Hikvision IP-camera activation - isapi

From couple of years Hikvision doesn't provide new IP cameras with defaults password for some strange security reasons and new user is forced to set unique password via web interface. In my case I need to activate hundreds of cameras and it will take too much time to do it via web.
I tried to make it via ONVIF SetUSers (http://www.onvif.org/ver10/device/wsdl/SetUser), but recieved:
ONVIFError: Unknown error: (401, u'Unauthorized')
Also i tried ISAPI protocol with /ISAPI/Security/users, but also no luck without any response at all.
Of course, after activation ONVIF and ISAPI work fine.
Is it any alternative way to automate activation process?

You cannot activate automatically. But you can use sadptool to set it up easily. if the cameras come with a preset password, they could cause security vulnerabilities. Because many people are setting up cameras with the default password. This is a very time-consuming process but there is no other way.

Hikvision provides "Batch Configuration" software.
https://us.hikvision.com/en/support-resources/downloads/tools

Related

Custom protocol handler - Clipboard deep dive

so I'm using a custom protocol handler for RDP from two sources, both are working great to connect.
Testing to the same remote machine clipboard works for one, but not the other.
Since I've tested on multiple source machines and same remote machine, using the same credentials, it does not seem to be an auth or machine issue, but an issue with the information that is being fed into the protocol handler or something to that affect.
The only difference is the auto generated file (which deletes itself on session connection).
I've seemingly scoured the internet and mostly found gpo/registry/rdpclip.exe fixes, none of which aim to solve this problem.
My questions:
How can I view detailed session information (such as the options that are passed using an rdp file) of active sessions? query user, query session, qwinsta etc do not have that capability it seems. For example: I see redirectclipboard:i:value in microsoft docs, how can I find what is currently set for this option, in a current session?
Are there any other suggestions on what may be causing this problem?

Systems that Access AD Attributes

I have been assigned a task to export the AD Attributes than find out what systems are using these attributes. I have not had much luck in scripting or a tool that can provide just that. Is this feasible and if so how? I have already exported attributes. Just need to find what systems are using them.
This isn't possible with any reasonable accuracy, especially if "using" isn't defined for you.
The event logs on the domain controllers will tell you where login events are coming from, but only by IP. That doesn't tell you which application is authenticating. You would have to do monitoring on that computer and see which application is making the connection. But then the logs would be cluttered with connections made by Windows itself, or Exchange (if you use Exchange for email). It it would be very difficult to identify what is coming from an 3rd-party application rather than Windows itself.
Also, applications can request more information than they need. It's very easy when programming with LDAP to request every attribute for an object, even if you only intend to use one. For example, take this C# code:
var de = new DirectoryEntry("LDAP://example.com");
Console.WriteLine(de.Properties["name"].Value);
That only "uses" the name attribute. But because of the way LDAP works, it actually requests every non-constructed attribute that has a value. (there is a way to specifically ask for only one attribute, but you have to know that and use that)
So even if you could find logs saying that "this IP requested all of these attributes", and then figure out which application made that request, that doesn't mean it "used" all of those attributes.

WCF ServiceHost restricted user netsh/httpcfg

I use a self hosted service within a WPF application for certain tasks. The service host is started at runtime and its base address is http://localhost:Whatever-port-is-free-at-runtime. This works fine when the user has admin rights but problems arise when the application is ran by a restricted user.
I found some suggestions on the web that suggested reserving the url using netsh/httpcfg which works fine for admin users but fails for restricted users because they presumably do not have the rights to use these tools to reserve a url. As the port number is not known until runtime the url reservation command can logically only be run at runtime which means the process will be initiated by a restricted user without the right privilege to execute the command. Am i correct in thinking this?
What i would like to know is if there is a suitable work around? Also, i would like to know if a restricted user can open a locally hosted WCF service at all, since solving the aforementioned problem will be pointless if the restricted user couldn't do this.
This question perfectly describes my first issue of URL reservation
In WCF, the HTTP and HTTPS bindings use HTTP.sys under the cover to reserve a required URL for a specific WCF service, which is the same path IIS itself follows while doing the bindings for the websites it manages. This explains why the process performing the HTTP/HTTPS binding is required to run in elevated mode.
That being said, I would solve your issue in two different ways:
Option 1: use a different kind of binding. NetTcpBinding and NetNamedPipesBinding, for example, do not generally require administrative privileges: this is by far the easiest way to go.
Option 2: setup the required namespace reservation at installation time. This way you may ask your users to perform the installation in elevated mode and later allow restricted accounts to run it. While performing the initial installation/reservation you may also find out an available port to use (and perhaps save it in a configuration file for later reuse).

