04-05-2025, 09:16 AM
(This post was last modified: 04-07-2025, 05:53 AM by Chick3nman.)
Hi, guys.
I have a shopcam DHI-XVR5116HE. There is an application DMSS to manage it and see screenshots and etc .
I have udp packets from app.
Using wireshark I have found certain interesting string:
NFPOST /device/3D011F0 /p2p-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: 2088966071
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="y70nnRaOAk9Pbc1cz8L8esO9ph8=", Nonce="1552662507", Created="2025-04-04T15:17:40+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 532
Content-MD5: 832f1c7f19bd8fe62e423770083c80de
NFPOST /device/3D011F0 /relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="wg6ud9Lw7o1p/uPhm37jf1Lchv8=", Nonce="-2106309976", Created="2025-04-04T15:17:42+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: e2a3b2f84d59e1c7ed8966bd48c7d8de
<body><ClientId>3FB7F9E6-BE74-4A47-9A95- :37777</ClientId><CreateDate>1743769062</CreateDate><DevAuth>QiU5g5MwLhAED8WxIRHM+nykTeS69S5fNcwRDar43oM=</DevAuth><Nonce>1437081999</Nonce><UserName>fullacs</UserName><X-SvrVersion>6.2.0</X-SvrVersion><agentAddr>128.14.231.148:46408</agentAddr><sVersion>1.1.0</sVersion></body>NFPOST /device/3D011F0PAE00039/relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="0NXzm3+vygDq5Tqyj3duHhuPGTM=", Nonce="-1753810627", Created="2025-04 04T15:17:43+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: 1d044b86f5a205cbb1a0c76fe408756f
I define the way PasswordDigest string created:
I have a shopcam DHI-XVR5116HE. There is an application DMSS to manage it and see screenshots and etc .
I have udp packets from app.
Using wireshark I have found certain interesting string:
NFPOST /device/3D011F0 /p2p-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: 2088966071
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="y70nnRaOAk9Pbc1cz8L8esO9ph8=", Nonce="1552662507", Created="2025-04-04T15:17:40+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 532
Content-MD5: 832f1c7f19bd8fe62e423770083c80de
NFPOST /device/3D011F0 /relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="wg6ud9Lw7o1p/uPhm37jf1Lchv8=", Nonce="-2106309976", Created="2025-04-04T15:17:42+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: e2a3b2f84d59e1c7ed8966bd48c7d8de
<body><ClientId>3FB7F9E6-BE74-4A47-9A95- :37777</ClientId><CreateDate>1743769062</CreateDate><DevAuth>QiU5g5MwLhAED8WxIRHM+nykTeS69S5fNcwRDar43oM=</DevAuth><Nonce>1437081999</Nonce><UserName>fullacs</UserName><X-SvrVersion>6.2.0</X-SvrVersion><agentAddr>128.14.231.148:46408</agentAddr><sVersion>1.1.0</sVersion></body>NFPOST /device/3D011F0PAE00039/relay-channel HTTP/1.1
X-Version: 6.7.15
x-pcs-request-id: 14fa2865e5ad0e0faca77e9beb79a7b4
X-ToUType: Client/Dmss_Mac
CSeq: -562956295
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="cba1b29e32cb17aa46b8ff9e73c7f40b", PasswordDigest="0NXzm3+vygDq5Tqyj3duHhuPGTM=", Nonce="-1753810627", Created="2025-04 04T15:17:43+03:00"
X-SVersion: 1.1.0
Content-Type:
Content-Length: 330
Content-MD5: 1d044b86f5a205cbb1a0c76fe408756f
I define the way PasswordDigest string created:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
Can I use hashcat to get a password and in what way?
Can I use hashcat to get a password and in what way?