burton666 Posted April 21, 2017 Share Posted April 21, 2017 I recently bought a cheap ip-camera from ebay but noticed after I recieved it that you had to use android/ios apps to get access to it. And after reading the ebay info again it actually says that it is only compatible with Android/IOS.Ebay link After setting up the wifi from the app I thought that it would be easy to log in using port 8080, 80 or similar and just find the correct path to the videostream. I have done a portscan and port 80 and 23 is open and I also found that port 22334 is used from spying on the packets from my android phone. I tried a lot of paths using iSpys camera url generator but none of them work. if I just enter <IP>:80 in a browser I get a file downloaded witch contains only this: "<H1>Index of /mnt/web/</H1>" I also tried hydra on the telnet port 23 using some camera password-lists from github. But it takes forever to complete. I also tried all random telnet user/pass combinations I could think of like: admin:admin, admin:(blank), root:root, etc. Anyone knows how I should proceed? And would access to telnet get me anywhere? My goal is to be able to get the videostream by URL so that I can add it in some camera software. When capturing the packets from the app the trafik was pretty big, like ~1Mb for around 30s of capturingtime so I guess that that port 22334 is probably used for the videostream. On the box it says: 360Eye S Model: EC11-I6 And when trying to log in using telnet this comes up: IPC365 Login: Quote Link to comment Share on other sites More sharing options...
Just_a_User Posted April 21, 2017 Share Posted April 21, 2017 From a quick google I see you have asked a few places. ispyconnect seems to support IPC365 maybe this allows you to do what you want. https://www.ispyconnect.com/man.aspx?n=IPC# If you need telnet access then maybe try setting up an account on the android app (like described in the user manual) and then using those credentials on the terminal to get in. Worth a try. Quote Link to comment Share on other sites More sharing options...
burton666 Posted April 21, 2017 Author Share Posted April 21, 2017 Thanks, but I tried both of those suggestions and nothing works Quote Link to comment Share on other sites More sharing options...
Just_a_User Posted April 21, 2017 Share Posted April 21, 2017 (edited) 3 hours ago, burton666 said: Thanks, but I tried both of those suggestions and nothing works There are a couple of things online that look similar (but not identical) to the camera you have bought - did you already try: - User = root Password = 123456 or User = ADMIN Password = 123456789 if they don’t work then I would stick to your brute force or alternatively open it up and see if there is a serial/uart you can tap into. Edited April 21, 2017 by Just_a_User Quote Link to comment Share on other sites More sharing options...
burton666 Posted April 23, 2017 Author Share Posted April 23, 2017 I really suck at wireshark so tho only packet capture I got is a really messy one directly from my android phone where I used some generic packet capture app. But I decoded the android app and tried searching for anything useful, found alot of strange stuff but nothing that helps me get the videostream. But maybe someone more skilled could have a look at it and see if they get anything useful from it? decoded android app Quote Link to comment Share on other sites More sharing options...
burton666 Posted May 24, 2017 Author Share Posted May 24, 2017 Ok, some update. I managed to get access to the camera from PC using a program called "CMS". I used the login/pass: admin/123456 <IP>:34567 and channel=1 But now the next problem, I still can'f figure out what url to use to be able to get a snapshot or to be able to add the camera to any ip-camera software. I tried using wireshark but could not understand if it is possible to get any relevant info from there. Strange thing is that I can see another login in plaintext in wireshark but don't understand what that is for as admin/123456 is used for the login. Here is the wireshark-file. wireshark log Quote Link to comment Share on other sites More sharing options...
