Nikos Glikis

So I went on my daily browse on the netsec temple, reddit.com/r/netsec, to pay my respects as usual, pray to the hacking gods for the prosperity of my servers and offer my upvotes.

The gods were kind and the rewarded me with much fun. One fellow white hat hacker, Andrew Tierney, was blessed with the joy of vulnerability discovery. When I saw the article https://www.pentestpartners.com/blog/pwning-cctv-cameras/ https://www.reddit.com/r/netsec/comments/466jap/pwning_cctv_cameras/ I immediately knew what I had to do. I needed to find and exploit every single one of those DVR systems connected to the internet and provide the world a simple-easy to understand proof of concept, prooving that these things are the devils work, and we must not install them in our home.

Its also one hell of a way to show off my awesome coding skills given to me by the kind grayhat gods.

So if you read the article on  this excellent sample of human stupidity, you will see lots and lots of vulnerabilities including:

• Defaut username is: admin/[blank]
• Remote/Web Root shell
• Client site – Javascript authentication
• Each DVR is sending daily screenshots to a specific email (the creator of the firmware)

In other words, this DVR system, is worse than the deliberately vulnerable applications that young netsec students are trained on.

The only problem is finding them. Fortunately, as Andrew states, you can easily find those devices in Shodan.io. But we want to find each and every one of them. And we don’t have a Shodan premium account.

One side note is, I have been working on multiple libraries. I didn’t intent on releasing them, but this POC would be faster to build If I used them. If nothing else I will write them better if I release them. You know, so that people won’t make fun of my hacky code (please don’t).

Fortunately, I was already working on a Shodan.io Scraper called ShodanScanner, which I also released as open source on my github page here.

So my thought was I will write my first program to use ShodanScanner and I will use it to download all the screenshots for all vulnerable web cameras Shodan can detect.

ShodanScanner in turn also depends on another library that I wrote called TorRange uploaded here.

TorRange is a library that can create multiple threads and consume large input of any size efficiently. A Tor Instance is tied to each thread if needed and the thread can control the connection (Restart circuit/change ip etc). The process can be stopped and resumed at any point.

All libraries are Maven projects, although not uploaded yet to Maven Central. A bit to much for a simple POC (Proof of consept), but that’s the way I program. After all I am a Software Engineer. The actual POC is 150 lines. The rest is reusuable libraries.

So the only thing we have to do is fire up ShodanScanner and tell it to scan for: JAWS/1.0.

So back to our cameras. The screenshot is easy to download. You know, considering the utter lack of sane authentication.

I connected to a couple of cameras:

Please note that the above is live video of the cameras. You can basically see the live feed for more than 40 000 cameras worldwide.

I quicly found out the link to  download the image which is:
http://ip/cgi-bin/snapshot.cgi?chn=1&u=admin&p=&q=0&d=1
http://ip/cgi-bin/snapshot.cgi?chn=2&u=admin&p=&q=0&d=1

chn parameter is incremental. You can download screenshot for each camera but increasing the chn by one.

You know when you are finished from the response headers, Content-Disposition header). When the cameras finish the filename of the attachment is camera_0_[…]. If I get that I know there are no more cameras and I move on to the next. And if you didn’t read the article, this firmware uses javascript authentication. If we were on a browser we would set the appropriate cookies (username, password) with any values, or disable javascript all together. When crawling with Java, javascript authentication = no authentication.

From there my task was easy. ccSnapTv was build. I told my brother Rafael about it, and asked him to test it. He made 2 excellent suggestions, store the images per country and create a POC Video.

I really liked the POC video idea. You can babble for hours trying to explain to a non technical person, about a concept, but there is nothing better than visual representation of the idea. And a video where cameras are hacked live, is the best presentation you can have.

So here is the video:

Source on github:

https://github.com/nikos-glikis/ccSnapTv

Intro

The primary function of a captcha is to prevent an automated software simulating human activities like registering forms, view important information etc. They are used as a precaution to prevent automated software of copying content, or protecting a system from automated requests.

They work pretty well, but implementation errors are very common.

Captchas is a thing I have studied a lot and I enjoy breaking. There are many weaknesses one might exploit, implementation errors where it’s enough just to not sent the captcha variable, or neural networks that you can train to solve a specific implementation. Even plain OCR software work if the captcha is clean enough. gocr is a linux command line tool I often use (in my perfectly legal white-hat activities 😀 )

If you have a website with enough traffic, you can get real visitors solving your captchas without them realizing it. You just copy the image and ask them to write the captcha code, them thinking its a real captcha will copy it correctly. That was the most genius method I have thought and have won me lots of bets.

Today’s solution though is 100% code.

forth.gr uses a captcha to stop automatic whois requests at: https://grweb.ics.forth.gr/public/whois.jsp?lang=en. Its not something that I use every day and don’t care must to automate, I just thought it is was fun to try.

