Hikvision camera admin password reset tool

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,737
Reaction score
5,734
Location
Scotland
I am not overly worried as its just a shot of my garage and nothing exciting happens there..
But - a hacked camera provides quite a neat foothold into your LAN, and all the devices and data on it.

But I am surprised anyone can connect to it as I am behind a NAT firewall have no open ports to my cameras
I'd be willing to bet that UPnP is enabled on the camera(s) - it used to be by default.
And that UPnP is enabled on your router.
That combination allows the camera (or other devices) to instruct the router to open ports inbound without your knowledge.

So are there any known hacks which allow someone to hack into the DVR and change the Camera passwords?
Plenty.
A common one is the 'Hikvision backdoor' which exists in firmware versions 5.4.0 or earlier.

A bit worrying really how they can explot a hack on the cameras when I don't have "routes" (atleast not directly) to them from the Internet.
You will - you just don't know it.
Before making changes, check with Shields Up"!
Use the 'all service ports' scan, and also check port 8000.
 

Jweaver

n3wb
Joined
Apr 14, 2016
Messages
23
Reaction score
1
I'd be willing to bet that UPnP is enabled on the camera(s) - it used to be by default.
And that UPnP is enabled on your router.
That combination allows the camera (or other devices) to instruct the router to open ports inbound without your knowledge.
I edited my post after writing it.. Looked at the UPnP settings on my router and had several ports to my IP Cameras open.. I have never trusted UPnP for this very reason and I am not sure why I turned it on, as I open my ports manually..

But that said, uPNP or not, my DVR is on the public internet (but using a random port) and its only running fw3.3.3 (Its fairly old and I didn't think there were any updates), so I guess this is a bad situation...

For now uPNP is off globally!
 

Jweaver

n3wb
Joined
Apr 14, 2016
Messages
23
Reaction score
1
I just looked at the cameras and whilst the DVR is using a random Port, the cameras are 8000.. I just tried to change them and the GUI is a bit of a mess.> You can't set manual unless uPNP is on.. And when you do you can change the port, and save.. But it goes back to 8000 again.. So I don't know how to change the port on the camera.. And whether there is still a risk now I have uPNP disabled on them (and globally on the router too)
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,737
Reaction score
5,734
Location
Scotland
What did Shields Up! show as open inbound?

Worth stating is that obscuring the ports doesn't provide a lot of protection over leaving them as standard.
If you look at inbound probes you'll see they cover very wide ranges.
 

Ironside69

Getting the hang of it
Joined
Feb 20, 2020
Messages
136
Reaction score
45
Location
Trawler Town
When I click on "Get User List" a box comes up saying "the remote server returned an error (404) not found.
 

octav

n3wb
Joined
Feb 10, 2021
Messages
1
Reaction score
0
Location
romania
Hello, I have the DS-2CD2032-I20140715CCWR472070689 camera with Firmware version V5.4.41 build 170312, my problem is not the administrator password but the security code in this case ABCDEF which is not supported by HILOOK online with the following message: weak verification code is not allowed to add devices. Change the device verification code to a more powerful one. or the firmware version that is actually and last does not allow me to change the current decode code. Please help change it. Thanks!
 

BlueRaven

n3wb
Joined
Mar 3, 2021
Messages
2
Reaction score
2
Location
Australia
Hello all, I just registered an account specifically to say a huge THANK YOU to the person/s who created and posted these tools and related information.
I recently inherited a Hikvision DS-7332NI-SP NVR of unknown provenance and purchase date - "you're good with tech stuff, you'll be able to make it work" - but as somebody who has spent many years around IT generally and IP security devices in particular, I was extremely dubious about that claim. After a couple of hours of research and fiddling around, success! The NVR is now factory-defaulted! I was fully expecting to end up just pulling the drives from the thing and chucking it to e-waste recycling, which would have been a shame for a perfectly functional unit. :)

For others in a similar predicament, I'll describe exactly what I did and how I did it. Hopefully this additional info might help somebody else. Starting with specifics of the device...