burton666 Posted May 24, 2017 Author Share Posted May 24, 2017 ................d...{ "EncryptType" : "MD5", "LoginType" : "DVRIP-Web", "PassWord" : "nTBCS19C", "UserName" : "admin" } ....^...............{ "AliveInterval" : 20, "ChannelNum" : 1, "DeviceType " : "IPC", "ExtraChannel" : 0, "Ret" : 100, "SessionID" : "0x0000015E" } .....^...........6...{ "Name" : "SystemInfo", "SessionID" : "0x0000015E" } ....^...........2...{ "Name" : "SystemInfo", "Ret" : 100, "SessionID" : "0x15e", "SystemInfo" : { "AlarmInChannel" : 0, "AlarmOutChannel" : 0, "AudioInChannel" : 1, "BuildTime" : "2017-01-13 11:28:50", "CombineSwitch" : 0, "DeviceRunTime" : "0x00007C0A", "DigChannel" : 0, "EncryptVersion" : "Unknown", "ExtraChannel" : 0, "HardWare" : "S5-T(P)", "HardWareVersion" : "0000000000000000000000000000000000", "SerialNo" : "CEDC17B1347A3505", "SoftWareVersion" : "V3.01.70", "TalkInChannel" : 1, "TalkOutChannel" : 1, "UUID" : "Unknown", "VideoInChannel" : 1, "VideoOutChannel" : 1 } } .....^...........,...{ "Name" : "", "SessionID" : "0x0000015E" } ....^...........8...{ "Name" : "ChannelTitle", "SessionID" : "0x0000015E" } ....^...........:...{ "Name" : "", "Ret" : 100, "SessionID" : "0x0000015E" } .....^...........d...{ "ChannelTitle" : [ "CAM01" ], "Name" : "ChannelTitle", "Ret" : 100, "SessionID" : "0x0000015E" } .....^.........P.;...{ "Name" : "TalkAudioFormat", "SessionID" : "0x0000015E" } ....^.........Q.....{ "Name" : "TalkAudioFormat", "Ret" : 100, "SessionID" : "0x0000015E", "TalkAudioFormat" : [ { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 }, { "BitRate" : 128, "EncodeType" : "G711_ALAW", "SampleBit" : 8, "SampleRate" : 44100 } ] } .....^.........P.:...{ "Name" : "SystemFunction", "SessionID" : "0x0000015E" } ....^...........5...{ "Name" : "KeepAlive", "SessionID" : "0x0000015E" } ....^.........Q.J...{ "Name" : "SystemFunction", "Ret" : 100, "SessionID" : "0x0000015E", "SystemFunction" : { "AlarmFunction" : { "AlarmConfig" : false, "BlindDetect" : true, "LossDetect" : true, "MotionDetect" : true, "NetAbort" : true, "NetAlarm" : true, "NetIpConflict" : true, "StorageFailure" : true, "StorageLowSpace" : true, "StorageNotExist" : true, "VideoAnalyze" : false }, "CommFunction" : { "CommRS232" : true, "CommRS485" : true }, "EncodeFunction" : { "CombineStream" : false, "DoubleStream" : true, "SnapStream" : true, "WaterMark" : false }, "InputMethod" : { "NoSupportChinese" : false }, "MobileDVR" : { "CarPlateSet" : false, "DelaySet" : false, "GpsTiming" : false, "StatusExchange" : false }, "NetServerFunction" : { "Net3G" : false, "NetARSP" : true, "NetAlarmCenter" : true, "NetDAS" : false, "NetDDNS" : false, "NetDHCP" : true, "NetDNS" : true, "NetEmail" : false, "NetFTP" : false, "NetGodEyeAlarm" : false, "NetIPFilter" : true, "NetLocalSdkPlatform" : false, "NetMediaStream" : false, "NetMobile" : false, "NetMutliCast" : false, "NetNTP" : true, "NetNat" : false, "NetPPPoE" : true, "NetPhoneMultimediaMsg" : false, "NetPhoneShortMsg" : false, "NetPlatMega" : false, "NetPlatShiSou" : false, "NetPlatVVEye" : false, "NetPlatXingWang" : false, "NetRTSP" : false, "NetUPNP" : false, "NetVPN" : false, "NetWifi" : true }, "OtherFunction" : { "DownLoadPause" : true, "SDsupportRecord" : false, "SupportOnvifClient" : false, "USBsupportRecord" : false }, "PreviewFunction" : { "GUISet" : true, "Tour" : false }, "TipShow" : { "NoBeepTipShow" : false, "NoEmailTipShow" : true, "NoFTPTipShow" : true } } } .....^...........C...{ "Name" : "KeepAlive", "Ret" : 100, "SessionID" : "0x0000015E" } .....^...........]...{ "Name" : "OPTimeSetting", "OPTimeSetting" : "2017-05-24 21:01:43", "SessionID" : "0x15e" } ....^...........:...{ "Name" : "", "Ret" : 100, "SessionID" : "0x0000015E" } .....^...............{ "Name" : "OPMonitor", "OPMonitor" : { "Action" : "Start", "Parameter" : { "Channel" : 0, "CombinMode" : "NONE", "StreamType" : "Main", "TransMode" : "TCP" } }, "SessionID" : "0x15e" } ....^...........C...{ "Name" : "OPMonitor", "Ret" : 100, "SessionID" : "0x0000015E" } Quote Link to comment Share on other sites More sharing options...
