Tenvis IP Camera JPT3815W


Computer_Security

I'm currently working on a project of trying to pen-test this cheap IP camera I bought online. I've port scanned it a few times and the only thing open is:

PORT      STATE SERVICE
7777/tcp  open  cbt
49152/tcp open  unknown

I've done some research and a few Wireshark scans and have found out that the 7777 port is for transmitting the image of the camera and port 49152 is for UPnP and port forwarding. Is anyone familiar with any vulnerabilities that I could exploit using this information? This is my first hardware pen-test btw. I'm thinking about opening it up and trying to see if there are any serial connections.

Any advice is appreciated :)

Update: I have looked further into the firmware file and used binwalk to extract some of the files, since they aren't encrypted.

One is called chpasswd.sh and its contents are:

#!/bin/sh

# $Id: chpasswd.sh,v 1.1 2008-05-19 13:08:34 winfred Exp $
# usage: chpasswd.sh <user name> [<password>]

usage()
{
    echo "Usage:"
    echo "  $0 <user name> [<password>]"
    exit 1
}

if [ "$1" == "" ]; then
    echo "$0: insufficient arguments"
    usage $0
fi

echo "$1:$2" > /tmp/tmpchpw
chpasswd < /tmp/tmpchpw
rm -f /tmp/tmpchpw

Also, after port scanning using -sS, I found that there are more ports than I originally thought; most are filtered though.

Starting Nmap 7.40 ( https://nmap.org ) at 2018-03-16 11:37 EDT
Warning: 192.168.1.6 giving up on port because retransmission cap hit (10).
Nmap scan report for Jacques.home (192.168.1.6)
Host is up (0.62s latency).
Not shown: 986 closed ports
PORT      STATE    SERVICE
70/tcp    filtered gopher
389/tcp   filtered ldap
500/tcp   filtered isakmp
514/tcp   filtered shell
1095/tcp  filtered nicelink
1112/tcp  filtered msql
1533/tcp  filtered virtual-places
1700/tcp  filtered mps-raft
1900/tcp  filtered upnp
5414/tcp  filtered statusd
7777/tcp  open     cbt
9010/tcp  filtered sdr
49152/tcp open     unknown
50500/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 975.17 seconds

I feel like I am on the right track but some help would be appreciated. Also, I can post the folder of all the files I extracted from the .bin firmware file if you guys want.
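
A defensive reading of the chpasswd.sh posted above, as an added example that is not part of the original post or the vendor firmware: the script stages the "user:password" line in the fixed path /tmp/tmpchpw, so the cleartext password briefly sits in a file with a predictable name. This rewrite pipes the line straight to chpasswd instead; the function name set_password and the CHPASSWD_CMD override are hypothetical names introduced here.

```sh
#!/bin/sh
# Added example (not vendor code): same job as the chpasswd.sh above, but the
# "user:password" line never touches /tmp.
# Assumption: CHPASSWD_CMD is a hypothetical override so the function can be
# dry-run against a stand-in command instead of the real chpasswd.
CHPASSWD_CMD="${CHPASSWD_CMD:-chpasswd}"

set_password() {
    user=${1-}
    pass=${2-}
    nl='
'
    if [ -z "$user" ]; then
        echo "usage: set_password <user name> [<password>]" >&2
        return 1
    fi
    # chpasswd reads "user:password" lines. A ':' in the user name or a newline
    # in either field would change which record chpasswd sees, so refuse both.
    case $user in
        *:*) echo "set_password: ':' not allowed in user name" >&2; return 2 ;;
    esac
    case $user$pass in
        *"$nl"*) echo "set_password: newline not allowed" >&2; return 2 ;;
    esac
    # printf '%s' emits the fields literally (some echo builtins expand
    # backslashes), and the pipe replaces the fixed-name temp file.
    printf '%s:%s\n' "$user" "$pass" | $CHPASSWD_CMD
}

# Act as a drop-in only when installed under the original script name.
if [ "${0##*/}" = "chpasswd.sh" ]; then
    set_password "$@"
    exit $?
fi
```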