I should mention that this tool, has unique information not appearing in standard international whois services. for example see http://whois.domaintools.com/in.gr and then search in the above website. Results are very different. This is pretty much the case with all country-level TLD.

Why break the .gr registry captcha

1. Because I can 🙂
2. Because I was stranded in Troodos hotel in a snowy day (HOW COOL IS THAT ??), in a perfect setting, with lots of hours to kill, and an Internet connection + my laptop.

Yes I am a geek. And I love it 🙂

How

So, this is the forth.gr whois captha:

It is not clear enough to be solved only with an OCR software, but there are lots of thins wrong with it.

• There are only 2 colors in the image.
• The captcha is always 6 digits.
• The char set is limited (only digits, no letters)
• The noise part of the image is basically a grid.

I though, this should be simple enough to solve. I started to think how I can approach this. At this point I should note that I am extreamly lazy and my image processing abilities are minimal.

The goal is to eliminate the grid. The method I thought first was that:

1. I loop through all pixels in the image.
2. When I found a non black, non transparent pixel I do the following (red line):
   1. I look 5 pixels down.
   2. If I don’t find a black pixel, I paint that pixel “transparent”.
   3. If I find a black pixel, I paint the initial pixel black too.

Red part here will be transformed to transparent because there are no black pixels below.

Red part below will be transformed to black because pixels below are black:

The code for that is just 2 loops, one inside the other, like you loop a 2 dimentional array and a third loop that scans the pixels below.

That covers the horizontal lines and gives us something like this:

After that I go through a second pass.

• If pixel is not black AND
• If a pixel on the left OR a pixel on the right is black, I mark this pixel too black.

That gives us that:

At this point I thought, this looks clear enough, lets try OCR. I tried gocr, with no success. Then I tried javaocr package, but still no luck.

Then I found tess4j, that uses Google Tesseract OCR. There is a cool feature where you can define the working characters you are interested in. That helps the OCR software a lot and increases the ods a lot.

After that cracking worked in about 40% of the cases, so I didn’t bother clearing the image further.

If you ever try something like this, keep in mind imagemagick, a commandline tool that makes images transformation. We could smooth the image a little to make the percentages better, but 40% us already high enough.

All code is published at my github page: https://github.com/nikos-glikis/ForthPwn

Wisdom

I don’t consider this a great hack. I only want to demonstrate a simple solution to what it seems a complicated problem from a programming point of view.

Wisdom for hackers:

The lesson here is: Always keep in mind that each case is unique. Unique case means that you can approach it differently, more optimized, more targeted. For example here OCR in general is not enough. All OCR solutions assume, clean text and try to match every character in the English alphabet.

Our situation is a lot different: We have only digits and we know there exact count: 6. Matching a character with one out of 10 symbols is a lot more easier that matching it in 62 (Upper lower special characters etc).

Problems analyzed by researches assume optimal conditions and specific environment. When they say something is impossible, they mean something is impossible within these optimal parameters and assumptions. Always look for the differences in your specific situation and envoronment and try to understand how that changes your situation, how the different parameters can be exploited, what advantages you gain from those.

That’s how most hacks are made. Solutions are usually a lot more simpler than one thinks.

Wisdom for developers:

Captchas can be hacked. Make them complicated. That.

Hacker definition

As my grandpa says (:D) :

“O hacker gie mou, enen tzinos pou trexei to exploit, en tzinos pou shizeei o nous tou”

Thanks for visiting !

Security in Cyprus is bad. That is not a surprise.

Primetel uses insecure default passwords in their WIFI routers. A WPA password can be cracked in 4-5 seconds with a simple laptop. If you are interested in the details see below.

I used Primetel on the my previous apartment. The password was on the form of 12345678. 8 Digits, all integers. I thought that was strange, the password doesn’t have enough entropy, So I caclulated how must time someone needs to brute force the password.

At a rate of 900/passwords per second (a simple laptop) this can be brute forced in 30 hours. Its not that good but at least its not as bad as the whole Cyta/Thomson thing.

Soon I noticed some passwords containing a letter, like 1234567a 123456f8 sometimes 2. That is somewhat better, or so I thought. Clearly I didn’t have the whole story.

When I moved to another apartment I reconnected with PrimeTel. Then I noticed that the 4 first digits of the password were the same, only the latest 4 digits changed. That made me wonder. The first digits are clearly connected to the client. Are the latest 4 digits based on something else like mac or SSID ? There was a question bugging me, that needed to be answered.

That kids, is the garden variety programmer/hacker OCD. Sometimes useful, most times just annoying 🙂

Then I make a list of people I know, public places with Primetel routers, and aggregate their passwords, SSID (Wireless network name), bssid (The mac address of the router). All these information (excluding the password) are broadcasted for each router, you can easily see them.