GWT RPC Data Encryption and gwt-crypto issue

I have a GWT app, which is deployed on the app engine. The application is basically an exam simulator. All the exam questions and answers are stored in an XML file on the server. I use JAXB parser to parse the XML file and send a list of objects to the client through GWT RPC.
I noticed that during the transit (server -> client), the entire data is visible in plain text in Firebug. Since the data (exam questions and answers) are my intellectual property (IP) and something that I give lot of value to, I'm concerned that it's very easy to steal that data. Therefore, I'm trying to find ways to do some basic encryption and obfuscate the content when it's being sent over from the server to the client.
After Googling, I came across gwt-crypto project, and within a few minutes, I was able to achieve the exact result that I wanted. The server would encrypt the data, and the client would decrypt it. In Firebug, it would show the data in encrypted format, and not as plain text.
However, I ran into an issue. After implementing encryption/decryption, I noticed that my application would not load inside my company's network, which is obviously protected by a firewall. The application works perfectly from home or even on a 3G network on my phone. Another version of the application, which does not use encryption/decryption works perfectly from within my company's network. I confirmed this by creating 2 exact same versions of the app, with the only difference between a boolean flag, that determines whether encryption/decryption is enabled or disabled.
I have the following questions here:
What is the best way to achieve the result that I want to achieve? Is gwt-crypto a good solution for that? I'm fine with any simple approach to obfuscate the data during transit. It doesn't have to be a sophisticated algorithm.
What could be the possible reason for a GWT app, with encryption/decryption enabled, not working inside a firewall? I'm really clueless on this.
I'll appreciate any help on this issue.
Using SSL is the right way to go.
In your case, given AppEngine SSL limitations, you should load your HTML normally from non-SSL domain and use cross-site RPC to load your data via SSL domain.
Update:
What is the best way to achieve the result that I want to achieve?
If you want to secure the data in transit then the only secure option is SSL/HTTP. Usually it's also the simplest one as it does not require you to change the application code, just server configuration. In your particular case (appengine with private domain), it takes more work as described above.
Is gwt-crypto a good solution for that?
No. gwt-crypto uses a key to encrpt/decrypt the data. You also need a secure way to discribute this key.
I'm fine with any simple approach to obfuscate the data during transit.
Security through obscurity in not security. It's a false sense of security, which is even more dangerous than no security. It's enough that only one of the technically capable students cracks this and soon everybody would do it.
Possible attack would go like this:
Snoop the network, get username/password of user.
Login as that user, have browser load exam data, which is now unencrypted in memory.
Dump the DOM and inspect it for exam questions.
-
What could be the possible reason for a GWT app, with encryption/decryption
enabled, not working inside a firewall?
Use firebug to make sure network connections are identical, except for the encrypted content. Firewalls should not work that deep. Talk to sysadmin about it.

How to control a web application through email? Or how to run php script by sending an email?

