Tuesday, January 14, 2020

[Hikvision] DVR DS-7204HGHI User Enumeration (CVE-2020-7057)

The DS-7204HGHI DVR made by Hikvision runs Web version V4.0.1 build 180903.


When you try to log in to the web server, the web page relies on the "ISAPI" interface for authentication. It sends GET requests carrying the username that is trying to authenticate; if that username exists, the server responds with a Session ID, a Challenge and a SALT (plus the iteration count and whether it is reversible). If the username does not exist, the server responds with a 500 Internal Server Error.


But, as said above, if the username exists the server responds with interesting information.

This gives us the chance to use a brute-force attack for username enumeration. Hikvision's web server has a limit on failed log-ins, so be careful with the brute force, or do it manually to avoid the ban, trying only 4 – 5 usernames per device until you can try again.
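The response difference described above (200 with a challenge for a known user, 500 for an unknown one) is also what a defender can watch for on the DVR's web logs. The following is an added example, not code from the post or from Hikvision: it assumes a simple access-log format and a placeholder ISAPI login path (the real format and path are not given here), and it aggregates over a long window because the failed-login limit pushes an attacker toward probing only a few names per cycle.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: "<ip> [<ISO timestamp>] "GET <path>?username=<name> HTTP/1.1" <status>".
# "/ISAPI/login-endpoint" is a placeholder for the device's real ISAPI login path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<path>/ISAPI/[^ ?]*)'
    r'\?username=(?P<user>[^& "]+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample log: one source probes five names over ~24h, one legitimate login.
SAMPLE_LOG = """\
203.0.113.7 [2020-01-14T08:00:01] "GET /ISAPI/login-endpoint?username=admin HTTP/1.1" 200
203.0.113.7 [2020-01-14T09:15:22] "GET /ISAPI/login-endpoint?username=root HTTP/1.1" 500
198.51.100.2 [2020-01-14T09:30:00] "GET /ISAPI/login-endpoint?username=admin HTTP/1.1" 200
203.0.113.7 [2020-01-14T12:40:05] "GET /ISAPI/login-endpoint?username=operator HTTP/1.1" 500
203.0.113.7 [2020-01-14T18:02:47] "GET /ISAPI/login-endpoint?username=guest HTTP/1.1" 500
203.0.113.7 [2020-01-15T07:59:00] "GET /ISAPI/login-endpoint?username=user HTTP/1.1" 500
"""

def parse(line):
    """Return a dict for an ISAPI login probe, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "user": m["user"], "status": int(m["status"])}

def find_enumeration(lines, window=timedelta(hours=24), min_users=4):
    """Flag source IPs that query >= min_users distinct usernames within `window`.
    Per-IP, any sliding window that starts at one probe is checked; the 500s tell
    which names the device reported as unknown, the 200s which ones it confirmed."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len({e["user"] for e in in_win}) >= min_users:
                alerts[ip] = {
                    "distinct_users": len({e["user"] for e in in_win}),
                    "confirmed": sorted({e["user"] for e in in_win if e["status"] == 200}),
                    "unknown": sorted({e["user"] for e in in_win if e["status"] == 500}),
                }
                break
    return alerts

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```

Pair the alert with the device's own failed-login lockout events: a source that keeps returning just under the ban threshold across several cycles is the pattern the post describes.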
