Dahua possible backdoors found???
- Thread starter SkyLake
- Start date
Thanks, appreciated.
One of my research tools worth to share and try to maintain, will update when there is something worth to update, would also be grateful for contributions.
Major rewrite:
- Implemented 'multicall' - big timesaver (!) (not 100% consistent usage for now, but working good as it is)
- 'SendCall()' wrapper around 'self.P2P()'. self.P2P() should not be used directly (unless you want raw data).
- 'console' Multiple simultaneous connections to devices, easy switching between active Console
- 'password manager', create/change Dahua hash and connection details for devices, saved in 'dhConsole.json'
- No fancy own encryption/decryption, we simply use the Dahua 'one way' format to save and pass on hashes.
- ./Dahua-JSON-Debug-Console-v2.py --rhost <RHOST> --proto <PROTO> --rport <RPORT> --auth <USERNAME>:<PASSWORD> --save
- Events/Alarm, scanning config and subscribing on all found events/alarm
- Listen for incoming event traffic on UDP from instances, accepting external TCP connections for relay of event traffic (only on 127.0.0.1)
- The listening UDP socket for incoming are literally directly connected to outgoing TCP socket, for speedy reasons.
- Meaning that output is unsorted, so the JSON needs to be fixed. Check fix_json() for details.
- Listen for some events internally to give some info, using like 'reboot' to automatically restart connection
- Added sending IP to JSON event to easily see where it came from
- Simple 'eventviewer' with: --eventviewer
- 'network wifi', WiFi scan/connect/enable/disable/reset
- TODO: Should use events for some status updates
- 'diag/pcap', Interim debug functions (pcap/NFS/logredirect) Note: Seems only to work with NVR
- 'rdiscover/ldiscover', remote/local discovery of devices (ldiscover support both DHIP and DVRIP)
- Consistent way to write and handle 'Usage'
- Continue to Console even if console.attach fails (NVR)
- Looks like to me that the thread is locked and do not accept any attach
- The 'fuzz()' function is an first attempt to fuzzing the '.factory.instance' w/ potential '.attach' to map needed params
- Not really accurate for now, but can still give an hint what's required
- Handle only one params for now, should handle two or more as well.
- 'debug' various internal debug commands
