How to hack IP Cameras easy and fast


(improper authentication logic, CVE-2017-7921)

Hi haxxor, today I want to show you how to identify Hikvision devices (IoT) that are vulnerable to an improper authentication logic issue tracked as CVE-2017-7921. It's an old vulnerability, but there are still many vulnerable devices around the world, since some of those devices will never be able to update their firmware because the provider prevents it.

This issue allows unauthenticated disclosure of camera information, such as detailed hardware and software information, user credentials, and camera snapshots.

Note: Please be aware that the actions listed below are illegal if performed on assets that do not belong to you. If you choose to engage in them anyway, do so with utmost caution and understanding of the potential legal consequences. Manage any personal risks that arise solely at your own discretion.

Mapping the internet

As you know, cameras are embedded systems that are part of "The Internet of Things" or "IoT" and work with the help of a microprocessor, so we can search for possible targets with the Shodan engine, our best ally on this occasion! Shodan is a search engine that indexes devices such as routers, IP cameras, servers and almost any device connected to the Internet of Things (IoT). It's of great help to map the internet in search of our targets.


With a little Google searching we can get the Shodan dork for Hikvision cameras. In my case I already have it on hand and ready to use, so I immediately open a terminal and run Shodan with the API key and query term to download the results in JSON format and scrape the possibly vulnerable targets. The syntax is the following:

shodan download <OutputFileName> <query>


The "Total number of results" is 860, since I filtered by a specific country and the search results were greatly reduced.

Now we use the "parse" command to extract information from the compressed JSON file (in our case the IP address) and redirect stdout to a new file. The syntax is the following:

shodan parse --fields ip_str <JSON-File.json.gz> > OutputFile.txt

The example above parses the JSON file and prints the ip_str field (property) of each record using the --fields parameter.

Note: for more information see the Shodan documentation "Working with Shodan Data Files".

As you can see, we have 835 results for further analysis. At first there were 860, but some of those were running other software, so they're false positives.
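The same data file format is useful for checking your own exposure. The following is an added example, not code from the original post: it reads a Shodan data file (gzip, one JSON banner per line) and lists only the entries that fall inside address ranges you are responsible for. The sample banners, OWNED_RANGES and the function names are constructed for illustration.

```python
import gzip
import io
import ipaddress
import json

# Constructed sample: three banners in the shape of a Shodan data file
# (one JSON object per line). Addresses are RFC 5737 documentation ranges.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 80, "product": "Hikvision IP Camera"},
    {"ip_str": "198.51.100.7", "port": 80, "product": "Hikvision IP Camera"},
    {"ip_str": "192.0.2.44", "port": 8080, "product": "nginx"},
]

# Assumption: the address ranges your organisation is responsible for.
OWNED_RANGES = ["192.0.2.0/24"]


def make_sample_file():
    """Build an in-memory .json.gz equivalent to a `shodan download` file."""
    raw = "\n".join(json.dumps(b) for b in SAMPLE_BANNERS).encode()
    return io.BytesIO(gzip.compress(raw))


def exposed_in_scope(fileobj, owned_ranges, product_keyword="hikvision"):
    """Return (ip, port, product) for banners inside owned_ranges whose
    product field mentions product_keyword. Malformed lines are skipped."""
    networks = [ipaddress.ip_network(r) for r in owned_ranges]
    hits = []
    with gzip.open(fileobj, "rt", encoding="utf-8") as fh:
        for line in fh:
            try:
                banner = json.loads(line)
                addr = ipaddress.ip_address(banner["ip_str"])
            except (ValueError, KeyError, TypeError):
                continue  # truncated line or banner without an address
            product = banner.get("product") or ""
            if product_keyword not in product.lower():
                continue
            if any(addr in net for net in networks):
                hits.append((str(addr), banner.get("port"), product))
    return hits


if __name__ == "__main__":
    for ip, port, product in exposed_in_scope(make_sample_file(), OWNED_RANGES):
        print(f"{ip}:{port} {product} is indexed and reachable from the internet")
```

Any address this reports is a device of yours that is publicly indexed, which makes it a candidate for a firmware update or removal from direct internet exposure.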

Discovering vulnerable targets

Now we need something that automatically scans all 835 targets and executes some (script) instructions to check whether each one is vulnerable to CVE-2017-7921. For the moment we'll use the most famous scanner that exists, "Nmap".


Note: Nmap is so famous that it has appeared in many Hollywood movies, if you are interested in knowing which ones, here:


I'm going to use a Lua script by Tomas Savenas with Nmap to identify vulnerable cameras for my whitelist. The syntax is the following:

nmap -Pn -n -p80 --script <"YourLuaScript('NSE')"> -iL <HikvisionIPList>


I can say that I found many devices that are affected by this serious flaw. Unfortunately, many people are not aware of what can happen to their devices. There's a Metasploit module to exploit this vulnerability, "gather/hikvision_info_disclosure_cve_2017_7921".


Real Time Streaming Protocol (RTSP)

The RTSP protocol is an application-level network communications standard for streaming media data in real time. Security cameras use this protocol to stream data between client and server.


To access the live stream I'll use ffmpeg, which is a suite of libraries and programs to handle video, audio and other media files. The syntax is the following:

ffplay -i <rtsp://user:password@IP>


As you can see, nothing is safe in the digital world. With the rise of IoT, new technologies and devices are increasingly being incorporated into the Internet of Things, and that also opens a security gap.

Thank you very much for coming this far, and I hope you have a great day.
