Thread: Bypassing web login username with Qt

  1. #1
    Bypassing web login username with Qt

    I received a very intriguing project.
    1) Suppose that you have a lot of DVRs accessed via the web with login and password.
    2) The DVRs require a special ActiveX control (they usually work with IE).
    3) Suppose that you have a lot of DVRs and do not want to remember the username and password, but just store them and then click on a button to access.

    I implemented the solution by using a filtering proxy like Proxomitron, and a web server which stores DVR login info into Proxomitron. But the solution is quite bad.

    I know that with Qt you can use a QActiveX container. And thus, running IE inside Qt is not a problem.
    The problem is how to bypass the login of the DVR.
    I thought that you can make a proxy in Qt (not very difficult, not very easy). Then,
    modify the page and then pass it to the ActiveX.
    BUT: I do not know how to pass it!

    Any suggestion is very appreciated.
    Regards

  2. #2
    Re: Bypassing web login username with Qt

    Regardless of the ActiveX component, it must just pass some kind of token to the server to accept the authorisation, and it seems that the authorisation is static as you already implemented a solution using Proxomitron. So all you need to do is figure out this data (try Wireshark) and send it yourself using Qt network classes. Typically it will be sent as some kind of GET or POST request, SSL-free, with perhaps some custom encryption or obfuscation by the ActiveX object (which you don't care about as you only want to log in as one particular user).

  3. #3
    Re: Bypassing web login username with Qt

    I think the ActiveX container is necessary because the DVR works only with a special ActiveX control and only with IE (sorry!).
    Anyway, I will try with the Qt Network classes, although I am not familiar with them.

  4. #4
    Re: Bypassing web login username with Qt

    The ActiveX object only runs on your PC so you can emulate anything it does.

  5. #5
    Re: Bypassing web login username with Qt

    This is the problem: I do not know how to do it. I will appreciate any pointer on the subject.
    So far, I can understand that with the Qt Network classes I can do everything that curl and PHP can also do.
    Remember also that cookies are important: I tried to send POST data (with curl) but with no success. I think the same will happen
    with Qt Network.
    Let's suppose, however, that I will be able to connect to the DVR. But then, how to display the page?
    In Qt WebKit? If yes, can WebKit handle ActiveX? If yes, how?
    Sorry for my inexpertise, but I would like to understand what I am missing.
    Regards

  6. #6
    Re: Bypassing web login username with Qt

    You'll need a certain amount of knowledge of reverse engineering. If you cannot do this then you will find it difficult to accomplish your task.

  7. #7
    Re: Bypassing web login username with Qt

    We cannot tell you exactly how the ActiveX component does it. We can only tell you the usual ways these things are done. It is quite possible that the entire user interface is encapsulated in the ActiveX with some proprietary communication mechanism. In this case the only option might be to use ActiveQt to operate the ActiveX control and embed it like any other widget. It may be only the authentication part that is an ActiveX control, with the remainder of the DVR UI served as plain HTML: you could possibly operate the ActiveX to log in and use WebKit to display the results. Or, the ActiveX control could be a red herring, only existing to give a look and feel they could not reliably achieve in HTML, but all the underlying login and presentation is HTTP/HTML, in which case QNetworkAccessManager and WebKit would do it. You should try to work out which applies.

    You can use tools like Wireshark to look at what is actually sent on the wire. My bet is you will see HTTP GET and POST requests/responses only.

  8. #8
    Re: Bypassing web login username with Qt

    Why is remembering a username and password so hard?

    Subverting these simple security measures is pretty much never a good idea. They're put in place to protect users, and sneaking around them exposes you and other users to all sorts of potential unpleasantness.

  9. #9
    Re: Bypassing web login username with Qt

    This is a project for a company, no problem. Remembering 500 users' credentials is quite difficult, isn't it? G

  10. #10
    Re: Bypassing web login username with Qt

    If you can provide the ActiveX object and some way of accessing a server which uses that object (doesn't matter if local or global) then perhaps I can take a look. My day job is automotive reverse engineering, but I think PC RE will not be much different. No guarantees though.

  11. #11
    Re: Bypassing web login username with Qt

    Quote: Originally posted by giusepped
    This is a project for a company, no problem. Remembering 500 users' credentials is quite difficult, isn't it? G

    There should be no reason for you or anyone else to remember - or even know - other users' passwords. Period. And yes, there certainly is a problem if you're proposing to log on to a service or machine using someone else's account; even system administrators don't need that information.

    Perhaps you should explain exactly what it is you're trying to accomplish, and why.

  12. #12
    Re: Bypassing web login username with Qt

    I do know a fair number of other users' passwords in the company I work for. The reasoning behind this is that it creates less work to do so. If someone comes back from their vacation and says "I forgot my password" I can simply tell them rather than having to log in to the appropriate system and change it. It's also easier if I'm doing work on a user's PC to log in as them rather than as administrator.

    We also have cameras on site (I think most companies do now), but logging into each server to browse the cluster of cameras it supports is tedious, therefore we developed an application which displayed all cameras on a single web page. It authenticated the user via IP address and specific cookies being present. Not ideal, but then again, the camera data isn't a trade secret either.

  13. #13
    Re: Bypassing web login username with Qt

    Hi, I am a bit of a newbie to quicktime and I too have a similar problem. The only difference is that I would actually be quite happy to do the authentication with the ActiveX. I have spent hours and cannot quite figure out how to pass a user and password to the ActiveX.

    Can somebody please point me in the right direction? I will hugely appreciate it!
