The dangers of black box devices.

Or...just how many insecure IP cameras are out there?


Adrian Hayter
Pen Tester - Convergent Network Solutions

Blackbox Devices

Timeline

January 2012: consolecowboys release exploit of TRENDnet IP cameras.
February 2012: TRENDnet release statement & new firmware.
July 2012: Dan Tentler (@Viss) speaks about issue at Defcon 20.
September 2012: 7,000 potential feeds...748 are accessible.
January 2013: TRENDnet release updated statement.
Today...637 accessible feeds (at least).

IP Cameras
A quick clarification...

IP Camera

Not an IP Camera

The TRENDnet Exploit


Authentication is required to access most of the IP camera
interface.

Side note: default credentials are admin/admin.

The TRENDnet Exploit


Accessing a specific path (/anony/mjpg.cgi) bypasses authentication:

The TRENDnet Exploit


For OWASP fans, this is a great example of #8 on the Top 10 Web
Application Security Risks: Failure to Restrict URL Access.
According to TRENDnet's press release(s), the exploit affected all
devices sold between April 2010 and February 2012.
22 different camera models were affected.
Motion JPEG format means (almost) real-time camera feeds. No
static images! Supported by all modern web browsers with the
obvious exception of IE.
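The design flaw behind this class of bug, shown as an added example written for this page (not code from the slides or from any camera firmware): a per-handler authentication check that one route forgot, beside the hardened form where authentication is decided once before dispatch. The route table, the credential store and its password are constructed for the demo, as are the function names.

```python
"""Why a per-handler authentication check turns into OWASP A8.
Added example for this page; routes, credential store and password
are constructed for the demo."""
import base64
import hmac

# Constructed credential store (the slides note the real default is admin/admin).
USERS = {"admin": "changeme"}


def basic_header(user, password):
    """Build the Authorization header a browser would send for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _authorised(headers):
    """True only if the Basic credentials match the store (constant-time compare)."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:                  # bad base64 or non-UTF-8 payload
        return False
    return hmac.compare_digest(USERS.get(user, "").encode(), password.encode())


def _status_page():
    return 200, "text/html"


def _mjpeg_stream():
    return 200, "multipart/x-mixed-replace"


# Vulnerable pattern: every handler must remember to check, and one did not.
def vulnerable_dispatch(path, headers):
    if path == "/":
        if not _authorised(headers):
            return 401, "unauthorised"
        return _status_page()
    if path == "/anony/mjpg.cgi":
        return _mjpeg_stream()          # no check here: the whole feed is exposed
    return 404, "not found"


# Hardened pattern: authentication is decided once, before dispatch, and
# only paths explicitly listed as public skip it (deny by default).
ROUTES = {"/": _status_page, "/anony/mjpg.cgi": _mjpeg_stream}
PUBLIC_PATHS = frozenset()              # nothing on a camera is public


def hardened_dispatch(path, headers):
    if path not in PUBLIC_PATHS and not _authorised(headers):
        return 401, "unauthorised"      # unknown paths get 401 too: no route leakage
    handler = ROUTES.get(path)
    return handler() if handler else (404, "not found")


if __name__ == "__main__":
    anon, admin = {}, basic_header("admin", "changeme")
    for name, dispatch in (("vulnerable", vulnerable_dispatch),
                           ("hardened", hardened_dispatch)):
        print(name, dispatch("/anony/mjpg.cgi", anon), dispatch("/anony/mjpg.cgi", admin))
```

The point of the hardened dispatcher is that a route added later, or any spelling of a path that reaches a handler, is still authenticated, because the check sits in front of the route table rather than inside each handler.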

The Next Logical Step...Enumerate!

Google hacking (inurl:/anony/mjpg.cgi) is limited and unreliable.
We need something more powerful...
What about the HTTP headers?

$ curl -I http://67.168.142.6
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Connection: keep-alive
WWW-Authenticate: Basic realm="netcam"
Content-Length: 17

If only there were a way to search headers rather than content...

SHODAN

Google for hackers

SHODAN

SHODAN scans the entire (IPv4) Internet and indexes headers of
different services (HTTP, Telnet, SSH, etc.)
By default you can only look at the first 10 results. :-(
However...
...a one time payment of $19 gets you access to 10,000 results, plus
unlimited API access, multiple filters, and lots more! :-)

Enumeration Validation

SHODAN isn't perfect. Lots of results are out of date. All searches
are case-insensitive (so netcam also matches Netcam and
NetCAM). We need validation!

My favourite curl command:
curl -sL --write-out %{http_code} -o /dev/null http://67.168.142.6/anony/mjpg.cgi

So now we've got a list of URLs that respond with a 200 OK status
code. How best to manually check them all?
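For an operator validating their own camera inventory, the two checks above (the WWW-Authenticate realm from the curl -I output, and the status code of the /anony/mjpg.cgi path from the curl --write-out command) can be folded into one audit. This is an added example, not code from the slides: it runs against an in-process fake camera (constructed here) that emulates unpatched and patched firmware, so it needs no network, and start_fake_camera, fetch and audit_host are names chosen for this example.

```python
"""Audit of an IP camera inventory for the unauthenticated MJPEG path.
Added example for this page; the fake camera and the function names are
constructed here."""
import http.server
import threading
import urllib.error
import urllib.request

BYPASS_PATH = "/anony/mjpg.cgi"   # path named in the slides
REALM_MARKER = "netcam"           # realm seen in the curl -I output on the slides


class _FakeCamera(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the camera's web interface."""
    vulnerable = True   # overridden per server in start_fake_camera

    def do_GET(self):
        if self.path == BYPASS_PATH and self.vulnerable:
            # Unpatched behaviour: the stream is served without any credentials.
            self.send_response(200)
            self.send_header("Content-Type", "multipart/x-mixed-replace; boundary=frame")
            self.end_headers()
            self.wfile.write(b"--frame\r\n")
            return
        # Everything else (and the bypass path once patched) demands Basic auth,
        # mirroring the 401 headers shown on the slides.
        body = b"401 Unauthorized\n"
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="netcam"')
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass   # keep the demo output to the audit results


def start_fake_camera(vulnerable):
    """Start a fake camera on an ephemeral loopback port; returns (server, port)."""
    handler = type("Cam", (_FakeCamera,), {"vulnerable": vulnerable})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(url, timeout=5):
    """GET without credentials; return (status, headers) even for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "camera-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def audit_host(host, port=80):
    """Fingerprint the device and check whether the bypass path is open."""
    base = f"http://{host}:{port}"
    _, root_headers = fetch(base + "/")
    realm = root_headers.get("WWW-Authenticate", "")
    bypass_status, _ = fetch(base + BYPASS_PATH)
    return {
        "host": f"{host}:{port}",
        "realm": realm,
        "netcam_fingerprint": REALM_MARKER in realm.lower(),
        "bypass_status": bypass_status,
        # A 200 with no credentials means the firmware still has the bypass.
        "needs_firmware_update": bypass_status == 200,
    }


if __name__ == "__main__":
    # Constructed inventory: one unpatched and one patched device.
    for label, vulnerable in (("unpatched", True), ("patched", False)):
        srv, port = start_fake_camera(vulnerable)
        print(label, audit_host("127.0.0.1", port))
        srv.shutdown()
```

The realm match is only a fingerprint (SHODAN's case-insensitive matching shows why it is not proof on its own); the status code of the bypass path is what decides whether a device still needs the vendor's firmware update.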

TRENDnet Cameras are (Mostly) Boring


The majority of vulnerable cameras are pretty basic. Low
resolution, stationary...

Controllable Cameras

Move, pan, tilt, zoom, focus...the choice is yours!

Controllable Cameras

The controllable cameras most exposed on the Internet appear to
be made by Sony and Panasonic. Both can easily be found via HTTP
header searches:
Server: NetEVI for Sony
Server: U S Software Web Server for Panasonic
Many other makes / models can be found via Google hacking.
Useful reddit community: /r/controllablewebcams

High-definition Zooming!


Examples!

Cots & Children's Bedrooms...

Inside Homes

Tattoo Parlour

Lazy Office Workers...

???

Monitoring Employees

Training Hospital

Animals

Nightclub

Strip club!

Dials

Server Racks

Various Controls / Outputs

Windows!

Exposed Webcam Viewer


http://cryptogasm.com/webcams/
38,037 potential feeds. 8,596 are currently online!

Questions?

adrian.hayter@cnsuk.co.uk
@ah8r
http://cryptogasm.com