Author Topic: Recon for Ip Cameras (Read 1700 times)

khofo · « **on:** August 26, 2014, 10:44:00 pm »

Hey Guys,
While gathering info about my school's website I realized that the website is hosted inside the school, and not in a hosting company, and after a quick maltego mapping i realized all the services are hosted in the same place a kind of hub. Then I realized that perhaps the cameras are connected to the same network so I ran HttpRecon and realized that effectively it's a hub since the number of barracudas, NAS's and other services indicated that the wp website is only a small part of a huge network. I did not recognize any device that could be a camera nor did I recognize any interface the cameras may intercat with. So my question is that is it possible to find those cams via the websites url or I should have acess to the network itself. Here is attached the scan I made with httprecon.

Any useful reply, indication or clarification is welcome

Kulverstukas · « **Reply #1 on:** August 27, 2014, 06:07:03 am »

The cameras are most likely only accesible from the inside. Only those standalone home monitoring systems stream live...

proxx · « **Reply #2 on:** August 27, 2014, 08:59:36 am »

Quote from: Kulverstukas on August 27, 2014, 06:07:03 am

The cameras are most likely only accesible from the inside. Only those standalone home monitoring systems stream live...

Often these are put on a different network.
@op I think you should learn a bit about how networks are built.
If I would put that shit on the same network (which obviously no sane person would do) I would loose my job.
There is likely to be a network segment dedicated to the cameras, possibly on a seperate VLAN if not on a completely isolated zone.
If they went crazy on this shit it is also likely that there is additional MAC and/or IP filtering going on.
Its no bank but even things like 802.1x over ethernet is not uncommon these days.
Welcome to 2014.
Glad to ruin your day.

khofo · « **Reply #3 on:** August 27, 2014, 07:02:25 pm »

Oh, I see now I think I going to look for some documentation on how surveillance cameras are implemented in a an existent network. I thought that perhaps the cameras are accessible from outside via the website. But what would be common sense for the IT team is to isolate from general traffic and create a VPN or some kind of filtering. Anws thanks for the clarifications

proxx · « **Reply #4 on:** August 27, 2014, 07:06:40 pm »

There is always physical security

It often sucks.

khofo · « **Reply #5 on:** August 27, 2014, 07:20:47 pm »

There is Ethernet ports in the walls connected to routers that are for sure used to make teachers computers connect to the network and not to offer WiFi I think getting access to this internal network physically may offer more possibilities. What I noticed indeed is that via the canteen WiFi which is accessible for students u can access all school's related online material such as the grades and school website much faster via the internal network and not an external request. But I think that there is some restrictions anws to access the network itself. I guess I'll take my laptop there someday and check this out.

StarLord · « **Reply #6 on:** September 15, 2014, 06:47:45 pm »

Here is my advice on what you should do

1. You have already scaned the whole network that you could possibly do

2. What you need to do now is
-> find a software that will scan every IP address on the whole network and Scan EVERY single port open - Once it has scanned all ports - it will now grab all the banners off the ports for example

on ip 10.0.0.7 has ports 21 - 23 - 3306 on it when the banner scans those ports its going to output via file > /tmp/scan.txt - and display the banner such as

port 3306 -> banner > Mysql Version X
port 21 -> banner > Proftpd
port 80 -> Web Camera Software Version X

Now you know what ip + port is located on the network and now you have found the camera

If that does not work
Locate your local School office Principals - Assistant Principle - or any Supervisor
you have found those out you need to get the ip of his computer
Simply send him an email and wait for him to simply reply back
Now you have to get his account information
Simply start a MiTM attack on the subnet his ip is located on

Go talk to him and say hey someone stole my stuff can you see who done it on the camera?

behind the doors your executing a sniffing attack on his system

which now allows you access into his computer now you have access to the Camera System

and boom your done

----------------------------------
Also some networks have different Jack ports you will see the common color " blue "

but then there are other ports specifically designed for IT department , School officials , etc etc etc
it might be a color of orange , yellow , or whatever the Field technician that installed the cable had put in
plug your local computer that your on into that port - or a laptop

and start sniffing

and let the Fun begin
Have fun

khofo · « **Reply #7 on:** September 15, 2014, 06:53:21 pm »

Quote from: StarLord on September 15, 2014, 06:47:45 pm

Here is my advice on what you should do

1. You have already scaned the whole network that you could possibly do

2. What you need to do now is
-> find a software that will scan every IP address on the whole network and Scan EVERY single port open - Once it has scanned all ports - it will now grab all the banners off the ports for example

on ip 10.0.0.7 has ports 21 - 23 - 3306 on it when the banner scans those ports its going to output via file > /tmp/scan.txt - and display the banner such as

port 3306 -> banner > Mysql Version X
port 21 -> banner > Proftpd
port 80 -> Web Camera Software Version X

