agreed.
It seems to be so.
Hikvision introduced the new NVR feature 'alternate activation password for cameras' after they'd seen on IPCamTalk the ease with which people were recovering NVR admin passwords using this 'trojan horse' method of leveraging their insecure camera firmware.
What's the model of NVR, and firmware version?
The next easiest method to use would be to re-apply the same version of firmware using the tftp updater. Generally, this will result in a reset to default settings.
For an E-series NVR, the Hikvision tftp updater would do, the firmware size isn't above its 32MB size limit.
For an I-series or K-series you'd need to use the Scottt Lamb Python2 clone of it :
GitHub - scottlamb/hikvision-tftpd: Unbrick a Hikvision device (NVR or camera) via TFTP
Unbrick a Hikvision device (NVR or camera) via TFTP - scottlamb/hikvision-tftpd
github.com
Good luck!
sfitz527
Getting the hang of it
- Apr 25, 2016
- 24
- 34
Thanks for all the help! The NVR is a Hik rebranded as Alibi. Before I went down the rabbit hole of firmware, I decided to call the Alibi tech support. They were surprisingly fast, and I got the NVR reset on a 2-minute call. Much better experience than I had dealing directly with the Hikvision tech support in the past, where I had a crazy wait time and the quiz on how the equipment was purchased.Agreed.
It seems to be so.
Hikvision introduced the new NVR feature 'alternate activation password for cameras' after they'd seen on IPCamTalk the ease with which people were recovering NVR admin passwords using this 'trojan horse' method of leveraging their insecure camera firmware.
What's the model of NVR, and firmware version?
The next easiest method to use would be to re-apply the same version of firmware using the tftp updater. Generally, this will result in a reset to default settings.
For an E-series NVR, the Hikvision tftp updater would do, the firmware size isn't above its 32MB size limit.
For an I-series or K-series you'd need to use the Scottt Lamb Python2 clone of it :
GitHub - scottlamb/hikvision-tftpd: Unbrick a Hikvision device (NVR or camera) via TFTP
Unbrick a Hikvision device (NVR or camera) via TFTP - scottlamb/hikvision-tftpd
Good luck!
