Finding and Accessing Open Internet Cameras and Routers

For this trick we will use a very nice IP scanner called Angry IP Scanner, or Nmap itself if you prefer. It is based on a great post from Hacoder, a blog that I follow and think very highly of. It is worth spending some time browsing the pages of that site. Basically, we will scan a certain range of IPs to search for open camera ports and try brute-forcing default passwords on them. We can also use Google dorks and Shodan dorks to search for certain camera models.

:: Installing Angry IP Scan

Slackware 14.1
 # sbopkg -i ipscan

Debian Distros
 # wget http://github.com/angryziber/ipscan/releases/download/3.4.1/ipscan_3.4.1_amd64.deb
 # dpkg -i ipscan_3.4.1_amd64.deb

For more installation versions: http://angryip.org/download/

Introduction :: Initial Considerations

1. Attention !!
First, all content presented here aims to show the vulnerabilities and risks posed by weak passwords on devices and systems open to the internet. We are not responsible for misuse of the content presented, as it is intended solely to educate professionals and enthusiasts in the field of information security.

2. Types of Search
Some interesting results that we can find and should watch for along the way:

  • RomPager/4.07 UPnP/1.0 – router
  • Uc-httpd 1.0.0 – CCTV camera
  • DVRDVS-Webs – CCTV camera
  • Microhttpd – router
  • Webs – CCTV camera
  • Hikvision-Webs – CCTV camera
  • IBall-Baton – CCTV camera

3. Default Passwords

As always, the most vulnerable system is the human. And we can always rely on weak system passwords or even default passwords. Before trying any Brute Force, we should try some factory passwords:

Username: admin | Password: admin
Username: admin | Password: (blank password)
Username: admin | Password: 12345
Username: admin | Password: 9999

This site has several Default Device passwords: http://www.defaultpassword.com/

Method 1 :: Scanning IP Ranges with Angry IP Scan

First we need to choose a specific range of IPs to scan and find possible targets for vulnerable cameras. Let’s say you already have a range of valid public IPs. In this case, I will pick one more or less at random: I’ll take a Tor host and sweep its range.

In this case, I picked a random range, such as 197.231.xxx.xxx; taking 197.231.231.231 as an example, my IP range goes from 197.231.231.1 to 197.231.231.255. Let’s set up Angry IP Scanner to only collect information from ports 80 and 8080 for a faster test. You can customize this as you like, but ideally you should keep the ports as specific as possible.

Note: DVRs, if I am not mistaken, can run on ports 81 – 85.

Go to Tools > Preferences > Ports

Now let’s add the ‘Web Detect’ fetcher to the scan so that it can collect some more information about the host, such as model, version, manufacturer and so on. Here we should look out for camera or DVR names. Go to Tools > Fetchers and add the Web Detect option. Then just start the scan.

After the scan starts, the software will go through all hosts in the IP range and try to fetch the headers from the server running behind the ports we specified earlier. We must pay attention to names such as cam, mini_http, DVR and so on.

Method 2 :: Scanning IP Ranges with NMAP

We can also use Nmap to pull information from a range of IPs. Nmap is, in my opinion, the most powerful port-scanning option I have today, and we can tune its syntax to scan a range and only certain ports while gathering information about the services running on them:

 # nmap -sS -sC -sV 192.168.0.1-255 -p 80,8080,8000

Method 3 :: ShodanHQ and CenSys Search

Shodan is a rather sinister site which, along with CenSys, has put many sysadmins on alert. Basically, these are services that scan the internet daily, capturing banners, ports and every kind of information they can about hosts. To get really good searches, you need to register on the site. Registering gives us a developer API key and also lets us filter searches by location, service, country, city and port. Searching without an account is very limited.

The service also allows you to search using dorks, which, together with the API, lets you perform cool searches from your own scripts. I’m thinking of coding a search engine that performs basic brute force on all search results :).

Brute Force :: Breaking passwords from cameras with Hydra

We can test search results against wordlists of silly passwords with Hydra. We’ve talked a lot about Hydra here on the blog, in one of the first posts actually :). Check these out, they may be useful:

Auditing SSH Servers with Hydra and Metasploit
Brute Force on SSH Services with Hydra
Performing Brute Force on Login forms with Hydra

 # hydra -s 80 -l admin -P /caminho/para/wordlist e ns -t 192.168.0.1 http -v -vV
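Seen from the defending side, a password-guessing run like the one above shows up as a burst of HTTP 401 responses to a single source, sometimes ending in a 200. The following is an added example, not code from the original post; it assumes a reverse proxy in front of the device writes Common Log Format lines, and the log lines, addresses, thresholds and the function name `detect_bruteforce` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: Common Log Format lines from a reverse proxy placed in
# front of a camera web UI (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
198.51.100.7 - admin [10/Mar/2024:02:14:01 +0000] "GET / HTTP/1.1" 401 0
198.51.100.7 - admin [10/Mar/2024:02:14:01 +0000] "GET / HTTP/1.1" 401 0
198.51.100.7 - admin [10/Mar/2024:02:14:02 +0000] "GET / HTTP/1.1" 401 0
203.0.113.20 - operator [10/Mar/2024:02:14:02 +0000] "GET /live HTTP/1.1" 200 5120
198.51.100.7 - admin [10/Mar/2024:02:14:02 +0000] "GET / HTTP/1.1" 401 0
198.51.100.7 - admin [10/Mar/2024:02:14:03 +0000] "GET / HTTP/1.1" 401 0
198.51.100.7 - admin [10/Mar/2024:02:14:03 +0000] "GET / HTTP/1.1" 200 1834
203.0.113.20 - operator [10/Mar/2024:09:30:00 +0000] "GET / HTTP/1.1" 401 0
203.0.113.20 - operator [10/Mar/2024:09:30:09 +0000] "GET / HTTP/1.1" 200 1834
"""

# Captures: source IP, supplied user name, timestamp, HTTP status.
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map each flagged source IP to 'guessing' or 'guessed-then-logged-in'."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    alerts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                # skip malformed lines instead of crashing
        ip, _user, ts, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        recent = failures[ip]
        while recent and when - recent[0] > window:
            recent.popleft()        # drop failures that aged out of the window
        if status == "401":
            recent.append(when)
            if len(recent) >= threshold:
                alerts.setdefault(ip, "guessing")
        elif status == "200" and ip in alerts and recent:
            # A success right after a burst of failures: treat the account
            # as compromised and rotate its password.
            alerts[ip] = "guessed-then-logged-in"
    return alerts

if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, verdict)
```

The single 401 followed by a 200 from 203.0.113.20 is the normal Basic-auth challenge a browser goes through, which is why the check counts failures inside a window instead of alerting on any 401.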