Now you know what ip + port is located on the network and now you have found the camera

If that does not work
Locate your local School office Principals - Assistant Principle - or any Supervisor
you have found those out you need to get the ip of his computer
Simply send him an email and wait for him to simply reply back
Now you have to get his account information
Simply start a MiTM attack on the subnet his ip is located on

Go talk to him and say hey someone stole my stuff can you see who done it on the camera?

behind the doors your executing a sniffing attack on his system

which now allows you access into his computer now you have access to the Camera System

and boom your done

----------------------------------
Also some networks have different Jack ports you will see the common color " blue "

but then there are other ports specifically designed for IT department , School officials , etc etc etc
it might be a color of orange , yellow , or whatever the Field technician that installed the cable had put in
plug your local computer that your on into that port - or a laptop

and start sniffing

and let the Fun begin
Have fun

well thanks a lot

Any software example that can do that ??

and I finally got the chance to use this

Schalla · « **Reply #8 on:** September 15, 2014, 07:41:12 pm »

The thread is 3 weeks old............... That is no necromancy.

proxx · « **Reply #9 on:** September 15, 2014, 07:43:34 pm »

Eventhough his post is pretty blunt and lacks the a solution for the defensive arguments discussed below it is constructive therefor nercoing is acceptable.

StarLord · « **Reply #10 on:** September 15, 2014, 07:57:48 pm »

nmap has a plugin built in called " banner "

http://nmap.org/nsedoc/scripts/banner.html

and just scan the subnet with the /24 command /27 etc etc

HTH · « **Reply #11 on:** September 16, 2014, 02:01:29 am »

Do you have access to the cameras in person? if you do go ahead and look up their model/serial number online..

Not only will you know what port their control panel is likely to be on, you'll also (likely) be able to download firmware (and reverse it), and those cameras quite often have RCE or LFI type vulnerabilities.

Security on these SHOULD be very tight, but with what I've seen... it usually isn't.
Dont go scanning their whole damn network repeatedly.

khofo · « **Reply #12 on:** September 16, 2014, 06:17:18 pm »

Quote from: HTH on September 16, 2014, 02:01:29 am

Do you have access to the cameras in person? if you do go ahead and look up their model/serial number online..

Not only will you know what port their control panel is likely to be on, you'll also (likely) be able to download firmware (and reverse it), and those cameras quite often have RCE or LFI type vulnerabilities.

Security on these SHOULD be very tight, but with what I've seen... it usually isn't.
Dont go scanning their whole damn network repeatedly.

I'll look this up tomorrow, will an image search be enough or I'll should look for the serial number written on the camera

TheWormKill · « **Reply #13 on:** September 16, 2014, 06:44:47 pm »

An image-search on a photo of the cctv-camera? I'd doubt it, serial number, vendor and/or model should bring up what you need. feel free to try tho.

khofo · « **Reply #14 on:** September 16, 2014, 11:48:04 pm »

Quote from: TheWormKill on September 16, 2014, 06:44:47 pm

An image-search on a photo of the cctv-camera? I'd doubt it, serial number, vendor and/or model should bring up what you need. feel free to try tho.

EDIT: this is definitely the camera

http://www.samsungsv.com/Product/Detail/13/Samsung-SED-1001R-Night-Vision-Indoor-Dome-Camera-

EDIT 2: The camera is not an IP camera, only CAT5 cables and DVR, probably not connected to network perhaps the DVR is and storing on networks disk, this is the only way I guess

EvilZone

News:

Author Topic: Recon for Ip Cameras (Read 1700 times)

khofo

Recon for Ip Cameras

Kulverstukas

Re: Recon for Ip Cameras

proxx

Re: Recon for Ip Cameras

khofo

Re: Recon for Ip Cameras

proxx

Re: Recon for Ip Cameras

khofo

Re: Recon for Ip Cameras

StarLord

Re: Recon for Ip Cameras

khofo

Re: Recon for Ip Cameras

Schalla

Re: Recon for Ip Cameras

proxx

Re: Recon for Ip Cameras

StarLord

Re: Recon for Ip Cameras

HTH

Re: Recon for Ip Cameras

khofo

Re: Recon for Ip Cameras

TheWormKill

Re: Recon for Ip Cameras

khofo

Re: Recon for Ip Cameras