Dahua remote authentication - Printable Version

Dahua remote authentication - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: Dahua remote authentication (/thread-12542.html)

Dahua remote authentication - Ed - 04-05-2025

Hi, guys.
I have a shopcam DHI-XVR5116HE. There is an application DMSS to manage it and see screenshots and etc .
I have udp packets from app.
Using wireshark I have found certain interesting string:

NFPOST /device/3D011F0 /p2p-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: 2088966071
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="y70nnRaOAk9Pbc1cz8L8esO9ph8=", Nonce="1552662507", Created="2025-04-04T15:17:40+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 532
Content-MD5: 832f1c7f19bd8fe62e423770083c80de

NFPOST /device/3D011F0 /relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="wg6ud9Lw7o1p/uPhm37jf1Lchv8=", Nonce="-2106309976", Created="2025-04-04T15:17:42+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: e2a3b2f84d59e1c7ed8966bd48c7d8de

<body><ClientId>3FB7F9E6-BE74-4A47-9A95- :37777</ClientId><CreateDate>1743769062</CreateDate><DevAuth>QiU5g5MwLhAED8WxIRHM+nykTeS69S5fNcwRDar43oM=</DevAuth><Nonce>1437081999</Nonce><UserName>fullacs</UserName><X-SvrVersion>6.2.0</X-SvrVersion><agentAddr>128.14.231.148:46408</agentAddr><sVersion>1.1.0</sVersion></body>NFPOST /device/3D011F0PAE00039/relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="0NXzm3+vygDq5Tqyj3duHhuPGTM=", Nonce="-1753810627", Created="2025-04 04T15:17:43+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: 1d044b86f5a205cbb1a0c76fe408756f

I define the way PasswordDigest string created:

Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

Can I use hashcat to get a password and in what way?

RE: Dahua remote authentication - RealEnder - 04-07-2025

You should be able to use m120. First convert your hash to hex, eg like this:

Code:
echo y70nnRaOAk9Pbc1cz8L8esO9ph8= | base64 -d | xxd -p

Then take hex value of the salt, since there is a delimiter in it:

Code:
echo -n '15526625072025-04-04T15:17:40+03:00' | xxd -p -c0

Your hashline should look like this:

Code:
cbbd279d168e024f4f6dcd5ccfc2fc7ac3bda61f:31353532363632353037323032352d30342d30345431353a31373a34302b30333a3030

Then pass --hex-salt to hashcat.
This should work, of course, if this is the correct way to construct the resulting hash.