Awox CamLight Pentest

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


DRAFT - This is a report on pentest - the information gathering and vulnerability scans - performed on Awox CamLight.


  • Operating system: Kali Linux 2021.1 amd64, Parrot Security 4.10 amd64
  • AWOX CamLight Hardware
  • AWOX CamLight Smartphone application (IOS or Android)

Disclaimer: all possible examples and tests done have been done in VMWare in a Kali Linux and ParrotOS VM.


In an effort to evaluate the Awox CamLight and perform a pentest, there are certain steps to be followed. A penetration test in general consists of several stages:

  • Planning and reconnaissance

This is where the attacker/tester gets familiar with the target and gathers as much information as possible. Finding out what the network topology is (in case of networks), what the IP addresses, domain details or possible mail servers are etc.

  • Scanning

This is the phase where you interact with the target, in our case the target host CamLight. Probes are sent to the target and responses are recorded. This includes scanning the target with various scanning tools, identification of open ports, services that are running and much more. The goal is to identify vulnerable ports, functions or services.

  • Gaining Access

In this step the vulnerabilities are exploited to gain access to the target. However, not all vulnerabilities will lead to this stage, only those exploitable enough to grant access to the target host.

  • Maintaining access

For example to make sure that access is maintained after reboot or modifications of the target. This would be the case for attackers whose goal is to stay in a system and collect information over longer periods of time to catch the perfect moment to exploit.

  • Exploitation

This would be the stage where an attacker/tester does the "actual damage". The goal is to get their hands on data, compromise a system, launch various attacks etc. During authorized penetration testing, this will take place in a very controlled environment.

  • Evidence collection and reporting

This is the stage where the results of the penetration test are collected, evaluated and handed in to whoever ordered the security evaluation.

In this pentest, the focus lies on information gathering and vulnerability scans of the target host, with possible attempts to exploit the vulnerabilities found.

Planning and reconnaissance

To list the known information about the camera, first step would be to find out, how it works and what are the specifications from the vendor. It should be noted that the camera can no longer be found in the AwoX official store, which would indicate that it is no longer sold, and therefore there isn't much information on the vendor's page, only the resellers. A brief documentation of the camera can also be found here. The camera connects over WiFi. You set it up in your home/office with your smartphone app and let it connect to the same WiFi that your phone is using. Disclaimer: The IOS AwoX CamLightapp does NOT work. If you own an IOS smartphone, you could still try the app, but if it doesn't work for you, the way to go would be to install an android emulator on your PC and then download the android there and perform the connection setup through there, since the app seems to no longer work properly for IOS - the reason for this could possibly be that the Camera is no longer sold, thus the application is no longer kept up to date.
To gather information about the camera itself, we need it to be connected to power and to WiFi and have your scanning tools (in our case the Kali Linux VM) available to access devices in that subnet. The IP address of the camera in this demonstration will be, which was concluded from excluding all the other known devices on the network and also turning the camera on and off to see which IP address is new.


Starting with nmap, the following results have been gathered:
$ sudo nmap -O

Nmap scan report for
Host is up (0.043s latency).
Not shown: 996 closed ports
23/tcp   open  telnet
554/tcp  open  rtsp
843/tcp  open  unknown
5001/tcp open  commplex-link
MAC Address: 7C:DD:90:AF:4E:7D (Shenzhen Ogemray Technology)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop

$ sudo nmap -sA

Nmap scan report for
Host is up (1.1s latency).
All 1000 scanned ports on are unfiltered
MAC Address: 7C:DD:90:AF:4E:7D (Shenzhen Ogemray Technology)
Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds

$ nmap -Pn -sV --script vuln

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( ) at 2021-06-21 23:45 CEST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for
Host is up (0.060s latency).
Not shown: 967 closed ports, 29 filtered ports
23/tcp   open  telnet         security DVR telnetd (many brands)
554/tcp  open  rtsp
| fingerprint-strings: 
|   HTTPOptions, RTSPRequest: 
|     RTSP/1.0 200 OK
|     CSeq: 0
|     Server: CameraRtspServer
|   SIPOptions: 
|     RTSP/1.0 200 OK
|     CSeq: 42
|     Server: CameraRtspServer
843/tcp  open  unknown
5001/tcp open  commplex-link?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Nmap done: 1 IP address (1 host up) scanned in 152.36 seconds

After performing nmap and trying some other Kali tools but not discovering any more useful information, openVAS was used, which is a vulnerability scanner that can be installed additionally on Kali. To install openVAS the following commands are needed:

apt update
apt dist-upgrade
apt upgrade
apt install openvas

Afterwards just launch it on localhost in browser on, add a target (our camera) and set up tasks to perform scans. The results of a full scan are shown below, however it mostly showed what we already knew, which is the Telnet port:

  • Telnet Vulnerability
  • TCP Timestamps

After openVAS we also tried the Nessus vulnerability scanner, which can be downloaded here. This did not offer any new information and the setup was quite lengthy, but it offers a nice GUI for possible newbie users.

Gaining access

When trying to telnet to the camera, you are prompted with a username and password, which we don't know. Guessing several admin-password combinations was also not met with success. The vulnerability here would thus be: being able to listen on the plaintext telnet connection (which was successfully done with Wireshark) if the admin would access the camera. The SSH port is not open for access (telnet connection failed, plus no scans show the port), which would solve this vulnerability from the admin's perspective.

  • Attempt at Metasploit Telnet Login brute force exploit:
$ msfconsole
msf6 > use auxiliary/scanner/telnet/telnet_login
msf6 auxiliary(scanner/telnet/telnet_login) > set BLANK_PASSWORDS false
msf6 auxiliary(scanner/telnet/telnet_login) > set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
msf6 auxiliary(scanner/telnet/telnet_login) > set RHOSTS
msf6 auxiliary(scanner/telnet/telnet_login) > set THREADS 254
msf6 auxiliary(scanner/telnet/telnet_login) > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
msf6 auxiliary(scanner/telnet/telnet_login) > set VERBOSE true
msf6 auxiliary(scanner/telnet/telnet_login) > run

Results: no match found
This result was of course expected, bots need days and months to brute force telnet passwords of IoT devices, the important factor here is how much time one is willing to invest. Telnet brute force attacks on IoT devices are very popular and common nowadays, that's why the importance of a good username and password is so prevalent.

  • Attempt at Hydra Telnet Login brute force exploit:
$ hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt telnet
$ hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/rockyou.txt telnet

Elapsed time: several days
Results: not successful

Used Hardware

AwoX CamLight