For this trick we will use a very nice IP scanner called Angry IP Scanner, or Nmap itself if you prefer. It was based on a very good post from Hacoder, a blog that I follow and think highly of. It pays to spend time browsing the pages of that site. Basically we will scan a certain range of IPs looking for camera ports that are open and then try brute-forcing default passwords on them. We can also use Google Dorks and Shodan Dorks to search for certain camera models.
:: Installing Angry IP Scan
Slackware 14.1
# sbopkg -i ipscan

Debian-based distros
# wget http://github.com/angryziber/ipscan/releases/download/3.4.1/ipscan_3.4.1_amd64.deb
# dpkg -i ipscan_3.4.1_amd64.deb
For more installation versions: http://angryip.org/download/
Introduction :: Initial Considerations
1. Attention !!
First, all content presented here aims to show the vulnerability and the risks created by weak passwords on devices and systems exposed to the internet. We are not responsible for misuse of the content presented, which is intended solely to educate professionals and enthusiasts in the field of information security.
2. Types of Search
Some interesting server banners that we can find along the way:
- RomPager/4.07 UPnP/1.0 – router
- Uc-httpd 1.0.0 – CCTV camera
- DVRDVS-Webs – CCTV camera
- Microhttpd – router
- Webs – CCTV camera
- Hikvision-Webs – CCTV camera
- IBall-Baton – CCTV camera
3. Default Passwords
Username: admin | Password: admin
Username: admin | Password: (blank password)
Username: admin | Password: 12345
Username: admin | Password: 9999
Method 1 :: Scanning IP Ranges with Angry IP Scan
First we need to choose a specific range of IPs to scan in order to find possible targets, i.e. vulnerable cameras. Let's say you already have a range of valid public IPs. In this case I will pick one as randomly as possible: I'll take a Tor host and sweep its range.
In this case I picked a random range, such as 197.231.xxx.xxx, or as an example 126.96.36.199, so my IP range goes from 188.8.131.52 to 184.108.40.206. Let's configure Angry IP Scanner to only fetch information from ports 80 and 8080 for a faster test. Here you customize as you like, but ideally keep the list of ports as specific as possible.
Note: DVRs, if I'm not mistaken, can run on ports 81 – 85.
Go to Tools > Preferences > Ports.
Now let's add the 'Web Detect' fetcher to the scan so that it can gather some more information about each host, such as model, version, manufacturer and so on. This is where we should watch for camera or DVR names. Go to Tools > Fetchers and add the Web Detect option. Then just start the scan.
Once the scan starts, the software will scan every host in the IP range and try to fetch the headers from the server running behind the ports we specified earlier. We must pay attention to names like cam, mini_http, DVR and so on.
Method 2 :: Scanning IP Ranges with NMAP
We can also use Nmap to pull information from a range of IPs. Nmap is the most powerful port-scanning option available today, in my opinion, and we can tune its syntax to scan a range on only certain ports while gathering information about the services running on them:
# nmap -sS -sC -sV 192.168.0.1-255 -p 80,8080,8000
Method 3 :: ShodanHQ and CenSys Search
Shodan is a very sinister site which, together with Censys, has put many SysAdmins on alert. Basically these are services that scan the internet daily, capturing banners, ports and every other kind of information they can about the hosts. To get really useful searches out of it you need to register on the site. Basically this gives us an API for development and also lets us add filters for location, service, country, city and port to our searches. The unregistered search is very limited.
The service also allows searching with dorks, so together with the API it lets you run nice searches from your own scripts. I'm thinking of coding a search tool that performs basic brute force on all the search results :).
Brute Force :: Breaking passwords from cameras with Hydra
We can test the search results against wordlists of silly passwords with Hydra. We've talked a lot about Hydra here on the blog, in one of the first posts actually :). Stay tuned, it may be useful:
# hydra -s 80 -l admin -P /caminho/para/wordlist -e ns 192.168.0.1 http -vV
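What the Hydra run above looks like from the camera's or DVR's side, as an added example that is not from the original post and not part of Hydra: a small detector that reads web-server access-log lines (constructed samples in Apache "combined" format, using RFC 5737 test addresses), flags any source that produces a burst of HTTP 401 responses, and notes whether that source then logged in successfully, which is the sign that a default password was guessed. It assumes the device logs in that format and answers a wrong password with a 401.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the start of an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')

def _line(ip, sec, status, ua):
    """Build one constructed log line (addresses are RFC 5737 test ranges)."""
    return f'{ip} - - [12/Mar/2018:10:00:{sec:02d} +0000] "GET / HTTP/1.1" {status} 0 "-" "{ua}"'

# Constructed sample: a legitimate user with one typo, then a burst of failed logins
# from a second source that ends in a successful login (a guessed password).
# "Mozilla/4.0 (Hydra)" is the User-Agent Hydra's http module sends by default, but
# it is trivial to change, so the detector below does not rely on it.
SAMPLE_LOG = (
    [_line("203.0.113.7", 1, 200, "Mozilla/5.0"), _line("203.0.113.7", 3, 401, "Mozilla/5.0")]
    + [_line("198.51.100.23", 5 + i, 401, "Mozilla/4.0 (Hydra)") for i in range(8)]
    + [_line("198.51.100.23", 14, 200, "Mozilla/4.0 (Hydra)")]
)

def parse_line(line):
    """Return (source_ip, timestamp, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])

def find_bruteforce(lines, threshold=5, window_s=60):
    """Flag sources with >= threshold HTTP 401s inside a sliding window of window_s
    seconds, and record whether a flagged source later logged in successfully."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 401 responses
    report = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop entries outside the window
                q.popleft()
            if len(q) >= threshold:
                entry = report.setdefault(ip, {"failures": 0, "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif 200 <= status < 300 and ip in report:
            # A success right after a burst of failures means a password has been guessed.
            report[ip]["success_after_burst"] = True
    return report
```

On the sample, only 198.51.100.23 is reported, with 8 failures and a successful login afterwards; the single typo from 203.0.113.7 stays below the threshold.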