Model: DS-7332NI-SP
Date of manufacture: unknown, probably around 2014/2015
Firmware: Software version as reported by SADP - V3.1.0 build 170725
DSP Version (probably doesn't matter for this reset procedure): V1.0 build 140611
Web GUI version 3 (I suppose, based off the software version... it didn't give a Forgot Password option in the web interface, only a login option)
Hik Connect support: No

Steps taken:
1. Downloaded latest version of SADP (V3.0.1.7), which allowed me to check that the device and network interface were functional, grab the serial number/start time and check the IP settings.
Note that this version of the software detected the device immediately, even though my PC was actually on a different subnet, which was very handy!
2. Input the Serial and Start Time fields into the password reset tool to generate a security code. Note that the model number prefix must be dropped from the start of the serial number as described on page 1 of this thread, otherwise the code will not work! So in my case, I entered all the characters after the "SP" in the model number.
3. Attempted to use this latest SADP software to reset Admin password via the "Forgot Password" option at the bottom of the network settings pane. This brought up a dialog box as described, but the only available option for resetting the password was to export a file to send to Hikvision support, with further fields below that to enter the key or import the key file that would be sent back. I tried entering the security code here, but the reset failed.
4.
Uninstalled latest SADP, then downloaded and installed SADP V2.0 from this link: Download SADP Tool for Hikvision — SecurityCamCenter.com
I have attached a copy of the V2.0 installer to this post (virus-checked, no nasty stuff). During installation, you need to step through the process of installing the 2008 Visual C++ redistributable, the WinpCap packet capture software, and then finally install SADP itself. This all automated, just keep the default options and click "Next" until done. Reboot your PC once completed.
5. Ensured the PC was in the same subnet as the NVR. If necessary, go to your Network->Ethernet Adaptor settings and manually change your IPv4 configuration to suit (tutorial here).
6. Fired up SADP 2.0, selected the device from the list, entered security code... SUCCESS! The password is reset to the default of 12345. You will be prompted to change it when you try to login from the web GUI or via a connected monitor.

Some tips and caveats:
  • I found a list of supported devices somewhere during this research, but I can't seem to locate it again right now. It was quite long though.
  • This SADP 2.0 procedure should work for pretty much all devices from the DS-7xxx series of NVRs and many others, as long as they are from the right era and have older V3.x firmware.
  • If your firmware version is V4.x or higher, this technique might still work but probably won't. If it's V5.x it almost certainly won't. You'll need to pursue other options.
  • As per Step 5, if your PC is on a different subnet to the NVR, this technique won't work. You definitely must know the current IP address of the NVR so you can configure your PC accordingly and allow SADP 2.0 to detect your device on the network.
  • You don't actually need to install the latest SADP first, just to get the NVR's IP address if you don't know it. You can get the address from your router's web interface (look under "Connected Devices", "Wired Devices" or some similarly named option), or there are numerous free software tools that can scan your network and report the addresses of connected devices. Overlook Fing is a good one that's available from the App store or Google play store, it's pretty convenient to have all the network info there on your phone while you're wrestling with the NVR software!
  • NEITHER MYSELF NOR THIS WEBSITE MAY BE HELD RESPONSIBLE IF YOU SOMEHOW MANAGE TO BRICK YOUR NVR, BREAK YOUR NETWORK, SCREW UP YOUR PC, OR ANYTHING ELSE.
  • USE THIS ADVICE AT YOUR OWN RISK. GOOD LUCK!
 

Attachments

Last edited:

cloneman

n3wb
Joined
Mar 31, 2021
Messages
4
Reaction score
0
Location
Canada
I'm trying to reset the password for my HikVision system but it's gray market device with no help from hikvision support. The firmware is too new for the old password tool to work.

I have attached my XML file and screenshot.

Can anything be done? If not , is opening up the unit the easiest way to get factory defaults?
The Date Time is accurate and set to Eastern Standard Time.

1617169027256.png
 

Attachments

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,737
Reaction score
5,734
Location
Scotland
I have attached my XML file
Unfortunately - only the Hikvision support system can generate the reset response file for that reset request.

