Telnet help please

Hi all, I could do with some help. I have a CCTV DVR which accepts ping requests, but I don't seem to be able to Telnet into it. Does anyone have any ideas? Thanks in advance

Not all devices support telnet access, are you sure it has a telnet interface

Ahhhh that could be it. It is able to be configured to connect to a FTP server, but I don't know if that is any use anyway. I am looking at the possibly of installing a Syslog server on it. Your help is much appreciated

With no make/model chance of getting help is close to zero

Configuring to upload image/video to a FTP server is an expected option on a CCTV device, installing syslog etc is not something they'd have coded for

This did cross my mind... The make of the DVR is Floureon, I think it is running standard cheap but functioning firmware. On the net, some have reported being able to Telnet into similar boxes. As a side note I have a additional router with a USB port in it (the one that does the logging hasn't). I wonder if that could do the trick some way?

You could try ssh rather than telnet. For ssh I use Bitvise Tunnelier. There may be something in the menus to enable telnet or ssh.

Edited by Michael_Chare (Sat 26-Jan-19 17:19:59)

TELNET is insecure and offers no encryption, industry best practice if followed by vendors will dictate it is disabled. SSH is a secure alternative, and that might be available on your device.

Just out of curiosity, does the DVR offer something called �XMEye P2P Cloud� to view video images remotely?

If so, you might want to read this.

As ukhardy07 states, telnet isn't secure and should never be used for remote access. FTP is also completely insecure. SSH may be more secure but not all implementations of SSH are secure. You may also have a password which is weak or the device may have a hardcoded default admin password which cannot be changed.

Thank you everyone for your quality input. The DVR isn't exposed to the Web, but does have the cloud capabilities that has been mentioned (thank you for that link, it was interesting reading) . The DVR is connected to my LAN with a false gateway address (the DVR won't accept a blank gateway). IPv6 is a unknown (it won't let me access the configuration applet), and returns a "get config from device failed" message. IPv6 is disabled on the router, with all ports set to stealth. I shall look into SSH, and reply in due course. Thanks once again

I tried SSH, again no go... seems silly though that I can ping the box...

I can ping my Now TV Smart Stick...

I think I see your point

I have a CCTV DVR installed by a local security company and I have been meaning to try this in order to secure the DVR. I think the company had access to it via the cloud app. Your question prompted me to try to get into its admin console, and here is what I have been able to do so far.

I couldn't telnet to it, however, using a web browser (I had to use Internet Explorer because Chrome and Firefox did not allow required plugins to load, although I am sure there must be a way to use these) I could get to its web admin console.

Search for your model number and default admin user name and password (unless of course you already know the credentials). I got into mine in less than a minute and changed its admin password and set a static IP address. There are a number of settings in the web admin console, although I could not find any to enable Telnet or SSH. At least now I know the installing company cannot get into the system - the cloud app on my phone stopped working and I had to enter the new password into the app).

I connected a USB mouse and keyboard, along with an old VGA monitor to the DVR and was able to access its console although, as yet, I have not been able to do much with it apart from view the various camera feeds.

I'll explore it further later.

Out of curiosity, what are you trying to achieve by using telnet to access the DVR?

Edited by teshy (Mon 28-Jan-19 16:43:30)

The problem with the GUI, is it's limited to its CCTV/DVR configurations. As the box is connected to the LAN 24/7, (not internet) it seemed to make sense at looking into the possibility of being able to use it for forwarding the router logs to... So far no joy though, but thank you for sharing

In reply to a post by teshy:

At least now I know the installing company cannot get into the system

Except they can. It's not just the installers who can still get in, it's anyone and it's trivial. You have missed a key point in both my post and the article I linked to. I knew about the hardcoded default password from firsthand experience but it is confirmed in the SEC Consult article;

even if the device has been secured by changing the admin password, it can be accessed via the XMEye cloud via the �default� user.

In a related post; SEC Consult say;

In reference to sec-consult.com/en/blog/advisories/vulnerabilities-xiongmai-ip-came...:

SEC Consult advises not to use the products of Xiongmai and any 3rd party OEM device associated with the XMeye cloud feature.

Workaround

There are no workarounds available as the devices are connected via the cloud, the usual recommendations changing default passwords, strict firewalling and network segmentation unfortunately do not mitigate the whole range of discovered issues.

If wanting to go down the DIY route for this you probably want a LINUX box that you can control, and perhaps a Raspberry PI meets that at a low cost

Except they can. It's not just the installers who can still get in, it's anyone and it's trivial. You have missed a key point in both my post and the article I linked to. I knew about the hardcoded default password from firsthand experience but it is confirmed in the SEC Consult article;

Thanks for the information about it being trivial to get into the DVR. I hadn't actually read your post, I was replying to dwg1's original post.

I don't think I am using any of the products mentioned in the link you posted, however, at least now I know of the vulnerability in these devices.