Truvision NVR71 config backup decrypt

neuser1

n3wb
May 2, 2022
Seattle USA
Hi Everyone!

I am really happy to have stumbled upon this resource!

Currently, I am assisting a colleague with a TruVision NVR71 which appears to be a rebranded Hikvision NVR.

There are a dozen or so cameras that I want to recover the password from the database.

We have access to the device. The serial console is locked down. What's more interesting, the uBoot console is also locked down and does not allow changes to setenv to enable a high privileged console.

The admin password is known and we were able to get a config backup.

Does anyone have any ideas on what to try?

The config backup process asks us to set a password for the config file. It looks like AES ECB encryption on the backup file itself.
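Added example (not part of the original post, and not Hikvision or TruVision code): one way to check a "looks like AES ECB" observation is to count repeated aligned 16-byte blocks in the ciphertext. The helpers `toy_ecb` and `toy_chained`, the sample data and the key are constructed for illustration; HMAC-SHA256 stands in for AES because only per-block determinism matters here.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes

def repeated_block_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of aligned blocks that are copies of another block in the data."""
    blocks = [data[i:i + block] for i in range(0, len(data) - block + 1, block)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    repeated = sum(n for n in counts.values() if n > 1)
    return repeated / len(blocks)

def looks_like_ecb(data: bytes, threshold: float = 0.01) -> bool:
    """Heuristic: well-mixed ciphertext should have ~0 repeated 16-byte blocks."""
    return len(data) % BLOCK == 0 and repeated_block_ratio(data) > threshold

def _prf(key: bytes, msg: bytes) -> bytes:
    # Stand-in for one AES block encryption (the stdlib has no AES): a keyed,
    # deterministic 16-byte output is all this demonstration relies on.
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]

def toy_ecb(key: bytes, plaintext: bytes) -> bytes:
    """Each block transformed independently: equal inputs give equal outputs."""
    return b"".join(_prf(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))

def toy_chained(key: bytes, plaintext: bytes) -> bytes:
    """Each output depends on the previous output, as in a chained mode."""
    out, prev = [], b"\x00" * BLOCK
    for i in range(0, len(plaintext), BLOCK):
        prev = _prf(key, prev + plaintext[i:i + BLOCK])
        out.append(prev)
    return b"".join(out)

# Constructed sample: a config-like blob with long zero-padded fields.
SAMPLE = (b"user=admin".ljust(64, b"\x00") + b"chan=01".ljust(64, b"\x00")) * 8
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for name, fn in (("ecb-like", toy_ecb), ("chained", toy_chained)):
        ct = fn(KEY, SAMPLE)
        print(name, round(repeated_block_ratio(ct), 3), looks_like_ecb(ct))
```

A high ratio on a real backup file only indicates a deterministic per-block mode; it does not identify the cipher or the key derivation.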
 
Does anyone have any ideas on what to try?
A bit of a long shot -
Presumably you've tried using the NVR admin password on the cameras without success.
With a Hikvision NVR PoE channel in 'Plug&Play' mode, it will 'Activate' a camera that's added to an NVR PoE port, or one found with the 'Quick add' button in the NVR web GUI Camera Management page for non-PoE NVRs.
By default, on older firmware, Activation used the NVR admin password.
But - as this provided a 'trojan horse' method of extracting an NVR password, Hikvision added the facility to define a separate camera activation password.
Initially, optional, but on newest firmware, mandatory.

I'm wondering if the NVR you're assisting with has the alternate camera activation password defined and in use.
If so - a suggestion to try :
With a Hikvision camera that has firmware between 5.3.0 and 5.4.0 (so it has the backdoor vulnerability) reset it to defaults so it's 'Inactive' and connect it to the network the NVR is on.
In the NVR web GUI, in Camera Management, use the Quick Add button to search and find the camera and add it, then use the 'Activation' button (top right, Camera Management) to activate it.
Tick the box to use the defined activation password as opposed to specifying the password.

If this activates and adds the camera OK, pull a copy of the camera configuration file using the backdoor vulnerability with this URL :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If that works, zip it up and attach here and it can be decrypted and decoded to extract the camera password.

I hope that makes sense!
 
There are a dozen or so cameras that I want to recover the password from the database.
And I should have asked -
What's the firmware version of the presumed Hikvision-OEM cameras?
If it's from 5.3.0 to 5.4.0 try this URL to see if it pulls a configuration file with no authorisation needed :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK
If so - zip it up and attach here, it can be decrypted and decoded to extract the password.