biob Posted September 3, 2012
I've recently started mapping networks using Kismet and gpsd. I have discovered that my local council is using a mesh network or WDS to set up CCTV in my local area. I'm annoyed at this as they are using the system to spy on the housing estates. Even when they move their cameras around, it is easy to see where they have been previously installed as the sockets are still on the lighting lamp posts. I discovered these vacant lamp posts still transmit (must have APs installed inside). Must admit the probe responses are what got my attention as they had 'CCTV' in the title :-) Is there a way to view what these cameras are seeing? I would love to prove these cameras insecure. Can anyone point me in the right direction to research this?
Jason Cooper Posted September 3, 2012
First check your local laws; intercepting wireless communication and cracking captured wireless communication may be illegal in your country (if you aren't sure then assume it is illegal and don't mess with it). If I was investigating it I would start by finding some of the CCTV cameras in place and fire up Kismet to check the details of the network (things like channels and network security). When I knew what channel they are using I would lock Kismet to that channel to narrow the packets captured. The network security in use would dictate the next step. If WEP then aircrack should give the network key in 5 to 10 minutes (assuming ARP packets can be replayed). If WPA-PSK then deauthing some of the attached devices should give us a handshake to be broken offline. If WPA-Enterprise then things get a bit more tricky and would require some further investigation.
digininja Posted September 3, 2012
Regardless of local laws on intercepting communications, cracking WEP using replay or deauthing clients in WPA-PSK mode are illegal in the UK. Best you can probably do legally is sniff the traffic and hope that it is unencrypted, but if they have the skills to set up a WDS then that is very unlikely.
biob Posted September 3, 2012
Kismet is reporting no encryption, which is funny as the SSID contains WPA. The council hasn't placed any type of sign that is clearly visible (which is breaking the law); you need a pair of binoculars to see the sticker they have placed at the top of the lamp post :-). What's interesting is that they move them around and leave connection ports on the lamp posts, which are still transmitting as part of the WDS. I know a little about the system as I found articles on the net. I've identified the cameras they are using as D-Link (I have a lovely brochure on them :-)). I went for a walk with my netbook in backpack to try and collect more data, but when I had got home I discovered that it had gone into hibernation (doh). Will try again tomorrow. Thanks guys for the quick response.
digininja Posted September 3, 2012
Are these council or police cameras? The police may have an exemption from advertising.
biob Posted September 3, 2012
Hi Digininja, they are council. When I used my camera to zoom in they have a yellow sticker right at the top of the lamp post (basically the sign they are supposed to put in clear view). I find it very interesting that the lamp posts have APs (just sad in my old age :-)).
digininja Posted September 3, 2012
Ask the council for a statement. And if you can get along to any of the local OWASP meetings, ask there and see if anyone else in the area knows anything about them.
biob Posted September 3, 2012
Kismet seems to be unable to tell what channel they are operating on. Looking at some of the logs, I think they are using a channel 1, 5, 9 scheme. I have found a few without a CCTV unit attached. I may have to loiter around one tomorrow :-)
biob Posted September 3, 2012
Will do, thanks for the advice.
digininja Posted September 3, 2012
And before anyone points out that OWASP is web, I know, but I also know that there is one in Biob's local area while I don't think there are any other hacker group meetings around there.
biob Posted September 3, 2012
Just checked out the OWASP site. Thanks Digininja, it's just what I'm looking for.
digininja Posted September 3, 2012
I've not been to that one but I know a lot of the people who go and they are a good bunch.
barry99705 Posted September 11, 2012
I have a couple municipality clients that use mesh networks built into the light poles for the police hud cams. I didn't set up the system, but I do know they use WPA2.