Computer_Security Posted March 14, 2018

I'm currently working on a project of trying to pen-test this cheap IP camera I bought online. I've port scanned it a few times and the only thing open is:

```
PORT      STATE SERVICE
7777/tcp  open  cbt
49152/tcp open  unknown
```

I've done some research and a few Wireshark captures and have found out that port 7777 is for transmitting the image of the camera and port 49152 is for UPnP and port forwarding. Is anyone familiar with any vulnerabilities that I could exploit using this information? This is my first hardware pen-test, btw. I'm thinking about opening it up and trying to see if there are any serial connections. Any advice is appreciated :)
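An added example, not code from the original post or from the camera: the first thing to learn about a UPnP endpoint such as the one on 49152 is which services and control URLs its device description advertises, because those are what any later SOAP request has to target. The script below parses a device description document into a service list and builds the headers and body of a UPnP control request. It assumes the host and port from the scan (192.168.1.6:49152) and that the endpoint serves a standard UPnP device description; the XML, the service names and the description path are constructed for the example and were not taken from the camera.

```python
"""Enumerate the services a UPnP device description advertises.

Added example for the post above; it is not the camera's own code. It
assumes TCP 49152 serves a standard UPnP device description (the URL a
device places in the LOCATION header of its SSDP announcements). The XML
below is constructed; the host, port and service names are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from urllib.request import Request, urlopen
from xml.sax.saxutils import escape

UPNP_NS = "urn:schemas-upnp-org:device-1-0"
FIELDS = ("serviceType", "serviceId", "controlURL", "eventSubURL", "SCPDURL")

# Constructed sample description; the service types are made up.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>
    <friendlyName>Example camera (constructed)</friendlyName>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
        <controlURL>/upnp/control/ConnectionManager</controlURL>
        <eventSubURL>/upnp/event/ConnectionManager</eventSubURL>
        <SCPDURL>/ConnectionManager.xml</SCPDURL>
      </service>
      <service>
        <serviceType>urn:schemas-example-com:service:CameraControl:1</serviceType>
        <serviceId>urn:example-com:serviceId:CameraControl</serviceId>
        <controlURL>/upnp/control/CameraControl</controlURL>
        <eventSubURL>/upnp/event/CameraControl</eventSubURL>
        <SCPDURL>/CameraControl.xml</SCPDURL>
      </service>
    </serviceList>
  </device>
</root>
"""


def parse_services(description_xml, base_url):
    """Return every <service> in the document with its URLs made absolute."""
    root = ET.fromstring(description_xml)
    ns = {"u": UPNP_NS}
    services = []
    # iter() also visits embedded devices; findall() reads only each
    # device's own serviceList, so no service is counted twice.
    for device in root.iter(f"{{{UPNP_NS}}}device"):
        for svc in device.findall("u:serviceList/u:service", ns):
            entry = {}
            for field in FIELDS:
                node = svc.find(f"u:{field}", ns)
                entry[field] = (node.text or "").strip() if node is not None else ""
            for field in ("controlURL", "eventSubURL", "SCPDURL"):
                if entry[field]:
                    entry[field] = urljoin(base_url, entry[field])
            services.append(entry)
    return services


def build_soap_action(service_type, action, args=None):
    """Build headers and body of a UPnP control request (SOAP 1.1 over HTTP POST)."""
    body_args = "".join(
        f"<{name}>{escape(str(value))}</{name}>" for name, value in (args or {}).items()
    )
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{body_args}</u:{action}>'
        "</s:Body></s:Envelope>"
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service_type}#{action}"',
    }
    return headers, body


def send_action(control_url, service_type, action, args=None, timeout=5):
    """POST an action to a live device; only meaningful on the real network."""
    headers, body = build_soap_action(service_type, action, args)
    req = Request(control_url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Against the real device, fetch the description from its SSDP LOCATION
    # URL with urlopen() and pass the text in place of SAMPLE_DESCRIPTION.
    for svc in parse_services(SAMPLE_DESCRIPTION, "http://192.168.1.6:49152/"):
        print(svc["serviceType"], "->", svc["controlURL"])
```

The description path is not something the scan reveals; it comes from the LOCATION header of the SSDP NOTIFY or M-SEARCH reply on UDP 1900, which a Wireshark capture of the camera booting will show. Each SCPDURL lists the actions and arguments a service accepts, which is the input to any fuzzing of the control endpoint.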
Computer_Security Posted March 16, 2018 (Author)

Update: I have looked further into the firmware file and used binwalk to extract some of the files, since they aren't encrypted. One is called chpasswd.sh and its contents are:

```sh
#!/bin/sh
# $Id: chpasswd.sh,v 1.1 2008-05-19 13:08:34 winfred Exp $
# usage: chpasswd.sh <user name> [<password>]

usage() {
    echo "Usage:"
    echo "  $0 <user name> [<password>]"
    exit 1
}

if [ "$1" == "" ]; then
    echo "$0: insufficient arguments"
    usage $0
fi

echo "$1:$2" > /tmp/tmpchpw
chpasswd < /tmp/tmpchpw
rm -f /tmp/tmpchpw
```

Also, after port scanning using -sS I found that there are more ports than I originally thought, though most are filtered:

```
Starting Nmap 7.40 ( https://nmap.org ) at 2018-03-16 11:37 EDT
Warning: 192.168.1.6 giving up on port because retransmission cap hit (10).
Nmap scan report for Jacques.home (192.168.1.6)
Host is up (0.62s latency).
Not shown: 986 closed ports
PORT      STATE    SERVICE
70/tcp    filtered gopher
389/tcp   filtered ldap
500/tcp   filtered isakmp
514/tcp   filtered shell
1095/tcp  filtered nicelink
1112/tcp  filtered msql
1533/tcp  filtered virtual-places
1700/tcp  filtered mps-raft
1900/tcp  filtered upnp
5414/tcp  filtered statusd
7777/tcp  open     cbt
9010/tcp  filtered sdr
49152/tcp open     unknown
50500/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 975.17 seconds
```

I feel like I am on the right track, but some help would be appreciated. Also, I can post the folder of all the files I extracted from the .bin firmware file if you guys want.
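An added example for the update above, not code from the camera's firmware: once binwalk has unpacked the image, the useful next step is a repeatable triage pass over the extracted tree rather than reading files one at a time. The script below walks a root-like directory, flags shell scripts that call account tools (chpasswd, passwd, adduser, telnetd, dropbear) or redirect output to a fixed path under /tmp, which is exactly what the posted chpasswd.sh does with /tmp/tmpchpw, and classifies every entry in etc/passwd and etc/shadow by whether its password field is empty, shadowed, locked or an offline-crackable hash. It assumes the extraction directory is laid out like a root filesystem; the sample tree it builds is constructed (a trimmed copy of the posted script's working lines plus made-up passwd and shadow entries) so the example runs offline.

```python
"""Triage an extracted firmware tree for account and password handling.

Added example for the update above; not code from the camera's firmware.
Assumes the image was unpacked (e.g. binwalk -e) into a root-like
directory. The sample tree is constructed: the script is a trimmed copy
of the posted chpasswd.sh, the passwd/shadow lines and hash are made up.
"""
import os
import re
import tempfile

# Commands that create accounts, set passwords or start remote shells.
ACCOUNT_TOOLS = re.compile(r"(?<![/\w])(chpasswd|passwd|adduser|useradd|telnetd|dropbear)\b")
# Output redirected to a fixed path under /tmp.
TMP_WRITE = re.compile(r">\s*(/tmp/[^\s;&|]+)")

# Working lines of the posted script (constructed copy for the sample tree).
CHPASSWD_SH = """#!/bin/sh
# usage: chpasswd.sh <user name> [<password>]
echo "$1:$2" > /tmp/tmpchpw
chpasswd < /tmp/tmpchpw
rm -f /tmp/tmpchpw
"""


def is_shell_script(path):
    """A .sh suffix or a '#!' first line marks a shell script."""
    if path.endswith(".sh"):
        return True
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"


def scan_script(path, root):
    """One finding per non-comment line that calls an account tool or writes to /tmp."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            text = line.strip()
            if not text or text.startswith("#"):
                continue
            tool, tmp = ACCOUNT_TOOLS.search(text), TMP_WRITE.search(text)
            if tool or tmp:
                findings.append({"path": os.path.relpath(path, root), "line": lineno,
                                 "tool": tool.group(1) if tool else None,
                                 "tmp_path": tmp.group(1) if tmp else None, "text": text})
    return findings


def account_status(field):
    """Classify a passwd/shadow password field."""
    if field == "":
        return "empty"      # logs in with no password at all
    if field == "x":
        return "shadowed"   # real hash is in etc/shadow
    if field.startswith(("!", "*")):
        return "locked"
    return "hash"           # hash present here: candidate for offline cracking


def parse_account_file(path, root, has_uid):
    """Parse passwd (has_uid=True) or shadow (has_uid=False) into account records."""
    records = []
    if not os.path.isfile(path):
        return records
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = line.rstrip("\n").split(":")
            if len(parts) < 2 or not parts[0]:
                continue
            uid = int(parts[2]) if has_uid and len(parts) > 2 and parts[2].isdigit() else None
            records.append({"user": parts[0], "uid": uid, "status": account_status(parts[1]),
                            "source": os.path.relpath(path, root)})
    return records


def triage(root):
    """Walk the tree once; return script findings and account records."""
    scripts = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_shell_script(full):
                scripts.extend(scan_script(full, root))
    accounts = parse_account_file(os.path.join(root, "etc", "passwd"), root, True)
    accounts += parse_account_file(os.path.join(root, "etc", "shadow"), root, False)
    return {"scripts": scripts, "accounts": accounts}


def build_sample_tree():
    """Constructed stand-in for a binwalk -e output directory."""
    root = tempfile.mkdtemp(prefix="fw_")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "sbin"))
    files = {
        "sbin/chpasswd.sh": CHPASSWD_SH,
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin::1000:1000::/home/admin:/bin/sh\n",
        "etc/shadow": "root:$1$CONSTRUCTED$notarealhash:0:0:99999:7:::\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())   # point triage() at the real extraction dir instead
    for f in result["scripts"]:
        print(f"{f['path']}:{f['line']} tool={f['tool']} tmp={f['tmp_path']}  {f['text']}")
    for a in result["accounts"]:
        print(f"{a['source']}: {a['user']} uid={a['uid']} {a['status']}")
```

Every finding carries the relative path and line number, so the scripts flagged here are the ones to read next, together with whatever calls them (init scripts and any CGI or web handler that passes a user-supplied name into a script like chpasswd.sh). Accounts classified as "hash" are the ones worth running through a cracker; "empty" ones need no cracking at all.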