I pushed the data to Dropbox for continue the research when I had time.

Then I forgot about the matter, until I was on an airplane for 2 hours with no internet. I opened my tablet, started reading a book. The of course I was bored from the first 5 minutes.

Then I saw the file in front of me staring at me: primetel.txt. Ok why not, lets take a look. I started looking at the numbers, and some patterns emerged. In all cases digits 3-4 of the password were the same as the password.

Example:

Mac: 00:21:96:2b:13:bc
Password     29 79 13 b4

Also latest 2 digits had some similarity. After some more intense number watching I noticed the second pattern.

• If the last 2 digits of the mac address is an odd number then the latest 2 digits had a difference of one. If lets say the last 2 digits of the mac are 11, then the last 2 digits of the password are 10
• If the last 2 digits of the mac address is an even number, then the latest 2 digits of the password was the latest 2 digits of the mac – 8. If for example 12 will give 04.

In our example 00:21:96:2b:13:bc:

• The last 2 digits of the mac is bc (even number)
• The latest 2 password digits are bc – 08 = b4

Another example is: 2c:ab:25:b9:22:85

• The latest 2 digits are 85 (odd number)
• Latest 2 password numbers are 85 – 1 = 84

That drops the entropy a lot. All possible passwords are basically 9000 since the first part is always decimal. That can be cracked in about 10 seconds with a simple laptop.

Not bad at all.

So I introduce my tool: primeTeller. Using the logic described here, generates a wordlist with 9000 passwords, and one of them is the password of your router.

What most people don’t know is that these matters are not just a matter of “someone is using my wifi”. The password is used to encrypt data. If someone has your password, then he is able to monitor your online activities wirelessly, from a great distance.

From my experience the most websites that are hacked are WordPress websites. This is because of 2 reasons:

1) WordPress is open source and many people write code for it, often not the best programmers and there are lots of buggy plugins.
2) Because of its popularity and weak architecture there are lots of automatic scanners that find vulnerabilities, either with massive scans for a specific vulnerability, or scanning all plugins on a particular WordPress site.

What I found out is that, custom written websites usually have bugs too, often more, but it’s slightly more difficult to detect them, but not impossible. I actually like authoring custom written websites. Its more challenging, and the level of complexity is slightly higher, thus making the pentesters to use different techniques and get a better understanding of how actually things work!.

I have been using SQLMap for a year or so. Its’ an excellent tool that can be used to identify vulnerabilities on your websites which may be buried deep down in your code and also to exploit them using the different options/techniques it supports. I even found a couple problems on my websites, which I didn’t even noticed I had.

I am often asked to run scans on custom websites. Authors often have small mistakes or use code that haven’t properly been reviewed and those bugs might affect the website’s integrity, but it’s less likely that it will be found by automated tools.

Apart from some code I pushed on GitHub, this is my only contribution to humanity and an excellent hobby. First identifying vulnerabilities on different websites, then tell the authors how to fix them. So the universe is happy with me. Most of the times anyway :).

I heard from a friend about psalidaki.com. I opened the website, and thought this looks custom enough, let’s take a look. I confirmed that I was allowed to test it by dropping an email to the owner explaining what I would like to do. It goes without saying that an NDA was signed, and upon getting his final written approval, I kicked off!

Most of the website was secure. Usual suspects for SQL injections were not there (exposed GET parameters like articles ids etc).

Then I found a possible XSS vulnerability. Video Viewer is basically an iframe to:

http://psalidaki.com/youtube/video.php?video_=http://www.youtube.com/v/2v378b-Dw4I

From what I saw the youtube id, 2v378b-Dw4I was copied into the code. I then tried:

http://psalidaki.com/youtube/video.php?video_=http://www.youtube.com/v/”><script>alert(“Hello!”)</script>

and the I was greeted with  a “Not Acceptable” security warning, which blocked my attempt to execute the script and thus confirm if that was a real vulnerability :).

I was ready to give up and then I saw the poll. I quickly opened Firefox HTTP Headers plugin, and clicked on an answer. The request was a post request to:

http://www.psalidaki.com/poll/poll.php

and the post data was:

id=16&ac=vote&onLoad=%5Btype%20Function%5D&a=1

With the help of the SQLMap I identified that parameter ‘id’ “seemed” to be injectable. That was certainly a vulnerability which, potentially and under specific circumstances, could lead to unauthorised access to the website’s database!

I was able to list the names of a couple of tables, but my purpose was not to proceed further (legal aspects)!

I soon after contacted the owner of the website and told him the details of the vulnerability. His response was quick and professional, the vulnerability was fixed in the same day and he even allowed me to write about it.

This is a post written to welcome you.

After some though I decided to post some of the interesting (or geeky if you are a normal person) things I do every day, especially my white-hat hacking little stories (with some grayish shades from time to time).

Be back soon.