At an internship I had a while ago one project assigned to me was to regain access to a CCTV security system which we had been locked out of for some years. (The previous manager left without leaving the password.)
The DVR system was a TRIPLEX DVRLink DVR468RW, whatever that is. It seemed cheap; a small embedded computer with video in/out, a hard-drive and CD-RW drive for recording storage. The administration interface was accessed either by a webserver running on the device or a desktop client you installed on your computer.
My initial thought was to remove the device’s internal clock battery to reset the password back to the default of “1234”; no dice. Next on the list of things to try was examining the hard drive in a desktop computer to see if the password could be viewed or reset. The hard drive had a single partition with some old surveillance video footage; nothing to do with settings or authentication. Further examination of the main board revealed a flash memory chip which I assumed stored the device’s configuration, including the administration password.
Let me step back here… The administration password could be entered either over one of the remote management interfaces (the desktop client or webserver) or physically on the device’s keypad. The keypad had the buttons: <1> <2> <3> <4> and <ENTER>. Well, isn’t that interesting; it looks as if the password can only be made up of those 4 characters. And the desktop client nicely informs me that when entering a password it must be between 4 and 8 characters long, which leaves only 87,296 possibilities.
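To show where that 87,296 comes from, and how little a lockout policy would have helped the device, here is an added keyspace calculator (my own example, not the script from this post); the attempt rates and lockout parameters it uses are assumptions for illustration, not measurements of the DVR.

```python
from math import log2


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Count passwords of length min_len..max_len over an alphabet of
    alphabet_size symbols: sum of alphabet_size**n for each allowed length."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Equivalent key strength in bits of a uniformly chosen password."""
    return log2(space)


def worst_case_seconds(space: int, attempts_per_second: float,
                       lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Time to exhaust the whole space at a given online guess rate.
    If lockout_after > 0, every lockout_after failed guesses cost an extra
    lockout_seconds pause (a simple model of an account-lockout policy)."""
    seconds = space / attempts_per_second
    if lockout_after > 0:
        seconds += (space // lockout_after) * lockout_seconds
    return seconds


def dvr_keypad_report(rate: float = 10.0) -> dict:
    """Summarise the DVR's keypad-constrained policy: 4 keys, 4-8 characters.
    `rate` (guesses/second) is an assumed value, not a measured one."""
    space = keyspace(4, 4, 8)                       # the post's 87,296
    alnum = keyspace(62, 4, 8)                      # same lengths, [A-Za-z0-9]
    return {
        "dvr_space": space,
        "dvr_bits": round(entropy_bits(space), 1),
        "alnum_space": alnum,
        "hours_no_lockout": worst_case_seconds(space, rate) / 3600,
        # assumed policy: 60 s pause after 5 failures
        "hours_with_lockout": worst_case_seconds(space, rate, 5, 60) / 3600,
    }


if __name__ == "__main__":
    for key, value in dvr_keypad_report().items():
        print(f"{key}: {value}")
```

The point a defender takes from this: a 4-symbol alphabet caps the space at about 16 bits regardless of length, so even a rate limit only turns minutes into days; widening the alphabet is what actually changes the picture.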
So, onto the next attack! Knowing that this device had such a limited number of possible passwords, a brute force attack wouldn’t be bad at all. After spending a lot of time examining unsuccessful login attempts from the desktop client in Wireshark and understanding their proprietary protocol, I wrote my first useful Python script to automate the process. After a few false positives and tweaks, I was able to get the program to generate a list of every possible password combination for the device and try them out. Within a minute of running I had the device’s long lost administration password of “1324” (it has since been changed).
After logging in as the Administrator I was able to see that there were other accounts on the system as well, and my program worked equally well for all of them. However, it is currently hard-coded to use the Administrator username. You may change it if you wish, but why bother?
Attached to this post are both the exploit and the manual for the TRIPLEX DVRLink DVR468RW. I hope that either may be useful to someone. (In a law-abiding way.)
DVR_exploit.py (Developed and tested with Python 3 running on Windows XP)
This article has been published in 2600 Magazine issue Spring 2013; Volume 30, Number one!