Difference between revisions of "IP Cameras Pentesting Report"

From Embedded Lab Vienna for IoT & Security
* [https://www.tp-link.com/at/support/download/nc200/#Firmware TP-Link NC200]
* Blink Mini (no open and accessible firmware found)
=== Gathered Information ===
==== NMAP ====
{| class="wikitable" style="margin:auto"
|+ NMAP Information
|-
! NMAP Command !! ABUS PPIC32020 !! TP-Link NC200 !! Blink Mini
|-
| Port Scan || Example || Example || Example
|-
| OS Scan || Example || Example || Example
|-
| Vulnerability Scan || Example || Example || Example
|}


== Courses ==

Revision as of 12:55, 13 July 2022

Summary

This article is a comprehensive description of a pentesting process regarding three IP cameras: the ABUS PPIC32020, the Blink Mini and the TP-Link NC200. In the further course of this report the methodology of the information gathering process is described, and afterwards the gathered information is analysed. From this analysis, vulnerabilities are pointed out. We then form attack vectors, exploit these vulnerabilities and recommend countermeasures for the vendors to make their systems more secure.

Requirements

In order to perform the exploits, the following tools were needed.

Description

In this chapter, we will demonstrate how we were able to extract information about the target devices, form attack vectors and exploit them afterwards.

Methodology

Step 1: NMAP

We used NMAP to gather as much information as possible about the target systems. This includes IP addresses, open ports, operating systems, services and more. This step is crucial to gain a better understanding of how the camera works and is necessary to perform sophisticated attacks to extract information or gain access.

Nmap (Network Mapper) is a network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich).[4] Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.[5]

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection,[6] vulnerability detection,[6] and other features. Nmap can adapt to network conditions including latency and congestion during a scan.[1]

To gather information about the target systems we used the following commands:

nmap -sP [Network Address/Subnet mask]               Network scan (ping scan; -sP is the legacy spelling of -sn) --> discovers the IP addresses of the target systems inside the LAN
nmap -sS -F [IP Address]                             TCP SYN port scan (fast scan of the most common ports) --> discovers open ports on the target system
nmap -sV [IP Address]                                Service scan --> discovers the services listening on the open ports
nmap -O [IP Address]                                 Operating system scan --> guesses the operating system running on the target host (based on OS fingerprints)
nmap -Pn -sV --script vuln [IP Address]              Vulnerability scan --> discovers possible vulnerabilities based on already known exploits for the detected services
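The scans above leave raw Nmap output; for the report table below, the results have to be condensed into one row per scan type. The following parser is an added example and not part of the original report: it reads Nmap's XML output (the -oX option) and turns it into the Port Scan / OS Scan / Vulnerability Scan cells. The embedded XML is a constructed sample, not a scan of any of the three cameras.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -sV -O --script vuln -oX" output; NOT a scan of the cameras.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O --script vuln 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/>
 <service name="http" product="ConstructedHTTPd" version="1.0"/>
 <script id="constructed-vuln-check" output="State: VULNERABLE (constructed sample)"/></port>
<port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
</ports>
<os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
</host></nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: open ports with service info, OS guesses and NSE findings."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        ports, findings = [], []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # the report table only records open ports
            svc = port.find("service")
            product = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                          "service": svc.get("name") if svc is not None else "unknown", "product": product})
            for script in port.iter("script"):  # per-port NSE output, e.g. from --script vuln
                findings.append((int(port.get("portid")), script.get("id"), script.get("output")))
        os_guesses = [(m.get("name"), int(m.get("accuracy"))) for m in host.iter("osmatch")]
        hosts.append({"addr": host.find("address").get("addr"), "ports": ports,
                      "os": os_guesses, "findings": findings})
    return hosts


def table_rows(host):
    """Render one host as the Port Scan / OS Scan / Vulnerability Scan cells of the report table."""
    port_cell = ", ".join(f"{p['port']}/{p['proto']} {p['service']} {p['product']}".rstrip()
                          for p in host["ports"])
    os_cell = "; ".join(f"{name} ({acc}%)" for name, acc in host["os"]) or "no match"
    vuln_cell = "; ".join(f"{port}: {sid}" for port, sid, out in host["findings"]
                          if "VULNERABLE" in out and "NOT VULNERABLE" not in out) or "none"
    return {"Port Scan": port_cell, "OS Scan": os_cell, "Vulnerability Scan": vuln_cell}


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], table_rows(h))
```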

Step 2: Man in the Middle (MitM)

In order to get a better understanding of how the architecture of the service provided by the IP cameras works, we mounted a Man in the Middle attack to learn how and where the camera connects to and how it delivers its service to the endpoints (in our case the ABUS camera used a smartphone app to connect to and configure the camera, while the two others used web services). To mount the MitM attack we utilised ARP spoofing, which can easily be done with the arpspoof command.

arpspoof -i [Your network interface] -t [Target IP] [The IP you pretend to be]

In order to be able to completely execute the MitM attack, you need to enable IP forwarding; otherwise the packets would be sent to you but would never arrive at their destination. To do this, enter the following command:

sysctl -w net.ipv4.ip_forward=1

If the attack was mounted correctly, you should be able to capture the traffic between the two endpoints you mounted the attack against (e.g. with Wireshark).

In our case, we mounted two MitM attacks: the first between the camera and the gateway, the second between the smartphone or endpoint and the gateway, in order to fully understand where and how the service connects to provide its capabilities.
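The ARP spoofing described above leaves a visible trace on the LAN: the gateway's IP address and the camera's IP address suddenly resolve to the same third MAC address. The following detector, an added example and not part of the original report, applies the arpwatch-style check to a constructed list of ARP replies (timestamp, sender IP, sender MAC); the addresses are invented for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen by a passive sniffer: (seconds, sender IP, sender MAC).
# .1 is the gateway, .20 the camera; a third MAC then claims both, as an ARP-spoofing MitM does.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "aa:aa:aa:aa:aa:01"),    # legitimate gateway
    (0.5, "192.0.2.20", "bb:bb:bb:bb:bb:20"),   # IP camera
    (30.1, "192.0.2.1", "cc:cc:cc:cc:cc:99"),   # gateway IP claimed by another MAC
    (30.2, "192.0.2.20", "cc:cc:cc:cc:cc:99"),  # camera IP claimed by the same MAC
    (32.1, "192.0.2.1", "cc:cc:cc:cc:cc:99"),   # repeated poisoning reply, already known
]


def detect_arp_spoofing(replies, known=None):
    """Return alert strings for IP->MAC changes and for one MAC claiming several IPs.

    `known` optionally maps IP -> trusted MAC (e.g. the gateway's), so a spoofed
    reply is flagged even if it is the first one seen for that IP.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"t={ts}: {ip} changed from {old} to {mac}")
        ip_to_mac[ip] = mac  # remember the current claim so repeats are not re-alerted
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:  # both victims now point at the same MAC
                alerts.append(f"t={ts}: {mac} now claims {sorted(mac_to_ips[mac])} (MitM pattern)")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(line)
```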

Step 3: Reverse DNS Lookup & Geo Locator

When viewing the captured traffic we stumbled over a lot of remote IP addresses with which the communication takes place. Therefore, we wanted to know the domain of the web service the camera is communicating with. To achieve this, we used the following free-to-use tools:


Step 4: Look through the open-source firmware of the cameras (if available)

To finish our research, we searched for any open and available firmware packages for any of the given cameras provided by the manufacturer.

Firmware:

Gathered Information

NMAP

NMAP Information

NMAP Command        | ABUS PPIC32020 | TP-Link NC200 | Blink Mini
--------------------|----------------|---------------|-----------
Port Scan           | Example        | Example       | Example
OS Scan             | Example        | Example       | Example
Vulnerability Scan  | Example        | Example       | Example

Courses

References