Hikvision Multiple Products Improper Authentication Vulnerability

Repository contains a single Python exploit/scanner (CVE-2017-7921.py) plus a short README. The script is a multi-threaded network scanner targeting Hikvision devices vulnerable to CVE-2017-7921 (improper authentication). For each target from ips.txt, it normalizes the base URL (adds http:// if missing and follows redirects), then requests the unauthenticated endpoint /System/configurationFile?auth=YWRtaW46MTEK. If HTTP 200 is returned, it processes the response as an encrypted/obfuscated configuration file: AES-ECB decrypt using a hardcoded 16-byte key (hex 279977f62f6cfd2d91cd75b889ce0c9a), then XORs the decrypted bytes with a repeating 4-byte key (0x73,0x8B,0x55,0x44). It extracts printable strings and searches for occurrences of the literal 'admin'; it assumes the next string is the password and writes target:username:password to ipsvalide.txt. The code is operational (performs real exploitation and credential recovery) but limited to credential disclosure; it does not implement command execution or a post-exploitation payload. README also includes Shodan dorks for identifying likely Hikvision web interfaces.

Repository contains a small Python rewrite PoC for CVE-2017-7921 (Hikvision auth bypass / information disclosure). It has two runnable scripts: - credentials.py: Prompts for a target IP, requests `/Security/users/` with a crafted `?auth=` token (base64 of `username:11`, defaulting to `admin:11`) to enumerate usernames, then requests `/System/configurationFile` and decrypts the returned blob using a hardcoded AES key (ECB) and a 4-byte XOR key. It parses decrypted text with regex tokenization and correlates usernames to subsequent tokens to print `user:password` pairs. - snapshot.py: Uses the same `admin:11` token approach to fetch `/Streaming/channels/1/picture` and writes the response to `<ip>.jpg` if it exceeds a minimum size threshold. No framework integration (not Metasploit/Nuclei). The exploit is operational for credential/snapshot retrieval but lacks robust target validation, error handling, and configurable payloads beyond the target IP.

Repository contains a standalone Python 3 tool (single main script: CVE-2017-7921.py) plus README and requirements. The script is a multi-function Hikvision camera/NVR utility centered on CVE-2017-7921 (“magic auth” authentication bypass). Core capabilities implemented in the script: - Target ingestion: reads a camera list file with entries in host or host:port format. - Snapshot collection (authenticated): attempts multiple known Hikvision snapshot endpoints in order (/ISAPI/Streaming/channels/1/picture, /ISAPI/Streaming/channels/101/picture, /onvif-http/snapshot) using HTTP Basic auth by default, with optional HTTP Digest. - CVE exploitation (unauthenticated): uses a hardcoded magic-auth query string (?auth=YWRtaW46MTEK) to access /onvif-http/snapshot without credentials; also used to access /Security/users and /System/configurationFile. - Vulnerability checking: determines likely vulnerability by requesting the magic-auth snapshot endpoint and validating response status/content. - Credential extraction: downloads the device configuration file via the bypass and performs decryption (using local OpenSSL plus embedded key material) to recover usernames/passwords; can then verify credentials. - Concurrency: uses ThreadPoolExecutor with configurable worker count to process many devices. - Output: writes per-device JPEG snapshots to an output directory (default snapshots/). Optional Pillow-based merge creates a single overview grid image. Overall purpose: bulk assess and interact with Hikvision devices from a separate host—enumerate targets, test for CVE-2017-7921 exposure, optionally extract credentials from vulnerable devices, and collect snapshots either with valid credentials or via the auth-bypass.

