

Subject: Dahua DES/3DES encrypt/decrypt, NetSDK credentials leaks, Cloud keys/passwords, DHP2P PoC

1. Dahua DES/3DES (broken) authentication implementation and PSK
2. Vulnerability: Dahua NetSDK leaking credentials (first 8 chars) from all clients in REALM request when using DVRIP and DHP2P protocol
3. PoC: Added simple TCP/37777 DVRIP listener to display decrypted credentials in clear text
4. Vulnerability: Dahua DHP2P Cloud protocol credentials leakage
5. Vulnerability: Hardcoded DHP2P Cloud keys/passwords for 23 different providers
6. PoC: Access to devices within DHP2P Cloud.

Dahua's DES/3DES authentication implementation is broken by endianness bugs, marked below with 'Dahua endianness bug' in this script.
Replicated Dahua's implementation; both encrypt and decrypt work.

Dahua 3DES pre-shared key (PSK): poiuytrewq
3DES Username: c4 a3 af 48 99 56 b6 b4 (admin)
3DES Password: 54 ab ae b6 01 21 d6 71 (donotuse)

Note: The difference between a login with 3DES and a REALM request lies in the second byte of the first two bytes.

00000000 a0 00 00 00 00 00 00 00 c4 a3 af 48 99 56 b6 b4 │
00000000 a0 01 00 00 00 00 00 00 c4 a3 af 48 99 56 b6 b4 │

Trying to bind to 0.0.0.0 on port 37777: Done
Waiting for connections on 0.0.0.0:37777

The same packets as in DVRIP exist with Dahua DHP2P Cloud, but DVRIP is encapsulated within PTCP UDP packets.

Dahua-3DES-IMOU-PoC.py -dhp2p XXXXXXXXXXXXXXX

Note: This PoC will only connect via Dahua DHP2P IMOU Cloud and request REALM and RANDOM from the remote device.

Dahua-3DES-IMOU-PoC.py -dhp2p XXXXXXXXXXXXXXX -probe

Note: XXXXXXXXXXXXXXX is the serial number of the remote device (if the S/N starts with a letter, make it lowercase - some stupid bug)
Note: All providers use different entry FQDNs/IPs.
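
For monitoring TCP/37777 traffic, the two packet dumps quoted in this advisory are enough to flag clients that still send the 3DES username block. The sketch below is an added example, not part of the advisory's PoC; the field layout (first byte a0, second byte 00 or 01, username block at offset 8) is an assumption read off those two dumps, and the names inspect_dvrip and scan are hypothetical. It does not decrypt anything.

```python
# Added example: defensive triage of the DVRIP packets quoted in the advisory.
# The field layout is an assumption read off the two 16-byte dumps on this page.
from dataclasses import dataclass
from typing import List, Optional

MAGIC = 0xA0               # first byte of both quoted packets
VARIANTS = (0x00, 0x01)    # second byte: separates 3DES login from REALM request
USER_BLOCK = slice(8, 16)  # 8-byte 3DES username block seen in both dumps


@dataclass
class Finding:
    variant: int      # value of the second byte
    user_block: str   # ciphertext of the username block, as hex
    reason: str


def inspect_dvrip(payload: bytes) -> Optional[Finding]:
    """Flag a packet that carries a username block under the pre-shared 3DES key."""
    if len(payload) < 16:        # truncated: cannot hold the username block
        return None
    if payload[0] != MAGIC or payload[1] not in VARIANTS:
        return None              # not one of the two packet types
    block = payload[USER_BLOCK]
    if block == bytes(8):        # empty block: no credential material sent
        return None
    hex_block = " ".join(f"{b:02x}" for b in block)
    return Finding(payload[1], hex_block, "username block under hardcoded PSK")


def scan(payloads: List[bytes]) -> List[Finding]:
    """Return findings for every payload that matches."""
    return [f for f in map(inspect_dvrip, payloads) if f is not None]


# Constructed samples: the first two are the dumps quoted in the advisory,
# the rest are made-up negatives (empty block, truncated, other first byte).
SAMPLES = [
    bytes.fromhex("a0000000 00000000 c4a3af48 9956b6b4"),
    bytes.fromhex("a0010000 00000000 c4a3af48 9956b6b4"),
    bytes.fromhex("a0010000 00000000 00000000 00000000"),
    bytes.fromhex("a001"),
    bytes.fromhex("b0000000 00000000 c4a3af48 9956b6b4"),
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"variant=0x{f.variant:02x} user_block={f.user_block} ({f.reason})")
```

Any hit means the client exposed its username under a key that is public in this advisory, so the account should be treated as disclosed.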
