IOT Security: Pentesting on IP Cameras

From Embedded Lab Vienna for IoT & Security

Summary

This page documents a penetration test (information gathering and vulnerability scans) performed on the TP-Link Kasa Cam Smart Home Camera KC120, the Ezviz CS-C1C and the Abus PPIC32020.

Requirements

Operating System

  • Kali Linux 2022.2

Hardware

  • TP-link Kasa Cam Smart Home Camera KC120
    • Encryption: 128-Bit-AES, WPA/WPA2-PSK
    • Storage: Amazon Web Services (AWS) Cloud
  • Ezviz CS-C1C
    • Encryption: 64/128-bit WEP, WPA/WPA2, WPA-PSK/WPA2-PSK
    • Storage: EZVIZ cloud and/or MicroSD
  • Abus PPIC32020
    • Encryption: AES 128bit, WPA/WPA2-PSK
    • Storage: MicroSD

Apps

  • Kasa smartphone application (iOS or Android)
  • Ezviz smartphone application (iOS or Android)
  • ABUS App2Cam Plus smartphone application (iOS or Android)

Description

A penetration test can be divided into several stages:

  • Pre-Engagement Interactions

Working with the client to clearly define and document the assessment objectives, scope and rules of engagement. There are three ways to run the test. In this case the tester uses a black-box approach, which means the tester knows nothing about the system under test, i.e. he/she has to act as an external attacker would.

  • Gathering Information

Collecting and examining key data about the software and its infrastructure.

  • Threat Modeling

Threat modeling is an established technique for identifying and prioritizing potential threats to a system, and for determining the value that possible mitigations would have in reducing or neutralizing those threats.

  • Vulnerability Analysis

Find existing vulnerabilities and identify any potential security weaknesses that could allow an outside attacker to gain access to the environment.

  • Exploitation

The pentester tries to establish a connection with the target and exploit the vulnerabilities found in the previous phase. An exploit can take the form of software, shellcode, a specific command, code injection, a remote exploit that needs no prior access, a local exploit that requires prior access to the system, or a zero-day exploit which exploits known vulnerabilities.

  • Post Exploitation

After successful exploitation it is crucial to document every step and tool used, so that the impact of the vulnerabilities can be demonstrated to the client.

  • Reporting

Providing a complete report with a thorough evaluation and recommendations on how to mitigate the vulnerabilities found.

  • Resolution & Re-Testing

The client follows the recommendations, and once the vulnerabilities have been patched a re-test is run.

Planning

You need to set up the camera together with its phone app and connect it to the same WiFi network that your smartphone uses. To find the camera's IP address you need to install scanning tools that can discover the devices in your subnet.

Scanning Tools

Nmap
Nmap scans provide the essential information needed to find a vulnerability.

Target Specification:

$sudo nmap <target IP>            Scan a single IP

Enables OS detection, version detection, script scanning, and traceroute:

$sudo nmap -sV -A <target IP>

Scan TCP/UDP Ports:

$sudo nmap <target IP> -sT        TCP connect port scan (Default without root privilege)
$sudo nmap <target IP> -sU        UDP port scan

Host Discovery and Port Scan:

$sudo nmap <target IP> -sn        Disable port scanning. Host discovery only
$sudo nmap <target IP> -Pn        Disable host discovery. Port scan only (If the host is down)

Port Specification:

$sudo nmap <target IP> -p-        Scan all ports

OS Detection:

$sudo nmap <target IP> -O         Remote OS detection using TCP/IP

It is possible to use a set of scripts from the /usr/share/nmap/scripts/ directory:

$nmap -sV --script $SCRIPT <target IP>
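
As an added example (not part of the original page), the following Python script parses the XML that `nmap -sV -oX <file>` writes and lists every open port together with the defensive question it raises for an IP camera. The host address, the ports and the service banners are constructed sample data, not results from the cameras tested here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output for a camera on the lab subnet
# (hypothetical address, ports and banners; not a real scan result).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.0.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd"/></port>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="udp" portid="9999"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services that deserve a closer look when an IP camera exposes them, with
# the question a defender should answer for each one.
RISKY_SERVICES = {
    "telnet": "cleartext remote shell; disable or restrict to a management VLAN",
    "ftp": "cleartext file transfer; check whether anonymous login is permitted",
    "http": "plaintext web admin interface; prefer HTTPS and check for default credentials",
    "rtsp": "video stream endpoint; verify that streams require authentication",
}


def open_ports(xml_text):
    """Return [(host, port, protocol, service)] for every open port in nmap XML."""
    root = ET.fromstring(xml_text)
    result = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports matter for the review
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            result.append((addr, int(port.get("portid")), port.get("protocol"), name))
    return result


def review_findings(xml_text):
    """Map each open port to a review note; unknown services get a generic note."""
    findings = []
    for addr, port, proto, name in open_ports(xml_text):
        note = RISKY_SERVICES.get(name, "unexpected service; confirm whether it is needed")
        findings.append(f"{addr} {port}/{proto} {name}: {note}")
    return findings


if __name__ == "__main__":
    for line in review_findings(SAMPLE_NMAP_XML):
        print(line)
```

Run it against a real scan with `nmap -sV -oX cam.xml <target IP>` and pass the file contents to `review_findings`.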

Spiderfoot
Spiderfoot uses various modules to collect information about the target host through the scanning options available in the Spiderfoot framework.

$spiderfoot -l <target IP>:<target Port>

Dmitry
Dmitry can be used to search for subdomains of the target, find open ports on the target system with a TCP scan, gather operating system information, web server and web host details, hosting service details, the registered domain with the name, address and contact information of the person who registered it, and find e-mail addresses associated with the target's domain.

$dmitry -p -l <target IP>

The Harvester
With theHarvester you can gather information such as e-mails, subdomains, hosts, employee names, open ports and banners from public sources like search engines, PGP key servers and the Shodan database.

$theHarvester -d <target IP> -l 1000 -b google

HackerEnv
HackerEnv is an automated tool written in Bash that quickly performs port scans, scans target IP addresses for vulnerabilities, and retrieves matching exploits from the Searchsploit utility.

$git clone https://github.com/abdulr7mann/hackerEnv.git
$cd hackerEnv
$chmod +x hackerEnv
$bash hackerEnv -t <target IP>

Legion
Legion has a GUI and performs automatic reconnaissance and scanning with Nmap, WhatWeb, Nikto, Vulners, Hydra, SMBenum, DirBuster, SSLyze, WebSlayer and more (almost 100 auto-scheduled scripts). It is already installed on Kali Linux 2022.2.

Nessus
Nessus is a vulnerability scanner that inspects systems for security gaps and vulnerabilities. It can be used to identify local and remote vulnerabilities, to audit configuration and compliance, to verify default credentials, and to scan web applications.

$sudo dpkg -i <Nessus deb file>
$/bin/systemctl start nessusd.service
go to https://kali:8834/ to configure the scanner

Exploitation Tools

Metasploit
Test your camera for security gaps with the help of the Metasploit framework. The exploits collected in the framework can be used for security and penetration tests on the target system. The attack method (exploit) and the code executed afterwards (payload) are separated: exploits must be tailored to specific security gaps in software and hardware, while the payload is the code that runs once the attack method succeeds and the system has been broken into or compromised.

msf6 > search <open port protocol>           Search for exploits for open ports

Searchsploit
The SearchSploit utility is a local copy of the Exploit Database; it searches this database for exploits matching the software and services found during the penetration test. You can also use it to inspect an exploit and make a copy that you can modify for use on a particular host.

$searchsploit <open port protocol>           Search for exploits for open ports

Hydra and Patator
Hydra and Patator are login crackers that support numerous protocols. These tools make it possible for researchers and security consultants to show how easy it would be to gain unauthorized remote access to a system. They are used to brute-force usernames and passwords for services such as FTP, SSH, Telnet, MS-SQL, etc.

The wordlists shipped with Kali are located in /usr/share/wordlists; change into that directory and run one of the following commands:

$cd /usr/share/wordlists
$hydra <Target_IP> ssh -l <username> -P <password_file> -s 22 -vV                          to brute-force SSH username and password
$hydra -L <username_file> -P <password_file> ftp://<Target_IP>                             to brute-force FTP username and password
$hydra -l <username> -p <password> telnet://<Target_IP>                                    to brute-force Telnet username and password
$patator rdp_login host=<target IP> user=FILE0 0=<username_file> password=FILE1 1=<password_file> -x ignore:code=131

Report

Used Hardware

References