Repository purpose: a CVE-2017-7921 “research toolkit” for Hikvision IP cameras that performs bulk network scanning of provided device URLs, exploits the authentication bypass to fetch the device configuration file, decrypts/deobfuscates it, and extracts credentials. Structure: - README.md: Chinese documentation describing CVE-2017-7921, usage workflow, expected input format (newline-delimited JSON in `zc/`), and output (`vulnerable_devices.json`). It also documents the hardcoded auth token and crypto details (AES-ECB key and XOR key). - batch_decrypt.py: Main executable Python script. Key exploit capabilities (batch_decrypt.py): - Input handling: enumerates `.json` files under `zc/`, loads devices line-by-line as JSON objects; expects at least `link` (base URL). - Network exploitation: for each device, performs `GET {link}/System/configurationFile?auth=YWRtaW46MTEK` with a browser-like User-Agent and 5s timeout. - Crypto processing: if response is 200 and content length > 100 bytes, decrypts using AES-ECB with hardcoded key `279977f62f6cfd2d91cd75b889ce0c9a` (skipping the first AES block), then XORs the result with repeating key bytes `73 8B 55 44`. - Credential extraction: converts bytes to ISO-8859-1, extracts printable strings, searches for the string 'admin' and treats the next extracted string as the password. - Concurrency: uses ThreadPoolExecutor with user-specified worker count; progress shown via tqdm. - Output: prints discovered credentials and writes all successful findings to `vulnerable_devices.json` in the script directory. Overall, this is an operational credential-dumping exploit tool (not just detection) targeting Hikvision devices vulnerable to CVE-2017-7921 via a specific configuration file download endpoint and known static decryption parameters.

Repository contains two standalone Python exploit tools targeting Hikvision devices: 1) 2017/CVE-2017-7921.py (Hikvision information disclosure/auth bypass): - Performs unauthenticated HTTP requests using a hardcoded base64 auth token (auth=YWRtaW46MTEK) to ISAPI-style endpoints. - Verifies exposure by requesting /Security/users and then downloads /System/configurationFile. - Implements offline decryption of the configuration export using AES-ECB with a hardcoded key (279977f62f6cfd2d91cd75b889ce0c9a) followed by XOR (0x73 0x8B 0x55 0x44) to recover plaintext and extract credentials (looks for 'admin' token and the subsequent password token). - Can also fetch a snapshot image from /onvif-http/snapshot. - Supports multi-target operation: single URL (-u), file list (-f), or IP/CIDR range (-ip) with port ranges, threading, progress bar, and writes results (likely CSV) plus snapshot files to an output directory. 2) 2021/CVE-2021-36260.py (Hikvision unauthenticated command injection/RCE): - Implements an HTTP client that targets /SDK/webLanguage and injects short commands (enforces ~22 byte limit for reliability). - Includes verification modes: “safe check” (write/read style verification) and “unsafe check” (reboot-based verification). - Provides actions: execute command with output, execute blind command, reboot device, and a --shell mode that attempts to enable/assume an SSH service on TCP/1337 and then connects using the local system ssh client. - Auto-toggles between http/https on connection issues and suppresses TLS warnings. Non-code files: - Per-year requirements.txt list Python dependencies. - commands.txt files provide example invocations and manual curl checks. - README.md is minimal, indicating both CVEs and an update date. Overall purpose: a small collection of operational PoC/utility exploits for Hikvision devices—one focused on credential/config extraction (CVE-2017-7921) and one providing unauthenticated RCE with optional interactive access (CVE-2021-36260).

This repository contains a Python exploit script (CVE-2017-7921.py) and a README.md. The script targets Hikvision IP cameras and DVRs vulnerable to CVE-2017-7921, an authentication bypass flaw. It reads a list of target IPs from 'ips.txt', then for each target, sends an unauthenticated HTTP GET request to the '/System/configurationFile?auth=YWRtaW46MTEK' endpoint. If the device is vulnerable, it receives an encrypted configuration file, which the script decrypts and decodes to extract admin credentials. These credentials are saved to 'ipsvalide.txt'. The script is multithreaded for efficiency and provides colored console output for status updates. The README provides a brief description of the vulnerability and a Shodan search dork for finding potentially vulnerable devices. The exploit is operational, providing real credential extraction, and is not just a proof of concept or detection script.

