.

.

Trendnet Cameras - I Always Feel Like Somebody'S Watching Me.

By on 18:15
Firstly this post requires the following song to be playing.

Now that we got that out of the way... I have been seeing posts on sites with people having fun with embedded systems/devices and I was feeling left out. I didn't really want to go out and buy a device so I looked at what was laying around. 

To start off the latest firmware for this device can be found at the following location :

First order of business was to update the camera with the most recent firmware:
Device info page confirming firmware version
Now that the device was using the same version of firmware as I was going to dive into, lets get to work. I will be using binwalk to fingerprint file headers that exist inside the firmware file. Binwalk can be downloaded from the following url: http://code.google.com/p/binwalk/

Running binwalk against the firmware file 
binwalk FW_TV-IP110W_1.1.0-104_20110325_r1006.pck 
DECIMAL   HEX       DESCRIPTION
-------------------------------------------------------------------------------------------------------
32320     0x7E40     gzip compressed data, from Unix, last modified: Thu Mar 24 22:59:08 2011, max compression
679136     0xA5CE0   gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression
Looks like there are two gzip files in the "pck" file. Lets carve them out using 'dd'. First cut the head off the file and save it off as '1_unk'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=1_unk bs=1 count=32320
32320+0 records in
32320+0 records out
32320 bytes (32 kB) copied, 0.167867 s, 193 kB/s
Next cut out the first gzip file that was identified, we will call this file '2'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=2 bs=1 skip=32320 count=646816
646816+0 records in
646816+0 records out
646816 bytes (647 kB) copied, 2.87656 s, 225 kB/s
Finally cut the last part of the file out that was identified as being a gzip file, call this file '3'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=3 bs=1 skip=679136
2008256+0 records in
2008256+0 records out
2008256 bytes (2.0 MB) copied, 8.84203 s, 227 kB/s
For this post I am going to ignore files '1_unk' and '2' and just concentrate on file '3' as it contains an interesting bug :) Make a copy of the file '3' and extract it using gunzip
#file 3
3: gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression
#cp 3 3z.gz
#gunzip 3z.gz
gzip: 3z.gz: decompression OK, trailing garbage ignored
#file 3z
3z: Minix filesystem, 30 char names
As we can see the file '3' was a compressed Minix file system. Lets mount it and take a look around.
#mkdir cameraFS
#sudo mount -o loop -t minix 3z cameraFS/
#cd cameraFS/
#ls
bin  dev  etc  lib  linuxrc  mnt  proc  sbin  server  tmp  usr  var
There is all sorts of interesting stuff in the "/server" directory but we are going to zero in on a specific directory "/server/cgi-bin/anony/"
#cd server/cgi-bin/anony/
#ls
jpgview.htm  mjpeg.cgi  mjpg.cgi  view2.cgi
The "cgi-bin" directory is mapped to the root directory of http server of the camera, knowing this we can make a request to http://192.168.1.17/anony/mjpg.cgi and surprisingly we get a live stream from the camera. 

video stream. giving no fucks.


Now at first I am thinking, well the directory is named "anony" that means anonymous so this must be something that is enabled in the settings that we can disable.... Looking at the configuration screen you can see where users can be configured to access the camera. The following screen shows the users I have configured (user, guest)
Users configured with passwords.

Still after setting up users with passwords the camera is more than happy to let me view its video stream by making our previous request. There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer. Lets see who is out there :)

Because the web server requires authentication to access it (normally) we can use this information to fingerprint the camera easily. We can use the realm of 'netcam' to conduct our searches 
HTTP Auth with 'netcam' realm
Hopping on over to Shodan (http://www.shodanhq.com) we can search for 'netcam' and see if there is anyone out there for us to watch
9,500 results
If we check a few we can see this is limited to only those results with the realm of 'netcam' and not 'Netcam'
creepy hole in the wall

front doors to some business
Doing this manually is boring and tedious, wouldn't it be great if we could automagically walk through all 9,500 results and log the 'good' hosts.... http://consolecowboys.org/scripts/camscan.py

This python script requires the shodan api libs http://docs.shodanhq.com/ and an API key. It will crawl the shodan results and check if the device is vulnerable and log it. The only caveat here is that the shodan api.py file needs to be edited to allow for including result page offsets. I have highlighted the required changes below.
    def search(self, query,page=1):
        """Search the SHODAN database.
     
        Arguments:
        query    -- search query; identical syntax to the website
        page     -- page number of results      

        Returns:
        A dictionary with 3 main items: matches, countries and total.
        Visit the website for more detailed information.
     
        """
        return self._request('search', {'q': query,'page':page})

Last I ran this there was something like 350 vulnerable devices that were available via shodan. Enjoy.

Update: We are in no way associated with the @TRENDnetExposed twitter account.

