mroek

Dahua user account system badly designed?


What's up with the user account system on the Dahua cameras? I have some HFW-2100 (got them a few days ago), and I have naturally changed the passwords on the accounts (admin/888888/666666). Today I tried installing PSS just to see how it works, and even though I can add cameras, PSS cannot log in to them, and the accounts subsequently get locked (for 30 minutes, apparently).

 

I am of course 100% certain that I have entered the correct password (which works on the web interface), but PSS (which tries to connect at port 37777) obviously manages to lock the account. Afterwards this account is also locked for login from the web interface (which it should be, as long as it is the same account).

 

Anyone have any insight here?


I am using the latest version, and I have tried deleting the camera and re-adding it. The problem is not that the password is incorrect, I'm not that bad at typing passwords.

 

I also tried connecting to the camera via IP Cam Viewer on Android. It works fine with RTSP, but if I try the dedicated driver for Dahua HFW cameras (which then tries to use port 37777, just as PSS does), the same thing happens. IP Cam Viewer reports a password error.

 

One other thing I've discovered is that if you try to access the camera via Onvif Device Manager, the user/password of admin/admin works regardless of how the user accounts are configured (major security flaw). I meant to mention this in my first post, but I forgot. If I try my real admin password in Onvif Device Manager, then I get an error message that the login fails...


9 characters in my password. Is there a max limit less than that, perhaps?

I'll experiment; perhaps you're onto something. I remember some Linux version I worked with that ignored anything over 8 characters.


You were right!

The limit is 8, but only for access on port 37777. Login on the web interface works with longer passwords as well.

 

Anyway, thanks a bunch! I'm going to change all passwords to 8 characters on these cameras, just to be on the safe side (kind of an oxymoron, don't you agree).


The bigger issue is that the combination admin/admin works for Onvif access no matter what password you have set for the admin account...


I have now spent some time tinkering with the cameras, and I have found a way to modify (and delete) the accounts even if the web interface does not allow that. The camera config is stored in two locations:

 

/mnt/backup/Config

/mnt/mtd/Config

 

The backup location appears to be just that, a backup of the config. The config that is actually used is the latter, but files will be copied to the backup folder automatically.

 

The accounts are stored in this file:

/mnt/mtd/Config/Account1

 

Unfortunately, Dahua has not included any text editor (not even vi, can you believe it), so to edit the file you need to have an FTP server in your network, and then use ftpput to copy the file to the FTP server, modify it on your computer, and ftpget it back onto the camera.

 

The account file is clear text, and easy to read. This is how it looks by default (serial number has been edited by me):

 

// (two-line vendor comment in Chinese; its encoding is garbled in this copy)

{
  "DevInformation" : {
     "SerialID" : "TZC2Lxxxxxxxxx"
  },
  "Groups" : [
     {
        "AuthorityList" : [
           "ShutDown",
           "Monitor_01",
           "Replay_01",
           "Record",
           "Backup",
           "MHardisk",
           "Account",
           "Alarm",
           "QueryLog",
           "DelLog",
           "SysUpdate",
           "AutoMaintain",
           "GeneralConf",
           "EncodeConf",
           "RecordConf",
           "ComConf",
           "NetConf",
           "AlarmConf",
           "VideoConfig",
           "DefaultConfig",
           "VideoInputConfig"
        ],
        "Id" : 1,
        "Memo" : "administrator group",
        "Name" : "admin"
     },
     {
        "AuthorityList" : [ "Monitor_01", "Replay_01" ],
        "Id" : 2,
        "Memo" : "user group",
        "Name" : "user"
     }
  ],
  "Users" : [
     {
        "AuthorityList" : [
           "ShutDown",
           "Monitor_01",
           "Replay_01",
           "Record",
           "Backup",
           "MHardisk",
           "Account",
           "Alarm",
           "QueryLog",
           "DelLog",
           "SysUpdate",
           "AutoMaintain",
           "GeneralConf",
           "EncodeConf",
           "RecordConf",
           "ComConf",
           "NetConf",
           "AlarmConf",
           "VideoConfig",
           "DefaultConfig",
           "VideoInputConfig"
        ],
        "Group" : "admin",
        "Id" : 1,
        "Memo" : "admin 's account",
        "Name" : "admin",
        "Password" : "6EFF35CB0D61578D8D0A5351CA74ADB5",
        "Reserved" : true,
        "Sharable" : true
     },
     {
        "AuthorityList" : [
           "ShutDown",
           "Monitor_01",
           "Replay_01",
           "Record",
           "Backup",
           "MHardisk",
           "Account",
           "Alarm",
           "QueryLog",
           "DelLog",
           "SysUpdate",
           "AutoMaintain",
           "GeneralConf",
           "EncodeConf",
           "RecordConf",
           "ComConf",
           "NetConf",
           "AlarmConf",
           "VideoConfig",
           "DefaultConfig",
           "VideoInputConfig"
        ],
        "Group" : "admin",
        "Id" : 2,
        "Memo" : "888888 's account",
        "Name" : "888888",
        "Password" : "261E49200CB8EA1800A9568504FBA0C3",
        "Reserved" : true,
        "Sharable" : true
     },
     {
        "AuthorityList" : [ "Monitor_01", "Replay_01" ],
        "Group" : "user",
        "Id" : 3,
        "Memo" : "666666 's account",
        "Name" : "666666",
        "Password" : "A36040975B36C11630E534AB561D77AD",
        "Reserved" : true,
        "Sharable" : true
     },
     {
        "AuthorityList" : [ "Monitor_01" ],
        "Group" : "user",
        "Id" : 4,
        "Memo" : "default account",
        "Name" : "default",
        "Password" : "B1AF93D7B8D1C96E4563AB36095687FA",
        "Sharable" : true
     }
  ]
}

 

As you can see, there are four users defined: admin, 888888, 666666 and default. If you just want to be able to delete the users from within the camera web interface, change the "Reserved" property from true to false. Then, after putting the file back onto the camera, reboot it (just use the reboot command from the shell) to make the changes effective. After the camera has rebooted, you can do what you want with the accounts. A word of caution, though: I have only tried deleting one of the extra accounts, so I don't know for sure if renaming/deleting the admin account will have any adverse effects (clearly you must retain at least one account with full admin privileges), but I believe it should work just fine. Don't try to edit the passwords manually; they are just hashes (and also salted, I think), so only change them from the web interface.

 

This is just for information, I'm not responsible for anything you might do! I'm not including detailed instructions here, because those that would want to do this already have the required knowledge.

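An added example (not from the post above and not Dahua's code) of doing the described edit safely: it splits an Account1-style file into its comment lines and JSON, flips "Reserved" for one user, refuses to delete the last account that could still manage accounts, and leaves the password hashes untouched. The sample file is constructed; the serial and the hashes are placeholders.

```python
import json

# Constructed sample in the layout of the Account1 file quoted above; the serial
# and the password hashes are placeholders, not values taken from a real camera.
SAMPLE_ACCOUNT1 = """\
// vendor comment line 1 (GBK-encoded Chinese in the real file)
// vendor comment line 2
{ "DevInformation" : { "SerialID" : "TZC2Lxxxxxxxxx" },
  "Groups" : [ { "AuthorityList" : [ "Monitor_01", "Account" ], "Id" : 1, "Name" : "admin" },
               { "AuthorityList" : [ "Monitor_01" ], "Id" : 2, "Name" : "user" } ],
  "Users" : [
    { "AuthorityList" : [ "Monitor_01", "Account" ], "Group" : "admin", "Id" : 1,
      "Name" : "admin", "Password" : "0000PLACEHOLDER0000", "Reserved" : true, "Sharable" : true },
    { "AuthorityList" : [ "Monitor_01" ], "Group" : "user", "Id" : 3,
      "Name" : "666666", "Password" : "0000PLACEHOLDER0000", "Reserved" : true, "Sharable" : true } ] }
"""

def parse_account1(text):
    """Split the file into its leading // comment lines and the parsed JSON body."""
    lines = text.splitlines()
    comments = [l for l in lines if l.lstrip().startswith("//")]
    body = "\n".join(l for l in lines if not l.lstrip().startswith("//"))
    return comments, json.loads(body)

def is_admin_capable(user):
    """Admin-group member that still holds the Account authority (can manage users)."""
    return user.get("Group") == "admin" and "Account" in user.get("AuthorityList", [])

def unreserve_user(cfg, name):
    """Flip Reserved to false so the web interface lets you delete or rename the account."""
    for user in cfg["Users"]:
        if user["Name"] == name:
            user["Reserved"] = False
            return cfg
    raise KeyError("no such user: " + name)

def delete_user(cfg, name):
    """Remove a user, refusing if no admin-capable account would remain."""
    remaining = [u for u in cfg["Users"] if u["Name"] != name]
    if len(remaining) == len(cfg["Users"]):
        raise KeyError("no such user: " + name)
    if not any(is_admin_capable(u) for u in remaining):
        raise ValueError("refusing to delete the last admin-capable account: " + name)
    cfg["Users"] = remaining
    return cfg

def render_account1(comments, cfg):
    """Re-emit the file: comment lines first, then the JSON; password hashes are left untouched."""
    return "\n".join(comments) + "\n" + json.dumps(cfg, indent=3) + "\n"
```

Feed it the real file fetched with ftpput, write the rendered result back with ftpget, and reboot as the post describes; the checks only guard the edit, they do not validate anything against the camera.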

How did you FTP into the cameras? I don't see that as an option. If you wouldn't mind, can you give the steps you used? Thanks.


You can't FTP into the cameras. You must login to a shell with telnet, and then use the builtin commands ftpget and ftpput to move files to and from an FTP server in your network.


I know I'm doing something wrong. Do you mind pointing me in the right direction?

 

 

(none) login: root

Password:

# cd /mnt/mtd/Config

# ftpget /mnt/mtd/Config/Account1

BusyBox v1.9.1 (2011-10-28 09:19:04 CST) multi-call binary

 

Usage: ftpget [options] remote-host local-file remote-file

 

Retrieve a remote file via FTP

 

Options:

-c,--continue Continue previous transfer

-v,--verbose Verbose

-u,--username Username

-p,--password Password

-P,--port Port number

 

#

 


If you are trying to get the file out of your camera then you need to telnet in and ftpPUT the file into your ftp server.

 

Dig into the ftpput command.

First, do you actually have an FTP server in your network? If yes, then you must run this command to get the file onto that server:

 

ftpput -u -p Account1 Account1

 

You must of course substitute user/password and server-ip with the appropriate values for your server. It is possible that you also need to supply a target directory on your server, but since you should be in control of that server, you'd be the one to know that.

 

If I'm going to be brutally honest with you, it does not sound like you have enough knowledge to be doing these things. That's precisely why I did not supply any detailed instructions, because anyone with the required knowledge would immediately understand what to do.

 

In any case I will not be responsible if you brick your camera.


This is all I needed and it worked fine. Thanks.

 

ftpput -u -p Account1 Account1

 

Of course. Not sure that needed to be said.

 

In any case I will not be responsible if you brick your camera.

Ok, great!


What's not so great is that there seems to be no easy way of fixing the built-in security vulnerability whereby admin/admin seems to be hardcoded for login via Onvif. In the current latest release, Onvif sits at port 9988, so you can at least avoid exposing that port to the internet even if you want to set up access to the web interface (at port 80). Unfortunately, it may seem as if Dahua has moved Onvif to port 80 in later test versions, and if admin/admin still works for Onvif, then anyone can actually reboot your camera or reset the config (in addition to other stuff) if you have set up internet access to your camera on port 80.

 

What they need to do is to allow the user to decide which port Onvif should use, and they also really, really, really need to link the Onvif account info to the actual accounts defined in the camera, not a hardcoded value.


So how can you disable the locked-account feature of the Dahua DVR and NVR when you log in incorrectly (I know waiting for 30 minutes would make it back online)? This is a security vulnerability, because what if you are monitoring at a remote location and the perpetrators purposely log into your account incorrectly and lock it to avoid your remote monitoring, and 30 minutes is enough time to get away with any crimes? Do other brands have this account lock feature too, or only Dahua?


You cannot disable this feature, which is specifically designed to stop brute-force attacks.

 

If you design your system very well and you use a "special" account - for example, a very uncommon username - there will be no problems in remotely accessing the devices.


But you can't change the username "admin". Even if you create a new account with a different username and password, the "admin" account is still there. Any attempt to log in to it with an incorrect password will lock remote access for 30 minutes.

 

My NVR is connected to an isolated warehouse. The alarm outputs are wired to relays that would power higher-amperage sirens that can be heard for one kilometer. So if the robbers lock out the CCTV, how can I even view or sound the alarm (manually)?

 

Is there a way to change the "admin" name to a unique one that can't be guessed? This is last chance before I return it because I have 4 days exchange policy. Thank you.

It will lock remote access only for the "admin" account, not for all accounts.

 

Then if I know someone's P2P SN or port-forwarded IP address, I can log in with the "admin" name using any password and he would be locked out for 30 minutes, enough to effectively disable his security and remote monitoring. So if the robbers know your unit serial number (P2P) or IP, then you are vulnerable. Don't you agree? Is there no way around this? This defeats the purpose of remote monitoring.


What he is saying is that yes, the admin account will get locked out, but if you created another user called User15, that account will still work.

 

 

 



 

You have local storage - DVR or NVR. Even if you lock the account, the recordings or the whole functionality of the system will not be affected.

 

Also, there are ways to combat brute-force attacks: for example, changing the default port forwarded. And, as I stated before, remote monitoring can be done with any other account - by the way, it's a bad practice to use admin to remote monitor. Also, the admin user (if I do remember well) can be locked out from network login.

 

There are several ways to mitigate any or all of the problems that do arise in these situations or some other particular situations.
