SSH Dahua

Discussion in 'Dahua' started by OnePunch, May 12, 2018.

Share This Page

  1. OnePunch

    OnePunch n3wb

    Joined:
    Mar 31, 2018
    Messages:
    18
    Likes Received:
    3
    Anyone know why I cannot SSH into my IPC-HDW5231R-ZE after I enabled SSH?


    Code:
    ssh admin@yardcam.CQF.local
    admin@yardcam.cqf.local's password:
    Permission denied, please try again.
    
     
    mat200 likes this.
  2. aristobrat

    aristobrat IPCT Contributor

    Joined:
    Dec 5, 2016
    Messages:
    2,275
    Likes Received:
    2,005
  3. tangent

    tangent IPCT Contributor

    Joined:
    May 12, 2016
    Messages:
    3,858
    Likes Received:
    2,527
    You have to prepend the password with 7ujMko0
    like this: 7ujMko0PASSWORD

    Once you're in you're greeted by the dsh dahua protected shell which only lets you run a small list of prechosen commands. It isn't very useful. I put about 10 minutes to effort in to poking a hole in this sandbox without success. There are ways around it, some of which require opening the camera. Getting a full shell takes more effort than most people will want to put in.

    I did recently manage to crash some of the camera software on a dahua camera by accident. Trust me there are plenty more bugs and security vulnerabilities in the software.
    Remember kids, most of computer security can be boiled down to one thing: input validation.

    Code:
    Commands in dsh
    help:
    Support Commands:
    shell    help    getDateInfo    diagnose    gethwid
    
    
    diagnose 1:    cat /proc/interrupts
    diagnose 2:    cat /proc/meminfo
    diagnose 3:    cat /proc/devices
    diagnose 4:    cat /proc/net/dev
    diagnose 5:    cat /proc/uptime
    diagnose 6:    route -n
    
    gethwid [option 0-22]
            productGetName        = 0
            HWID_VERSION            = 1
            CATEGORY            = 2
            SUB_CATEGORY            = 3
            FVIDEO_CHIP            = 4
            DSP_CHIP            = 5
            BVIDEO_CHIP            = 6
            VIDEO_CHANNEL            = 7
            ANALOG_AUDIO_MODE        = 8
            AUDIO_IN_CHANNEL        = 9
            AUDIO_OUT_CHANNEL        = 10
            STORE_INTERFACE            = 11
            CPU_COUNT            = 12
            ALARM_MODE            = 13
            WIRELESS_INTERFACE        = 14
            HD_ENCODE            = 15
            VD_INTERFACE            = 16
            NET_INTERFACE            = 17
            INTE_ANALYSE            = 18
            HD_VERSION            = 19
            VIDEO_STAND            = 20
            HAS_SD_CARD            = 21
            PHY_MEMSIZE            = 22
    
    
    and getDateInfo which displays the wrong date.
    
    the shell command asks for a password.
    
    
     
    Last edited: May 13, 2018
    carbonita and mat200 like this.
  4. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,252
    Likes Received:
    3,578
    Location:
    Scotland
    I have a recollection that the 'shell' command takes you to a full shell and that helpme was the password - but I can't check as I don't have the device any more.
     
  5. tangent

    tangent IPCT Contributor

    Joined:
    May 12, 2016
    Messages:
    3,858
    Likes Received:
    2,527
    helpme doesn't work. After you type in shell the prompt is "Domain Accounts:"
    hik used zhimakaimen in their shell for something, i don't remember exactly what that did.
     
  6. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,252
    Likes Received:
    3,578
    Location:
    Scotland
    I do recall getting to a full command access - but I didn't write down the detail and don't remember it, apart from being surprised that it was possible.
    Presumably you've tried the usual 888888 666666 and the admin password? I think that's what I would have done when trying it.

    This is a challenge / response command to bypass the 'psh' restricted shell, but I never figured how to get through it, just past it.
     
  7. tangent

    tangent IPCT Contributor

    Joined:
    May 12, 2016
    Messages:
    3,858
    Likes Received:
    2,527
    I know way to get past it, so also didn't put too much effort into getting through it. 888888 for the 'domain account' spews some gibberish (I tried a few charsets but don't have that sorted), then prompts "Check codes:"
     
  8. alastairstevenson

    alastairstevenson Staff Member

    Joined:
    Oct 28, 2014
    Messages:
    11,252
    Likes Received:
    3,578
    Location:
    Scotland
    I'm annoyed that I don't recall the detail or write it down. Oh, well, never mind.
     
  9. tangent

    tangent IPCT Contributor

    Joined:
    May 12, 2016
    Messages:
    3,858
    Likes Received:
    2,527
    So I changed some settings on my ssh client, and as I suspected the gibberish is a QR code. It contains a URL that gets passed some hashed or otherwise encoded strings.
     
  10. mifrey

    mifrey n3wb

    Joined:
    Dec 20, 2018
    Messages:
    14
    Likes Received:
    5
    Location:
    Belgium
    I tried on my VTO2111. I typed 888888 for the Domain accounts and yes I got a QR code that contains the url
    https://svsh.dahuatech.com/svsh.html?v=2&u=888888&t=xxxxxxxxxxxxxxxxxx

    where xxxxxx is a string of 64 characters.

    The web page says

    Agent 888888.
    To get a Authent code, You must verify your identity first.Enter your domain password below:

    And there I do not know what to type...
     
    Last edited: Dec 21, 2018
    intelcom likes this.
  11. Dahuacamcctv

    Dahuacamcctv Young grasshopper

    Joined:
    Jun 6, 2018
    Messages:
    61
    Likes Received:
    26
    Location:
    Chicago
    How do you enable ssh on a dahua camera? Do you have to use an http command like with telnet?
     
  12. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    964
    Likes Received:
    586
    From my "dahua scrapbook":
     
  13. Dahuacamcctv

    Dahuacamcctv Young grasshopper

    Joined:
    Jun 6, 2018
    Messages:
    61
    Likes Received:
    26
    Location:
    Chicago
    Yes, but that is for telnet. I am looking to enable ssh. Telnet was removed.
     
  14. carbonita

    carbonita Young grasshopper

    Joined:
    Oct 15, 2018
    Messages:
    50
    Likes Received:
    16
    Location:
    SFBayArea
    activeX client: Setting > System > Safety > SSH (enable)
     
  15. afddwfadwfadwf

    afddwfadwfadwf Young grasshopper

    Joined:
    Mar 28, 2016
    Messages:
    69
    Likes Received:
    8
    any news on Domain accounts? The QR code goes to dahua's website asking for domain password
     
  16. intelcom

    intelcom n3wb

    Joined:
    Oct 12, 2016
    Messages:
    5
    Likes Received:
    0

    Do you have any news for that???
     
  17. mifrey

    mifrey n3wb

    Joined:
    Dec 20, 2018
    Messages:
    14
    Likes Received:
    5
    Location:
    Belgium
    No ☹️
     
  18. Soeren_DK

    Soeren_DK n3wb

    Joined:
    Dec 20, 2018
    Messages:
    1
    Likes Received:
    0
    Location:
    World
    Any news on this?
     
  19. Lanaii

    Lanaii n3wb

    Joined:
    Sep 9, 2019
    Messages:
    3
    Likes Received:
    0
    Location:
    Austria
    Hi Guys, you will be never get the right answer.

    The generated QR Code, is for DAHUA employees, so you get only Access with there Accounts.

    For SSH the Password is for default 7ujMko0(YOUR ADMIN PASSWORD)