Wednesday, January 24, 2018

IPC Camera Hacking

After my run-in with HikVision and HoSafe cameras (no provided firmwares that they would send to me), I decided to try another cheap camera.  What I settled on had someone claiming that the cameras wouldn't dial home to China.  They were Camius BoltV cameras.

When I checked, they were all based on the same chinese maker, and branded with their own firmwares.  For example, the first ones were HoSafe, and returned the model "JVS-HI3516CS" (see the More on Chinese Camera Hacking post).  The second, HikVision cameras returned something similar (but I do not have that as the camera was phased out quickly due to a hardware failure), and the latest Camius BoltV returns :
    root@kali:~# strings CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw |head -n5
RSUp
IPC3516D
IPC3516D
V170913
V170911
Hm. Looks like a new company in the same old market, base model of HI3516, so let me ask you a quick question.  It doesn't "dial home" because someone on the Internet said it doesn't. Is that , right?  Let's see.  Let's boot one up inside of my no-access network and see what we get.
    Jan 24 17:59:12 hostname dhcpd: DHCPDISCOVER from 58:e8:76:01:05:ff via eth0
Jan 24 17:59:12 hostname dhcpd: DHCPOFFER on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
Jan 24 17:59:13 hostname dhcpd: DHCPREQUEST for 192.168.1.30 (192.168.1.1) from 58:e8:76:01:05:ff via eth0
Jan 24 17:59:13 hostname dhcpd: DHCPACK on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
Looks good so far.  I wait for a few minutes, and no DNS lookups.  Looks great!  I load up the browser, and....
    09:26:39.253127 IP 192.168.1.30.46294 > router.example.com.domain: 11532+ A? p2p.anlian.co. (31)
09:26:39.253347 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:39.255060 IP 192.168.1.30.35474 > router.example.com.domain: 11533+ A? p2p.anlian.co. (31)
09:26:39.255171 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:39.256390 IP 192.168.1.30.38702 > router.example.com.domain: 11534+ A? p2p.anlian.co. (31)
09:26:39.256489 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:41.272833 IP 192.168.1.30.37976 > router.example.com.domain: 11535+ A? p2p.anlian.co. (31)
09:26:41.273096 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:41.273923 IP 192.168.1.30.50096 > router.example.com.domain: 11536+ A? p2p.anlian.co. (31)
09:26:41.274022 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:41.274857 IP 192.168.1.30.36165 > router.example.com.domain: 11537+ A? p2p.anlian.co. (31)
09:26:41.274956 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:43.292613 IP 192.168.1.30.58809 > router.example.com.domain: 11538+ A? p2p.anlian.co. (31)
09:26:43.292800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:43.293694 IP 192.168.1.30.33953 > router.example.com.domain: 11539+ A? p2p.anlian.co. (31)
09:26:43.293800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:43.294944 IP 192.168.1.30.37312 > router.example.com.domain: 11540+ A? p2p.anlian.co. (31)
09:26:43.295039 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:45.312929 IP 192.168.1.30.34936 > router.example.com.domain: 11541+ A? p2p.anlian.co. (31)
09:26:45.313133 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:45.315165 IP 192.168.1.30.32893 > router.example.com.domain: 11542+ A? p2p.anlian.co. (31)
09:26:45.315265 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:45.316177 IP 192.168.1.30.60287 > router.example.com.domain: 11543+ A? p2p.anlian.co. (31)
09:26:45.316273 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:46.287401 ARP, Request who-has 192.168.1.30 tell router.example.com, length 28
09:26:46.288148 ARP, Reply 192.168.1.30 is-at 58:e8:76:01:05:fe (oui Unknown), length 46
09:26:47.332854 IP 192.168.1.30.57413 > router.example.com.domain: 11544+ A? p2p.anlian.co. (31)
09:26:47.333058 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:47.334285 IP 192.168.1.30.35320 > router.example.com.domain: 11545+ A? p2p.anlian.co. (31)
09:26:47.334409 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:47.335774 IP 192.168.1.30.51734 > router.example.com.domain: 11546+ A? p2p.anlian.co. (31)
After connecting with the browser, it appears to dial home to China, to a peer-to-peer network.   People seem to answer questions they know nothing about.

With that out of the way, let's see what we have.  I first ran NMAP against the camera :
    root@kali:~# map -sT -O 192.168.1.30
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-20 08:33 MST
Nmap scan report for 192.168.128.31
Host is up (0.0031s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
554/tcp  open  rtsp
7000/tcp open  afs3-fileserver
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=1/20%OT=23%CT=1%CU=39315%PV=Y%DS=2%DC=I%G=Y%TM=5A63616
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=11%GCD=FA00%ISR=9C%TI=I%CI=I%TS=U)OPS(O1=
OS:M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FFFF%W2=FFFF%W3=FFFF
OS:%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=N%T=41%W=FFFF%O=M5B4%CC=N%Q=)T1(R=Y%
OS:DF=N%T=41%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=100%W=0%S=Z%A=S%F=AR%O=%RD
OS:=0%Q=)T3(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=100%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T6(R=Y%DF=N%T=100%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=100%W=0%S=Z%
OS:A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=37%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=N)

Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.18 seconds

root@kali:~#
That looks like the last one, except the ports are different.  Aside from that, pretty near perfect.  This seems to be better in security, though, as every request from Hydra gave us false positives (a basic redirection to another location).
    workstation:~ username$ curl http://192.168.1.30/cgi-bin/something.pl
<root>
<port>9988</port>
<devtype>5932089570895921152</devtype>
<langstrs>ENU FRA DEU ITA PTG RUS ESN</langstrs>
<curlang>ENU</curlang>
<custom>CAMIUS</custom>
<logo>CAMIUS</logo>
<uiversion>0</uiversion>
<sdcardpageshow>0</sdcardpageshow>
<title></title>
<firstloginflag>0</firstloginflag>
<pluginfile>0</pluginfile>
<devicetime>2015-01-14_12-39-53</devicetime>
</root>
workstation:~ username$
So, I can't explore this one like I did HikVision or Hosafe.  Next try is to see if I could find the firmware.  Lo and behold!  A company that allowed the firmware to be downloaded!  Here's why this is beneficial.  We can dismantle the firmware to see what we have in there.  I'd never done this before, so it was an exercise in learning.  Maybe this will help.

Everything I read online explained to use binwalk, then firmware-mod-tools.  I ran binwalk (like I was supposed to), and then firmware-mod-tools to explode what binwalk found :
    root@kali:~# binwalk CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
179268        0x2BC44         CRC32 polynomial table, little endian
180292        0x2C044         CRC32 polynomial table, little endian
245840        0x3C050         uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
263908        0x406E4         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2997312       0x2DBC40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
5733440       0x577C40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
10749816      0xA40778        CRC32 polynomial table, little endian
10750840      0xA40B78        CRC32 polynomial table, little endian
10756235      0xA4208B        LZO compressed data
10818104      0xA51238        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10

root@kali:~# /opt/firmware-mod-kit/trunk/extract-firmware.sh CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
[... a whole lot of compilation errors ...]
@kali:~#
Apparently, the distribution for Kali doesn't compile the firmware-mod-tools.  Then I found a nifty little flag in binwalk that gave me what I needed, which was a nifty little -e option to explode what was found :
    root@kali:~# binwalk -e CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
179268        0x2BC44         CRC32 polynomial table, little endian
180292        0x2C044         CRC32 polynomial table, little endian
245840        0x3C050         uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
263908        0x406E4         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2997312       0x2DBC40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
5733440       0x577C40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
10749816      0xA40778        CRC32 polynomial table, little endian
10750840      0xA40B78        CRC32 polynomial table, little endian
10756235      0xA4208B        LZO compressed data
10818104      0xA51238        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10

root@kali:~# ls -ltr
total 86448
drwxr-xr-x 2 root root     4096 Jan 18 21:09 Videos
drwxr-xr-x 2 root root     4096 Jan 18 21:09 Templates
drwxr-xr-x 2 root root     4096 Jan 18 21:09 Public
drwxr-xr-x 2 root root     4096 Jan 18 21:09 Pictures
drwxr-xr-x 2 root root     4096 Jan 18 21:09 Music
drwxr-xr-x 2 root root     4096 Jan 18 21:09 Downloads
drwxr-xr-x 2 root root     4096 Jan 18 21:09 Documents
drwxr-xr-x 2 root root     4096 Jan 18 21:09 Desktop
Sweet!  I started immediately exploring the system after finding every file now available to me :
    root@kali:~# ls -ltr
total 86448
[... snip ...]
drwxr-xr-x 5 root root     4096 Jan 21 08:00 _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted
root@kali:~#
root@kali:~# cd _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls
2DBC40.squashfs  577C40.squashfs  squashfs-root    squashfs-root-1
406E4            A51238.squashfs  squashfs-root-0
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls squashfs-root
bin   etc   lib         mkimg.rootfs   moudle   plugs  root   sys  var
boot  home  linuxrc     mknod_console  nfsroot  ppp    sbin   tmp
dev   init  lost+found  mnt            opt      proc   share  usr
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# cd squashfs-root
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root# cd etc/
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# ls
boa    fs-version  group   inittab     mtab    passwd-  profile    resolv.conf  udev
fstab  goahead     init.d  mime.types  passwd  ppp      protocols  services
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# cp passwd ~/
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc#
And now I only needed to run john-the-ripper on the password file and locate the proper RTSP stream for motion detection.  However, after a few days of running John, I still didn't have a matching password.  So, I started looking for other ways to gain that access.  But, let's keep digging, just because I am curious.  In the exploded web squashfs, we see just a bit more information :