Read more


  1. Nsa Hacker Tools
  2. Pentest Tools Nmap
  3. Nsa Hacker Tools
  4. Termux Hacking Tools 2019
  5. Hack Tools Mac
  6. Hacker Tools 2020
  7. Hacking Tools Download
  8. Tools Used For Hacking
  9. Hacking Tools Pc
  10. Hacker Tools For Ios
  11. Kik Hack Tools
  12. Hacker Tools Hardware
  13. Ethical Hacker Tools
  14. New Hacker Tools
  15. Hacker Tools For Windows
  16. Pentest Tools Port Scanner
  17. Best Pentesting Tools 2018
  18. Hacking Tools 2019
  19. Hacker Tools For Pc
  20. Github Hacking Tools
  21. Pentest Tools Website Vulnerability
  22. Underground Hacker Sites
  23. Hack Website Online Tool
  24. Hacking Tools Windows 10
  25. Hacker Tools Free Download
  26. Hacker Tools Linux
  27. Hacking Tools For Beginners
  28. Hack Tools
  29. Hack Tools
  30. Pentest Tools Windows
  31. Hacking Tools Free Download
  32. Hack Tools Download
  33. Pentest Tools List
  34. Hacking Tools For Kali Linux
  35. Pentest Tools
  36. Hacking Tools For Mac
  37. Pentest Tools For Ubuntu
  38. Termux Hacking Tools 2019
  39. Pentest Tools Android
  40. Black Hat Hacker Tools
  41. Pentest Tools Framework
  42. Hacking Tools For Windows
  43. Hack Tools For Pc
  44. Github Hacking Tools
  45. Hacking Tools 2019
  46. Hacking App
  47. Tools Used For Hacking
  48. How To Make Hacking Tools
  49. Hacking Tools And Software
  50. Pentest Tools Open Source
  51. Hacker Tools Linux
  52. Best Pentesting Tools 2018
  53. Computer Hacker
  54. Hacker Tools For Pc
  55. Pentest Tools For Mac
  56. What Is Hacking Tools
  57. Pentest Tools Apk
  58. Hacking Tools 2020
  59. Free Pentest Tools For Windows
  60. Hacker Tool Kit
  61. Beginner Hacker Tools
  62. Hacker Tools 2020
  63. Pentest Tools Online
  64. How To Hack
  65. Pentest Tools Kali Linux
  66. Pentest Tools Alternative
  67. Hacking Tools For Windows Free Download
  68. Hak5 Tools
  69. Pentest Tools Free
  70. Hacking Tools For Windows 7
  71. Pentest Tools Android
  72. Pentest Tools Free
  73. Hacker Tool Kit
  74. Hacker Tools Linux
  75. Pentest Tools Review
  76. Pentest Tools Port Scanner
  77. How To Make Hacking Tools
  78. Top Pentest Tools
  79. Pentest Recon Tools
  80. Hacking Tools Windows 10
  81. Hacker Tools Online
  82. How To Hack
  83. Pentest Tools Nmap
  84. Hacker Tools Linux
  85. Best Hacking Tools 2019
  86. Pentest Tools Tcp Port Scanner
  87. Pentest Tools Nmap
  88. Hacking Tools And Software
  89. Pentest Tools Port Scanner
  90. New Hacker Tools
  91. Hack Tools Pc
  92. Free Pentest Tools For Windows
  93. Hack Tools 2019
  94. Pentest Tools Website
  95. Hacker Techniques Tools And Incident Handling
  96. Hack Website Online Tool
  97. Hacker Security Tools
  98. Pentest Tools Android
  99. Hack Rom Tools
  100. Best Hacking Tools 2019
  101. Best Hacking Tools 2019
  102. Hacking Tools For Pc
  103. Easy Hack Tools
  104. Hacking Tools For Mac
  105. Blackhat Hacker Tools
  106. Hacking Tools
  107. Hacking Tools Windows 10
  108. Tools Used For Hacking
  109. Hacker Tools Free
  110. Hack Tools For Mac
  111. Hack Tool Apk No Root
  112. Hacker Tools
  113. Hacker Tools Hardware
  114. Hacking Tools For Windows
  115. Pentest Tools Apk
  116. Hacker Tools Github
  117. Hacker Tools For Ios
  118. Hacker Tool Kit
  119. Hack Tools For Ubuntu
  120. Hack Tool Apk No Root
  121. Hacker Tools 2019
  122. Pentest Box Tools Download
  123. Hacker Tools
  124. Pentest Tools Kali Linux
  125. Hacker Hardware Tools
  126. Hacking Tools Windows
  127. Easy Hack Tools
  128. Pentest Tools For Mac
  129. Hacker Tools For Ios
  130. Bluetooth Hacking Tools Kali
  131. Kik Hack Tools
  132. Hacking Tools Free Download
  133. Hacking Apps
  134. Best Hacking Tools 2020
  135. Hacking Tools For Kali Linux
  136. Hack Tools
  137. Pentest Tools Alternative
  138. Top Pentest Tools
  139. Hack Tools For Pc
  140. Tools 4 Hack
  141. Hacking Apps
  142. Top Pentest Tools
  143. Install Pentest Tools Ubuntu
  144. Hacker Tools
  145. Hacking Tools For Pc
  146. Hacking Tools For Windows
  147. Hack Tool Apk
  148. What Are Hacking Tools
  149. Pentest Tools Open Source
  150. Pentest Tools Apk
  151. Hack Tools

0 comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)