Researching potential SHA256 - Help needed


cdoc

Joined: Fri, 17 Aug 2018
Posts: 4
Mon, 20 Aug 2018 @ 08:57:57

I am trying to understand the hashing algorithm that the newest Dahua NVRs are using.
I own a Dahua NVR, but I can share with you Dahua's demo NVR to play around with.

Their new hashing algorithm seems to be SHA256, salted with a random number, but I am unable to understand how it works and reproduce the same hashes manually.

I am using:
Dahua demo NVR: 9002A9553EB9.DahuaDDNS.com
At TCP port: 37777
With username: DNA
And password: DNA2017!
Via software: Smart PSS (latest version)

The results I get while sniffing Smart PSS upon login:
- Request (doesn't matter)
- Response: Realm: Login to BLAH Random:729153638
- Request (login): DNA&&3E47D902C7BA86DDB288A9F9FEA3E16154E809AD9AF3D2EFF76108EC435E1475

Where "DNA" is the username, and the SHA256 hash is the salted hash.

I imagine the hash is the result of some sort of pre/suffix salting with the "Random" value because, with the same password, every login request is different than the previous one.

All I need to understand is HOW these hashes are being produced, and to create my own valid hash, to be able to crack it later.

There is also a JavaScript-based login interface on HTTP (here: http://9002a9553eb9.dahuaddns.com/), which does the same thing, but I don't have much to do with JS so I am unable to reverse engineer the web login, where of course, as it seems, everything is done through JavaScript and their ActiveX program.

Valuable information can be found here: https://ku7tech.com/2017/02/24/danhua-nvr-multiple-exposures-cve-2017-6341-cve-2017-6342-cve-2017-6343/comment-page-1/

If anyone could cooperate with me to find a solution, please let me know guys.


cdoc

Mon, 20 Aug 2018 @ 09:32:12

Oh, sorry. I forgot to mention that the password MUST be 6 characters long. Not less, not more!


cdoc

Mon, 20 Aug 2018 @ 14:36:42

UPDATE:

I just saw in OllyDbg that there are three (3) encoding/encrypting methods in there.

There is a base64 encoder, a bcrypt hashing algorithm and a SHA256.


