Class 10 Assignment - Hack Our Camera!

I used the app to change the password:

With the changed admin credentials I signed in - I was able to sign-in, however, due to IT restriction in my company I was unable to see the streaming video

I logged in, it had one account, admin.  I used the tool and changed the password to scottrocks!1

Added another user and wrapped up my work.

Note: I couldn't ever get live video to display via the web interface no matter browser tricks I used.  Didn't spend long at that part though.  And my antivirus really did not like the password helper since it was not common.   It did not detect it has an actual virus.

I logged into admin using the tool with the default password 12345abc.

I created myself an account, davidd, and gave myself plenty of privileges.

Then renamed the camera:

I decided the plugin couldn't be trusted to view video.  I'm assuming it will work if I run the plugin executable under Internet Explorer (the others don't allow plugins any more) and allow it several times to run the plugin.  I didn't want to allow the plugin on my work machine.  So I just used the snapshot command.

The backdoor was very inviting in this case!

Hi I used the Password change tool with the URL to change the password and then log in to the camera using the newly default password. As you can see below it wouldn't allow me to view a live image due to not having the plug in installed on my computer to view.

Very interesting how easy it was to do in the end.

Hi

First i accessed the screenshot of the camera using the screenshot URL.

I then used the app to change the password and was then able to access the camera. in the Image i was able to change the overlay text.

Great assignment...

• Then I reset the admin password to 54321zyx
• I logged in afterwards with the admin account
• I added a new user ipvm with pass: 1234azer

Pretty crazy, this kind of exploits

I located the camera’s IP and used it throughout the exercise.

I first acquired a still shot from the camera,

Then proceeded to access the user file,

I then proceeded to hack the password and change the OSD

 Looked into all the options available, was tempted to reset the camera.

Maintenance has some intreating options,

Did look and found more Hikvision cameras with this version of firmware, was tempted to hack in but that would be dishonest.

First I accessed the camera’s web interface at: http://hikvisionbackdoor.dyndns.org

I tried the Hikvision default credentials of admin/12345, which produced error “User name or password is incorrect. Please enter again.”

I tried accessing the user list without the auth string (hikvisionbackdoor.dyndns.org/Security/users), just to see what would happen. I received a popup box asking for credentials.

I then tried with the auth string (http://hikvisionbackdoor.dyndns.org/Security/users?auth=YWRtaW46MTEK) and found that the only user account is “admin.”

I obtained a snapshot:

I downloaded the configuration file, although my computer didn’t know how to open it. I tried opening with Notepad++, but it was just gibberish.

I downloaded the Password reset app and reset the password to ipvmIPVM!

I was then able to log in to the camera.

Live View would not load without installing a plug-in, but even after that, I continued to get an error that “Live view failed.” I tried a different browser and continued to have trouble with the Live View.

I used the app to change the password and then logged into the camera.

Once in, I changed the name of the camera and used the magic string for taking a snapshot (see below). I decided not to install the plugin to for live view.

Crazy how easy it is to gain complete access!

I used the app to change the password

this was a fun and scary lesson

Well, down to point,

Was able to immediately see the log screen.

Was able to get the config list

There was only one user listed.

I was able to take a snapshot: but wanted to be a little creative before taking snip.

I used the tool. Tried version 1.0 but it did not work at all

Was working on a windows 10 computer, and even with antivirus disabled, the tool would not work.

Moved to a Win 7 computer and it worked like a dream.

I changed the password for admin to UBHacked1234

When I logged in, I was getting a message that it needed a plug-in, although that didn’t work.

Tried with Chrome, Firefox, and IE, even added to IE for compatibility mode, and didn’t work.

I was able to get another snap shot. Through the web request, to verify that it worked.

I have to admit this assignment made me work for the final goal, but it was worth it.

I was able to change the password using the app to Hackerami95 aka "Hacker am I 95"

Then I entered the system and took a screenshot of the camera after I placed the sentence "It's official, I am a Hacker" on the top of the screen.