digip Posted May 25, 2017 Share Posted May 25, 2017 Many devices have more than one login, and different admin panels for each. My IP camera had two logins, one for administering and setting passwords, and the other for viewing and forwarding to FTP or Email. They both logged in with admin, but you can or on mine, could change the name for the lower priv one to whatever you wanted from the real admin one. The password, and the ports are what were different. I haven't used that camera since I lived in our apartment few years ago, and it's packed away somewhere, but I imagine your's works similarly. I'd try scanning the device for open ports, and trying the admin and other password, on other open ports, see if you get a different web panel login from the desktop, or explore the other login you already use, to see what the admin panel options are and if they show other login creds, like FTP setup that previous owner might have used for their servers to upload images to or the web somewhere. That first line above, might be to control the DVR capabilities over a web page panel or for offloading video to another server, or a DVR device's creds to record directly from the camera's stream. Quote Link to comment Share on other sites More sharing options...
munkiepus Posted June 12, 2017 Share Posted June 12, 2017 Did you get any further forward figuring this one out? I got this far before googling and ending up here :) Open TCP Port: 23 telnet Open TCP Port: 80 http Open TCP Port: 110 pop3 Open TCP Port: 143 imap Open TCP Port: 443 https Open TCP Port: 993 imaps Open TCP Port: 995 pop3s Open TCP Port: 9527 Open TCP Port: 22334 Open TCP Port: 34567 Quote Link to comment Share on other sites More sharing options...
burton666 Posted June 12, 2017 Author Share Posted June 12, 2017 Yes, you can read in this thread. Post a reply if you managed to get any more progress. Quote Link to comment Share on other sites More sharing options...
munkiepus Posted June 14, 2017 Share Posted June 14, 2017 Went back to windows and got it running on the CMS software but couldnt't see any further clues in there how to set it up in other software. Encouraging that the stream is accessible not only from the mobile apps, but it makes me wonder what is different about CMS above and every other camera software, I must have tried 15-20 different ones on the mac and no joy. Still no further forward in figuring out which type of stream it is either. Quote Link to comment Share on other sites More sharing options...
munkiepus Posted July 5, 2017 Share Posted July 5, 2017 I managed to get it running on desktop using an android emulator called ARC welder and the IPcam Viewer app. https://developer.chrome.com/apps/getstarted_arc https://play.google.com/store/apps/details?id=com.rcreations.ipcamviewerBasic&hl=en_GB for free or the pro version is better https://play.google.com/store/apps/details?id=com.rcreations.WebCamViewerPaid&hl=en_GB Quote Link to comment Share on other sites More sharing options...
datajumper Posted July 9, 2017 Share Posted July 9, 2017 the ip camera should just be setup like an access point if im not mistaken i dont know how yours is set up but you can use aircrack-ng the normal way like you do cracking a router and as for the web login url you should be able to use a wordlist and hydra to bruteforce email me or mssg me on here it dont matter send me all the info ill do my best to help you oh lol i just skimmed over this forum i missed the part where you already have a handshake / pcap ? if thats correct we can use crunch or something to crack it then as for the log in use hydra either terminal command or hydra gtk ....for give me if i skiped over any info and answered incorrectly Quote Link to comment Share on other sites More sharing options...
burton666 Posted July 9, 2017 Author Share Posted July 9, 2017 It is possible to access the videostream using some videosoftware like CMS from pc and also I have sen that it is also possible accessing the stream using android and a couple of different apps. The problem seams to be that there is no native http access to the camera. The videostream is accessed using ip:34567 and password 123456 But I do not understand in what way the other software uses that info to access the videostream. Quote Link to comment Share on other sites More sharing options...
bme2008 Posted December 10, 2017 Share Posted December 10, 2017 (bugmenot account) I hacked this camera's telnet. Username: root Password: noty See also: https://www.domoticz.com/forum/viewtopic.php?f=35&t=17059&start=20#p161045 Quote Link to comment Share on other sites More sharing options...
avgas3 Posted May 9, 2021 Share Posted May 9, 2021 YES thanks for the telnet credentials you're a hero. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.