Dahua / Intelbras MitM Attack

Requirements

  • One IP Camera or DVR from Intelbras / Dahua connected through an Ethernet cable (wireless might work, but was not tested)
  • One cellphone with the Intelbras / Dahua application and the Camera or DVR configured in it
  • One computer with Linux and Go installed
  • Patience to get everything to work

Attack Idea

The main idea behind the attack is the concept of MitM (Man-in-the-Middle) using ARP Poisoning. The idea is to inform all network devices that you have the IP that belongs to the DVR, and then receive all the packets that were originally intended for the DVR. That way, when someone logs in, you will also receive the Login Packet.

[Figure: Normal communication between smartphone and camera]
[Figure: Passive packet reception (one-way)]
[Figure: Intercept and resend attack (both ways)]

Ethernet Communication

The main protocol used nowadays in conventional computer networks is called Ethernet. This protocol works in the Link layer of a network. That means it works directly over the device that connects the computers (for example your network card). That's why we usually call it an Ethernet network. There are other types of networks, but in general, nowadays everything is Ethernet based (even if it's a virtual Ethernet and not a hardware one).

Ethernet Frame
  • Preamble: This part of the frame tells the network card that a set of data is coming. It usually contains a magic number that is repeated over and over for a short period of time. Think of a "Hello" when you answer a phone call, to let the other side know that you're about to say something.
  • SFD (Start of Frame Delimiter): This part says that the Preamble is over. That way the network card knows that the relevant Ethernet data is coming next.
  • Destination MAC Address / Source MAC Address: Each network card, in any device, has a unique number which identifies it. That number has 6 groups of 2 hexadecimal digits (6 bytes), where the first three groups say which manufacturer made the device, and the last three are the device number (usually a manufacturer sequence). Ideally every device in the world has a unique MAC Address (which is not always true).
  • EtherType: This field says which type of packet is carried in this Ethernet frame. For example, a hexadecimal value of 08 00 says it's an IPv4 packet.
  • Payload: This field contains the data being transmitted. What bytes are in this field depends exclusively on the protocol type being used.
  • FCS (Frame Check Sequence): This field contains a number calculated over all previous bytes using a very specific mathematical formula (CRC32). It is used as a check to see if any data was corrupted during transmission.

Discovering MAC Addresses using ARP

The ARP Protocol was created to discover MAC Addresses over the network. The name literally means Address Resolution Protocol. To understand how it works, there is one more detail to understand about Ethernet: Broadcast Communication. A frame sent to the destination MAC ff:ff:ff:ff:ff:ff is delivered to every device on the local network, and that is how an ARP Request reaches the device it is looking for without knowing its MAC yet.

ARP Request / Reply
  • Hardware Type: Defines the hardware type (in this case Ethernet)
  • Protocol Type: Defines the protocol type (in this case IPv4)
  • Hardware Address Length: Defines the length of the hardware address (since we're on an Ethernet network, we use MAC Addresses, which have 6 bytes)
  • Protocol Address Length: Defines the length of the protocol address (since we're talking about the IPv4 protocol, we use 4-byte IP Addresses)
  • Operation Code: Type of the operation. Are we asking who has an IP, or sending an answer?
  • Source / Target Hardware Address: Source / Destination Hardware Address (in this case MAC). If it's a question, the destination will be 00:00:00:00:00:00 (if you don't know it, you just send it blank)
  • Source / Target Protocol Address: Source / Destination Protocol Address (in this case IP). Both are filled in even in a question: the source is your IP and the destination is the IP you're looking for.

ARP Poison

The ARP Poison is very simple. Everyone in the network receives the ARP Request, so why not store the address in the local table whenever you receive an ARP packet? Then you don't need to ask when it's needed. Using that behaviour, we can forge an ARP Reply packet saying that we have the IP 1.1.1.1, and then let the whole network know that they should send those packets to us. Simple, right?
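As an added example (not part of the original post or its script), here is a small Go program that parses the Ethernet and ARP fields listed in the two sections above and watches for the poison from the defender's side: an ARP Reply in which a second MAC claims an IP that was already seen with a different MAC. The sample frames are constructed, the DVR IP and MAC are the ones from the nmap output further down, and the phone and attacker MACs are hypothetical.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
)

// ParseARP decodes an Ethernet frame carrying ARP for IPv4 and returns the opcode (1 request, 2 reply)
// plus sender MAC/IP. Captured frames begin at the destination MAC (no preamble, SFD or FCS), so ARP starts at byte 14.
func ParseARP(frame []byte) (op uint16, senderMAC, senderIP string, err error) {
	// bytes 12-19: EtherType 0x0806 (ARP), hw type 1 (Ethernet), proto 0x0800 (IPv4), lengths 6 and 4
	if len(frame) < 42 || string(frame[12:20]) != "\x08\x06\x00\x01\x08\x00\x06\x04" {
		return 0, "", "", fmt.Errorf("not an Ethernet/IPv4 ARP frame")
	}
	p := frame[14:] // target MAC and IP follow at p[18:24] and p[24:28]
	return uint16(p[6])<<8 | uint16(p[7]), net.HardwareAddr(p[8:14]).String(), net.IP(p[14:18]).String(), nil
}
// Observe tracks the MAC that last claimed each IP in an ARP reply (the packet the poison
// above forges) and returns an alert when the owner of an IP changes, otherwise "".
func Observe(seen map[string]string, op uint16, mac, ip string) string {
	if op != 2 {
		return ""
	}
	old, known := seen[ip]
	seen[ip] = mac
	if known && old != mac {
		return fmt.Sprintf("ALERT: %s moved from %s to %s", ip, old, mac)
	}
	return ""
}
// Constructed sample frames (hex, not real captures): DVR IP/MAC from the nmap output
// below; the phone (02:11:...) and attacker (02:aa:...) MACs are hypothetical.
var sampleFrames = []string{
	"021122334455" + "58108c3b3835" + "0806" + "0001080006040002" + "58108c3b3835" + "0a0a056b" + "021122334455" + "0a0a0501", // genuine reply from the DVR
	"021122334455" + "02aabbccddee" + "0806" + "0001080006040002" + "02aabbccddee" + "0a0a056b" + "021122334455" + "0a0a0501", // forged reply claiming the DVR's IP
}
// RunSamples feeds every sample frame through Observe and returns the alerts raised.
func RunSamples() (alerts []string) {
	seen := map[string]string{}
	for _, h := range sampleFrames {
		raw, _ := hex.DecodeString(h)
		if op, mac, ip, err := ParseARP(raw); err == nil {
			if s := Observe(seen, op, mac, ip); s != "" {
				alerts = append(alerts, s)
			}
		}
	}
	return alerts
}
func main() { fmt.Println(RunSamples()) }
```

On a real network the same two functions would be fed from a promiscuous-mode capture instead of the constructed frames, and the alert is the signal a switch or host-based monitor would raise.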

Finding the Intelbras/Dahua DVR/Camera in the network

Our attack is simple: we find the DVR/Camera IPs in the network and act as them. But first we need to find them. For that we can use a peculiarity of Dahua/Intelbras devices: they always talk on port 37777 using the TCP protocol. Why is that important? Because that port is not very common, so if it is open on a device, we can assume it's a DVR or Camera. To scan we can use our great friend nmap.

sudo nmap -sT 10.10.5.0/24 -p 37777 --open
  • -sT makes TCP connections to the specified ports and IPs
  • 10.10.5.0/24 tries to connect to all IPs of the specified network (in this case from 10.10.5.1 to 10.10.5.254)
  • -p 37777 tries only port 37777
  • --open shows only results where the port was open
Starting Nmap 7.60 ( https://nmap.org ) at 2019-08-02 18:01 -03
Nmap scan report for 10.10.5.107
Host is up (-0.085s latency).

PORT STATE SERVICE
37777/tcp open unknown
MAC Address: 58:10:8C:3B:38:35 (Intelbras)

Nmap done: 256 IP addresses (28 hosts up) scanned in 10.29 seconds

Poisoning the ARP using Ettercap

In the near future the Go script will also do the ARP Poison. For now I will show how to do it using Ettercap. Ettercap is an excellent application for several types of MitM attacks using ARP, and has some presets to monitor for usernames/passwords from unencrypted POP/IMAP/SMTP (you would be surprised how easy it is to get one). Today we will only use it to poison the ARP tables in the network and get the packets.

sudo ettercap -G

Receiving the Username / Password

The Go script nowiseeyou.go (check the end of this page) will analyze any packet your machine receives on port 37777, waiting for a packet that looks like a login packet. To run it, just download all dependencies using go get and then run:

sudo go run nowiseeyou.go
2019-08-02T18:18:12-03:00|I| Dahua | Opening wlp3s0 in promisc mode
2019-08-02T18:18:12-03:00|I| Dahua | Waiting
2019-08-02T18:18:12-03:00|I| Dahua | Opening wlp3s0 in promisc mode
2019-08-02T18:18:12-03:00|I| Dahua | Waiting
2019-08-02T18:19:01-03:00|W| Dahua | GOTCHA! Username: admin - Password: admin
2019-08-02T18:19:01-03:00|W| Dahua | GOTCHA! Username: admin - Password: admin
2019-08-02T18:19:02-03:00|W| Dahua | Got login, and stream data. Closing it...

Lucas Teske

Programming, Hacking, SDR, Satellites. Basically everything technology related. Everything is also posted on my site https://lucasteske.dev/