Presuming this is an NVR with PoE ports - do you by any chance have a Hikvision camera connected that has 5.4.0 or earlier firmware?
If so - the camera configuration file can be extracted using a security vulnerability, and a plaintext password exposed after decryption and decoding.
By default, the camera password is the same as the NVR password.

 

cloneman

n3wb
Joined
Mar 31, 2021
Messages
4
Reaction score
0
Location
Canada
Thanks.

It's this exact system so I think the cameras are analog. so no go there.

I'll have to open it up and see if there's a reset switch inside
 
Joined
Apr 9, 2021
Messages
1
Reaction score
0
Location
UK
I'm trying to reset the password on a DS-7316HQHI-SH1620151202AAWR560361751WCVU
I am using v2 of the SADP tool and have input the SN into the password generator in the following ways-
1620151202AAWR560361751WCVU
SH1620151202AAWR560361751WCVU
DS-7316HQHI-SH1620151202AAWR560361751WCVU

I'm still getting 'password recovery failed', I have checked the day, month and year are correct.
Software versions-
V3.3.4
DSP V5.0

If anyone has any bright ideas I would greatly appreciate it!
Thanks!
 

BlueRaven

n3wb
Joined
Mar 3, 2021
Messages
2
Reaction score
2
Location
Australia
I'm trying to reset the password on a DS-7316HQHI-SH1620151202AAWR560361751WCVU
I am using v2 of the SADP tool and have input the SN into the password generator in the following ways-
1620151202AAWR560361751WCVU
This is the correct serial number format.

I'm still getting 'password recovery failed', I have checked the day, month and year are correct.
Software versions-
V3.3.4
DSP V5.0
Seems like maybe Hikvision's HD-TVI units use a different firmware, or else they plugged the security hole post V3.1
Not sure how to solve this.
Have you tried later versions of SADP to see what password recovery options are offered when connecting to this specific unit?
I suspect you'll be stuck with trying to get a response out of HV support team though... sorry :(
 

ISpyOnU

n3wb
Joined
Jun 20, 2020
Messages
8
Reaction score
0
Location
Australia Mate
having issues resetting the password on a Hikvision NVR DS-7608NI-SE

I set my PC IP address to 192.0.0.1 and the NVR is 192.0.0.64. The SADP tool can see the NVR and when I double click on it it brings up the web page.

I have tried all combinations of the serial number in the reset form, with model number, without model number, only the serial number, serial number and date and time, tried all the different combinations i could think of, tried it without the "dashes and slashes".

Date and time are correct, I have even power cycled the NVR a few times.

Is there a issue with no PORT or HTTP PORT?

When I try the Password Reset Tool I get this error:



Any help much appreciated. I seen by browsing through the first 10 or so pages a few others with the same model NVR having issues, is there a way to search a thread I tried advanced search but it does not seem to search a selected thread only.

 

cloneman

n3wb
Joined
Mar 31, 2021
Messages
4
Reaction score
0
Location
Canada
On the mainboard it says my system is Hikvision DS-80295 _P Rev 1.0 . I can't find any info on this gray market unit. Which firmware should I try to load on it? It's 16CH analog DVR as pictured here:
 

m41k

n3wb
Joined
Jul 20, 2021
Messages
5
Reaction score
1
Location
Canada
Hi there,

Just signed up and very new to the topic. Bought a house with a camera system, which I would like to get on my cell through HikConnect. (8 cameras)

Seems like I need the admin password for that, which I only have an incorrect one from the previous owner and I was very surprised to learn the Hikvision does not support my system.

Thankfully the cameras are working and things are recording and I have access to the terminal through the unlock pattern. However I can still not change the PW on the terminal. If I try to change the admin password through the SADP tool as described here, I get an error message "Device Denied". I can see all information in the SADP tool though, so I assume it sees the NVR ok.

I also tried to get in through the standard IP address to extract the config file, but I am getting a 404 access not found error using or
My device type is ACE-NVR328
Software version 3.4 .92 build 170224
DSP version 5.0 build 170123


I was also thinking if I can just create a new user in the system, but I the options there did not show admin, so I guess I still need to get the password.

Any help is appreciated.

