Best way to "hack" ip-camera?


burton666

I recently bought a cheap ip-camera from eBay but noticed after I received it that you had to use Android/iOS apps to get access to it. And after reading the eBay info again it actually says that it is only compatible with Android/iOS.

Ebay link

After setting up the wifi from the app I thought that it would be easy to log in using port 8080, 80 or similar and just find the correct path to the videostream.
I have done a portscan and ports 80 and 23 are open, and I also found that port 22334 is used from spying on the packets from my Android phone.

I tried a lot of paths using iSpy's camera URL generator but none of them work. If I just enter <IP>:80 in a browser I get a file downloaded which contains only this: "<H1>Index of /mnt/web/</H1>"
I also tried hydra on the telnet port 23 using some camera password-lists from github. But it takes forever to complete. I also tried all random telnet user/pass combinations I could think of like: admin:admin, admin:(blank), root:root, etc.

Does anyone know how I should proceed? And would access to telnet get me anywhere? My goal is to be able to get the videostream by URL so that I can add it in some camera software.
When capturing the packets from the app the traffic was pretty big, like ~1Mb for around 30s of capturing time, so I guess that port 22334 is probably used for the videostream.

On the box it says: 360Eye S
Model: EC11-I6

And when trying to log in using telnet this comes up:
IPC365 Login:
 

From a quick Google I see you have asked a few places. ispyconnect seems to support IPC365; maybe this allows you to do what you want.

https://www.ispyconnect.com/man.aspx?n=IPC#

If you need telnet access then maybe try setting up an account on the android app (like described in the user manual) and then using those credentials on the terminal to get in. Worth a try.


3 hours ago, burton666 said:

Thanks, but I tried both of those suggestions and nothing works

There are a couple of things online that look similar (but not identical) to the camera you have bought - did you already try: -
 

User = root
Password = 123456
or 
User = ADMIN
Password = 123456789

If they don’t work then I would stick to your brute force or alternatively open it up and see if there is a serial/UART you can tap into.

Edited by Just_a_User

I really suck at wireshark so the only packet capture I got is a really messy one directly from my Android phone where I used some generic packet capture app.

But I decoded the Android app and tried searching for anything useful, found a lot of strange stuff but nothing that helps me get the videostream. But maybe someone more skilled could have a look at it and see if they get anything useful from it? decoded android app

 

 


  • 1 month later...

Ok, some update. I managed to get access to the camera from PC using a program called "CMS". I used the login/pass: admin/123456 <IP>:34567 and channel=1

But now the next problem, I still can't figure out what URL to use to be able to get a snapshot or to be able to add the camera to any ip-camera software.

I tried using wireshark but could not understand if it is possible to get any relevant info from there. Strange thing is that I can see another login in plaintext in wireshark but don't understand what that is for as admin/123456 is used for the login.

 

Here is the wireshark-file.

wireshark log


................d...{ "EncryptType" : "MD5", "LoginType" : "DVRIP-Web", "PassWord" : "nTBCS19C", "UserName" : "admin" }
....^...............{ "AliveInterval" : 20, "ChannelNum" : 1, "DeviceType " : "IPC", "ExtraChannel" : 0, "Ret" : 100, "SessionID" : "0x0000015E" }
.....^...........6...{ "Name" : "SystemInfo", "SessionID" : "0x0000015E" }
....^...........2...{ "Name" : "SystemInfo", "Ret" : 100, "SessionID" : "0x15e", "SystemInfo" : { "AlarmInChannel" : 0, "AlarmOutChannel" : 0, "AudioInChannel" : 1, "BuildTime" : "2017-01-13 11:28:50", "CombineSwitch" : 0, "DeviceRunTime" : "0x00007C0A", "DigChannel" : 0, "EncryptVersion" : "Unknown", "ExtraChannel" : 0, "HardWare" : "S5-T(P)", "HardWareVersion" : "0000000000000000000000000000000000", "SerialNo" : "CEDC17B1347A3505", "SoftWareVersion" : "V3.01.70", "TalkInChannel" : 1, "TalkOutChannel" : 1, "UUID" : "Unknown", "VideoInChannel" : 1, "VideoOutChannel" : 1 } }
.....^...........,...{ "Name" : "", "SessionID" : "0x0000015E" }
....^...........8...{ "Name" : "ChannelTitle", "SessionID" : "0x0000015E" }
....^...........:...{ "Name" : "", "Ret" : 100, "SessionID" : "0x0000015E" }
.....^...........d...{ "ChannelTitle" : [ "CAM01" ], "Name" : "ChannelTitle", "Ret" : 100, "SessionID" : "0x0000015E" }
.....^.........P.;...{ "Name" : "TalkAudioFormat", "SessionID" : "0x0000015E" }
....^.........Q.....{ "Name" : "TalkAudioFormat", "Ret" : 100, "SessionID" : "0x0000015E", "TalkAudioFormat" : [ { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 } ] }
.....^.........P.:...{ "Name" : "SystemFunction", "SessionID" : "0x0000015E" }
....^...........5...{ "Name" : "KeepAlive", "SessionID" : "0x0000015E" }
....^.........Q.J...{ "Name" : "SystemFunction", "Ret" : 100, "SessionID" : "0x0000015E", "SystemFunction" : { "AlarmFunction" : { "AlarmConfig" : false, "BlindDetect" : true, "LossDetect" : true, "MotionDetect" : true, "NetAbort" : true, "NetAlarm" : true, "NetIpConflict" : true, "StorageFailure" : true, "StorageLowSpace" : true, "StorageNotExist" : true, "VideoAnalyze" : false }, "CommFunction" : { "CommRS232" : true, "CommRS485" : true }, "EncodeFunction" : { "CombineStream" : false, "DoubleStream" : true, "SnapStream" : true, "WaterMark" : false }, "InputMethod" : { "NoSupportChinese" : false }, "MobileDVR" : { "CarPlateSet" : false, "DelaySet" : false, "GpsTiming" : false, "StatusExchange" : false }, "NetServerFunction" : { "Net3G" : false, "NetARSP" : true, "NetAlarmCenter" : true, "NetDAS" : false, "NetDDNS" : false, "NetDHCP" : true, "NetDNS" : true, "NetEmail" : false, "NetFTP" : false, "NetGodEyeAlarm" : false, "NetIPFilter" : true, "NetLocalSdkPlatform" : false, "NetMediaStream" : false, "NetMobile" : false, "NetMutliCast" : false, "NetNTP" : true, "NetNat" : false, "NetPPPoE" : true, "NetPhoneMultimediaMsg" : false, "NetPhoneShortMsg" : false, "NetPlatMega" : false, "NetPlatShiSou" : false, "NetPlatVVEye" : false, "NetPlatXingWang" : false, "NetRTSP" : false, "NetUPNP" : false, "NetVPN" : false, "NetWifi" : true }, "OtherFunction" : { "DownLoadPause" : true, "SDsupportRecord" : false, "SupportOnvifClient" : false, "USBsupportRecord" : false }, "PreviewFunction" : { "GUISet" : true, "Tour" : false }, "TipShow" : { "NoBeepTipShow" : false, "NoEmailTipShow" : true, "NoFTPTipShow" : true } } }
.....^...........C...{ "Name" : "KeepAlive", "Ret" : 100, "SessionID" : "0x0000015E" }
.....^...........]...{ "Name" : "OPTimeSetting", "OPTimeSetting" : "2017-05-24 21:01:43", "SessionID" : "0x15e" }
....^...........:...{ "Name" : "", "Ret" : 100, "SessionID" : "0x0000015E" }
.....^...............{ "Name" : "OPMonitor", "OPMonitor" : { "Action" : "Start", "Parameter" : { "Channel" : 0, "CombinMode" : "NONE", "StreamType" : "Main", "TransMode" : "TCP" } }, "SessionID" : "0x15e" }
....^...........C...{ "Name" : "OPMonitor", "Ret" : 100, "SessionID" : "0x0000015E" }

 

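An added example, not written by any poster or by the camera vendor: it reads a printable stream dump like the one above, checks whether the captured `PassWord` field is just the digest of the password already in use, and lists whether the firmware advertises RTSP or ONVIF. The digest routine is an assumption based on how open-source DVRIP clients compute the login value; `DUMP` is constructed by abridging three messages from the posted capture.

```python
import hashlib
import json

# Constructed sample: three messages abridged from the capture posted above
# (binary header bytes show up as dots, as in a printable stream dump).
DUMP = r'''
................d...{ "EncryptType" : "MD5", "LoginType" : "DVRIP-Web", "PassWord" : "nTBCS19C", "UserName" : "admin" }
....^...............{ "AliveInterval" : 20, "ChannelNum" : 1, "Ret" : 100, "SessionID" : "0x0000015E" }
....^.........Q.J...{ "Name" : "SystemFunction", "Ret" : 100, "SystemFunction" : { "NetServerFunction" : { "NetRTSP" : false, "NetWifi" : true }, "OtherFunction" : { "SupportOnvifClient" : false } } }
'''

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sofia_hash(password):
    """Assumed login digest: sum each pair of MD5 bytes, mod 62, one char each."""
    d = hashlib.md5(password.encode()).digest()
    return "".join(ALPHABET[(d[i] + d[i + 1]) % 62] for i in range(0, 16, 2))

def messages(dump):
    """Yield the JSON object carried on each line of a printable stream dump."""
    dec = json.JSONDecoder()
    for line in dump.splitlines():
        pos = line.find("{")
        while pos != -1:
            try:
                obj, _ = dec.raw_decode(line, pos)
                yield obj
                break
            except json.JSONDecodeError:
                pos = line.find("{", pos + 1)  # a header byte can render as "{"

def report(dump, known_password):
    """Summarise the login and the stream services the device advertises."""
    out = {"user": None, "password_matches": False, "services": {}}
    for msg in messages(dump):
        if "PassWord" in msg:
            out["user"] = msg.get("UserName")
            out["password_matches"] = msg["PassWord"] == sofia_hash(known_password)
        funcs = msg.get("SystemFunction")
        if isinstance(funcs, dict):  # the response, not the bare request
            net = funcs.get("NetServerFunction", {})
            other = funcs.get("OtherFunction", {})
            out["services"] = {"NetRTSP": net.get("NetRTSP"),
                               "SupportOnvifClient": other.get("SupportOnvifClient")}
    return out

if __name__ == "__main__":
    print(report(DUMP, "123456"))
```

With the capture above, the digest of 123456 equals the `PassWord` value on the wire, so the login seen in Wireshark is the same admin account in an unsalted, deterministic form. The `SystemFunction` reply reports `NetRTSP` and `SupportOnvifClient` as false, which is consistent with generic camera URLs not working.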

Many devices have more than one login, and different admin panels for each. My IP camera had two logins, one for administering and setting passwords, and the other for viewing and forwarding to FTP or Email. They both logged in with admin, but you can, or on mine could, change the name for the lower priv one to whatever you wanted from the real admin one. The password and the ports are what were different. I haven't used that camera since I lived in our apartment a few years ago, and it's packed away somewhere, but I imagine yours works similarly. I'd try scanning the device for open ports, and trying the admin and other password on other open ports, to see if you get a different web panel login from the desktop, or explore the other login you already use, to see what the admin panel options are and if they show other login creds, like FTP setup that previous owner might have used for their servers to upload images to or the web somewhere.

That first line above, might be to control the DVR capabilities over a web page panel or for offloading video to another server, or a DVR device's creds to record directly from the camera's stream.

 


  • 3 weeks later...

Did you get any further forward figuring this one out?

I got this far before googling and ending up here :)

Open TCP Port: 23     telnet

Open TCP Port: 80     http

Open TCP Port: 110    pop3

Open TCP Port: 143    imap

Open TCP Port: 443    https

Open TCP Port: 993    imaps

Open TCP Port: 995    pop3s

Open TCP Port: 9527

Open TCP Port: 22334

Open TCP Port: 34567


Went back to Windows and got it running on the CMS software but couldn't see any further clues in there how to set it up in other software.

Encouraging that the stream is accessible not only from the mobile apps, but it makes me wonder what is different about CMS above and every other camera software, I must have tried 15-20 different ones on the mac and no joy. 

Still no further forward in figuring out which type of stream it is either.


  • 3 weeks later...

I managed to get it running on desktop using an android emulator called ARC welder and the IPcam Viewer app.

https://developer.chrome.com/apps/getstarted_arc

https://play.google.com/store/apps/details?id=com.rcreations.ipcamviewerBasic&hl=en_GB for free

or the pro version is better https://play.google.com/store/apps/details?id=com.rcreations.WebCamViewerPaid&hl=en_GB


The IP camera should just be set up like an access point, if I'm not mistaken.

I don't know how yours is set up, but you can use aircrack-ng the normal way like you do cracking a router, and as for the web login URL you should be able to use a wordlist and hydra to bruteforce. Email me or message me on here, it doesn't matter; send me all the info and I'll do my best to help you. Oh lol, I just skimmed over this forum; I missed the part where you already have a handshake / pcap? If that's correct we can use crunch or something to crack it, then as for the login use hydra, either the terminal command or hydra gtk. Forgive me if I skipped over any info and answered incorrectly.


It is possible to access the videostream using some video software like CMS from PC, and I have also seen that it is possible to access the stream using Android and a couple of different apps. The problem seems to be that there is no native HTTP access to the camera. The videostream is accessed using ip:34567 and password 123456

But I do not understand in what way the other software uses that info to access the videostream.  


  • 5 months later...
  • 3 years later...
  • 2 years later...

For anyone still interested in this: I was able to get HTTP streaming out of this device. Both audio and video work. I don't know if my device was easier to access but it's really simple. I arrived at this solution randomly but here's what I think:
This camera uses a protocol called dvrip. I've used https://github.com/AlexxIT/WebRTC
This Home Assistant integration uses WebRTC + go2rtc, which is able to talk to this protocol, I presume.
If you are confused about what this "Home Assistant integration" is, look into Home Assistant first.

I'll explain what I did from after the GitHub guide ends.
After the configuration (of the 'basic' version) of go2rtc, it gets its own port, 1984.
Write <homeassistant-ip>:1984 in a browser just like you do with :8123 to access Home Assistant.
Here click "Add", then open "temporary stream"
```
Name: (What you want, you'll need it later, I put IPC365) 
url: dvrip://admin:123456@<IP Address of the camera>?channel=0&subtype=0
```
Remember that the IP address should be static or this configuration will get broken later on, you can likely do that from your router
Go back to Home Assistant, click on the kebab (3 dots) in the top right to access "Edit dashboard", then on the bottom right "+ Add cards", scroll to the bottom to find "Manual". Paste all of this
```
type: custom:webrtc-camera
url: IPC365  # the name you had to put in before
ui: true
digital_ptz:
  mouse_drag_pan: true
  mouse_wheel_zoom: true
  mouse_double_click_zoom: true
  touch_drag_pan: true
  touch_pinch_zoom: true
  touch_tap_drag_zoom: true
  persist: true
title: What you want
muted: true
intersection: 0.75
background: false
shortcuts:
  - name: Record
    icon: mdi:record-circle-outline
    service: switch.toggle
    service_data:
      entity_id: switch.camera_record
mode: webrtc,mse,hls,mjpeg
```

As you can see here "url:" is the name I have given it before in the go2rtc interface

Sorry for bad english but it isn't my first language
