After learning how to hack security cameras, you will also be able to protect them. If you want to hack a CCTV camera just to learn the basic security concepts, you are in the right place. In this article, I show in detail the different ways to hack a CCTV camera by using tools and the Internet. How to hack CCTV cameras. Changing the default password of the DVR or IP camera does not guarantee that the device is 100% protected against hack attack and.

The first thing I did was look at the web interface. The user manual indicates that “IE will download ActiveX component automatically”. I don't know much about ActiveX controls, except that it isn't a good idea to run them indiscriminately.

Next I decided to poke around the source of the login page. First off, it handles logging in by sending the username and password in clear text as an HTTP POST request. Since admin:admin isn't the correct password, it sends back a response telling us that the password was wrong. The response is different if the username isn't correct. If you attempt to log in with a user account that doesn't exist, you get a neat little popup window that says no account.

Moving on, I decided to scan it with nmap. Not surprisingly, telnet is enabled and listening on port 23. I tried a couple of the standard combos, root:root, admin:password, etc., with no luck.

Fortunately the manufacturer offered a downloadable firmware update, which was a simple cramfs file system. I used binwalk to extract everything. As expected, in /etc/passwd there were usernames and password hashes. I let John the Ripper try to crack it overnight, but no luck, so I got impatient. A quick Google search for the password hash took me to some Russian forums where someone had already cracked it.
It was only 5 characters, all lower case with a single special character. I'd guess that given enough time john would have cracked it, but who knows how long that would have taken. Since it was already cracked by somebody else, it doesn't really matter. Knowing what I know now, I would have had better success with a rule-based mode rather than a wordlist.

There are likely hundreds if not thousands of these devices in the wild, and I'm willing to bet the number of people who even checked to see what ports were open is very few.

After logging in with the gathered credentials, I was able to run commands such as passwd and change the root password, as well as create additional users. This could be a potential location of persistence for an attacker, since there is no way for the average user to audit the list of system users in the first place. The web interface does not view or list the system users, only the web/local users. Of course, the greater power is being able to delete the security footage or shut down the device. I don't have a spare hard drive to put in the DVR to test the recording feature, but since deleting the recorded files is not done from the web interface, I am fairly confident that there wouldn't be a log entry created that would be viewable to normal users.

Some more sleuthing around the file system revealed a second passwd file in the web app directory. This password file contains the usernames and passwords used to log into the web app. The passwords for the web interface are hashed using a Dahua algorithm. This led to two rather large vulnerabilities: an undocumented user (which does not show up in the user list) and a bug caused by the create user feature. When a user is created (in the Windows web client, since Linux doesn't run ActiveX), if the memo field is left blank, the placeholder in the passwd file is populated with the cleartext password.
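
A defender-side check for two points from the write-up (password hashes shipped in the firmware's /etc/passwd, and system users that the web interface never lists), as an added example that is not code from the original post. It parses a passwd file from an extracted firmware image, reports login-capable accounts whose credential is stored in the file, and compares a running unit's passwd against the image to surface added accounts; the sample file contents, account names and function names are constructed for illustration.

```python
import re

# Constructed sample, not taken from the device or its firmware image.
FIRMWARE_PASSWD = (
    "root:$1$constrct$0000000000000000000000:0:0:root:/:/bin/sh\n"
    "nobody:x:99:99:nobody:/:/bin/false\n"
)
# Constructed sample of the same file read later from a running unit.
LIVE_PASSWD = FIRMWARE_PASSWD + "support:XXconstructed:0:0::/:/bin/sh\n"

NOLOGIN = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def parse_passwd(text):
    """Return {user: record} for every well-formed seven-field passwd line."""
    users = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue  # skip comments, blanks and malformed entries
        users[f[0]] = {"cred": f[1], "uid": int(f[2]), "shell": f[6]}
    return users


def hash_scheme(field):
    """Classify the password field; None means nothing usable is stored here."""
    if field in ("x", "*", "!", "!!"):
        return None  # shadowed or locked account
    if field == "":
        return "empty"  # no password required
    m = re.match(r"\$(\w+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "crypt-" + m.group(1))
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"  # traditional 13-character crypt(3)
    return "unknown"


def audit(firmware_text, live_text=None):
    """List (user, finding, detail) tuples for the live file, or the image itself."""
    base = parse_passwd(firmware_text)
    findings = []
    for name, u in parse_passwd(live_text or firmware_text).items():
        scheme = hash_scheme(u["cred"])
        if scheme and u["shell"] not in NOLOGIN:
            findings.append((name, "passwd-credential", scheme))
        if u["uid"] == 0 and name != "root":
            findings.append((name, "extra-uid0", ""))
        if name not in base:
            findings.append((name, "not-in-firmware", ""))
    return findings
```

Run `audit()` on the image alone before deployment, then periodically with a passwd file pulled from the device, since a factory image is the only baseline available when the product offers no view of its system users.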