Thank you,
MIke
 

kbarb

n3wb
Joined
Aug 25, 2014
Messages
8
Reaction score
2
Just signed up and very new to the topic. Bought a house with a camera system, which I would like to get on my cell through HikConnect. (8 cameras)

Seems like I need the admin password for that, which I only have an incorrect one from the previous owner and I was very surprised to learn the Hikvision does not support my system.

[snip]

My device type is ACE-NVR328
Software version 3.4 .92 build 170224
DSP version 5.0 build 170123
I'm not sure I totally understand the setup and what's going on . . .

You're trying to use HikConnect on your phone to view some Hikvision cameras , but need an admin password for that ?

But you also want to change the password on the "Terminal " ?
By "Terminal", you mean ACE-NVR328 ?

What is ACE-NVR328 ? I don't find it on a Google search.
You're saying "Hikvision does not support my system" . . . what is meant by that ?
Is the ACE-NVR328 a Hikvision NVR rebrand ?

Btw I take it you know all the IPs of the cameras and the NVR, by using the SADP tool ?
If not you could do a scan for that using AngryIPScanner network scanner - which sounds bad but I use it all the time - it's just a basic network scanner.

Anyway, perhaps you could clear up some of what's going on.
 
Last edited:

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
14,737
Reaction score
5,734
Location
Scotland
Any help is appreciated.
Suggestion - and assumptions :
  • That the NVR and the cameras are Hikvision OEM products.
  • That the cameras are connected to NVR PoE ports.

Connect the PC to an unused NVR PoE port, and use SADP to show the cameras, their model numbers and status - and the firmware versions and IP addresses.
If you are very lucky, the cameras may be running firmware versions of 3.4.0 or earlier, in which case the backdoor method of anonymously extracting the camera configuration file should work.
If so - change the IP address of the PC to be in the same range as that of the cameras as shown by SADP.
This is usually 192.168.254.x in which case use 192.168.254.100 for example.
Then try the same URL as you tried already, using the IP address of a camera with firmware of 3.4.0 or older, for example :
http://192.168.254.x/System/configurationFile?auth=YWRtaW46MTEK
If that works OK, zip up the extracted configuration file and attach it here, it can be decrypted and decoded to extract the camera password, which by default will be the same as the NVR.

Good luck!
 

m41k

n3wb
Joined
Jul 20, 2021
Messages
5
Reaction score
1
Location
Canada
Hi there,

Thank you for your help and patience with my very basic questions! I will try your suggestions this week. (I need to buy an ethernet adaptor for my laptop)

To clarify some of the questions:

Main goal: get my camera access going remotely, for example with Hikconnect. Hikconnect iOS app sees my system but wants a user and password to log in. Unfortunately the previous owner gave me an incorrect password. (username is set to admin) My assumption is as soon as User and PW are correct, I can use the Liveview of the app. (Side effect is also peace of mind in case the previous owner still has access through old credentials)

I have full access to the system through a code unlock (Android style draw a shape) but I can't change the admin password as the one that I have seems to be incorrect and separate from the unlock pattern. (numbers of unlock pattern don't work as PW)

  • ACE-NVR328 is what I see in the SADP tool under device, so I assume that's what it sees as the NVR (I googled it too and couldn't find anything 0_o)
  • correct the cameras are connected via PoE ports
  • Sorry Terminal is the wrong term - I meant the NVR. I have a monitor connected to it in my living room
  • I had an alarm company here for my system and they took a look at the UI and NVR and mentioned it's a Hikvision system. I find it very hard to identify. There is nothing in the UI that seems to give that away
  • the SADP tool shows that my system supports HikConnect. HikConnect Status is Off
  • I only see 1 device in the SADP tool, not several cameras unfortunately. That said, I can see all camera IPs directly through the NVR system (192.168.254.2 up to 192.168.254.9). It doesn't seem to display the Firmware of the cameras within the NVR software
  • I've attached a sample screenshot of what I see in the SADP tool
Clicking through the system, I can access maintenance and it shows an export function for a config file. Could that be used for a password reset?

Apologies for being this clueless. Would have been great if the previous owner gave me the right credentials. :rolleyes:

Cheers,
Mike
 

Attachments

Top