I want to run a web application on php and mysql, using the CakePHP framework. And to keep the threshold of using the site at a very low place, I want to not use the standard login with username/password. (And I don't want to hassle my users with something like OpenID either. Goes to user type.)
So I'm thinking that the users shall be able to log in by sending an email to login#domain.com with no subject or content required. And they will get, in reply, an email with a link that will log them in (it will contain a hash). Also I will let the users do some actions without even visiting the site at all, just send an email with command#domain.com and the command will be carried out. I will assume that the users and their email providers takes care of their email account security and as such there is no need for it on my site.
Now, how do I go from an email is sent to an account that is not read by humans to there being fired off some script (basically a "dummy browser client" calls an url( and the cakephp will take care of the rest)?
I have never used a cron job before, but I do think I understand their purpose or how they generally work. I can not have the script be called by random people visiting the site, as that solution won't work for several reasons. I think I would like to hear more about the possibility of having the script be run as response to an email coming in, if anyone has any input at all on that. If it's run as a cron job it would only check every X minutes and users would get a lag in their response (if i understand it correctly).
Since there will be different email addresses for different commands, like login#domain.com and I know what to do and how to do it to based on the sender email, i dont even need the content, subject or any other headers from the email.
There is a lot of worry about security of this application, I understand the issues, but without giving away my concept, I dont think it is a big issue for what I am doing. Also about the usability issue, there really isnt any. It's just gonna be login to provide changes on a users profile if/when they need that and one other command. And this is the main email and is very easy to remember and the outset of this whole concept.
I have used the pop3 php class with great success (there is also a Pear POP3 module).
Using the pop3 class looks something like this:
require ('pop3.php');
$pop3 = new pop3_class();
$pop3->hostname = MAILHOST;
$pop3->Open();
$pop3->Login('myemailaddress#mydomain.com', 'mypassword');
foreach($pop3->ListMessages("","") as $msgidx => $msgsize)
{
$headers = "";
$body = "";
$pop3->RetrieveMessage($msgidx, $headers, $body, -1);
}
I use it to monitor a POP3 mailbox which feeds into a database.
It gets called by a cronjob which uses wget to call the url to my php script.
*/5 * * * * "wget -q --http-user=me --http-passwd=pass 'http://mydomain.com/mail.php'" >> /dev/null 2>&1
Edit
I've been thinking about your need to have users send certain site commands by email.
Wouldn't it be easier to have a single address that multiple commands can be sent to rather than having multiple addresses?
I think the security concerns are pretty valid too. Unless the commands are non-destructive or aren't doing anything user-specific, the system will be wide open to anyone who knows how to spoof an email address (which would be everyone :) ).
You'll need some sort of CronJob/Timer Service that checks the Mailbox regularly and then acts on it. Alternatively, you should check the mailserver if it can run a script when a mail arrives (i.e. see if it's possible to put a spamfilter-script in and "abuse" that functionality to call your script instead).
With pure PHP, you're mostly out of luck as something needs to trigger the script. On a Pagewith a LOT of traffic, you could have your index.php or whatever do the check, but when no one visits your site for quite some time, then the mail will not be sent, and you have to be careful of "race conditions" when multiple people are accessing the script at the same time.
Edit: Just keep one usability flaw in mind: People with Multiple PCs and without an e-Mail Client on every one. For example, I use 4 PCs, but only 1 (my main one) has a Mail Client installed, and I use Webmail to check the other ones. Now, logging in and sending a mail through Webmail is not the greatest usability - in order to use YOUR site, I first have to log in to ANOTHER site, compose a mail through the crappy interface most Webmail tools have and wait for answer. Could as well use OpenID there :-)
If your server allows it you can use a .forward file or Procmail to start a process (php or anything) when a mail arrives to a certain address.
You don't want to hassle users with OpenID, but you want them to deal with this email scheme. Firstly, email can take a long time to go through. There isn't any guaranteed time that an email will be delivered in. It's not even guaranteed that the email will get there at all. I know things usually are quick, but it's not uncommon to take up to 10 minutes for a round trip to be completed. Also, unless you're encrypting the email, the link you are sending back is sent in the open. That means anybody can use that link to log in. Depending one how secure you want to be, this may or may not be an issue, but it's definitely something to think about. Using a non-standard login method like this is going to be a lot more work than it is probably worth, and I can't really see any advantages to the whole process.
I was also thinking using procmail to start some script. There is also formail, which might come in handy to change or extract headers. If you have admin access to the mail server, you could also use /etc/aliases and just pipe to your script.
Besides usability issues, you should really think about security - it's actually quite simple to send email with a fake sender address, so I would not rely on it for anything critical.
I agree with all the security concerns. Your assumption that "the users and their email providers takes care of their email account security" is not correct when it comes to the sender's e-mail address.
But since you specifically asked "how do I go from an email is sent to an account that is not read by humans to there being fired off some script", I recommend using procmail to deliver the incoming e-mail to a script you write.
I would not call a URL. I would have the script perform the work by reading the message sent in on stdin. That way, the script is not acessible to anyone on the web site.
To set this up, the e-mail address you provide to your users will have to be associated with a real user
on the system. In that user's home directory, create a file called ".procmailrc"
In that file, add these two lines:
:0 hb:
| /path/to/program
Where /path/to/program is the full path to the script or program for handling
the incoming message. Then create the script with code something like this:
#!/usr/bin/php
<?php
$fp=fopen('php://stdin','r');
while($line = fgets($fp)) {
[do something with each $line of input here]
}
?>
The e-mail message will not remain in the mailbox, so if you want to save or log it, have the script do it.
--
Bruce
I would seriously reconsider this approach. E-mail hasn't got very high reliability. There's all kinds of spamfilters that might intercept e-mails with links thereby rendering the "command" half-finished, not to mention the security risks.
It's very easy to spoof the sender-address on an e-mail. You are basically opening up your system to anyone.
Also instead of a username/password combination you're suddenly requiring the users to remember a list of commands to put in front of an email-address. It would be better to provide them with a username/password and then giving access to a help page.
In other words the usability and security of this scheme scores very low.
I can't really find any advantages to this approach that even comes close to outweighing the massive disadvantages.
One solution to prevent spam, make sure the first line, last line or a specific line contains a certain string, almost like a password, but a full sentence is better.
Only you have the word or words, pretty secure, just remember to delete the mails after use and those that do not have the secret line.
Apart from the security and usability email delivery can be another problem. Depending on the user's email provider, email delivery can be delayed from a few minutes to few hours.
There is a realy nice educational story on thedailywtf.com on designing software. The posed question should be solved by a proper design, not by techo-woopla.
Alexander, please read the linked story and think gloves, not email-driven webpage browsing.
PHP is not a hammer.

Resources