hashcat Forum

hashcat Forum > Misc > User Contributions > Dahua remote authentication
Full Version: Dahua remote authentication
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

Ed

04-05-2025, 09:16 AM
Hi, guys.
I have a shopcam DHI-XVR5116HE. There is an application DMSS to manage it and see screenshots and etc .
I have udp packets from app. 
Using wireshark I  have found certain interesting string:


NFPOST /device/3D011F0                /p2p-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: 2088966071
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="y70nnRaOAk9Pbc1cz8L8esO9ph8=", Nonce="1552662507", Created="2025-04-04T15:17:40+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 532
Content-MD5: 832f1c7f19bd8fe62e423770083c80de

NFPOST /device/3D011F0          /relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="wg6ud9Lw7o1p/uPhm37jf1Lchv8=", Nonce="-2106309976", Created="2025-04-04T15:17:42+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: e2a3b2f84d59e1c7ed8966bd48c7d8de


<body><ClientId>3FB7F9E6-BE74-4A47-9A95-             :37777</ClientId><CreateDate>1743769062</CreateDate><DevAuth>QiU5g5MwLhAED8WxIRHM+nykTeS69S5fNcwRDar43oM=</DevAuth><Nonce>1437081999</Nonce><UserName>fullacs</UserName><X-SvrVersion>6.2.0</X-SvrVersion><agentAddr>128.14.231.148:46408</agentAddr><sVersion>1.1.0</sVersion></body>NFPOST /device/3D011F0PAE00039/relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="0NXzm3+vygDq5Tqyj3duHhuPGTM=", Nonce="-1753810627", Created="2025-04 04T15:17:43+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: 1d044b86f5a205cbb1a0c76fe408756f 


I define the way PasswordDigest string created:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

Can I use hashcat to get a password and in what way?

RealEnder

04-07-2025, 08:08 PM
You should be able to use m120. First convert your hash to hex, eg like this:
Code:
echo y70nnRaOAk9Pbc1cz8L8esO9ph8= | base64 -d | xxd -p
Then take hex value of the salt, since there is a delimiter in it:
Code:
echo -n '15526625072025-04-04T15:17:40+03:00' | xxd -p -c0
Your hashline should look like this:
Code:
cbbd279d168e024f4f6dcd5ccfc2fc7ac3bda61f:31353532363632353037323032352d30342d30345431353a31373a34302b30333a3030
Then pass --hex-salt to hashcat.
This should work, of course, if this is the correct way to construct the resulting hash.

FiosFiend

04-17-2025, 12:27 PM
Not sure if this helps, but this just popped up while searching for something else

https://www.dahuawiki.com/Firmware_Search_Tool
hashcat Forum > Misc > User Contributions > Dahua remote authentication