SSH Dahua

O

OnePunch

n3wb
Mar 31, 2018
20
5
Anyone know why I cannot SSH into my IPC-HDW5231R-ZE after I enabled SSH?


Code: 
ssh admin@yardcam.CQF.local
admin@yardcam.cqf.local's password:
Permission denied, please try again.
 
  • Like
Reactions: mat200
Same here.
 
You have to prepend the password with 7ujMko0
like this: 7ujMko0PASSWORD

Once you're in you're greeted by the dsh dahua protected shell which only lets you run a small list of prechosen commands. It isn't very useful. I put about 10 minutes to effort in to poking a hole in this sandbox without success. There are ways around it, some of which require opening the camera. Getting a full shell takes more effort than most people will want to put in.

I did recently manage to crash some of the camera software on a dahua camera by accident. Trust me there are plenty more bugs and security vulnerabilities in the software.
Remember kids, most of computer security can be boiled down to one thing: input validation.

Code: 
Commands in dsh
help:
Support Commands:
shell    help    getDateInfo    diagnose    gethwid


diagnose 1:    cat /proc/interrupts
diagnose 2:    cat /proc/meminfo
diagnose 3:    cat /proc/devices
diagnose 4:    cat /proc/net/dev
diagnose 5:    cat /proc/uptime
diagnose 6:    route -n

gethwid [option 0-22]
        productGetName        = 0
        HWID_VERSION            = 1
        CATEGORY            = 2
        SUB_CATEGORY            = 3
        FVIDEO_CHIP            = 4
        DSP_CHIP            = 5
        BVIDEO_CHIP            = 6
        VIDEO_CHANNEL            = 7
        ANALOG_AUDIO_MODE        = 8
        AUDIO_IN_CHANNEL        = 9
        AUDIO_OUT_CHANNEL        = 10
        STORE_INTERFACE            = 11
        CPU_COUNT            = 12
        ALARM_MODE            = 13
        WIRELESS_INTERFACE        = 14
        HD_ENCODE            = 15
        VD_INTERFACE            = 16
        NET_INTERFACE            = 17
        INTE_ANALYSE            = 18
        HD_VERSION            = 19
        VIDEO_STAND            = 20
        HAS_SD_CARD            = 21
        PHY_MEMSIZE            = 22


and getDateInfo which displays the wrong date.

the shell command asks for a password.
 
Last edited:
  • Like
Reactions: carbonita and mat200
alastairstevenson said:
I have a recollection that the 'shell' command takes you to a full shell and that helpme was the password - but I can't check as I don't have the device any more.
Click to expand...
helpme doesn't work. After you type in shell the prompt is "Domain Accounts:"
hik used zhimakaimen in their shell for something, i don't remember exactly what that did.
 
tangent said:
helpme doesn't work. After you type in shell the prompt is "Domain Accounts:"
Click to expand...
I do recall getting to a full command access - but I didn't write down the detail and don't remember it, apart from being surprised that it was possible.
Presumably you've tried the usual 888888 666666 and the admin password? I think that's what I would have done when trying it.

tangent said:
hik used zhimakaimen in their shell for something, i don't remember exactly what that did
Click to expand...
This is a challenge / response command to bypass the 'psh' restricted shell, but I never figured how to get through it, just past it.
 
alastairstevenson said:
I do recall getting to a full command access - but I didn't write down the detail and don't remember it, apart from being surprised that it was possible.
Presumably you've tried the usual 888888 666666 and the admin password? I think that's what I would have done when trying it.


This is a challenge / response command to bypass the 'psh' restricted shell, but I never figured how to get through it, just past it.
Click to expand...
I know way to get past it, so also didn't put too much effort into getting through it. 888888 for the 'domain account' spews some gibberish (I tried a few charsets but don't have that sorted), then prompts "Check codes:"
 
tangent said:
I know way to get past it, so also didn't put too much effort into getting through it. 888888 for the 'domain account' spews some gibberish (I tried a few charsets but don't have that sorted), then prompts "Check codes:"
Click to expand...
So I changed some settings on my ssh client, and as I suspected the gibberish is a QR code. It contains a URL that gets passed some hashed or otherwise encoded strings.
 
Dahuacamcctv said:
How do you enable ssh on a dahua camera? Do you have to use an http command like with telnet?
Click to expand...

From my "dahua scrapbook":
http://<ip-address>/cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true

Login: telnet <ip-address>
Username: admin
Password: 7ujMko0<YOURADMINPASSWORD>
example: admin password ipcamtalk then use the password: 7ujMko0ipcamtalk
Click to expand...
 
Hi Guys, you will be never get the right answer.

The generated QR Code, is for DAHUA employees, so you get only Access with there Accounts.

For SSH the Password is for default 7ujMko0(YOUR ADMIN PASSWORD)
 
  • Like
Reactions: Nurettin Alp
Greetings!

How do I login via SSH to the following units:
  • VTH1550CH
  • VHT5221DW

I tried 7ujMko0(ADMIN PASSWORD), but it tells me that the password is invalid.
Any other options?

Thank you.
 
  • Like
Reactions: brianegge
You must log in or register to reply here.
Top Bottom