burton666

Best way to "hack" ip-camera?

15 posts in this topic

I recently bought a cheap ip-camera from ebay but noticed after I recieved it that you had to use android/ios apps to get access to it. And after reading the ebay info again it actually says that it is only compatible with Android/IOS.

Ebay link

After setting up the wifi from the app I thought that it would be easy to log in using port 8080, 80 or similar and just find the correct path to the videostream.
I have done a portscan and port 80 and 23 is open and I also found that port 22334 is used from spying on the packets from my android phone.

I tried a lot of paths using iSpys camera url generator but none of them work. if I just enter <IP>:80 in a browser I get a file downloaded witch contains only this: "<H1>Index of /mnt/web/</H1>"
I also tried hydra on the telnet port 23 using some camera password-lists from github. But it takes forever to complete. I also tried all random telnet user/pass combinations I could think of like: admin:admin, admin:(blank), root:root, etc.

Anyone knows how I should proceed? And would access to telnet get me anywhere? My goal is to be able to get the videostream by URL so that I can add it in some camera software.
When capturing the packets from the app the trafik was pretty big, like ~1Mb for around 30s of capturingtime so I guess that that port 22334 is probably used for the videostream. 

On the box it says: 360Eye S
Model: EC11-I6

And when trying to log in using telnet this comes up:
IPC365 Login:
 
0

Share this post


Link to post
Share on other sites

From a quick google I see you have asked a few places. ispyconnect seems to support IPC365 maybe this allows you to do what you want.

https://www.ispyconnect.com/man.aspx?n=IPC#

If you need telnet access then maybe try setting up an account on the android app (like described in the user manual) and then using those credentials on the terminal to get in. Worth a try.

0

Share this post


Link to post
Share on other sites

Thanks, but I tried both of those suggestions and nothing works

0

Share this post


Link to post
Share on other sites

Posted (edited)

3 hours ago, burton666 said:

Thanks, but I tried both of those suggestions and nothing works

There are a couple of things online that look similar (but not identical) to the camera you have bought - did you already try: -
 

User = root
Password = 123456
or 
User = ADMIN
Password = 123456789

if they don’t work then I would stick to your brute force or alternatively open it up and see if there is a serial/uart you can tap into.

Edited by Just_a_User
0

Share this post


Link to post
Share on other sites

Would you be willing to provide a copy of the PCAP file for us to view? Also, see if there is any firmware available to download (smh 'unbranded'), might get lucky and find the username and password in plaintext in there using the tool 'binwalk'.

0

Share this post


Link to post
Share on other sites

I really suck at wireshark so tho only packet capture I got is a really messy one directly from my android phone where I used some generic packet capture app.

But I decoded the android app and tried searching for anything useful, found alot of strange stuff but nothing that helps me get the videostream. But maybe someone more skilled could have a look at it and see if they get anything useful from it? decoded android app

 

 

0

Share this post


Link to post
Share on other sites

Ok, some update. I managed to get access to the camera from PC using a program called "CMS". I used the login/pass: admin/123456 <IP>:34567 and channel=1

But now the next problem, I still can'f figure out what url to use to be able to get a snapshot or to be able to add the camera to any ip-camera software.

I tried using wireshark but could not understand if it is possible to get any relevant info from there. Strange thing is that I can see another login in plaintext in wireshark but don't understand what that is for as admin/123456 is used for the login.

 

Here is the wireshark-file.

