Hacking Hikvision CC System
Hey guys, I want to hack into a CCTV system. The system is from Hikvision. Yes, I know that there is an exploit out there for command injection. This system is not affected by this issue. 

My current state is: I'm in the network. The firmware is up to date, so there is no way to reset the password without knowing the three answers to the questions, having some kind of file, or getting some kind of "master password" sent to some e-mail address (which I don't know and have no access to). 

The CCTV system consists of an NVR for coax cameras and two IP cameras. The NVR gets the stream from the IP cameras over RTSP. With ARP poisoning I was able to get in between the camera and the NVR and capture the traffic. The stream is password protected. The authentication type is Digest, unfortunately not Basic, so it's hashed. I tried to crack it with hashcat using a huge wordlist, but with no success. I also tried brute-forcing the password. The minimum password length for the camera is 8 chars. I tried 8 and 9 chars of a-zA-Z0-9, no success. I also tried phone numbers up to 13 chars. No luck.

One idea is to intercept the traffic again, try to force a Basic authentication, and hope that the NVR will reveal the password. But I don't know how to do that. Or does someone have a better wordlist? Or another idea?
Reply
If you send me the hash and its algorithm, I'll gladly give it a shot. Alternatively, Hashmob offers paid hash bounties for crypto (and it looks like GPUHASH does too, but I can't vouch for them).
Reply
(November 14, 2022, 03:54 PM)mbraun Wrote: Hey guys, I want to hack into a CCTV system. The system is from Hikvision. Yes, I know that there is an exploit out there for command injection. This system is not affected by this issue. 
Hi,
Awesome explanation so far.
I will be happy to help in cracking the hash.
If you think the hash can be shared, I can try cracking it.
Reply
Thank you for wanting to help me with the password. First, here is the hash:

$sip$*/ch1/sub/av_stream**admin*IP Camera(G0039)*DESCRIBE**/ch1/sub/av_stream**b5fc222f8bf2095a7e299a60065e241f****MD5*3e4362b8012633a9b21d5b59e8e30194

The hash type is "SIP Digest"; it's algorithm 11400 in hashcat. To be a bit more technical about the process, I was able to capture these packets / this communication:

OPTIONS rtsp://192.168.0.201/ch1/sub/av_stream RTSP/1.0
CSeq: 1
User-Agent: HIKVISION player NVR V4.70.140

RTSP/1.0 200 OK
CSeq: 1
Public: OPTIONS, DESCRIBE, GET_PARAMETER, PAUSE, PLAY, SETUP, SET_PARAMETER, TEARDOWN
Date:  Sun, Nov 13 2022 09:23:11 GMT

DESCRIBE rtsp://192.168.0.201/ch1/sub/av_stream RTSP/1.0
CSeq: 2
Accept: application/sdp
User-Agent: HIKVISION player NVR V4.70.140

RTSP/1.0 401 Unauthorized
CSeq: 2
WWW-Authenticate: Digest realm="IP Camera(G0039)", nonce="b5fc222f8bf2095a7e299a60065e241f", stale="FALSE"
Date:  Sun, Nov 13 2022 09:23:12 GMT

DESCRIBE rtsp://192.168.0.201/ch1/sub/av_stream RTSP/1.0
CSeq: 3
Accept: application/sdp
Authorization: Digest username="admin", realm="IP Camera(G0039)", nonce="b5fc222f8bf2095a7e299a60065e241f", uri="/ch1/sub/av_stream", response="3e4362b8012633a9b21d5b59e8e30194"
User-Agent: HIKVISION player NVR V4.70.140

RTSP/1.0 200 OK
CSeq: 3
Content-Type: application/sdp
Content-Length: 505

So what do we see here? We have Digest authentication. According to Wikipedia, the server sends a nonce string. From this string, some other data, and the password, the client generates a response. It's done with this algorithm:
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:HA2)

I searched the whole web and there seem to be two methods. The first is using the algorithm above and brute-forcing it with the CPU, or using hashcat and the GPU. Because it's just 2x MD5 (the third one is static), the process is quite fast on a GPU, but I wasn't able to do more than 8 chars mixed case + numbers on my 3070. 

Let's go further. In hashcat there is no typical "Digest" algorithm, and also no converter from an HTTP / RTSP header to the hash string for hashcat. Hashcat gives this as the string description:

$sip$*[URI_SERVER]*[URI_CLIENT]*[USERNAME]*[REALM]*[METHOD]*[URI_PREFIX]*[URI_RESOURCE]*[URI_SUFFIX]*[NONCE_SERVER]*[NONCE_CLIENT]*[NONCE_COUNT]*[QOP]*[DIRECTIVE]*[MD5]

When I saw this string for the first time, I didn't know what to do, because there is a NONCE_CLIENT, QOP, NONCE_COUNT and so on. These fields were missing from the RTSP authentication. To be sure I had the right hash string, I used an HTTP digest authentication. The captured header was this:

Authorization: Digest username="test", realm="[email protected]", nonce="53f7fddcb5db74aeb3872a540b9cf46f", uri="/digest-auth/undefined/test/test123", algorithm=MD5, response="80a992050800c37b07b2f752d702b341", opaque="b6c0f870225bad41df87ad88deb9aa1b", qop=auth, nc=00000001, cnonce="a840537d6e4df4be"

As you can see, there are more "fields" populated than with RTSP. With this sample I was able to find the right variable set and crack the password for the first time. But I still had the problem that some variables were missing. 

I also have some CCTV cameras in my home. These are Reolink cameras, and they also use RTSP and Digest authentication. So I captured their traffic. The header looked similar:
DESCRIBE rtsp://10.2.0.132:554/h264Preview_01_main RTSP/1.0
CSeq: 4
Authorization: Digest username="admin", realm="LIVE555 Streaming Media", nonce="bd509e8a78f885d51659162a426e8ff9", uri="rtsp://10.2.0.132:554/h264Preview_01_main", response="*************"
User-Agent: LibVLC/3.0.16 (LIVE555 Streaming Media v2016.11.28)
Accept: application/sdp

With this data and my first knowledge about Digest cracking from the first sample, I was able, after a few failures, to crack my own password for my cameras. So I adapted the variables, and now I'm sure that I have the right hash string for hashcat.
Reply
(November 15, 2022, 03:34 PM)mbraun Wrote: Thank you for wanting to help me with the password. First, here is the hash:

Taking a look at the hash. Will update if the thing can be cracked.
Reply
This is so shitty, I would never do such a degenerate act as hacking a cctv
I have quit due to abuse from mods. I will be back some day
Reply