This repository contains a Python script ('Hunter.py') and a README file. The script is a city-targeted reconnaissance and exploitation tool for Hikvision IP cameras, DVRs, and NVRs. It uses the Shodan API to search for Hikvision devices in a specified city, filters out likely honeypots, and attempts to access each device using the default admin:12345 credentials (base64-encoded in the 'auth' parameter). For each accessible device, it enumerates detailed device information and attempts to download a camera snapshot. Results are saved to a timestamped hits file and snapshots are stored in a dedicated folder. The script is highly automated, supports high concurrency, and provides colorful real-time console output. The exploit leverages a well-known default credential vulnerability and is operational, providing both enumeration and snapshot download capabilities. No specific CVE is referenced, but the attack is effective against Hikvision devices with unchanged default credentials.

This repository contains a Python exploit script targeting Hikvision IP cameras vulnerable to CVE-2017-7921. The main script (script.py) provides three core capabilities: (1) Downloading and decrypting the camera's configuration file to extract admin credentials, (2) Continuously downloading camera snapshots and saving them locally, and (3) Converting a series of downloaded images into a video. The script interacts with the camera's HTTP endpoints, using hardcoded authentication tokens, and can optionally route requests through Tor for anonymity. The repository includes a requirements file for dependencies, a .gitignore for output directories, and a README with detailed usage instructions. The exploit is operational, providing real credential extraction and image/video exfiltration from vulnerable cameras.

This repository provides Python scripts to identify and probe Hikvision devices for three known vulnerabilities: CVE-2017-7921 (authentication bypass), CVE-2021-36260 (command injection), and CVE-2022-28171 (blind SQL injection). The structure includes a 'cve' directory with individual scripts for each CVE, a device identifier script (hikvision_identifier.py), and a main probe script (hikvision_probe.py) that orchestrates the vulnerability checks. The scripts are designed to be run from the command line, taking lists of IPs or URLs via standard input. The main capabilities are network-based vulnerability detection and device identification. The endpoints targeted are specific to Hikvision device web interfaces and known vulnerable paths. No weaponized payloads are included; the scripts are proof-of-concept checkers for the listed vulnerabilities.

This repository is a Go-based exploit tool targeting Hikvision devices vulnerable to CVE-2017-7921 (unauthorized access). The main code is in 'main.go', which provides three primary modules: a POC module to check for unauthorized access, an exploit module to extract admin credentials by decrypting the configuration file, and a brute-force module to attempt password guessing. The tool supports scanning single IPs, IP ranges, or lists from a file, and can operate over HTTP or HTTPS. It uses multi-threading for efficiency. The endpoints targeted are specific to Hikvision's web interface, and the exploit includes logic to decrypt and extract credentials from device responses. The repository is operational and provides real exploit functionality, not just detection.

This repository contains a Python proof-of-concept exploit for CVE-2017-7921, an improper authentication vulnerability affecting several Hikvision camera models and firmware versions. The main script, CVE-2017-7921.py, allows an attacker to scan one or more IP addresses for vulnerable Hikvision cameras, connect to them over HTTP, and exploit the authentication flaw to retrieve sensitive configuration files and user information. The script can also capture a snapshot image from the camera. Extracted configuration files are decrypted to recover admin credentials. The exploit is multi-threaded, supports scanning IP ranges, and outputs results to CSV and image files. The README provides background on the vulnerability, affected products, impact, and responsible disclosure. No hardcoded IPs or domains are present; the script targets user-supplied network addresses. The exploit is a functional PoC for information disclosure and credential extraction, not a weaponized or post-exploitation tool.

