Comments on Jump ESP, jump!: How I hacked my IP camera, and found this backdoor account
Feed author: Z
Updated: 2024-03-20T11:01:04.236+01:00

Anonymous (2019-08-06T00:18:21.541+02:00):
I have suspected for some time now that my camera system has a backdoor being used by an actor in China. With the required military cooperation by businesses in China it would not be a surprise if all camera surveillance systems produced in China are required to have a backdoor for China military use. Imagine the benefit of being able to see your target population's reaction to a minor (feint) attack on a mid-size city in the NW while you quietly prepare to attack elsewhere.
You could find news accounts, target militaries' movements, etc...

Anonymous (2019-05-31T15:48:17.241+02:00):
I have connected my insecure cameras to an old router, without an internet gateway. My recording PC runs iSpy, keeps archive stream data, and is connected both to my home network (which has internet access), and to my local camera network. It won't forward packets from the insecure camera network to my primary network. I think it should be easy to arrange to port-forward from my cellphone to iSpy if I want to view streams from outside home.

So rather than advise throwing cheap cloud cameras in the garbage, put them on their own isolated intranet. (My old router can occasionally be connected to the internet if I need the cloud to initially configure a new camera).

Unknown (2018-12-26T00:20:03.594+01:00):
> even if you disabled port-forward/UPNP on your router, the cloud protocol still allows anyone to connect to the camera
Not sure after this sentence - if I am dropping any communication from camera (identified by MAC address) to the Internet, I AM safe, am I not?

Millan Ta (2018-12-10T11:48:23.446+01:00):
I read your articles very excellent and the I agree our all points because all is very good information provided this through in the post.

Revmesh (2018-09-19T06:03:10.510+02:00):
Awesome article, can anybody confirm that I can set up my own server and accessing from that will be safer? Tq

chirag vaishnav (2018-07-11T12:55:01.425+02:00):
Hi,

Can you send CGI that you have used to collect /etc/passwd? That will help a lot

Beghiero (2018-04-04T14:48:10.413+02:00):
Anonymous Chinese IP Cam, ESCAM like.
Found telnet on TCP port 8357.
None of the known passwords found googling around worked.
I was able to collect /etc/passwd using cgi injection and to feed john-the-ripper.
Found telnet root password: runtop10
Hope it's useful...
Thank you.

Anonymous (2018-02-21T20:49:27.419+01:00):
Hello, incredible!
escam qd500 telnet with root xmhdipc
Thank you!

Anonymous (2018-02-02T11:44:32.880+01:00):
Looks like they updated some firmwares and the root / 123456 isn't working anymore. I still can request some of the cgi scripts like get_status and get_params.cgi:

var alias=""; var deviceid="BRTD-012185-MCYML"; var apilisense="GPYNQM"; var sys_ver="V6.3.22.38(M)"; var appver="V10.1.0.9"; var now=1517568122; var alarm_status=0; var upnp_status=0; var dnsenable=0; var osdenable=0; var syswifi_mode=0; var mac="00:c0:29:01:0b:b1"; var wifimac="00:c0:29:01:0b:b2"; var sdstatus=0; var record_sd_status=0; var dns_status=0; var devicetype=0; var devicesubtype=0; var externwifi=1; var encrypt=0; var under=0; var sdtotal=0; var sdfree=0; var sdlevel=0;

Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 11:30 CET
Nmap scan report for 192.168.1.33
Host is up (0.0087s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
23/tcp open telnet
81/tcp open hosts2-ns

Nmap done: 1 IP address (1 host up) scanned in 7.10 seconds

Running Hydra with the rockyou password file but no luck yet :(

Don't know if there is still code injection possibility through one of the .cgi scripts?

NunezCastain (2017-12-12T23:58:50.970+01:00):
How did you get out of the infinite reboot loop? I've just changed the language and it asked me for a reboot, and now it is in that loop... no reset button.. no factory reset...

Anonymous (2017-09-16T19:29:40.202+02:00):
It was just after midnight 17th Sept 17 and I was woken by the sound of the camera panning.

I logged on to the Yoosee App on my mobile phone device to see it panning around left right etc. I then panned the camera in the opposing direction and it panned back. I then noted it said 2 audiences. I then panned the camera to the ceiling and it was then the audience went to 1.

I immediately went to the camera and disconnected the power supply.

