Default Passwords and ONVIF

Update:
Before you judge me borderline insane: in this post I am talking about FACTORY DEFAULT passwords (Mobotix, for example).

My darling ONVIF, you’ve come of age and I tried to woo you. But you turned me down. Again.

A while back I decided to take the plunge, and have some fun with ONVIF. Axis knows I’ve been very happy with ONVIF’s older, and more mature, sister VAPIX. VAPIX is damn nice. But there’s a certain allure to ONVIF, the young, promiscuous rebel, and I wanted to see if I could tame her too.

ONVIF provides a handy mechanism for detecting ONVIF cameras on the local subnet. Easy peasy. Got all the cameras in a jiffy. Next step was to get some attributes about each camera. And suddenly the approachable darling turned out to be an outright bitch.

Usually, using a web service is a one-two-three step process. Very simple, which is important if you want any sort of penetration. Unfortunately, the camera in question decided that I wasn’t worthy of a response. Usually I would have given up, but I was in a fighting mood, so after a few hours of searching high and low I found a piece of code that would allow me to authenticate properly with the camera. That, in my opinion, is fail #1. I doubt that there would be any way for me to figure out what the hell was wrong by looking at the authentication failure error code, and it’s not as if the ONVIF site makes it clear either. Now that I have spent a day looking for it, I am going to be an asshole and not share the solution until my own thing is good and done.

A small part of my problems is that I used the root account to access the camera. The root user (built into Axis cameras) is not an “ONVIF user”. I can, apparently, create an ONVIF user by using the root credentials and some ONVIF WSDL, but I haven’t tried that yet. My workflow would then be: detect cameras, then connect to each camera to get its capabilities using some user-supplied credentials (say onvif_user:1234). That may fail, because the user hasn’t been created yet, so I will then have to use the VAPIX root account (which the user also has to supply the password for) to create the onvif_user account. THEN I will finally be able to do ONVIF. But it’s a damn mess from the user perspective, especially because it’s a really bad idea to have the same root password on all the cameras.

It seems to me that the lack of an ONVIF default user is a problem.

Ideally, you’d plug in your ONVIF cameras and the DHCP server would give them an IP with a long lease. We would then find the cameras on the network using the default credentials. Once you decide to import a camera, the NVR server should change the camera’s password and store it in an encrypted file. This way the cameras are easy to install, and you maintain security.
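As an added example (not the post’s own code, nor Axis’s or ONVIF’s), here is what the import step described above would build on the NVR side: a fresh per-camera password, and a tds:CreateUsers request authenticated with the WS-Security UsernameToken (PasswordDigest) that ONVIF device services expect. The admin account name, the onvif_user name and the user level are assumptions, and the envelope is only built here, not sent.

```python
import base64
import hashlib
import os
import secrets
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Standard WS-Security / ONVIF namespace URIs (not page-specific values).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TDS = "http://www.onvif.org/ver10/device/wsdl"
TT = "http://www.onvif.org/ver10/schema"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-UsernameToken PasswordDigest = Base64(SHA1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def username_token(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """wsse:Security header carrying a PasswordDigest token for the given credentials."""
    nonce = nonce or os.urandom(16)  # fresh nonce per request unless the caller fixes one
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f"<wsse:Username>{escape(username)}</wsse:Username>"
            f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{B64_TYPE}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>")

def new_camera_password(length: int = 20) -> str:
    """Fresh per-camera secret that the NVR stores; nobody has to type or remember it."""
    alphabet = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def create_users_envelope(admin_user: str, admin_pass: str, new_user: str,
                          new_pass: str, level: str = "User") -> str:
    """SOAP 1.2 envelope for tds:CreateUsers, authenticated as the existing admin account."""
    body = (f'<tds:CreateUsers xmlns:tds="{TDS}" xmlns:tt="{TT}"><tds:User>'
            f"<tt:Username>{escape(new_user)}</tt:Username>"
            f"<tt:Password>{escape(new_pass)}</tt:Password>"
            f"<tt:UserLevel>{level}</tt:UserLevel></tds:User></tds:CreateUsers>")
    return ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">'
            f"<s:Header>{username_token(admin_user, admin_pass)}</s:Header>"
            f"<s:Body>{body}</s:Body></s:Envelope>")
```

The resulting password goes into the NVR’s encrypted store, never into a spreadsheet; devices enforce their own password length and charset limits, so check the response before discarding the old credentials.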

The way it works now is too cumbersome and error prone, and it doesn’t scale too well. I don’t want my users to fiddle with spreadsheets for each installation.

I’ve created a small page where you can, if you like, see and add default credentials for various cameras.

List of default usernames and passwords

Let’s work together and make ONVIF viable.


7 thoughts on “Default Passwords and ONVIF”

  1. Frederik De Ruyck says:

    Hi, is it possible you’d share your solution you talk about? I need to code audio backchannel support but I fail to do rtsp DESCRIBE due to the lack of authentication (I just want to do a describe on the network using perl RTSP::LITE) and the ability to turn it off while developing…

    • prescienta says:

      What are you trying to do? Connect to an RTSP stream that requires authentication?

      • Frederik De Ruyck says:

        Just communicating simply by using perl rtsp::lite (rtsp-request, see https://www.kosho.org/tools/rtsp-request/)
        For example: trying to do a describe with the onvif url results in the following (I replaced a bunch of output with ‘…’ to save space)
        user@DevelFrederik:~/Downloads$ perl rtsp-request -b -d -m DESCRIBE rtsp://192.168.10.43/onvif-media/media.amp Accept=application/sdp
        write: DESCRIBE rtsp://192.168.10.43/onvif-media/media.amp RTSP/1.0

        read: RTSP/1.0 401 Unauthorized..

        trying to do a describe with the axis url however just works:
        user@DevelFrederik:~/Downloads$ perl rtsp-request -b -d -m DESCRIBE rtsp://192.168.10.43/axis-media/media.amp Accept=application/sdp
        write: DESCRIBE rtsp://192.168.10.43/axis-media/media.amp RTSP/1.0

        read: RTSP/1.0 200 OK..
        read: CSeq: 1..
        read: Content-Type: application/sdp..
        read: Content-Base: rtsp://192.168.10.43/axis-media/media.amp/..
        read: Date: Wed, 09 Mar 2016 14:40:23 GMT..
        read: Content-Length: 476..
        #what follows here is the SDP contents

        In the Axis camera (M1054), the option “Enable anonymous viewer login (no user name or password required)” is turned on.
        When this option is turned off the describe with the axis url returns unauthorized as well.
        What I want is to communicate without authorizing or to authorize in a simple way so I can move on and check for audio backchannel support by adding a require field to my describe command.

  2. prescienta says:

    I guess you have tried passing the credentials in the URL (rtsp://user:pass@somehost/some_path)

    If this doesn’t work, you’ll have to handle the WWW-Authenticate message. You’ll receive something like this:

    WWW-Authenticate: Digest realm="iPOLiS", nonce="C82CC3EEAAE002D7ED98947C260998E0"

    You will then extract the realm and nonce values, and respond with the following header set:

    Authorization: Digest username="someuser", realm="iPOLiS", nonce="C82CC3EEAAE002D7ED98947C260998E0", uri="rtsp://192.168.10.195:554/profile1/media.smp", response="447e4a5ecc676ef0a9c809c3766789f8"

    Username, realm and nonce you know (see above); the response is computed by doing the following (C++ code, but you get the gist):

    // HA1 = MD5(username:realm:password), HA2 = MD5(method:request-URI)
    std::string HA1 = md5( username + ":" + _realm + ":" + password );
    std::string HA2 = md5( method + ":" + uri );

    // response = MD5(HA1:nonce:HA2), the no-qop form the camera above offers
    return md5( HA1 + ":" + _nonce + ":" + HA2 );

    So, if you are trying to get DESCRIBE, here’s what I do

    stringstream rtsp_describe;

    rtsp_describe << "DESCRIBE rtsp://" << _url << " RTSP/1.0\r\n";
    rtsp_describe << "CSeq: " << _cseq << "\r\n";
    rtsp_describe << "User-Agent: " << _userAgent << "\r\n";
    rtsp_describe << "Accept: application/sdp\r\n";

    // Only set once the camera has answered 401 with a WWW-Authenticate challenge
    if ( _mustAuthenticate )
    {
        rtsp_describe << _authentication.getDigest( "rtsp://" + _url, "DESCRIBE", _username, _password ) << "\r\n";
    }

    if ( header.length() != 0 )
    {
        rtsp_describe << header << "\r\n";
    }

    rtsp_describe << "\r\n";   // empty line terminates the request

    Not sure if it helps. I am not really familiar with the Perl RTSP library.
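The exchange above (401 challenge, then DESCRIBE with a Digest Authorization line) as an added Python example that is not part of the comment’s code: it parses the WWW-Authenticate value quoted above, computes the response per RFC 2617 (falling back to the RFC 2069 form when the server offers no qop, as this camera does), and builds the request. The username, password and user agent are assumptions.

```python
import hashlib
import re
import secrets

# The challenge the camera in the comment above sent (value copied from the page).
CAMERA_CHALLENGE = 'Digest realm="iPOLiS", nonce="C82CC3EEAAE002D7ED98947C260998E0"'

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_digest_challenge(header_value: str) -> dict:
    """'Digest realm="x", nonce="y"' -> {'realm': 'x', 'nonce': 'y'} (quoted or bare values)."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {key: quoted or bare for key, quoted, bare in _PARAM_RE.findall(params)}

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, password, realm, nonce, method, uri,
                    qop=None, nc=None, cnonce=None) -> str:
    """Digest 'response' value; RFC 2069 form when the server offers no qop (typical for cameras)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")  # second part is the request URI, not a second verb
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def authorization_header(username, password, method, uri, challenge: dict,
                         cnonce=None, nc="00000001") -> str:
    """Authorization line answering a parsed challenge (qop=auth only when the server offers it)."""
    realm, nonce = challenge["realm"], challenge["nonce"]
    qop = "auth" if "auth" in [q.strip() for q in challenge.get("qop", "").split(",")] else None
    cnonce = cnonce or secrets.token_hex(8)  # fresh client nonce unless the caller fixes one
    resp = digest_response(username, password, realm, nonce, method, uri, qop, nc, cnonce)
    fields = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
              f'uri="{uri}"', f'response="{resp}"']
    if qop:
        fields += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Authorization: Digest " + ", ".join(fields)

def describe_request(url, cseq, username, password, challenge=None,
                     user_agent="example-client") -> str:
    """DESCRIBE request; carries the Digest line once the first 401 challenge has been parsed."""
    lines = [f"DESCRIBE {url} RTSP/1.0", f"CSeq: {cseq}",
             f"User-Agent: {user_agent}", "Accept: application/sdp"]
    if challenge is not None:
        lines.append(authorization_header(username, password, "DESCRIBE", url, challenge))
    return "\r\n".join(lines) + "\r\n\r\n"
```

Note that MD5-based Digest only protects the password from a passive listener on the wire; it does nothing for the stream itself, so on a shared network the camera should still be placed behind a VLAN or tunnel.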

  3. Giovanni says:

    The page doesn’t work

  4. wwww says:

    Is there a default root user for ONVIF cameras from Armix or a way to reset the admin password having only the serial number?
