When my daughter was born I decided to get an IP camera to put over her cot so I could keep an eye on her at night. The one I chose was from Storage Options. Looking through the info that comes with it I spotted this line:

The software supplied manages the set-up process for you. Includes support for dynamic IP address and DDNS and with wireless connectivity you don't have to worry about running cables around your home or office.

There are also mentions of things like "automatic registration" and "easy remote monitoring", I didn't like the sound of these so I decided to dig a little deeper. The device will run over a wired or wireless network so I set it up so all traffic passed through my laptop, started Wireshark and powered it on. Two things stood out, UPnP traffic heading to my router and web traffic to the domain ipcam.hk. The UPnP traffic was attempting to get my router to open up a PAT hole through it, basically allowing the outside world full access to the camera's web interface - not good! Dissecting the web traffic, that turned out to be the DDNS setup.

The device comes with a unique 6 character code which the manual says can be used for external viewing, for example if my code is abcdef then it says to browse to to see my camera. The way this is set up with the DDNS is quite interesting, rather than having the subdomain return the external IP of the camera, all subdomains resolve to the ipcam.hk domain. If you browse to the subdomain the page you get does a 302 redirect to the IP of the camera. This is a neat idea because the cameras use a default port of 81 rather than the normal 80 and so users would have to know to add :81 to their URL which would go against the ease of use they are aiming for.

So, what is wrong with this? Camera enumeration. Every camera which successfully registers with the service has its IP and port available to anyone who decides to query the service. If I want to see if a camera with code xxxxxx is registered I simply browse to and see where I get redirected to. It isn't hard to request a bunch of URLs, ask HD Moore! If the UPnP request to that user's router worked then I'll end up on the web interface for their camera. So I wrote a script to scan a range of codes, look at the IP returned and see if it required authentication or not. I found quite a few open cameras, most boring but a couple of fun ones.

A couple of months went by and unfortunately I didn't get time to write up all the work I'd done, I was then asked to speak at OWASP Leeds and thought it would be a perfect opportunity to release the info. I decided to get fresh data but unfortunately found that the ipcam.hk service was dead so all I had was the data I'd previously collected. I presented and pointed out that as a researcher your findings are often only valid for a short time window so should be released as soon as possible. I thought that was that and moved on.

All this was two years ago, we've now had a second kid and decided to get him a camera as well. I ended up getting a very similar one as it turns out that there are a lot of companies re-branding the same basic camera. This camera also boasted the same features as the first except this time with a different DDNS provider,. This time I wasn't going to let the data get away.

Armed with previous knowledge I decided to abandon my previous Ruby script and write my first nmap script in Lua. This turned out to be fairly easy and had the big advantage of having someone else worry about threading, networking and all the other underlying things that I didn't really care about.
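Seen from the DDNS operator's side, the enumeration described in this post (one client asking for many different 6 character codes in a short time) stands out in the redirect service's access log. The following Python is an added example, not code from the original post; the log format, the `ddns.example` domain and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO time> <client ip> <host> <status>"
LINE = re.compile(r"^(\S+) (\S+) ([a-z0-9]{6})\.ddns\.example (\d{3})$")

def find_enumerators(lines, window=timedelta(seconds=60), max_codes=5):
    """Return {client_ip: (distinct_codes, miss_ratio)} for clients that looked
    up more than max_codes distinct camera codes inside one sliding window."""
    recent = defaultdict(deque)  # ip -> (time, code, status) entries in window
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a per-camera subdomain lookup
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ip, code, status = m.group(2), m.group(3), int(m.group(4))
        q = recent[ip]
        q.append((ts, code, status))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop lookups that fell out of the window
        codes = {c for _, c, _ in q}
        if len(codes) > max_codes:
            # A 302 means the code is registered; anything else is a miss.
            misses = sum(1 for _, _, s in q if s != 302)
            if len(codes) > flagged.get(ip, (0, 0.0))[0]:
                flagged[ip] = (len(codes), round(misses / len(q), 2))
    return flagged

def sample_log():
    """Constructed sample: an owner polling one code, and one client sweeping."""
    owner = [f"2013-01-10T12:{m:02d}:00Z 198.51.100.9 abcdef.ddns.example 302"
             for m in range(10)]
    codes = ["aaaaaa", "aaaaab", "aaaaac", "aaaaad",
             "aaaaae", "aaaaaf", "aaaaag", "aaaaah"]
    sweep = [f"2013-01-10T12:05:{s:02d}Z 203.0.113.7 {c}.ddns.example "
             f"{302 if c in ('aaaaac', 'aaaaag') else 404}"
             for s, c in enumerate(codes)]
    return owner + sweep

if __name__ == "__main__":
    for ip, (n, miss) in find_enumerators(sample_log()).items():
        print(f"{ip}: {n} distinct codes in window, miss ratio {miss}")
```

The owner who repeatedly loads a single code is never flagged; the distinct-code count per client is the signal, and the miss ratio helps separate a sweep from a shared NAT address with several real cameras behind it.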