I am the only user of the camera and app. I have passwords on my router and for camera App (different of course)

I'll take your advice....throwing camera in the bin and deleting apps

cash (2017-09-13T04:13:48.178+02:00):
check these out
ls /sbin

wifi_unload.sh openl2tpd ddns.sh
wan.sh openl2tp.sh cpubusy.sh
vpn-passthru.sh ntp.sh config.sh
vconfig nat.sh config-vlan.sh
udhcpc.sh mkdosfs config-udhcpd.sh
udhcpc lsmod config-pptp.sh
syslogd logread config-pppoe.sh
sysctl lan.sh config-l2tp.sh
snort.sh klogd config-igmpproxy.sh
snmp.sh internet.sh config-iTunes.sh
route insmod config-dns.sh
rmmod init chpasswd.sh
reboot ifconfig automount.sh
radvd halt autoconn3G.sh
pppoe.sh global.sh accel-pptp.sh
pppoe-relay firewall.sh
poweroff fdisk

Anonymous (2017-07-18T06:54:59.668+02:00):
Hi. May I know if you are able to hack my IP camera to retrieve backdated footage? I believe some of the footage was recorded but I can't retrieve it because it has seemingly been 'deleted'. Do PM me for more details. I am keen to compensate as there is some evidence on this footage which we are very keen on retrieving!
Thanks !

Unknown (2017-07-11T08:55:45.475+02:00):
Hello, congrats it's a nice article, I did the same hack with an Escam camera back in 2015. The only difference was that I asked the Chinese manufacturer for a firmware upgrade. They just sent it so I could look into it, seeing the file system so I extracted the /etc/passwd from that fs. :-D

I still have the camera (not connected to my local network) and recently I was wondering how to make use of it somehow. So it'd be nice to - after revealing the facts how bad these little cameras are - look for a kind of solution. Ordinary people think totally insecure like "hey, this food is toxic but it's soooo cheap" :-) If we can't change their mindset then let's propose a proper secure solution for the problem that someone wants to see the home garden from an Android phone - just because it's a justifiable demand nowadays. In other words, you showed that using a cheap Chinese cam out of the box is a bad idea, so what's next? Thanks.

s_zer0 (2017-05-02T18:15:45.303+02:00):
Hi, nice writeup about these IoT nightmares. For update 2017-03-08 pre-auth vuln:
I've also found another interesting pre-auth vuln which makes it possible to get access for the RCE super easily. Just "GET login.cgi" (without the leading "/") and you get the admin password as cleartext. :)

This writeup is a little bit confusing, but contains the disclosure:
https://blogs.securiteam.com/index.php/archives/3043

Eli (2017-04-11T19:50:10.662+02:00):
# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.88.21:10080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9600 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:108 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10554 0.0.0.0:* LISTEN
tcp 0 0 192.168.88.21:23 192.168.88.57:55316 ESTABLISHED

Chris (2017-03-19T23:23:20.806+01:00):
I'm with "Marie's erster Blog". I'd like to set up my own server for this. I am able to intercept the keep-alives, but need to know the payload to trigger the UDP tunnel. The cloud server that my IP camera came preconfigured with is unreachable, so I can't even do a trial run to see what they are sending back.

Anonymous (2017-02-22T13:27:14.846+01:00):
Hi,
Is it possible to block the cloud services from ROUTER?
I don't like the idea that anyone can have access to my camera, I prefer to use my camera locally or via VPN tunnel.

Marie's erster Blog (2017-01-09T12:11:48.695+01:00):
Did anybody analyze the UDP cloud protocol? To get my p2p cam (doorbell) working as I want, I need to decrypt the protocol and build my own "server".

Tetye (2016-11-25T21:46:43.496+01:00):
Hi,
I have a "hosafe" NVR and I would like the root password.
root:$1$y5hskMvE$Pdm4AgjJjNL5Uk08vgH/h0:0:0::/root:/bin/sh
pls help me!

Niko Eurén (2016-06-15T00:20:30.227+02:00):
Yep. Found all the passwords from the camera via telnet.

Ants Tamm (2016-01-21T11:35:48.422+01:00):
Hi.

Can I use this camera video for Zoneminder?

kayk (2015-11-26T16:19:40.932+01:00):
I brute-forced the telnet a while ago hoping to dig out the decoder_control.cgi and camera_control.cgi but I cannot find them anywhere. I tried to mount the additional mtdblock devices to see if they are in a read only boot rom but they won't load.
Anyone else had any luck with this?

JonnyZ (2015-11-14T00:56:52.678+01:00):
The camera is EMINENT EM6220

1. The picture (obviously)
2. The online manual has precisely 27 pages

This is far from responsible disclosure…