DS-CD2035-1 password changed, hacked or a fault?

N

Nik Dixon

n3wb
Dec 23, 2017
4
1
Hi,

I've lost connection to a couple of Chinese DS-CD2035 (v5.4.0) camera's on my network. I'm not sure how but my password is no longer valid, I've also tried the default 12345 with no luck.

I've tried contacting HIKvision, but naturally they're not able to provide a code. Is there anything else i can do? And how does this happen, are there really folk out there with nothing better to do than mess with peoples passwords or is there a fault with the cameras?

Can anyone help?
 
Nik Dixon said:
I'm not sure how but my password is no longer valid
Click to expand...
If UPnP is enabled on both the router and the camera, or if you have configured 'port forwarding' for internet access, then it's pretty likely it's been hacked.
Nik Dixon said:
are there really folk out there with nothing better to do than mess with peoples passwords
Click to expand...
It's more likely an automated intrusion than an individual.
Lots can be done with a compromised camera.

On the R0 series, the 5.4.41 firmware is the first that has the 'backdoor' fixed - I'm not so sure about 5.4.0 on a DS-2CD2335xxx (G0 or G1)
However, suggestion :

First, just for fun, see if this works (but you'd need Linux for the decrypt) :
Pull a copy of the configuration file though the backdoor.
http://192.168.1.18/System/configurationFile?auth=YWRtaW46MTEK

Then this to decrypt it :
openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5

The end result still needs to be passed through a 4-byte XOR encode 0x738B5544
The XORViewThru of wxHexEditor works OK for that, allowing the save of the resultant file.
But iIf you get the config file, but can't process it, zip it up and attach it here and I'll look at it for you, it might be fun to see what the password was.


*edit*
Use SADP to find the IP address of the camera if you don't know it already.
And change the IP address reference above to match.


Second, try the updated version of the password reset tool here : Hikvision camera admin password reset tool

You might just still have the 'Hikvision backdoor' in your firmware.
 
  • Like
Reactions: e007 and fenderman
Wow, thanks for the quick response. I have two cameras with the problem, i don't have a linux machine, but here are the two config files. I did find the reset tool thread earlier and gave it a go with no luck. I got failed to reset password other: 2022. The page did suggest in need to 5.3.0 or earlier though.
 

Attachments

Attached are the decrypted / decoded configuration files for the DS-2CD2035-I cameras.
In both cases the admin password=1111aaaa

The password reset tool (the updated one as linked, the first post) should work OK, it also uses the same backdoor to do its work.
 

Attachments

  • Like
Reactions: Tolting Colt Acres
Thanks again! I'll get that changed. Thank you for returning my cameras to me. For completeness i've attached a .jpg of the password reset tool as i was using it, i could well be the problem (the start date for the cameras is today, and i did try with model number preceding the serial number as well).

I'm guessing with a chinese market camera i'm better sticking with the 5.4.0 despite it's weakness? I've been able to update my 2032 with your instructions (thank you very much for taking the time to publish that), but is there a better option for both models that'd remove the exploit?
 

Attachments

  • HIKvision password reset.jpg
    HIKvision password reset.jpg
    238.4 KB · Views: 53
Nik Dixon said:
For completeness i've attached a .jpg of the password reset tool as i was using it, i could well be the problem
Click to expand...
That's the Hikvision password reset export. As you discovered - they won't talk to you.
Did you try @bp2008 updated backdoor-based password reset tool here : Hikvision camera admin password reset tool
Not that relevant now, but worth knowing about for when you next get hacked - unless you fix the weak security. Did you intentionally port-forward? If not - disable UPnP in the router and the cameras.

Nik Dixon said:
Thanks again! I'll get that changed. Thank you for returning my cameras to me.
Click to expand...
Presumably therefore you've tested the extracted password and it works OK?
Nik Dixon said:
I'm guessing with a chinese market camera i'm better sticking with the 5.4.0 despite it's weakness?
Click to expand...
It may well be 'hacked to English' firmware on the cameras, so either it will resist any attempted update (I've seen this a couple of times) or it will brick the cameras.
Nik Dixon said:
but is there a better option for both models that'd remove the exploit?
Click to expand...
Don't allow internet access - or set up a VPN instead.
 
alastairstevenson said:
That's the Hikvision password reset export. As you discovered - they won't talk to you.
Did you try @bp2008 updated backdoor-based password reset tool here : Hikvision camera admin password reset tool
Not that relevant now, but worth knowing about for when you next get hacked - unless you fix the weak security. Did you intentionally port-forward? If not - disable UPnP in the router and the cameras.
Click to expand...

Got it now, and yes it works perfectly.

alastairstevenson said:
Presumably therefore you've tested the extracted password and it works OK?
Click to expand...

The password you extracted was correct too. :)

alastairstevenson said:
It may well be 'hacked to English' firmware on the cameras, so either it will resist any attempted update (I've seen this a couple of times) or it will brick the cameras.
Click to expand...

Don't allow internet access - or set up a VPN instead.[/QUOTE]

I did brick (and fix, thanks!) my 2032, so i think i'll leave well enough alone for now. I do access the cameras remotely myself using some pretty basic NAS security software, so i'd like to keep the link open. I've got the tools to put it right if i'm picked up again.

Thank you very much for your time, it's a valuable commodity and very much appreciated.
 
  • Like
Reactions: alastairstevenson
That error is just due to the file size, for this purpose it can be ignored.
If you can't manage the XOR next step, zip the file up and attach here and I'll look at it later.
 
That looks like the original configuration file is attached, unzipped.

It decrypts OK, and after doing the XOR decode, the password for admin is shown as
gg123456
for the HIKVISION DS-2CD3335D-I - 602593040

The decrypted, decoded file is attached.
 

Attachments

alastairstevenson said:
That looks like the original configuration file is attached, unzipped.

It decrypts OK, and after doing the XOR decode, the password for admin is shown as
gg123456
for the HIKVISION DS-2CD3335D-I - 602593040

The decrypted, decoded file is attached.
Click to expand...
I want to ask you to record a video, I want to know what went wrong.
It’s very interesting
 
Last edited:
FdFd said:
I want to know what went wrong.
Click to expand...
Nothing went wrong - the decryption and decoding was normal :

First :
openssl enc -d -in configurationFile -out decryptedoutput -aes-128-ecb -K 279977f62f6cfd2d91cd75b889ce0c9a -nosalt -md md5

And the 'final block' error can be ignored - it is due to the size of the file that the camera produced not being a proper multiple of the encryption block size.

Then:
The end result was passed through a 4-byte XOR encode 0x738B5544
The XORViewThru of wxHexEditor works OK for that, allowing the save of the resultant file.

Did the extracted password work OK?
 
Feel that the file is not working properly

@alastairstevenson

Unable to understand
The end result was passed through a 4-byte XOR encode 0x738B5544
The XORViewThru of wxHexEditor works OK for that, allowing the save of the resultant file.
Using Google Translate, some translations make me unable to understand
 

Attachments

  • 1.jpg
    1.jpg
    455 KB · Views: 37
Last edited:
You must log in or register to reply here.
Top Bottom