Illegal Logins On Hikvision NVR?

I have a customer with a Hikvision NVR with email alerts set up to alert on illegal logins. At around 4:00am, there were 2,000 attempts to log in to "admin" from IP address 192.168.1.33. The store was closed at the time and due to the extremely high number of attempts I'm sure this was a computer generated attack. Any thoughts on why this is showing a LAN address? Does this mean that whatever PC is 1.33 is suspect? How serious is this and what steps should I suggest to the customer?


That IP address is a local address to that LAN. Do you know what device is currently using 1.33?

Maybe a camera at 1.33 is trying to send video to the NVR?

I will be checking for the IP address when on site tomorrow. Cameras are in 192.168.254...

hmmm, the NVR is 192.168.0...

I haven't seen many cameras log into an NVR; usually it's the other way around, but anything is possible. They wouldn't happen to be connected to a WLAN (wireless LAN) of some sort, would they? Nothing like hopping on someone's free wifi and seeing what you can break into if you are a bored hacker.

Cameras are connected to the built-in PoE and the NVR is hardwired to the LAN. Yes, there is wifi access to this network, but would 192.168.1.33 be able to connect to 192.168.0.5 to even get to the login screen? And for someone to manually attempt 2,000 times in one hour?

Yes, assuming there is a router between the 1 and the 0 subnets.

I have software that can do that many logins in an hour; it just spams a list of well-known and commonly used user/passwords. If it's connected somehow then yes, you can get to it; it just depends on what's left open port-wise.

Maybe just a PC rebooting after Windows Update with a client viewer in the autostart group?

edit: just saw the 2000/hr

If the IP address is on the wifi LAN, then I would say someone just used password cracker software on it, as "admin" is consistently used as the user for login.

Perhaps a virus on the 1.33 PC which does a network scan. Are you sure there is even a 1.33 machine?

Will be checking tomorrow for that IP. I don't have formal training in network security but I can see how your theory is very possible. I just didn't know 1.33 could talk to 0.5 that easily.

There are a number of ways a 192.168.0.x address can communicate with a 192.168.1.33 address. If the subnet mask is set to class A or B, for example, a misconfigured L3 switch, or a router would all provide such functionality. Regardless, it looks like automated probing via software. Could also just be a Kerberos / SSL key expiration. Hope this helps.
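The subnet-mask point above is easy to check rather than guess at. The following is an added example, not code from the thread or from Hikvision: it takes the two addresses quoted in the thread (the NVR at 192.168.0.5 and the suspect at 192.168.1.33) and shows, for a few candidate prefix lengths (assumptions for illustration), whether the NVR would treat the suspect as an on-link neighbour it ARPs for directly or as a host it must reach through its default gateway.

```python
"""Added example (not from the thread): how the NVR's own subnet mask decides
whether 192.168.1.33 is treated as an on-link neighbour or as a host behind a
router. The two addresses are the ones quoted in the thread; the candidate
masks are assumptions for illustration."""
import ipaddress

NVR_ADDRESS = "192.168.0.5"      # from the thread
SUSPECT = "192.168.1.33"         # from the thread


def on_link(host: str, prefix_len: int, other: str) -> bool:
    """True if `other` falls inside the network `host` believes it is on.

    Inside that network the host ARPs for `other` directly; outside it the
    host hands the packet to its default gateway, so a router is required.
    """
    net = ipaddress.ip_interface(f"{host}/{prefix_len}").network
    return ipaddress.ip_address(other) in net


def mask_report(host: str, other: str, prefix_lens=(8, 16, 24)) -> dict:
    """Map each candidate prefix length to whether `other` looks on-link."""
    return {bits: on_link(host, bits, other) for bits in prefix_lens}


def explain(host: str, other: str, configured_prefix: int) -> str:
    """One-line verdict for the mask actually configured on the device."""
    net = ipaddress.ip_interface(f"{host}/{configured_prefix}").network
    if on_link(host, configured_prefix, other):
        return (f"{other} is inside {net}: the NVR talks to it directly, "
                f"so it is (or claims to be) on the same segment")
    return (f"{other} is outside {net}: a router must sit between the subnets, "
            f"and that router's logs are the next place to look")


if __name__ == "__main__":
    for bits, reachable in mask_report(NVR_ADDRESS, SUSPECT).items():
        print(f"/{bits}: on-link = {reachable}")
    print(explain(NVR_ADDRESS, SUSPECT, 24))
```

With a correct /24 the two hosts are on different segments and a router (or an L3 switch) has to be forwarding between them; with a class A or B mask (/8 or /16) typed in by mistake, 192.168.1.33 becomes a direct neighbour and no router is involved at all. Either way the device that answers for 192.168.1.33, or the router's forwarding logs, is where the trail continues.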

UPDATE...

No 1.33 on the customer's network. The customer lost remote viewing at the same time as the illegal logins. The password to the NVR had been changed, so I suspect the attacker was successful at getting in and changing the password. Got the password reset by Hik and got back in and remote view working. Checked the log again but it was no longer showing illegal logins. I did see where I remotely logged in right after the attack, but it showed my IP address as 192.168.0.40. I thought it would have shown the WAN, not the LAN IP of the remote machine? If not, then 1.33 was simply a remote PC of the attacker, right?

I returned to the office and logged in remotely again. I went through a few menus but lost connection just before checking the log (I wanted to verify my IP address). I tried the phone app but now I get Connection Failed. I suspect that there has been another attack this afternoon that changed the password again. Very strange.

Any more thoughts?

Is your local IP definitely 0.40 ? And you connect to the client network how exactly? VPN or direct?

My PC is on DHCP but as of now it is 0.41. The log entry showing 0.40 was at the same time that I logged in last week and the only remote login showing. So I'm assuming, for now, that 0.40 was my PC last week at that time. That's why I logged back in this afternoon to make a new log entry but I lost connection before checking it.

"Got the password reset by Hik and got back in and remote view working"

Excuse me? Hik has access to the system? Why? No manufacturer should have access to the system once it leaves the shelf... ever.

On a personal note, especially not the Chicom government. Or the US for that matter.

Secondly, if the network that had the IP address "192.168.1.33" was a part of the wifi guest or customer login and it is bridged or joined to the same network the cameras and NVR are on, then yes, they could have "hacked the NVR". If they are not, then you have something else going on that needs a whole lot more investigating.

It could also be a bad firmware upload or version. Bad firmware can cause all sorts of crazy things.

I know that everyone wants cheap, but I just had to rip down some Hikvision cameras the other day because some depts. thought it was a good idea to install their own cameras, and it took only 20 sec for my password cracker to break them and change the passwords on them.

I probably misworded. Hik did not change the password or login. They generated a code that allowed me to enter a new password.

....They generated a code that allowed me to enter a new password.

What info did they need from you in order to generate this "code?"

Like others, wondering if this process creates a risk for Hik owners.

The device serial number and the start date and time. They generated a code which I entered. The NVR then reverted to 12345 password but required me to enter a new secure password to proceed.

I am unable to find any devices with 1.1's on the network. This was 4am and the store was closed. Which reminds me, I meant to review the recordings to see if anyone was in the parking lot at the time. Got caught up in the networking and forgot the visual clues.

It could be the customer's mobile phone with a wrong password. He got an IP address from the wifi router on the wireless LAN.

At 4 am while he's not in the store? That's one hell of a wifi coverage area.

The customer was in the bed asleep... and it was 2,000 attempts in barely an hour.

Does the NVR have anything like this?

I will check this. That could explain not getting back in instead of the password getting changed.

Without having to manually default the NVR, doesn't that mean the HIK NVR had a backdoor to allow them to access it and program the new password?

Just curious if that seems suspicious to anyone else?

Easy people! All of the real manufacturers have an algorithm to create a one day only admin password. How else would they be able to allow you into your locked device? I know that with Dahua, this special password can only be used at the DVR/NVR. You cannot use it remotely.

Jason, the attack came from a host that had the IP address 192.168.1.33 on your local network. How they got there is the real question. Is 192.168.1.33 a PC that could have been remoted into? Is it another device like a wireless access point or switch? That is your first goal. WTH is at 192.168.1.33.

Secondly, you can assume that either the local WiFi network is insecure, or they had remote access. If they have insecure WiFi, that needs to be addressed. If 192.168.1.33 is a PC, you need to check it for typical remote desktop apps (LMI, Teamviewer, VNC, etc) or have it scanned for malware.

Third, you need to restrict illegal logins as mentioned above. In fact, I believe that should be a default setting. I know that Dahua only allows 3 login attempts before locking the account. You have to reboot the unit before being able to try that account again.

Fourth, assign better passwords too. 2000 attempts means your password was very weak, or the hacker has a horseshoe up his ass. There is no way a good password will be cracked in 2000 attempts.

Last, like others have said above, there are many scenarios where dissimilar subnets have access to each other. Unless there is a firewall explicitly blocking traffic between the subnets, a simple subnet mask error (class A instead of class C mask) will allow it.
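The third point above (alert on and lock out repeated failed logins) is worth seeing as working logic rather than a checkbox. What follows is an added example, not code from the thread and not a Hikvision or Dahua feature: a sliding-window counter over failed-login events that raises an alert when one source crosses a threshold against one account, applies a Dahua-style lock after a few failures, and separately flags a successful login that follows a run of failures (the case the thread worried about, where the attacker either got the password or never needed it). The log line format and the log lines themselves are constructed for this example; real NVR log exports look different and need their own parser.

```python
"""Added example (not from the thread, not Hikvision/Dahua code): detect the
'thousands of failed admin logins from one source in an hour' pattern and
apply a simple lockout, over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format for this example; real NVR log exports differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>ILLEGAL LOGIN|LOGIN OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return an event dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ok": m["result"] == "LOGIN OK",
        "user": m["user"],
        "src": m["src"],
    }


class BruteForceDetector:
    """Sliding-window failed-login counter plus a lock-after-N-failures policy."""

    def __init__(self, window=timedelta(hours=1), alert_after=20, lock_after=3):
        self.window = window
        self.alert_after = alert_after
        self.lock_after = lock_after
        self.failures = defaultdict(deque)   # (src, user) -> failure times in window
        self.locked = {}                      # user -> time the lock was applied
        self.alerts = []                      # (kind, src, user, ts)

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def feed(self, ev):
        q = self.failures[(ev["src"], ev["user"])]
        self._prune(q, ev["ts"])
        if ev["ok"]:
            # Success right after a run of failures from the same source: the
            # attacker got in, or knew the password all along.
            if len(q) >= self.lock_after:
                self.alerts.append(("success-after-failures", ev["src"], ev["user"], ev["ts"]))
            # Any success on an account that should be locked: verify the lock
            # is really enabled on the device, or that an operator reset it.
            if ev["user"] in self.locked:
                self.alerts.append(("login-after-lock", ev["src"], ev["user"], ev["ts"]))
            return
        q.append(ev["ts"])
        if len(q) == self.alert_after:        # fire once, when the threshold is crossed
            self.alerts.append(("brute-force", ev["src"], ev["user"], ev["ts"]))
        if len(q) >= self.lock_after and ev["user"] not in self.locked:
            self.locked[ev["user"]] = ev["ts"]   # stays locked until an operator resets it


def analyse(lines, **kw) -> BruteForceDetector:
    det = BruteForceDetector(**kw)
    for line in lines:
        ev = parse_line(line)
        if ev:
            det.feed(ev)
    return det


def constructed_log():
    """Constructed data: 2,000 failures against admin from 192.168.1.33 spread
    over one hour from 04:00, a success from that source, then the installer's
    PC logging in later in the morning."""
    t0 = datetime(2016, 3, 1, 4, 0, 0)
    lines = [f"{t0 + timedelta(seconds=i * 1.8):%Y-%m-%d %H:%M:%S} "
             f"ILLEGAL LOGIN user=admin src=192.168.1.33" for i in range(2000)]
    lines.append("2016-03-01 05:00:10 LOGIN OK user=admin src=192.168.1.33")
    lines.append("2016-03-01 09:15:00 LOGIN OK user=admin src=192.168.0.40")
    return lines


if __name__ == "__main__":
    det = analyse(constructed_log())
    for kind, src, user, ts in det.alerts:
        print(f"{ts} {kind:24} {user}@{src}")
    print("locked:", det.locked)
```

On the constructed data the brute-force alert fires once (at the 20th failure, about 34 seconds in, long before the 2,000th), the admin account is marked locked after the third failure, and both later successes are reported: the attacker's as success-after-failures, and the installer's as login-after-lock, which is exactly the prompt to go and confirm whether the device's lock was ever enabled. Thresholds are assumptions; tune the window and counts to the device's real log volume.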

Hey Jon,

Can you elaborate on "one day only administrator password"?

I am just wondering how that would be acceptable? How would you ensure that a disgruntled employee could not just use that knowledge and share with the world?

I'm sure you can find it if you have any Google skills. I won't post it here to make it easy for others. What I will say is it is based on the current date of the device. The formula takes that date and creates a password that will work at the device locally.

I now believe that the hacker was unable to get in. Instead, I believe the NVR was simply locked and the password had not been changed. The password reset worked the same as just restarting the NVR after it was locked. The password was somewhat strong as it was 10 characters with upper/lower symbols and numbers. I did not know about the "Enable Illegal Login Lock" until you pointed out. Thanks for that!

As for the hacking, 192.168.1.33 is not any device I can find on their network. I believe it is going to be the LAN IP of the PC that remoted in. It would be nice if the NVR would capture the WAN IP. Can I get the WAN IP by checking the logs in the modem?

Jason, trust me, it won't be the local IP of any system that left on a NAT router and came through your NAT router.

Of course, if there's no NAT then it could have the actual LAN address of the attacker, except for the fact that it is a reserved private IP address that has little chance of even making it out of the harbor and into open internet waters.

If the attack came from inside, it could just be a spoofed IP address.

All of the real manufacturers have an algorithm to create a one day only admin password.

All real manufacturers have back-doors? I thought the date thing was just a Hikua deal.

Just received some new Hik IP cams today and they do in fact have Enable Illegal Login Lock from the factory as checked on as default.

Not seeing a "Security" tab on the web interface. Did have it enabled locally on NVR. Just curious as to why I don't see the "Security" tab as in your photo.

Newest firmware is 5.3.6 and the UI has changed a lot.

Okay, now I'm finding some highly suspicious IP addresses in the operation log: 100.96.159.56, 100.125.174.172, 100.69.32.36, 100.86.75.101.

I've convinced the customer to change the password to 12 characters, all random. I will probably set up some MAC filtering for his devices only. Is the only move to make now to have the customer get their IT people to tighten up security? Or are there any other steps I need to take?

Holy ----! I've checked the logs on five other Hik NVRs. ALL of them are showing numerous illegal logins as well as successful logins from addresses very similar to 100.90.145.34. IP tracker shows them to be in C H I N A (of course), Sweden, and Vietnam... if the info provided by the tracker is reliable. These all have considerably strong passwords.

I know a lot of people here have been harping on Hik's security risk for a while. Unfortunately, I haven't heeded the warnings and now I must do the best I can to tighten up. Through all of the discussions about this, I don't recall anyone suggesting a viable alternative. I only recall suggestions for far more expensive options. Though I fully understand the argument against driving the cost down and using Chinese products, what are the small (very small) businesses and residential clients to do? They also need quality HD video surveillance but would never have it if it meant paying a huge price tag. It would be great if an American company would produce an NVR appliance comparable to Hik. I would definitely switch to it.

Jason, maybe your router is compromised as well? If so, it would allow the attacker to appear like they were on the local subnet and possibly use a password generator to get in?

Do you have full logging on your NVRs and router?

If you haven't, can you post your port forwarding setup, (obscuring any sensitive details)?

You can also slow them down by wildcard blocking on the router the range of incoming IP connections that you see.

Are they logging in as admin? Are you still able to, or are they changing things?

Port forwarding is currently default: 80 and 1050 to the NVR at 192.168.0.xxx. Not sure what you mean by "full" logging. The NVR does have logs available. The router is only showing the past 24 hours.

They are logging in as admin and I am still able to as well. Can't find anything they have changed. Can hacking the NVR gain them access to other devices on the network such as credit card machines? If not, what do they gain other than video?

It gives them a foothold on the local network from which they can attack other, normally unreachable devices, so yes, it's a problem.

Anyway, I'm certain that Hikvision will be extremely interested in any machine that is being accessed unauthorized from the admin account when a strong password has been set.

IPVM will undoubtedly contact them once they see this.

Maybe the NVR came with a virus in its firmware to begin with.

Another thing you could do as a short term fix is to whitelist or only allow connections from known networks in your firewall rules.

Depending on how many mobile users you have this could be as easy as allowing only things coming from Sprint or a royal pain in the ass if you have overseas mobile users.

Less than 3 mobile users for each customer and all are using phone app on Verizon network. Didn't know you could whitelist a certain carrier. I will be doing this. Thanks!

Well, it might take a little trial and error to get the various ranges that they might use nationwide, but you can start with the users going to the web page whatismyipaddres.com and seeing what they currently are receiving.

I'll look for a list on the web.

It sounds like you are blaming Hikvision for a sloppy network architecture and your lack of security setup on the NVR.

I wouldn't be worried about the NVR, I'd be worried about all of the other host devices on that network. You mentioned credit card machines. It sounds like your customer has a call to make to the FBI.

Or shall I call them for you?

It sounds like your customer has a call to make to the FBI.

Or shall I call them for you?

Who are you, Central Station?

Well, I have stuck with Hik even after all of the recent/past comments and articles on IPVM about their security. I read all of them. But Hik has been my best option for most of my customers. Security aside, I love the product and its operation, and yes, the price has been nice as well. I know I sounded as though I'm blaming Hik for this, but I panicked a little after checking the logs on several other systems and seeing the same activity. I actually believe the opposite may be true and that the Hik NVR exposed what was going on and was not the cause. Granted, any NVR set up with email alerts would have done the same.

And if calling the FBI is the right course of action, then I will. I have worked with many FBI investigations in the past 11 years, as I have recently left my position as a police detective. I still have local agents' contact info. Do you think I should call them? And tell them what? It appears that this activity is widespread and from what I'm reading here it is not uncommon. They probably already know this.

Jason, are you sure that they are successfully logging in using accounts that you have changed the passwords on?

Not positive at this point. I'm now leaning toward no. NVR's response of "Incorrect username/password" when I tried to login led me to believe that they had changed the password. I will look deeper and know for sure later.

And I'll take the blame for being lazy and leaving port 80 open. I am changing that today. But I did set the email alerts up so do I get partial credit?

Jason, 100.86.254.147 is not a public IP address; it's a reserved address just like 192.168.x.x (read: internal IP). Given the method in which HIK implemented the IP capture, it's pure child's play for the attacker to spoof the IPs shown in the log. Those attempts could have come from anywhere in the world. Real 1984 level technology Hik!

The 100.x.x.x subnet is not reserved for private networks. The only reserved ranges are:

Class A: 10.0.0.0/8

Class B: 172.16.0.0/16

Class C: 192.168.0.0/24

John,

Sorry to disagree but the above are the most commonly known. The entire 100.64.0.0 - 100.127.255.255 block is also reserved as private IP space under RFC6598. There are other blocks as well reserved under special use. http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml

Look at the table in your link. Look for the words "Private Use" and you will see that it bolsters my claim.

Shared Address Space is distinct from RFC 1918 private address space because it is intended for use on Service Provider networks.

However, it may be used in a manner similar to RFC 1918 private address space on routing equipment that is able to do address translation across router interfaces when the addresses are identical on two different interfaces.

For all intents and purposes it's private.

John, it's essentially the same as RFC1918 in its behavior. My point was simply that due to the manner in which HIK is recording source IPs in their logs, there is a low level of confidence in their accuracy. Yes, it would be more challenging to make the attack appear as if generated from the IPs of Microsoft, Google, or other well known blocks, but to spoof something in the private range is Network Security 101 stuff.

It's reserved, but not like the others. It's a telco POP internal use range.
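The exchange above comes down to which registry block each logged address sits in. The following is an added example, not code from the thread: it classifies the source addresses quoted in the thread against a hand-entered subset of the IANA IPv4 Special-Purpose Address Registry (RFC 1918 private, RFC 6598 shared address space, and a few others) and attaches the triage note a practitioner would want for an NVR that is port-forwarded from the internet. The table is entered by hand on purpose, so the answer does not depend on which blocks a given Python version's `is_private()`/`is_global()` happen to include (100.64.0.0/10 is a known awkward case there); the NVR subnet passed to `triage()` is an assumption taken from the thread.

```python
"""Added example (not from the thread): classify logged source addresses
against the IANA IPv4 Special-Purpose Address Registry so RFC 1918 private,
RFC 6598 shared (carrier-grade NAT) and routable addresses are told apart."""
import ipaddress

# Subset of the IANA special-purpose registry relevant to a source-IP triage.
SPECIAL_PURPOSE = [
    ("RFC 1918 private", "10.0.0.0/8"),
    ("RFC 1918 private", "172.16.0.0/12"),
    ("RFC 1918 private", "192.168.0.0/16"),
    ("RFC 6598 shared (CGNAT)", "100.64.0.0/10"),
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("documentation", "192.0.2.0/24"),
    ("documentation", "198.51.100.0/24"),
    ("documentation", "203.0.113.0/24"),
]
_NETS = [(label, ipaddress.ip_network(cidr)) for label, cidr in SPECIAL_PURPOSE]


def classify(ip: str) -> str:
    """Registry label for an IPv4 address, or 'public' if it matches none."""
    addr = ipaddress.ip_address(ip)
    for label, net in _NETS:
        if addr in net:
            return label
    return "public"


def triage(ip: str, nvr_subnet: str) -> tuple:
    """(label, what a logged source in that block means for an exposed NVR)."""
    label = classify(ip)
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(nvr_subnet):
        note = "on the NVR's own subnet: look it up in the router's DHCP/ARP tables"
    elif label == "RFC 1918 private":
        note = "private but off-subnet: another internal segment (guest wifi, VPN), not the open internet"
    elif label == "RFC 6598 shared (CGNAT)":
        note = "ISP shared space: not routable on the public internet, no owner lookup possible"
    elif label == "public":
        note = "routable: usable for a WHOIS/abuse report, but may be a proxy or VPN exit"
    else:
        note = "special-purpose: log artifact, misconfiguration, or spoofed source"
    return label, note


def triage_log(sources, nvr_subnet: str) -> dict:
    """Run triage over every address pulled from a log."""
    return {ip: triage(ip, nvr_subnet) for ip in sources}


if __name__ == "__main__":
    # Addresses quoted in the thread; the NVR subnet is an assumption.
    seen = ["192.168.1.33", "192.168.0.40", "100.96.159.56", "100.125.174.172",
            "100.69.32.36", "100.86.75.101", "100.90.145.34", "100.86.254.147"]
    for ip, (label, note) in triage_log(seen, "192.168.0.0/24").items():
        print(f"{ip:16} {label:24} {note}")
```

One caveat on the spoofing point raised above: an HTTP login rides on TCP, and a TCP connection only completes if the handshake replies reach the source address, so the address the NVR logs is the one the connection really arrived from after whatever NAT sits in the path. What the log cannot tell you is the original address behind that NAT, a proxy or a VPN exit, which is why an address in shared or private space on an inbound connection is a question for the router's and the ISP's logs rather than a dead end in the NVR's.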

Real 1984 level technology Hik!

Yes, Orwellian indeed.

Calling the FBI is a little drastic, but you really should have all credit card transactions on a separate network anyway. It is required for PCI compliance.

I am not their network guy but I will discuss this with them as I feel it is my place to protect them from loss.

Folks, the real issue here is his server (HIK NVR in this case) responding to requests on TCP port 80. Plenty of other ports under the sun to choose from which offer some reduced visibility to those looking to compromise his system.

The log files are showing nothing more than probing from an outside source. The manner in which HIK has chosen to implement IP capture in their logs is based on a decades old standard and is VERY easy to spoof. I would spend no time trying to chase down a phantom private address like 192.168.1.33 or 100.96.159.56 as they are not real public IPs (More here: http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml).

The logs posted above show common day to day probing. Anyone operating a web enabled server will see thousands of these an hour in many cases. From HTTP to FTP to other protocols, the probing party is simply using a dictionary attack to hurl passwords at the "admin" account. To stay safe: keep your passwords complex, keep your system patched, and change your port to something higher than 1024! (More here: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers)

Hope this helps.

Donald, I would say you are right, except that Jason is insisting that the logins are successful now, even though the password has been made strong.

At this point I am no longer insisting the login was successful. I believe the NVR was "locked". I thought the password had been changed because when we tried to log in it said "Incorrect username or password", not "Locked". I will test this today to be sure and post back my findings.

Yes, I missed where he said above that they were successful in logging in.

Jason, are you seeing something other than the logs which leads you to understand someone has been able to log in?

I based that assumption on the "Incorrect username/password" response from the NVR. I will also check the logs closer to see the remote logins and logouts.

Guys...

2000 tries is too round a number... it is almost impossible to crack a password in such a small number of tries... and 2000 is definitely a number to mask the direct login... The person who did that must have used an exploit (what else is shown in the logs?) or just knew the password.

As for the remote IPs... the attacker would use proxy anonymizer to hide the source. I do such things regularly myself while pen-testing my customers... The attacker can drink coffee with a laptop at Starbucks next door and you will see him coming from China.

As for consequences: Jason, you should treat an NVR or even a camera as a regular PC running Linux, so they could scan the network from inside, analyse other hosts, try to get access to other systems... pretty much everything...

I can't tell more, I don't know your topology...

Overall, the situation looks like a targeted attack led by a semi-pro; you should definitely check other hosts.

For risk mitigation I would recommend an IPS (Intrusion Prevention System); it will prevent password bruteforcing and treat it as an attack in progress, whereas a regular (not NG) firewall will pass this if remote login is permitted. If the outlet is stand-alone then they should consider buying a provider security service; if it is a network of outlets they should build a security perimeter with a firewall and IPS.

Maybe the hacker's software was provisioned to stop after 2,000 attempts? Or the log stops storing at 2,000? The number 2,000 was odd to me but I'm no network security expert, obviously.

Jason again...

Let me show you some numbers... To crack a password 8 symbols long using a bruteforce attack (trying every possible combination of lowercase, uppercase, numbers and symbols) at 1 billion tries per second will take, rounded down, 83 days... Ok, assuming our password will not be the last combination available, let's say we should spend one third of this time... 27 days at a billion tries per second for an 8 character password...

Comparing to this what is 2000 tries? Nothing... And I really don't think that the guy had "90 level luck skill"... That's why I think that the password was known or exploit was used.

Did you check logs several days before? If not... then when have you done it last time?

About logs: you should check the equipment for storage limitations and, as a support guy, install a log server at least on a PC and point all devices to copy logs there. Then you should be able to restore the whole picture and trace events that occurred a month ago or even earlier. (This is for the future.)

Try monitoring the attacker's MAC address with Wireshark or similar. Once you get the MAC address you can block this MAC in your router and check the first few bytes for the manufacturer, but at best you can get what network adapter he is using. Your wifi is compromised at least, as they got a local IP address from your router.

As they stopped at 2000 tries, their brute force password breaker might have a software limit of 2000 tries. I see multiple vulnerabilities; first, your WIFI network: I bet you don't use any encryption at all, or you use WEP, which can be broken in a few minutes.

To be honest, to all these installers who are convinced that IP video surveillance is nothing but wiring a few devices together and connecting a patch cable to the router, I suggest getting an IT guy ASAP or taking the consequences...

I am aware that there is a lot more to video surveillance than connecting a patch cable to the router. I believe that my system has identified attacks that were already occurring and going unnoticed until I discovered it. Had I just connected a patch cable, got video, then left the customer out to dry, the attacks would not have stopped. Being proactive, I am the one who discovered the issue. The customer was clueless until I brought it to light. Being that I am admitting that I am not a network security expert, I disconnected the system from the network and began looking into the logs for what answers I could find. I suggested to the customer to contact an IT company. I even made a recommendation for one that will work with me on the project.

I think we may be overlooking that the log capacity may only show 2,000 attempts, right? I'm not familiar enough with that NVR to say what the limits of the log may be. 20 pages?