ISAPI Unauthorized?

[SBBcarl]

I am trying to follow some of the many scripts that have been posted on this site for connecting to Hikvision cameras via CURL so that I can eventually toggle the day/night profiles.

I feel like I have tried all of them and nothing seems to be working.

From a camera directly, I can access the URL directly like so:

http://192.168.30.3:65001/ISAPI/Image/channels/1/ISPMode

I have tried both authentication method settings on the camera (digest and digest/basic).

It seems like no matter what I try, I am getting:

<!DOCTYPE html>
<html><head><title>Document Error: Unauthorized</title></head>
<body><h2>Access Error: 401 -- Unauthorized</h2>
<p>Authentication Error</p>
</body>
</html>

Does this have something to do with the virtual access to the cameras via NVRIP:CameraPort?

The camera I am trying this with currently is: DS-2CD2042WD-I @ V5.5.53 build 180730

 

[alastairstevenson]

Given virtual host is active, as you have proven, you should be able to access the NVR PoE-connected cameras directly with a small change to your network routing, instead of going via the NATed connection.
This should work better.

3 things required:

The PoE-connected camera needs to have the NVR PoE interface IP address set as its default gateway.
By default this is usually 192.168.254.1 assuming a Hikvision NVR. But check via the VGA/HDMI interface if you are not sure.
You can make this change directly on the camera web GUI over Virtual Host - but set the channel in question into Manual Mode instead of Plug&Play to stop the NVR changing the gateway back.

Virtual Host active. You already have this.
This implicitly activates the NVR Linux kernel 'ip_forward' (not to be confused with port forwarding) internal configuration setting such that it passes packets between the LAN and PoE interfaces.

A static route in your LAN gateway (usually your router) to inform LAN clients that packets for the devices on the NVR PoE address range must be forwarded to the NVR LAN interface.
Something like
"For network 192.168.254.0/24 (ie subnet mask 255.255.255.0) use 192.168.30.3 as gateway"

When you've done that, you should be able to access the NVR PoE-connected cameras on their native 192.168.254.x addresses.

 

[SBBcarl]

Thank you for this detailed post! I actually have a new router coming tomorrow so I will give this a try then so I'm not wasting time setting up configurations twice. I will report back as soon as I give it a try.

 

[Tolting Colt Acres]

http://usernameassword@192.168.30.3:65001/ISAPI/Image/channels/1/ISPMode

= colon P

damn smileys

also see:

Hikvision IPC Firmware 5.5.0 - released 24 Sept 2017

 

[SBBcarl]

I got one of the cameras set up and the routes working correctly (I can ping it from my network).
However, I am still getting unauthorized when trying to CURL into it. I tried with both digest and basic/digest in the WEB and RTSP settings of the camera.

I am able to however access the link directly, much like when I was doing it via NAT. (http://admin:password@192.168.254.2/ISAPI/Image/channels/1/ISPMode) <- returns the XML assuming I am already authorized in the browser.

LM:~ ch$

traceroute 192.168.254.2
traceroute to 192.168.254.2 (192.168.254.2), 64 hops max, 52 byte packets
 1  192.168.10.1 (192.168.10.1)  1.672 ms  1.436 ms  1.239 ms
 2  192.168.30.3 (192.168.30.3)  2.532 ms  2.767 ms  2.900 ms
 3  192.168.254.2 (192.168.254.2)  3.100 ms  2.573 ms  2.959 ms


LM:~ ch$ curl --digest -X PUT -T ~/Desktop/ss.xml "http://admin:password@192.168.254.2/ISAPI/Image/channels/1/ISPMode"
<!DOCTYPE html>
<html><head><title>Document Error: Unauthorized</title></head>
<body><h2>Access Error: 401 -- Unauthorized</h2>
<p>Authentication Error</p>
</body>
</html>

LM:~ ch$ curl --basic -X PUT -T ~/Desktop/ss.xml "http://admin:password@192.168.254.2/ISAPI/Image/channels/1/ISPMode"
<!DOCTYPE html>
<html><head><title>Document Error: Unauthorized</title></head>
<body><h2>Access Error: 401 -- Unauthorized</h2>
<p>Authentication Error</p>
</body>
</html>

I ran a HTTP monitor when I logged into the camera from the web ui and got the following response.

