Hikvision SADP, internal structure of Hikvision recorders

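First, SSDP sends UDP messages to 239.255.255.250:1900 to reach every host on the LAN.

Hikvision's SADP, unlike standard SSDP, does not contain keywords such as M-SEARCH or NOTIFY, and it does not send to port 1900. Instead it uses custom XML strings as its private protocol and sends UDP data to port 37020.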

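Open the Hikvision device network tool:

I captured the packets with Wireshark and got the following:

My machine's IP is 172.16.7.211.

Enter this filter in Wireshark: ip.dst==239.255.255.250 and ip.src == 172.16.7.211

1. Client-initiated: search for devices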

<?xml version="1.0" encoding="utf-8"?>
<Probe>
<Uuid>F93CF8DC-DF53-424B-98A7-9FC0536E1083</Uuid>
<Types>inquiry</Types>
</Probe>

2. Device-initiated: the camera responds

<?xml version="1.0" encoding="UTF-8"?>
<ProbeMatch><Uuid>F93CF8DC-DF53-424B-98A7-9FC0536E1083</Uuid>
<Types>inquiry</Types>
<DeviceType>140071</DeviceType>
<DeviceDescription>DS-2CD5026EFWD-A</DeviceDescription>
<DeviceSN>DS-2CD5026EFWD-A20171214AACH147955970</DeviceSN>
<CommandPort>8000</CommandPort>
<HttpPort>80</HttpPort>
<MAC>64-db-8b-08-cf-45</MAC>
<IPv4Address>192.168.66.25</IPv4Address>
<IPv4SubnetMask>255.255.255.0</IPv4SubnetMask>
<IPv4Gateway>192.168.66.254</IPv4Gateway>
<IPv6Address>::</IPv6Address>
<IPv6Gateway>::</IPv6Gateway>
<IPv6MaskLen>64</IPv6MaskLen>
<DHCP>false</DHCP>
<AnalogChannelNum>0</AnalogChannelNum>
<DigitalChannelNum>1</DigitalChannelNum>
<SoftwareVersion>V5.5.0build 170914</SoftwareVersion>
<DSPVersion>V7.3 build 170818</DSPVersion>
<BootTime>1970-02-10 05:19:22</BootTime>
<Encrypt>true</Encrypt>
<ResetAbility>false</ResetAbility>
<DiskNumber>0</DiskNumber>
<Activated>true</Activated>
<PasswordResetAbility>true</PasswordResetAbility>
<PasswordResetModeSecond>true</PasswordResetModeSecond>
<SupportSecurityQuestion>true</SupportSecurityQuestion>
<SupportHCPlatform>true</SupportHCPlatform>
<HCPlatformEnable>flase</HCPlatformEnable>
<IsModifyVerificationCode>true</IsModifyVerificationCode>
<Salt>21ea877fbac71d715a34f28e194d39b80ed9965e96e26bb0a6b00d6240e1dc3b</Salt>
<DeviceLock>true</DeviceLock>
</ProbeMatch>
 

3. Client-initiated: change the camera IP to 192.168.66.25

<?xml version="1.0" encoding="utf-8"?>
<Probe>
<Uuid>AC2CEC98-C7FA-42B9-A9AE-23608F923E78</Uuid>
<Types>update</Types>
<PWErrorParse>true</PWErrorParse>
<MAC>64-db-8b-08-cf-45</MAC>
<Password bSalt="true">kFnsMaQrzmGi89g+6txepC1RNnZMSi/fA16x+UdjFOmqBmoVCc/zeZ8X6oZmLBdWaXnvwTxjLIQBsLsDP0xjHw==</Password>
<IPv4Address>192.168.66.25</IPv4Address>
<CommandPort>8000</CommandPort>
<IPv4SubnetMask>255.255.255.0</IPv4SubnetMask>
<IPv4Gateway>192.168.66.254</IPv4Gateway>
<IPv6Address>::</IPv6Address>
<IPv6Gateway>::</IPv6Gateway>
<IPv6MaskLen>64</IPv6MaskLen>
<DHCP>false</DHCP>
<HttpPort>80</HttpPort>
</Probe>

4. Device-initiated: after a successful change, the camera at 192.168.66.25 replies on its own

<?xml version="1.0" encoding="UTF-8"?>
<ProbeMatch>
<Uuid>AC2CEC98-C7FA-42B9-A9AE-23608F923E78</Uuid>
<Types>update</Types>
<Result>success</Result>
<DeviceType>140071</DeviceType>
<DeviceDescription>DS-2CD5026EFWD-A</DeviceDescription>
<DeviceSN>DS-2CD5026EFWD-A20171214AACH147955970</DeviceSN>
<CommandPort>8000</CommandPort>
<HttpPort>80</HttpPort>
<MAC>64-db-8b-08-cf-45</MAC>
<IPv4Address>192.168.66.25</IPv4Address>
<IPv4SubnetMask>255.255.255.0</IPv4SubnetMask>
<IPv4Gateway>192.168.66.254</IPv4Gateway>
<IPv6Address>::</IPv6Address>
<IPv6Gateway>::</IPv6Gateway>
<IPv6MaskLen>64</IPv6MaskLen>
<DHCP>false</DHCP>
<AnalogChannelNum>0</AnalogChannelNum>
<DigitalChannelNum>1</DigitalChannelNum>
<SoftwareVersion>V5.5.0build 170914</SoftwareVersion>
<DSPVersion>V7.3 build 170818</DSPVersion>
<BootTime>1970-02-10 05:19:22</BootTime>
<Encrypt>true</Encrypt>
<ResetAbility>false</ResetAbility>
<DiskNumber>0</DiskNumber>
<Activated>true</Activated>
<PasswordResetAbility>true</PasswordResetAbility>
<PasswordResetModeSecond>true</PasswordResetModeSecond>
<SupportSecurityQuestion>true</SupportSecurityQuestion>
<SupportHCPlatform>true</SupportHCPlatform>
<HCPlatformEnable>flase</HCPlatformEnable>
<IsModifyVerificationCode>true</IsModifyVerificationCode>
<Salt>21ea877fbac71d715a34f28e194d39b80ed9965e96e26bb0a6b00d6240e1dc3b</Salt>
<DeviceLock>true</DeviceLock>
</ProbeMatch>

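Principle analysis:

To keep the password from being recovered from captured packets, the principle must be that a key is generated from a random value plus the username and password. The device receives this key and compares it; if it matches, the password is judged correct.

1. The UUID, username and password are combined into an md5<uuid,uid,pwd> string. When the camera receives this string and finds that the UUID is the one it sent itself, operations such as parameter configuration can proceed.

2. UUID renewal

When the client initiates a request, the request carries a new UUID, and the device returns that UUID in its response. If the UUIDs do not match, the operation fails; for example, applying the current setting with the previous UUID fails.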
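As an added example (not from the original post and not Hikvision code), this passive check parses SADP payloads seen on UDP 37020, pairs each ProbeMatch with its Probe by Uuid as described above, and reports `update` requests so that network-setting changes made over multicast can be reviewed. The admin allow-list, the device reply source address, the third UUID and the finding names are assumptions; the sample payloads are trimmed from the captures on this page.

```python
import xml.etree.ElementTree as ET

ADMIN_HOSTS = {"172.16.7.211"}  # assumption: hosts allowed to run the SADP tool

def parse_sadp(payload: bytes):
    """Return (root tag, {child tag: text}), or None if this is not SADP XML."""
    if b"<!DOCTYPE" in payload or b"<!ENTITY" in payload:
        return None  # untrusted LAN input: refuse DTDs and entities outright
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return None
    fields = {c.tag: (c.text or "").strip() for c in root}
    return (root.tag, fields) if root.tag in ("Probe", "ProbeMatch") else None

def review(capture):
    """Walk (src_ip, payload) pairs in capture order; return (kind, detail) findings."""
    pending, findings = {}, []
    for src, payload in capture:
        msg = parse_sadp(payload)
        if msg is None:
            findings.append(("malformed", src))
            continue
        tag, f = msg
        uuid, kind = f.get("Uuid", ""), f.get("Types", "")
        if tag == "Probe":
            pending[uuid] = kind  # remember the request so replies can be paired
            if kind == "update":
                who = "admin" if src in ADMIN_HOSTS else "UNKNOWN-HOST"
                findings.append(("config-change", f"{who} {src} -> {f.get('MAC')}"))
        elif pending.get(uuid) != kind:  # reply whose Uuid/Types match no request seen
            findings.append(("unpaired-reply", f"{src} uuid={uuid}"))
        elif kind == "update":
            findings.append(("change-result", f"{f.get('MAC')} {f.get('Result')}"))
    return findings

# Constructed capture: payloads trimmed from the messages on this page. The reply
# source address, U3 and the last entry are assumptions made for illustration.
U1, U2 = "F93CF8DC-DF53-424B-98A7-9FC0536E1083", "AC2CEC98-C7FA-42B9-A9AE-23608F923E78"
U3, MAC = "00000000-0000-0000-0000-000000000001", "<MAC>64-db-8b-08-cf-45</MAC>"
CAPTURE = [
    ("172.16.7.211", f"<Probe><Uuid>{U1}</Uuid><Types>inquiry</Types></Probe>".encode()),
    ("192.168.66.25", f"<ProbeMatch><Uuid>{U1}</Uuid><Types>inquiry</Types>{MAC}</ProbeMatch>".encode()),
    ("172.16.7.211", f"<Probe><Uuid>{U2}</Uuid><Types>update</Types>{MAC}</Probe>".encode()),
    ("192.168.66.25", f"<ProbeMatch><Uuid>{U2}</Uuid><Types>update</Types><Result>success</Result>{MAC}</ProbeMatch>".encode()),
    ("172.16.7.99", f"<Probe><Uuid>{U3}</Uuid><Types>update</Types>{MAC}</Probe>".encode()),
]

if __name__ == "__main__":
    print(*review(CAPTURE), sep="\n")
```

A reply is reported as unpaired whenever the monitor did not see the matching request, so a capture that starts mid-exchange will produce some of these.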

Published by

风君子
