Built by reverse engineering the SwOS HTTP API, it provides complete programmatic access to all switch features. Works with both SwOS and SwOS Lite, supports everything from port configs and PoE to VLANs and SNMP settings.

Comes with a CLI tool for quick lookups and a full Ansible module for managing your entire switch fleet through YAML playbooks. Compatible with CRS305, CRS310, CRS326, CSS610 and other SwOS-based switches.

The web dashboard displays real-time analytics including current wait-list sizes, estimated wait times for /22, /23, and /24 blocks, and historical trends in IPv4 address allocation. This tool helps network administrators understand IPv4 scarcity patterns and plan address allocation strategies as IPv4 exhaustion continues.

The DVR system was a TRIPLEX DVRLink DVR468RW, whatever that is. It seemed cheap; a small embedded computer with video in/out, a hard-drive and CD-RW drive for recording storage. The administration interface was accessed either by a web server running on the device or a desktop client you installed on your computer.

My initial thought was to remove the device’s internal clock battery to reset the password back to the default of “1234”, no dice. Next on the list of things to try was examining the hard-drive in a desktop computer to see if the password could be viewed or reset. The hard drive had a single partition with some old surveillance video footage; nothing to do with settings or authentication. Further examination of the main board revealed a flash memory chip which I assumed stored the device’s configuration, including the administration password.

Let me step back here… The administration password could be entered either over one of the remote management interfaces (the desktop client or web server) or physically on the devices keypad. The keypad had the buttons: [1], [2], [3], [4] and [ENTER]. Well isn’t that interesting; it looks as if the password can only be made up of at most 4 characters. And the desktop client nicely informs me that when entering a password it must be between 4 and 8 characters long, that leaves only 87,296 possibilities.

So, onto the next attack! Knowing that this device had such a limited amount of possible options for the password a brute force attack wouldn’t be bad at all. After spending a lot of time examining unsuccessful login attempts from the desktop client in Wireshark and understanding their proprietary protocol, I wrote my first useful python script to automate the process. After a few false positives and tweaks, I was able to get the program to generate a list of every possible password combination for the device and try them out. Within a minute of running I had the device’s long lost administration password of “1324” (It has since been changed).

After logging in as the Administrator I was able to see that there were other accounts on the system as well. And my program worked equally well for all of them. However it is currently hard-coded to use the Administrator username. You may change it if you wish, but why bother? 😉

Attached to this post is both the exploit and manual for the TRIPLEX DVRLink DVR468RW. I hope that either may be useful to someone. (In a law abiding way)

DVR_exploit.py (Developed and tested with Python 3 running on Windows XP)

This article has been published in 2600 Magazine issue Spring 2013; Volume 30, Number one!