This repository is an exploit toolkit targeting Hikvision IP cameras and NVRs vulnerable to a known backdoor (triggered by the parameter ?auth=YWRtaW46MTEK). The main components are: - 'exploit.sh': A Bash script that takes a target host, port, and SSL flag, crafts HTTP(S) requests to various endpoints on the device using the backdoor, and attempts to download sensitive files (notably the configuration file), take snapshots, dump device/user info, and perform DoS actions (reboot/factory reset). It checks for vulnerability by probing the /Security/users endpoint and, if successful, downloads the configuration file. - 'config-decryptor.py': A Python script that decrypts the downloaded configuration file using a hardcoded AES key and XOR operation, then extracts readable strings (including admin credentials). - 'main.py': A Python script that automates exploitation against a list of targets specified in 'webcams.txt', running the Bash exploit for each IP:port pair. - 'webcams.txt': A sample list of target IP addresses and ports. - 'requirements.txt': Specifies the 'pycryptodome' dependency for decryption. The exploit is operational and automates the process of identifying vulnerable Hikvision devices, extracting their configuration files, decrypting them, and retrieving admin credentials. It also supports additional actions such as taking snapshots and performing denial-of-service attacks (reboot/factory reset). The main attack vector is network-based, requiring access to the device's HTTP(S) interface. The endpoints targeted are well-defined and fingerprintable, and the exploit is effective against devices with the backdoor enabled.

This repository contains a Python exploit for CVE-2017-7921, a critical improper authentication vulnerability affecting Hikvision IP cameras and similar devices. The main file, CVE_2017_7921_EXP.py, is a command-line tool that takes a target IP address (or a file containing multiple targets) and attempts to exploit the vulnerability by sending a crafted HTTP GET request to the /System/configurationFile endpoint with a static base64-encoded 'admin' credential in the 'auth' parameter. If the device is vulnerable, it responds with an encrypted configuration file, which the script then decrypts using a hardcoded AES key and XOR operation. The script extracts and prints out usernames and passwords (including the admin account) in plaintext. The exploit is operational and automates the process of credential extraction from vulnerable devices. The repository also includes a README.md with usage instructions and a requirements.txt listing Python dependencies (requests, fire, pycrypto). No fake or destructive code is present; the exploit is focused on credential extraction via a network attack vector.

This repository is a mass exploitation toolkit targeting Hikvision IP cameras vulnerable to CVE-2017-7921. It contains three main Python scripts: - 'download.py': Scans a list of IP addresses (from the 'ip' file) and attempts to exploit the unauthenticated configuration file download vulnerability. If successful, it can optionally download the configuration file from each vulnerable device. - 'snapshot.py': Similar to 'download.py', but targets the unauthenticated snapshot endpoint to download camera images from vulnerable devices. - 'decrypt.py': Decrypts configuration files obtained from the cameras using a known static AES key and an XOR operation, extracting readable strings (such as credentials). The 'ip' file contains a large list of target IP addresses and hostnames. The default target port is 80, but this can be changed in the code. The attack vector is network-based, requiring access to the camera's web interface. The endpoints '/System/configurationFile?auth=YWRtaW46MTEK' and '/onvif-http/snapshot?auth=YWRtaW46MTEK' are fingerprintable and are used to exploit the vulnerability. The toolkit is operational and can be used to extract sensitive data from a large number of vulnerable devices.

This repository is a Go-based exploit for the Hikvision CVE-2017-7921 vulnerability. The main exploit logic is in 'src/cve-2017-7921-golang/main.go', which provides two modes: direct exploitation of the vulnerability to extract admin credentials, and a brute-force mode to guess the admin password. The exploit works by sending a crafted HTTP GET request to the vulnerable device's '/System/configurationFile' endpoint, decrypting the response using a hardcoded AES key and XOR key, and parsing out credentials. The brute-force mode attempts to authenticate to '/PSIA/System/deviceinfo' using a password list. The repository includes supporting code for AES decryption (src/aesebc), IP/subnet handling (src/gip), and output management. The exploit is operational and can be used against multiple targets in parallel, as specified by the user. No fake or destructive code is present; the exploit is focused on credential extraction and brute-force password discovery for Hikvision devices vulnerable to CVE-2017-7921.