GET http://username:password@192.168.254.3/ISAPI/Security/sessionLogin/capabilities?username=admin
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
If-Modified-Since: 0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Referer: http://192.168.254.3/doc/page/login.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: language=en; sdMarkTab_1_0=0%3AsettingBasic; sdMarkTab_1_2=0%3AsecurityAuth; sdMarkMenu=4%3Aimage; szLastPageName=image; sdMarkTab_4=0%3Adisplay

HTTP/1.1 200 OK
Date: Tue, 05 Feb 2019 12:57:26 GMT
Server: webserver
Content-Length: 392
Connection: keep-alive
Keep-Alive: timeout=10, max=97
Content-Type: application/xml
http://192.168.254.3/ISAPI/Security/sessionLogin?timeStamp=1549396713584

POST http://192.168.254.3/ISAPI/Security/sessionLogin?timeStamp=1549396713584
Origin: http://192.168.254.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
X-Requested-With: XMLHttpRequest
If-Modified-Since: 0
DNT: 1
Referer: http://192.168.254.3/doc/page/login.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: language=en; sdMarkTab_1_0=0%3AsettingBasic; sdMarkTab_1_2=0%3AsecurityAuth; sdMarkMenu=4%3Aimage; szLastPageName=image; sdMarkTab_4=0%3Adisplay

HTTP/1.1 200 OK
Date: Tue, 05 Feb 2019 12:57:26 GMT
Server: webserver
Content-Length: 183
Connection: keep-alive
Keep-Alive: timeout=10, max=96
Content-Type: application/xml

Is there anything else I need to be sending along with this CURL request to get the login to work?

 

[SBBcarl]

I figured this out.
I had to create a new user on the camera using an operator role and selecting the roles.
I wonder if this is a security limitation where it doesn't allow you go login using "admin" through this method.

LM~ ch$ curl --digest http://script:password@192.168.254.2/ISAPI/Image/channels/1/ISPMode
<?xml version="1.0" encoding="UTF-8"?>
<ISPMode version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
<mode>auto</mode>
<Schedule>
<scheduleType>day</scheduleType>
<TimeRange>
<beginTime>06:00:00</beginTime>
<endTime>18:00:00</endTime>
</TimeRange>
</Schedule>
</ISPMode>

 

[Tolting Colt Acres]

II wonder if this is a security limitation where it doesn't allow you go login using "admin" through this method.

No issues here.

 

[MrSman]

I figured this out.
I had to create a new user on the camera using an operator role and selecting the roles.
I wonder if this is a security limitation where it doesn't allow you go login using "admin" through this method.

I'm using Java to send HTTP Requests and my authentication is with "Admin" user and I don't get any error. I'm using a iDS-2CD6810F/C camera but configured by Hikvision Team so.. I don't know if they do something special for that

 

[SBBcarl]

Hmm, maybe i just am the unlucky one

I will try the same url, just with the admin user and see what happens.

 

[MrSman]

You can try it in Postman first that is a tool for send diferent type of requests.. and with the same tool you can export you request to diferent lenguages including CURL.

Hmm, maybe i just am the unlucky one

I will try the same url, just with the admin user and see what happens.

 

[SBBcarl]

You can try it in Postman first that is a tool for send diferent type of requests.. and with the same tool you can export you request to diferent lenguages including CURL.

Looks like my issue was not escaping symbols correctly in CURL. I had a $ sign in my password and I needed to put a \$ before it.

That being said, I was able to login with the admin account with this change.

Doesn't work
curl --digest -X PUT -T backyard_night.xml http://test:password$@192.168.254.7/ISAPI/Image/channels/1

Works
curl --digest -X PUT -T backyard_night.xml http://test:password\$@192.168.254.7/ISAPI/Image/channels/1

 

[essentialz]

I'm having an issue, I am trying to set up live streams on DGlux. I've read through countless post for hikvision API and I am not sure how to go about this. if I add the streams directly into dgLux it causes user to have to login every time the page is refreshed for each camera. adding the credentials prefix to the URL is no longer an option it seems as most browsers do not support this any more and has been deprecated. I was able to use postman to create a get request that passes credentials in the header and returns the video feed. However, this does me little good to me in dglux. Is there a way for me to open a session using a post request or something to send credentials that would inturn allow me to access the different feeds without having to continuously log in to the cameras?

 

[johnnygill]

Found this while trying to work out why my Alarm A1 output relay on my new Hik NVR wasn't working - with identical ISAPI URL

Found I have to change my CURL syntax to include --digest
otherwise I was getting 401 Authorization failed.
Figured it worth appending to this thread!

 

[trempa92]

Well if operator wont let u enough options, you can always enable ssh on camera and use root/password for various options, some not even possible with ISAPI

 

[johnnygill]

Well if operator wont let u enough options, you can always enable ssh on camera and use root/password for various options, some not even possible with ISAPI

Sorry mate, I'm talking about a Hikvision NVR.

WIth ISAPI I can trigger the alarm output relay on the NVR via a HTTP xml posting. I was only really posting to provide a solution for those (like me) who stumbled upon the thread, not asking for further help, cheers though

 

[surfzoid]

Hi, you can use and modify my script :

GitHub - surfzoid/HikNetExtractor: Provides functionality to extract periodically record event from Hikvion camera or NVR with ISAPI and HTTPDigestAuth enable. Add this script to an schedule task and you will keep records during the number of day you put in the config.

Provides functionality to extract periodically record event from Hikvion camera or NVR with ISAPI and HTTPDigestAuth enable. Add this script to an schedule task and you will keep records during t...

github.com