Does Milestone Store Camera Passwords In Clear Text?

I am going on site tomorrow for a location where the old integrator is now defunct. The system has been down for 2 months, and it was an old Intransa/Milestone system. The problem is that nobody knows what the camera passwords are. Is there a location on the Milestone server where you can find out the passwords in clear text? I know this exists on other systems, but I am not sure on Milestone. Maybe in the Database?


I do not know if Milestone does or not. However, if it is an older system there is a high probability that the cameras are not using HTTPS for the Milestone->Camera login. This means you can use a tool like Wireshark to sniff the network traffic and get the logins.

There are a number of ways you can go about this, using a mirror port on a switch would be the most common. One method that I've never tried personally, but would give a shot, would be to disconnect a camera, clone that camera's MAC address to your laptop, give your laptop the same IP as the camera, put the laptop on the network and let Milestone try to "log in" to your laptop while it is running Wireshark.

With any luck all the camera username/passwords are the same and getting one will give you all of them.

Milestone used to but as of some time around the 2013, 2013 R2, or 2014 release they are no longer stored in clear text. If you're operating on an older version you may be in luck. If running a newer version the method Brian spells out may be the best option and is something I will add to my book of tricks.

...give your laptop the same IP as the camera, put the laptop on the network and let Milestone try to "log in" to your laptop while it is running Wireshark.

Yes, but it needs to be listening on the port, no?

See: How To Write An RTSP URL Honeypot...

Yes, but it needs to be listening on the port, no?

No. By default Wireshark is going to be listening on ALL ports. You'll likely pick up a lot of traffic, so you could filter by port (if you know it), or by src ip of the Milestone server (probably easier to determine quickly).

By default Wireshark is going to be listening on ALL ports.

When I said listening, I mean as in the system call listen();

Without something listen()ing on port 554, for instance, no TCP connection will be established, and therefore no information will be exchanged between the VMS and your pseudo-camera.

It's been a while since I've tested something like this, and it was not with Milestone specifically, but in the past I did some Wiresharking to figure out an RTSP URL a pre-configured system was using. In that case the software was attempting to connect to a remote IP by passing the entire RTSP connection string in the format:

rtsp://username:password@IP.ADD.RE.SS:PORT/video.sdp

I seem to recall it just attempting to connect directly with the URL, but I also see what you mean about needing something to setup the TCP handshake. I was probably running a telnet or httpd on port 554 just to "accept" the incoming connection.

My idea might not work as intended without a little more twiddling around to create some sort of pseudo-listener on the laptop.

Maybe it would work as you say, in the case of a UDP connectionless datagram. Perhaps the VMS at some point would attempt that. You still need a listener on the receiving side to do anything real, but maybe you can see the user pass as the DGRAM gets bounced back. Ill try it.

I am going on site now and I am going to try Wireshark. I have a good feeling about this, and I will let you know how it goes!

Good luck.

To be clear, running Wireshark directly on the machine that Milestone is running on should work without any need for port duplication or a pseudo-camera listener.

As Brian points out, it's not normal for https to be used, and if you do encounter TLS packets, you can revert the system to https.

Older Milestone yes, newer no its hashed. Wireshark is your friend :)