Sunday, July 17, 2016

Toying with a Hosafe IP Camera

I was curious about a few things, and one thing led to another.  I purchased a HoSafe IP camera (HOSAFE-2MB3W 1080P) and wanted to see what it would do on the network.  I put Squid in the mix and forced all HTTP traffic from the camera's network segment through the proxy, only to find this in the access log:
    1468748798.090    711 192.168.128.31 TCP_MISS/200 591 GET http://www.jovetech.com/down/YST/S/yst_home.txt - HIER_DIRECT/119.188.172.17 text/plain
    
That returned :
    DIP:112.4.212.199:9210
    DIP:221.234.43.228:9210
    WIP:112.84.180.43:9210
    WIP:58.56.111.4:9210
    WIP:119.188.172.5:9210
    DIP:58.56.111.11:9210
    DIP:120.192.81.186:9210
    WIP:120.192.84.26:9210
    
Those IP addresses are owned by :
    person:         Chinanet Hostmaster
    nic-hdl:        CH93-AP
    e-mail:         anti-spam@ns.chinanet.cn.net
    address:        No.31 ,jingrong street,beijing
    address:        100032
    phone:          +86-10-58501724
    fax-no:         +86-10-58501724
    country:        CN
    changed:        dingsy@cndata.com 20070416
    changed:        zhengzm@gsta.com 20140227
    mnt-by:         MAINT-CHINANET
    source:         APNIC
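The peer list above is worth more than a glance, so here is an added example (not code from the original post) that parses it and turns it into egress-filter rules for the gateway the camera sits behind.  The file format is assumed to be one "TAG:ip:port" entry per line with tags such as DIP and WIP, which is all the eight captured lines show; what DIP and WIP mean is not documented here, so the tag is only carried along as a label.  The camera address, interface name and iptables chain are assumptions.

```python
"""Turn the yst_home.txt peer list captured above into egress-filter rules.

Added example, not code from the original post. Assumes one "TAG:ip:port"
entry per line (tags such as DIP/WIP, meaning unknown, kept only as labels).
The camera address, gateway interface and iptables chain are assumptions.
"""
import ipaddress
import re
from collections import namedtuple

Peer = namedtuple("Peer", "tag ip port")

# One entry per line: TAG:dotted-quad:port
PEER_LINE = re.compile(r"^\s*([A-Z]+):(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")

# Constructed from the yst_home.txt body shown in the post.
YST_HOME_TXT = """\
DIP:112.4.212.199:9210
DIP:221.234.43.228:9210
WIP:112.84.180.43:9210
WIP:58.56.111.4:9210
WIP:119.188.172.5:9210
DIP:58.56.111.11:9210
DIP:120.192.81.186:9210
WIP:120.192.84.26:9210
"""


def parse_peer_list(text):
    """Parse the peer list; reject anything that is not a well-formed entry
    rather than silently skipping it, since a malformed line may mean the
    format has changed and the resulting block list would be incomplete."""
    peers = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = PEER_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        tag, ip, port = m.groups()
        ip = str(ipaddress.ip_address(ip))  # raises ValueError on octets > 255
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        peers.append(Peer(tag, ip, port))
    return peers


def egress_rules(peers, camera_ip, iface="eth0", chain="FORWARD"):
    """Build iptables rules (as strings) for the gateway the camera sits behind.

    Two layers: one DROP per listed peer, then a DROP for the rendezvous
    port(s) to any destination. The second layer matters because the list is
    fetched from jovetech.com at run time and can change, so peer IPs alone
    are not a stable block list. The protocol used on 9210 is not shown on
    the page, so both TCP and UDP are covered (assumption)."""
    rules = []
    seen = set()
    for p in peers:
        if (p.ip, p.port) in seen:  # same ip:port may appear under two tags
            continue
        seen.add((p.ip, p.port))
        rules.append(
            f"iptables -A {chain} -i {iface} -s {camera_ip} -d {p.ip} "
            f"-p tcp --dport {p.port} -m comment --comment '{p.tag} dial-home' -j DROP"
        )
    for port in sorted({p.port for p in peers}):
        for proto in ("tcp", "udp"):
            rules.append(
                f"iptables -A {chain} -i {iface} -s {camera_ip} "
                f"-p {proto} --dport {port} -j DROP"
            )
    return rules


if __name__ == "__main__":
    for rule in egress_rules(parse_peer_list(YST_HOME_TXT), "192.168.128.31"):
        print(rule)
```

The per-peer rules document what was seen; the per-port catch-all is the one that actually holds up, because the address list is served from jovetech.com and can be rotated without touching the camera.  Blocking the fetch of yst_home.txt itself at the proxy is the other half of the fix.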
    
A legitimate-looking request, right?  Ouch.  Out of the box, the camera pulls down a list of Chinanet addresses and the port it is expected to reach them on (9210); that port needed to be blocked at the gateway.  Next, I scanned the camera to see what it exposes:
    [root@hostname squid]# nmap -sT -O 192.168.128.31
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2016-07-17 20:03 MDT
    Nmap scan report for 192.168.128.31
    Host is up (0.0013s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    23/tcp   open  telnet
    80/tcp   open  http
    554/tcp  open  rtsp
    8099/tcp open  unknown
    9101/tcp open  jetdirect
    MAC Address: E0:62:90:E4:E2:34 (Jinan Jovision Science & Technology Co.)
    Device type: general purpose
    Running: Linux 2.6.X|3.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
    OS details: Linux 2.6.32 - 3.2
    Network Distance: 1 hop
    
    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds
    [root@hostname squid]#
    
A little research showed that ports 8099 and 9101 relate to the camera's ONVIF and DVR functionality (nmap's "jetdirect" label for 9101 is just the well-known-port name from its services table, not a probe result, since this was a plain -sT -O scan without -sV).  I was more interested in the "23/tcp open telnet" line as a route to root access, but I have not yet found the default credentials; that will take a deeper look.

I also threw a simple HTTP request at it to see what it returned.
    
    GET / HTTP/1.0
    Host: camera-backporch
    
    HTTP/1.0 200 OK
    Server: thttpd/2.25b 29dec2003
    Content-Type: text/html; charset=utf-8
    Date: Sat, 15 Jan 2000 05:43:43 GMT
    Last-Modified: Thu, 26 Mar 2015 02:37:24 GMT
    Accept-Ranges: bytes
    Connection: close
    Content-Length: 9872
    
    <!doctype html>
    <html>
      <head>
        <!-- use webkit mode for 360 -->
        <meta name="renderer" content="webkit">
        <meta http-equiv="X-UA-Compatible" content="IE=10" />
        <meta charset="utf-8" />
        <script src="js/jq.js">
        <script src="js/jq.browser.js">
        <script src="js/jq.i18n.p.js">
        <script src="js/u.js">
        <link rel="stylesheet" href="css/reset.css" />
        <link rel="stylesheet" href="css/style.css" />
        <script src="js/index.js">
        <title data-i18n-l="jovision">
      </head>
    [ ... snip ... ]
          </div>
        </div>
        <div id="footer" data-i18n-l="jovision">
    </body>
    </html>
    Connection closed by foreign host.
    [root@ch squid]#
    
The "Server: thttpd/2.25b 29dec2003" header is useful on its own (a web server build from 2003), but the "<div id="footer" data-i18n-l="jovision"></div>" line is the better clue: "Jovision" matches the MAC address vendor from the nmap scan (Jinan Jovision Science & Technology Co.) and lines up with the "jovetech" host from the Squid log.  Huh!  So the HoSafe-branded camera is Jovision hardware, and it looks like it tries to dial home!
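Pulling those indicators together is easy to automate.  The following is an added example (not code from the original post) that splits the raw HTTP response captured above, parses the Server banner, collects the data-i18n-l tokens, and checks them against the MAC OUI from the nmap output.  The OUI table holds only the one prefix nmap resolved and stands in for a real OUI database; the response text is constructed from the capture, trimmed to the headers and the two attributes that matter.  It also flags the Date header, which is from January 2000 and earlier than Last-Modified: the camera's clock has never been set.

```python
"""Extract vendor and device indicators from the raw HTTP response captured
above and correlate them with the MAC address from the nmap scan.

Added example, not code from the original post. OUI_VENDORS is a one-entry
stand-in for a real OUI database; RAW_RESPONSE is constructed from the
capture with the body trimmed to the relevant attributes.
"""
import re
from email.utils import parsedate_to_datetime

# Constructed from the response shown above (body trimmed).
RAW_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: thttpd/2.25b 29dec2003\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Date: Sat, 15 Jan 2000 05:43:43 GMT\r\n"
    "Last-Modified: Thu, 26 Mar 2015 02:37:24 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<!doctype html><html><head>"
    '<title data-i18n-l="jovision"></title></head><body>'
    '<div id="footer" data-i18n-l="jovision"></div></body></html>'
)

# Stand-in for an OUI database: only the prefix nmap resolved on the page.
OUI_VENDORS = {"E0:62:90": "Jinan Jovision Science & Technology Co."}

BANNER = re.compile(r"^(?P<product>[^/\s]+)/(?P<version>\S+)(?:\s+(?P<build>\S+))?")
I18N_ATTR = re.compile(r'data-i18n-l="([^"]*)"')


def split_response(raw):
    """Split a raw HTTP/1.x response into (status code, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def server_banner(headers):
    """Parse "product/version build" out of the Server header, or None."""
    m = BANNER.match(headers.get("server", ""))
    return m.groupdict() if m else None


def i18n_tokens(body):
    """Vendor strings that the page's own i18n layer exposes."""
    return set(I18N_ATTR.findall(body))


def oui_vendor(mac):
    """Look the first three octets of a MAC up in the OUI table."""
    return OUI_VENDORS.get(mac.upper().replace("-", ":")[:8])


def clock_unset(headers):
    """True when Date precedes Last-Modified: the device claims to be serving
    a file modified in its own future, i.e. its clock has never been set.
    None if either header is missing or unparsable."""
    try:
        date = parsedate_to_datetime(headers["date"])
        modified = parsedate_to_datetime(headers["last-modified"])
    except (KeyError, TypeError, ValueError):
        return None
    return date < modified


def fingerprint(raw, mac):
    """Combine the HTTP and MAC indicators and say whether they agree."""
    status, headers, body = split_response(raw)
    tokens = i18n_tokens(body)
    vendor = oui_vendor(mac)
    consistent = bool(vendor) and any(t.lower() in vendor.lower() for t in tokens)
    return {
        "status": status,
        "server": server_banner(headers),
        "i18n_tokens": tokens,
        "oui_vendor": vendor,
        "vendor_consistent": consistent,
        "clock_unset": clock_unset(headers),
    }


if __name__ == "__main__":
    for key, value in fingerprint(RAW_RESPONSE, "E0:62:90:E4:E2:34").items():
        print(f"{key}: {value}")
```

The "jovetech" host from the Squid log is not matched programmatically here because "jovetech" is not a substring of the OUI vendor name; that link is the kind of judgement call the text makes, and it is better left to the analyst than hard-coded.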
