Part 8 - Brute Force

Looking at the hashing format, we know it's going to have collisions. To find the plain-text password for the backdoor user account, we need to spend some time brute forcing the hash. I just want to point out that this step is mostly unnecessary, since the hash is as good as the plain-text password when logging into the camera. Regardless, it is still a good idea to crack it, just in case.

  require "./dahua_hash"

  module Brute
    # Walks the candidate space with String#succ ("a", "b", ..., "z", "aa", ...)
    # until Dahua.digest(candidate) equals the target hash, then returns the
    # candidate. Progress is printed every 10_000 and 1_000_000 attempts.
    def self.run(hash : String, start = "a") : String
      current = start
      counter = 0
      success = false
      start_time = Time.now
      until success
        if Dahua.digest(current) == hash
          puts "SUCCESS!!!"
          success = true
          break # leave `current` pointing at the match rather than its successor
        end
        counter += 1
        current = current.succ
        if counter % 1_000_000 == 0
          puts " @ #{current} : #{Time.now - start_time}"
        elsif counter % 10_000 == 0
          print '.'
        end
      end
      end_time = Time.now
      puts "Time: #{end_time - start_time}"
      puts "Result: #{current} : #{Dahua.digest(current)}"
      current
    end
  end

We know the details of the "user" account, so all we need to do is plug it in and BAM!


We end up getting back the string "tluafed", or "default" backwards, after about 16 hours.
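To put that 16-hour figure in perspective, here is an added example (not code from the original post) that counts how many candidates the `String#succ` walk above visits before reaching a given string, and derives the implied single-threaded hash rate. It assumes the enumeration is lowercase-only, which is what Crystal's `"a".succ` chain produces, and treats the elapsed time as the approximate value quoted in the text.

```python
from string import ascii_lowercase

# Crystal's "a".succ only ever yields lowercase letters, so the walk
# is an ordered enumeration over this alphabet, shortest strings first.
ALPHABET = ascii_lowercase


def rank(candidate: str, alphabet: str = ALPHABET) -> int:
    """0-based position of `candidate` in the length-then-lexicographic
    enumeration "a", "b", ..., "z", "aa", "ab", ... produced by String#succ."""
    base = len(alphabet)
    # every string strictly shorter than the candidate comes first
    shorter = sum(base ** n for n in range(1, len(candidate)))
    # then the candidate's index among strings of its own length (bijective base-26)
    same_len = 0
    for ch in candidate:
        same_len = same_len * base + alphabet.index(ch)
    return shorter + same_len


def candidates_hashed(found: str) -> int:
    """Number of Dahua.digest calls the loop makes before it stops on `found`
    (the hit itself is hashed once, hence the +1)."""
    return rank(found) + 1


def implied_hash_rate(found: str, elapsed_seconds: float) -> float:
    """Average digests per second needed to reach `found` in `elapsed_seconds`."""
    return candidates_hashed(found) / elapsed_seconds


if __name__ == "__main__":
    # elapsed time is the approximate 16 hours reported in the text (constructed input)
    hours = 16
    n = candidates_hashed("tluafed")
    print(f"candidates hashed before 'tluafed': {n:,}")
    print(f"implied rate: {implied_hash_rate('tluafed', hours * 3600):,.0f} digests/s")
```

The point for a defender is the size of the space: every password of up to seven lowercase letters (roughly 8.35 billion strings) is reachable by one unoptimised, single-threaded process in a day, so a credential scheme whose digest is this cheap, and which also accepts the digest in place of the password, offers no real protection.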

Looking up this string turns up an [interesting article](https://www.zdnet.com/article/over-nine-million-cameras-and-dvrs-open-to-apts-botnet-herders-and-voyeurs/) which describes a way to test whether a camera is a Xiongmai device: request a specific page, err.htm.

So now we know for certain that the camera is actually a Xiongmai product, not Besder.