I used the app to change the password as follows: 

With access to the camera I then changed the OSD:

This seems like a really fun assignment however my company is blocking this link http://hikvisionbackdoor.dyndns.org Is there possibly another assignment that is similar to this or something else i would be able to do to complete this? 

very interesting assignment; Symantec would not let me load the password reset app. or

would not let me exe. the viewer in firefox, but able to get snapshot in IE(above)

might get the visit from the IT GUYS on this one.

http://camera.ip/Security/users?auth=YWRtaW46MTEK

http://camera.ip/onvif-http/snapshot?auth=YWRtaW46MTEK

http://camera.ip/System/configurationFile?auth=YWRtaW46MTEK

I have tryed to copy and paste the above links:  and is saids :Server not found when i typed in full address with the Http://.

and without Http:// I get a list of hack programs that i have no info on and somewhat don't trust to run on my computer

I used the configuration to change the text overlay.

I was able to change admin password to Hack101?

able to login to the camera:

added plugin but wouldn't allow me to view live. below it shows I'm able to get into config and change camera name.

Used the tool to change the password

Was unable to get the streaming working. It may be our network.

Since I was unable to see the screen. I added a new operator.

 I used the tool and changed the password back to 12345abc

Thanks John that worked

List of user roles.

Here is a snapshot of the camera.

User File: 
<UserList xmlns="http://www.hikvision.com/ver10/XMLSchema"version="1.0">
<User xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0">
<id>1</id>
<userName>admin</userName>
<priority>high</priority>
<ipAddress>0.0.0.0</ipAddress>
<macAddress>00:00:00:00:00:00</macAddress>
<userLevel>Administrator</userLevel>
</User>
<User xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0">
<id>2</id>
<userName>sneakyOperator</userName>
<priority>low</priority>
<ipAddress>0.0.0.0</ipAddress>
<macAddress>00:00:00:00:00:00</macAddress>
<userLevel>Operator</userLevel>
</User>
</UserList>

This is how far I got with this, I had a difficult time getting a image.

Used the app to change the password

Here is the view of the new OSD I changed.

1) I used the app to change the password.

2) Logged in and changed the OSD to Happy Happy Halloween AND changed the date format.

3) Retrieved user list.

<UserList xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0"><User xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0"><id>1</id><userName>admin</userName><priority>high</priority><ipAddress>0.0.0.0</ipAddress><macAddress>00:00:00:00:00:00</macAddress><userLevel>Administrator</userLevel></User><User xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0"><id>2</id><userName>sneakyOperator</userName><priority>low</priority><ipAddress>0.0.0.0</ipAddress><macAddress>00:00:00:00:00:00</macAddress><userLevel>Operator</userLevel></User><User xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0"><id>3</id><userName>johnd</userName><priority>low</priority><ipAddress>0.0.0.0</ipAddress><macAddress>00:00:00:00:00:00</macAddress><userLevel>Operator</userLevel></User></UserList>

camera snapshot

camera information

v/r

kelly

Hi All,

I used the windows app to reset the admin password to JZwashere123.

Login to the camera with this credential and changed the camera name to "JZ was here"

Used the link with the auth string and took a snapshot. See below.

Also downloaded the user list and camera configuration.

Was not able use commands.  But got in using the default directory listing. admin/12345abc.  I gave myself a user name.

Live view failed, even after installing plug ins.  I suspect it has to do with network security at my work.  But, otherwise i had free run of the camera's systems.

I accessed the:

1) List of all users and their roles
2) Camera snapshot without authentication
3) Camera configuration code

After dl'ing the pwd change app, I retrieved the user list and changed the admin password. After logging into the device under the new password, I created user account "donc" and subsequently logged in under the new user name. I perused the camera settings--unfortunately I am unable to see motion images on the computer that I have access to today.