Getting clear (or not) password from Hikvision Cam root

Ivan848484

Jul 18, 2024
Hello everyone.
I have root access to the Hikvision camera through an exploit and would like to recover the admin password.
Most likely it's encrypted in the /etc/passwd file. Does anybody know what type of hash (or combination of hashes) is used there?
I'm asking about the hash because in my case I have a double-digit salt instead of 8 digits for md5:
admin:$1$yi$xYzfgrVW7rmlj.tO2e5F.9:0:0:root:/:/bin/psh

Can you post your own TEST list from a Hik cam /etc/passwd here for reverse engineering? I mean the password and hash at the same time.

Or is there another way to find the password in plain text from configuration files?

Dev_info:
{
"dev_status": 1,
"dev_subserial": "E001943964",
"dev_verification_code": "COLLOD",
"dev_serial": "DS-2CDVT-SFCMPTCN-S0120191218AAWRE43287690",
"dev_firmwareversion": "V5.5.95 build 190560",
"dev_type": "DS-2CDVT-SFCMPTCN-S",
"dev_typedisplay": "DS-2CD2456G5-I",
"dev_mac": "98:df:82:56:b6:6f",
"dev_nickname": "",
"dev_firmwareidentificationcode": "",
"dev_oeminfo": 0
}
 
I have root access to the Hikvision camera through an exploit and would like to recover the admin password.
Most likely it's encrypted in the /etc/passwd file.
That's the Linux access credentials.

Depending on the model of camera and the firmware version, the access credentials and capabilities for admin and other users for camera operations are held in a SQLite database /davinci/ipc_db in hashed form.

Here is an example of the sec_user_mana_info table in ipc_db from a DS-2CD2347G2-LU camera with V5.5.150 build 200927 firmware.

[Attached image: 1721464661156.png]
 
I got it, thank you.

Do you have any experience in brute-forcing a password from the hashes contained in the database? Maybe there is information about which fields mean what?

[Attached image: sql.jpg]
 
Do you have any experience in brute-forcing a password from the hashes contained in the database? Maybe there is information about which fields mean what?
I've never attempted to brute-force any SHA-256 hashes; it's not realistically feasible.
If you want to gain access to the camera web GUI etc., you can simply delete or rename ipc_db and ipc_db_backup, and on the next bootup the camera firmware will recreate the configuration database with default values. The camera will be 'inactive' and need to be 'activated'. SADP is easy to use for that if the default IP address 192.168.1.64 is not convenient.
 
I need to find out the admin password to try to log in to other cameras on the same network.

Are you able to reboot the other cameras by cycling their power?
 
Authorize your company as an installer on HikPartnerPro and make a password reset case. It is highly unlikely you will gain the password this way.

The second option is sending a reset XML file to Hikvision from your NVR; they do answer end users quite a lot. Using this file on the NVR will automatically give you an option to reset the cameras in the same hit.

The third option is using the watchful_ip RCE. Once you gain shell access (if it works), run the paramReset cmd; this will make the camera state inactive.

The fourth option is flashing the camera using TFTP + UART port via serial connection, or SSH, with the same or below version firmware; this will reset the camera to factory.

No, I can't.
Do you have some smart PoE switch that can restart PoE?

Good luck. If you find cool stuff, let us know, that's why we are all here :D