Thursday, April 18, 2013

Hack of the week: Hacking An IP Camera

When we have assigned labs in the VE, I usually try things out on my home network as well. A couple of recent labs had us scanning to discover hosts on a network. Because my intent was not to intrude, but simply to discover, I decided to scan my ISP subnet. My netmask is 255.255.248.0, so I know that I'm on a /21 network. In Zenmap the command "nmap -T4 -F xxx.xxx.xxx.xxx/21" provided me with a quick scan of 100 common ports. Most IPs were filtering the ports queried, but a handful were advertising services that were against ISP policies and risky security-wise. There were also two that were advertising RPC/MS file sharing ports that we exploited in our labs with Metasploit!

I picked a couple that were advertising HTTP services on port 80. One in particular presented me with the following login screen:

DCS-932L turns out to be a D-Link IP camera. A quick Google search turned up a rather nasty vulnerability with firmware releases prior to August of 2012. It turns out the owner didn't update the firmware, so punching "http://<device IP address>/frame/GetConfig" into my browser actually worked. The code to decrypt the config file is another story... I don't know Python very well and it doesn't run properly. I've re-written it in C, but it's still a work in progress and so is this hack.

Actually completing the exploit isn't the point of this, though. I don't intend to violate anyone's privacy or break any laws. Having done this, I can't help but wonder how many exploitable devices are out there that just need a firmware update or a software patch. Pretty scary...





13 comments:

  1. This is a very good application of what we've been learning in class, and a great "project" that you have undertaken. I would be more than happy to debug the Python code, if you would like. Aside from that, I applaud the initiative!

  2. Thank you for the feedback everyone. Peon, if you take a look at the second link in my post, the Python code is posted on that page. It's in need of some work, and if you have time to take a look, that would be awesome.

    Don't forget to rate hacks posted on the blog! Game rules state 0, 2, 5, or 10 points according to what you think it's worth.

    Replies
    1. Could you please post the config file as well? Thanks.

    2. Done, it's now the third link in my original post.

  3. I have modified the code to read and process your configuration file. I have also tested it and it seems to be working, but only with Python 2, as the functionality in Python 3 is slightly different. In case you are using that, I will post a version of the code that will work with Python 3. Both versions of the code are complete with at least a basic amount of exception/error handling. If you find any problems with the code, or would like special modifications, let me know. The results were quite interesting, which I will let you post on your own. I admire your work and initiative, and think you deserve at least a 5 for this hack.

    Link to the modified program for Python 2 interpreters: decode.py
    Link to the modified program for Python 3 interpreters: decode3.py

    Link to the configuration file and results: See Capn Crunch! ;-)

    Congratulations on your hack, once again. I enjoyed being able to be a part of it.

    -- Peon

  4. I'm running Python 2.7.3, so the code you provided worked flawlessly. Thank you for pitching in. I imagine this is how real hacking works: each person brings a strength to the table to get things done.

    Now for the ethics part: should I notify this person about this issue? If I didn't know any better, I would want to know...

  5. That's a good question. I would be hesitant, because as you've seen from reading the book and reading all the disclaimers throughout the course, and from the plight of others, no matter how innocent or white hat your intentions were, legally, you may be subject to hell in a hand basket. Knowing the situation all of us are in, it's not worth it to sacrifice yourself and your hard work to be criminalized by individuals who don't get the point. We don't need you to be a martyr... Leave that for the script kiddies.

    Replies
    1. Funny, I posted my most recent reply and THEN pondered the parallel to our most recent ethics discussion. I couldn't agree more with your opinion on the matter.

      Let's chalk this up to a fun and interesting exercise and move on!

    2. Wow! I will be sharing this with future Ethical Hacking classes. This is EXACTLY the ethics and the hacking we want to come out of this class! Amazing stuff!

  6. This is so awesome, gentlemen! Great teamwork--and great job moving to consider the ethical dimensions!

  7. Also... 10 points as this was a difficult hack, though I'm not exactly sure if I would call it social engineering. It is impressive, however, and for that I will give you 10 points.
