IOT Security: Pentesting on IP Cameras

From Embedded Lab Vienna for IoT & Security

Summary

This page documents a penetration test (information gathering and vulnerability scans) performed on the TP-Link Kasa Cam Smart Home Camera KC120, the Ezviz CS-C1C and the Abus PPIC32020.

Requirements

Operating System

  • Kali Linux 2022.2

Hardware

  • TP-link Kasa Cam Smart Home Camera KC120
    • Encryption: 128-Bit-AES, WPA/WPA2-PSK
    • Storage: Amazon Web Services (AWS) Cloud
  • Ezviz CS-C1C
    • Encryption: 64/128-bit WEP, WPA/WPA2, WPA-PSK/WPA2-PSK
    • Storage: EZVIZ cloud and/or MicroSD
  • Abus PPIC32020
    • Encryption: AES 128bit, WPA/WPA2-PSK
    • Storage: MicroSD

Apps

  • Kasa Smartphone application (iOS or Android)
  • Ezviz Smartphone application (iOS or Android)
  • ABUS App2Cam Plus Smartphone application (iOS or Android)

Description

A penetration test can be divided into several stages:

  • Planning

Working with a customer to clearly define and document the assessment objectives, scope, and rules of engagement.

  • Gathering Information

Collecting and examining key data about the software and its infrastructure.

  • Discovering Vulnerabilities

Finding existing vulnerabilities and identifying any potential security weaknesses that could allow an outside attacker to gain access to the environment.

  • Exploitation

The pentester tries to establish a connection with the target and exploit the vulnerabilities found in the previous phase.

  • Reporting

Providing complete documentation with a thorough evaluation and recommendations on how to mitigate the vulnerabilities found.

Planning

Set up the camera at home together with its phone app and connect it to the same WiFi network your smartphone uses. To find the camera's IP address, install scanning tools that can discover the devices in your subnet.

Scanning

Nmap
First, an Nmap scan is performed. Its results provide the information needed to look for vulnerabilities.

Target Specification:

$ sudo nmap <target IP>       Scan a single IP

Enables OS detection, version detection, script scanning, and traceroute:

$ sudo nmap -sV -A <target IP>

Scan TCP/UDP Ports:

$ sudo nmap <target IP> -sT    TCP connect port scan (default without root privilege).
$ sudo nmap <target IP> -sU    UDP port scan.

Host Discovery and Port Scan:

$ sudo nmap <target IP> -sn         Disable port scanning. Host discovery only.
$ sudo nmap <target IP> -Pn         Disable host discovery. Port scan only. (Use when the host does not answer ping probes and would otherwise be reported as down.)

Port Specification:

$ sudo nmap <target IP> -p-          Scan all ports

OS Detection:

$ sudo nmap <target IP> -O          Remote OS detection using TCP/IP fingerprinting

It is possible to use a set of scripts from the /usr/share/nmap/scripts/ directory:

$ nmap -sV --script $SCRIPT <target IP>
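As an added example (not code from the original page or from the lab), the script below triages an Nmap XML report saved with -oX: it keeps only the ports Nmap reports as open and maps the services a consumer camera typically exposes to the reason a reviewer should look at them. The SAMPLE_XML host and the RISKY_SERVICES table are constructed assumptions, not results from the cameras tested on this page.

```python
"""Triage an Nmap XML report (nmap -sV -oX scan.xml <target IP>) of an IP camera.
Added example; the XML below is a constructed sample, not output from the page."""
import xml.etree.ElementTree as ET

# Services a consumer camera commonly exposes and why each one needs review.
# The list is an assumption for this example, not a finding from the page.
RISKY_SERVICES = {
    "telnet": "cleartext remote shell; should not be reachable on a camera",
    "ftp": "cleartext file transfer, often used for snapshot upload",
    "rtsp": "video stream; verify it requires credentials",
    "http": "web UI/API; check for default credentials and missing TLS",
}

# Constructed sample of one host as written by nmap -sV -oX (attributes trimmed).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="sample-httpd" version="1.4"/></port>
   <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
   <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp" product="sample-rtspd"/></port>
   <port protocol="udp" portid="1900"><state state="open|filtered"/><service name="upnp"/></port>
  </ports>
 </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return [(ip, proto, port, service, product)] for ports in state 'open' only."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed and open|filtered ports are not confirmed exposure
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p) if svc is not None else ""
            found.append((ip, port.get("protocol"), int(port.get("portid")), name, product))
    return found


def triage(xml_text):
    """Map (proto, port, service) of each risky open service to the reason to review it."""
    return {(proto, port, svc): RISKY_SERVICES[svc]
            for _, proto, port, svc, _ in parse_open_ports(xml_text) if svc in RISKY_SERVICES}
```

Run it against a real report with `triage(open("scan.xml").read())`; the UDP 1900 entry is deliberately skipped because `open|filtered` is not a confirmed open port.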

Spiderfoot
SpiderFoot uses a large set of modules to collect information about the target host through the scan options available in the SpiderFoot framework.

$ spiderfoot -l <listen IP>:<listen port>      Start the SpiderFoot web interface on the given listen address; the target and scan options are then entered in the browser UI.

Dmitry
Dmitry (Deepmagic Information Gathering Tool) can be used to search for subdomains of the target, find open ports of the target system with a TCP scan, gather operating system, web server, web host and hosting service details, look up the registered domain together with the name, address and contact information of the registrant, and find email addresses associated with the target's domain.

$ dmitry -p -b <target IP>      TCP port scan of the target and banner grab of the open ports

Legion
Legion works with a GUI which can perform automatic recon and scanning with NMAP, whataweb, nikto, Vulners, Hydra, SMBenum, dirbuster, sslyzer, webslayer, and more (with almost 100 auto-scheduled scripts). It is already installed on Kali Linux 2022.2.

Nessus
Nessus is a vulnerability scanner that inspects systems for security gaps and vulnerabilities. It can identify local and remote vulnerabilities, audit configuration and compliance, verify default credentials, and scan web applications.

$ sudo dpkg -i <Nessus deb file>
$ sudo systemctl start nessusd.service
Then open https://kali:8834/ in a browser to configure the scanner.

Exploitation Tools

Metasploit
Test your camera for security gaps with the Metasploit framework. It collects a large number of exploits that can be used for security and penetration tests against the target system. In Metasploit the attack method (exploit) is separated from the code that is executed after it succeeds (payload). Exploits have to be tuned to specific security gaps in software and hardware; the payload runs once the exploit succeeds and can break into or compromise the system.

msf6 > search <open port protocol>           Search for exploits matching a service found on an open port

Searchsploit
The SearchSploit utility is a local copy of the Exploit Database. It searches this database for exploits for the software and services found during the penetration test. You can also use it to inspect an exploit and make a copy that you can modify for use against a particular host.

$ searchsploit <open port protocol>          Search for exploits matching a service found on an open port

Hydra
Hydra is a login cracker that supports numerous protocols. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. It is used to brute-force usernames and passwords for services such as FTP, SSH, Telnet, MS-SQL, etc.

The wordlists shipped with Kali are stored in the following directory:

$ cd /usr/share/wordlists
$ hydra <Target_IP> ssh -l <username> -P <password_file> -s 22 -vV     brute-force the SSH password of a known username
$ hydra -L <username_file> -P <password_file> ftp://<Target_IP>        brute-force FTP usernames and passwords
$ hydra -l <username> -p <password> telnet://<Target_IP>               test a single username/password pair against Telnet

Used Hardware

References