IP camera 的 telnet 有办法破解得到 root password 吗？

1883 好像是内网传统端口，路由器上面会被 upnp

nmap -Pn -O 10.0.0.110

Starting Nmap 6.00 ( http://nmap.org ) at 2016-07-25 21:03 CST
Nmap scan report for 10.0.0.110
Host is up (0.0034s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
23/tcp open telnet
MAC Address: F0:B4:29:C6:F3:D6 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.00%E=4%D=7/25%OT=23%CT=1%CU=32082%PV=Y%DS=1%DC=D%G=Y%M=F0B429%T
OS:M=57960E2A%P=armv7l-unknown-linux-gnueabi)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%
OS:CI=I%II=I%TS=7)OPS(O1=M5B4ST11NW4%O2=M5B4ST11NW4%O3=M5B4NNT11NW4%O4=M5B4
OS:ST11NW4%O5=M5B4ST11NW4%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W
OS:5=3890%W6=3890)ECN(R=Y%DF=Y%T=41%W=3908%O=M5B4NNSNW4%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=41%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=41%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=41%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.39 seconds

哈哈,我以前也想过这问题,后来找到办法是导出备份文件,查看备份文件里有没有什么服务可以 enable 的,然后再导入这个备份文件到后台,我上次 telnet 就这样被我打开了,不过我的没有密码
解密码也可以试试这思路,看看有什么可疑的

现在破解了吗？

@kekeones 木有呢，有想法没？

@zhangyuting 都想把它拆了

拆开，找串口，也许有办法

@20150517 你试过备份小白吗？好像没办法备份，没提供这个功能

@zhangyuting 小白是啥,你有 admin 吗