wireshark log

0

Share this post


Link to post
Share on other sites
................d...{ "EncryptType" : "MD5", "LoginType" : "DVRIP-Web", "PassWord" : "nTBCS19C", "UserName" : "admin" }
....^...............{ "AliveInterval" : 20, "ChannelNum" : 1, "DeviceType " : "IPC", "ExtraChannel" : 0, "Ret" : 100, "SessionID" : "0x0000015E" }
.....^...........6...{ "Name" : "SystemInfo", "SessionID" : "0x0000015E" }
....^...........2...{ "Name" : "SystemInfo", "Ret" : 100, "SessionID" : "0x15e", "SystemInfo" : { "AlarmInChannel" : 0, "AlarmOutChannel" : 0, "AudioInChannel" : 1, "BuildTime" : "2017-01-13 11:28:50", "CombineSwitch" : 0, "DeviceRunTime" : "0x00007C0A", "DigChannel" : 0, "EncryptVersion" : "Unknown", "ExtraChannel" : 0, "HardWare" : "S5-T(P)", "HardWareVersion" : "0000000000000000000000000000000000", "SerialNo" : "CEDC17B1347A3505", "SoftWareVersion" : "V3.01.70", "TalkInChannel" : 1, "TalkOutChannel" : 1, "UUID" : "Unknown", "VideoInChannel" : 1, "VideoOutChannel" : 1 } }
.....^...........,...{ "Name" : "", "SessionID" : "0x0000015E" }
....^...........8...{ "Name" : "ChannelTitle", "SessionID" : "0x0000015E" }
....^...........:...{ "Name" : "", "Ret" : 100, "SessionID" : "0x0000015E" }
.....^...........d...{ "ChannelTitle" : [ "CAM01" ], "Name" : "ChannelTitle", "Ret" : 100, "SessionID" : "0x0000015E" }
.....^.........P.;...{ "Name" : "TalkAudioFormat", "SessionID" : "0x0000015E" }
....^.........Q.....{ "Name" : "TalkAudioFormat", "Ret" : 100, "SessionID" : "0x0000015E", "TalkAudioFormat" : [ { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 } ] }
.....^.........P.:...{ "Name" : "SystemFunction", "SessionID" : "0x0000015E" }
....^...........5...{ "Name" : "KeepAlive", "SessionID" : "0x0000015E" }
....^.........Q.J...{ "Name" : "SystemFunction", "Ret" : 100, "SessionID" : "0x0000015E", "SystemFunction" : { "AlarmFunction" : { "AlarmConfig" : false, "BlindDetect" : true, "LossDetect" : true, "MotionDetect" : true, "NetAbort" : true, "NetAlarm" : true, "NetIpConflict" : true, "StorageFailure" : true, "StorageLowSpace" : true, "StorageNotExist" : true, "VideoAnalyze" : false }, "CommFunction" : { "CommRS232" : true, "CommRS485" : true }, "EncodeFunction" : { "CombineStream" : false, "DoubleStream" : true, "SnapStream" : true, "WaterMark" : false }, "InputMethod" : { "NoSupportChinese" : false }, "MobileDVR" : { "CarPlateSet" : false, "DelaySet" : false, "GpsTiming" : false, "StatusExchange" : false }, "NetServerFunction" : { "Net3G" : false, "NetARSP" : true, "NetAlarmCenter" : true, "NetDAS" : false, "NetDDNS" : false, "NetDHCP" : true, "NetDNS" : true, "NetEmail" : false, "NetFTP" : false, "NetGodEyeAlarm" : false, "NetIPFilter" : true, "NetLocalSdkPlatform" : false, "NetMediaStream" : false, "NetMobile" : false, "NetMutliCast" : false, "NetNTP" : true, "NetNat" : false, "NetPPPoE" : true, "NetPhoneMultimediaMsg" : false, "NetPhoneShortMsg" : false, "NetPlatMega" : false, "NetPlatShiSou" : false, "NetPlatVVEye" : false, "NetPlatXingWang" : false, "NetRTSP" : false, "NetUPNP" : false, "NetVPN" : false, "NetWifi" : true }, "OtherFunction" : { "DownLoadPause" : true, "SDsupportRecord" : false, "SupportOnvifClient" : false, "USBsupportRecord" : false }, "PreviewFunction" : { "GUISet" : true, "Tour" : false }, "TipShow" : { "NoBeepTipShow" : false, "NoEmailTipShow" : true, "NoFTPTipShow" : true } } }
.....^...........C...{ "Name" : "KeepAlive", "Ret" : 100, "SessionID" : "0x0000015E" }
.....^...........]...{ "Name" : "OPTimeSetting", "OPTimeSetting" : "2017-05-24 21:01:43", "SessionID" : "0x15e" }
....^...........:...{ "Name" : "", "Ret" : 100, "SessionID" : "0x0000015E" }
.....^...............{ "Name" : "OPMonitor", "OPMonitor" : { "Action" : "Start", "Parameter" : { "Channel" : 0, "CombinMode" : "NONE", "StreamType" : "Main", "TransMode" : "TCP" } }, "SessionID" : "0x15e" }
....^...........C...{ "Name" : "OPMonitor", "Ret" : 100, "SessionID" : "0x0000015E" }

 

0

Share this post


Link to post
Share on other sites

Many devices have more than one login, and different admin panels for each. My IP camera had two logins, one for administering and setting passwords, and the other for viewing and forwarding to FTP or Email. They both logged in with admin, but you can or on mine, could change the name for the lower priv one to whatever you wanted from the real admin one. The password, and the ports are what were different. I haven't used that camera since I lived in our apartment few years ago, and it's packed away somewhere, but I imagine your's works similarly. I'd try scanning the device for open ports, and trying the admin and other password, on other open ports, see if you get a different web panel login from the desktop, or explore the other login you already use, to see what the admin panel options are and if they show other login creds, like FTP setup that previous owner might have used for their servers to upload images to or the web somewhere.

That first line above, might be to control the DVR capabilities over a web page panel or for offloading video to another server, or a DVR device's creds to record directly from the camera's stream.

 

0

Share this post


Link to post
Share on other sites

Did you get any further forward figuring this one out?

I got this far before googling and ending up here :)

Open TCP Port: 23     telnet

Open TCP Port: 80     http

Open TCP Port: 110    pop3

Open TCP Port: 143    imap

Open TCP Port: 443    https

Open TCP Port: 993    imaps

Open TCP Port: 995    pop3s

Open TCP Port: 9527

Open TCP Port: 22334

Open TCP Port: 34567

0

Share this post


Link to post
Share on other sites

Yes, you can read in this thread. Post a reply if you managed to get any more progress.

0

Share this post


Link to post
Share on other sites

Went back to windows and got it running on the CMS software but couldnt't see any further clues in there how to set it up in other software. 

Encouraging that the stream is accessible not only from the mobile apps, but it makes me wonder what is different about CMS above and every other camera software, I must have tried 15-20 different ones on the mac and no joy. 

Still no further forward in figuring out which type of stream it is either.

0

Share this post


Link to post
Share on other sites

the ip camera should just be setup like an access point if im not mistaken

i dont know how yours is set up   but  you can  use aircrack-ng the normal way  like you do cracking a router and as for the web login url

you should be able to use a wordlist  and hydra to bruteforce       email me or mssg me on here it dont matter  send me  all the info ill do

my best to help you  oh lol  i just skimmed over this forum  i missed the part  where you already have a handshake / pcap ?  if thats correct we can use crunch or something to crack it  then as for the log in  use hydra  either  terminal command or hydra gtk   ....for give me if i skiped over any info and answered incorrectly 

0

Share this post


Link to post
Share on other sites

It is possible to access the videostream using some videosoftware like CMS from pc and also I have sen that it is also possible accessing the stream using android and a couple of different apps. The problem seams to be that there is no native http access to the camera. The videostream is accessed using ip:34567 and password 123456

But I do not understand in what way the other software uses that info to access the videostream.  

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.