Hm. A lot of binary files, but some configs.  So, what service is running HTTP?  I believe it is BOA, and in the root FS filesystem's /etc/boa/boa.conf, there is this interesting little setting for the server to run as :
    User 0
Group 0
Huh?  Wow.  If you can run anything on the service, you have ROOT ACCESS! So, let's see what else is in there :
    DocumentRoot /plugs
    [... snip ...]
CGIPath /plugs/cgi-bin:/bin:/usr/bin:/usr/local/bin
[SARCASM] Beautifully secure [/SARCASM]! It looks like if you can get any of the jobs in the cgi-bin directory of the second squashfs, you have a successful breach, because it will run any command as root that is in the /bin or /usr/bin or /usr/local/bin directories.  Unfortunately, there is only one thing in /cgi-bin, and that is media port.cgi, which is an ELF tool :
    root@kali:~# file mediaport.cgi
mediaport.cgi: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
root@kali:~#
This might not be as easy as I was hoping.
Posted by at 0 comments
Labels: , , , , ,

Monday, January 15, 2018

One Small Step for Machine Kind

After having a metal lathe for a while, and really wanting to be able to mill some stuff (for no reason), and (after receiving a 25% off coupon at Horror Fright) I finally knuckled under.  I bought their mini mill.  I ordered it two weeks ago, and received it within 4 days of the order (uh, for freight, that's pretty good).  It shipped via FedEx, and it was boxed up pretty well :



I didn't have immediate time to do anything with it, so the crate sat in the garage for a week and a half.  Today, in order to celebrate diversity, I cracked white wood open to reveal a tool of many colors.  I have to say, it was packed to be protected, too.  Full of styrofoam, my sweet wife said I looked like I cussed a few times trying to get it out.  Ultimately, I dismantled the crate to get to the styrofoam, and then the styrofoam easily popped out.



After taking a quick inventory, I was wondering why I had another handle for the milling head wheel.  The paper said it was a "drawbar".  Someone in China probably didn't realize that a drawbar is a bit different, but hey, it appears like what it was intended for will work fine..


The chuck came mounted in the spindle (R8), and it definitely looks like it is not square (tipped sideways).  That is something easily remedied after tramming a drill press table.  Once I get the space for the mill, I'll clean it all the way up and tram it in.  Hearing that the thread pitch for the tables was not on the half inch, the second thing I did was check the wheel dials, and sure enough, the table is on 0.625" per full turn, while the headstock is 0.60 or 0.060" per rotation :




Well, that is definitely not a deal breaker.  For as cheap as this was, I think it will get my foot in the door on milling, and it will fit my current needs well.  Here is my list of to-do's :


  1. Belt Drive Upgrade (big difference in noise and reducing chattering of endmills from the plastic gears)
  2. Changing headstock spring and moving to a constant force piston
  3. Add a DRO
  4. Square vice or vice jaws
  5. Collets instead of the chuck (already done)
  6. Light on the work area
  7. Traverse endmills (better end mills than the cheap Chinese stuff)
  8. Plastic covers  for the tables/ways (so you have less to clean up)
  9. Depth gauge to work in tight areas (e.g. under the headstock)
  10. Leather wrapping the motor to reduce noise.
  11. Change lead screws from 0.625 pitch to 0.50 pitch)
  12. CnC changes
Posted by at 0 comments
Labels: , , ,

Sunday, January 14, 2018

No Supervision is a Bad Idea

An engineer should never be left alone in a room full of tools and materials with time on his hand.  As an example, here's the latest conversation.

Right Brain: Hey, I could use a laptop stand for my desk.

Left Brain (this is where the argument of NOT having a laptop stand should be) : You have brass.  Brass would look cool as a laptop stand.  Why not use brass to do it?

Right Brain : Great idea!  I have rubber sheets I used to make the brake bleeder jars, and I have some brass flats.  That means I have exactly what I need!  Shall we get started?

Left Brain : I'm not so sure about this... I mean, how could we bend those flats into a laptop stand?

Right Brain : Not a problem.  We have a press, too.  I'll figure that out, you just worry about making it look good enough that Honey Woman will let it stay inside on the desk.

Left Brain : Cool!

So, here's what happened next.  First, the idea went to an "official standards document", and marked into the material :


Then, starting to get things lined up for the bending of the flats.  First, I tried using machinist clamps to bend the bars at the same time.  But that failed to keep the bars lined up (parallel, yes, but they kept pivoting on me).  My next solution worked, and that was using some steel bar as a "clamp".  The brass was drilled and tapped, then the steel was match drilled to the screws and things were screwed tightly together :



Once that was complete and tested to ensure that there was the lack of movement if I twisted the steel, I headed out to the press and started to bend.  I don't have a fancy compact bender, so I had to use the shop press.  That was difficult to work around the tool without having dies, but it still worked out well :


The hardest part of those bends was actually the lip right on the end, with as short as it is.  I ended up starting it with the press to get it marked properly, and then finished the bend using a MAP torch and a hammer on a steel square tubing chunk.  I did some sanding (all of it by hand, actually, because I didn't want concave surfaces), and then coated it with lacquer to keep it from tarnishing :


Once those were complete, I parted off four hex rod pieces.  The length was the width of the flat bars I'd already painted (they'd sit on the bent flats).  I drilled and tapped them through the side and end-to-end.  I stood things up for a quick "fit" check :


Knowing it looked good, I threw the rods into the lathe and cut threads the length of both of them and rounded the ends.  This allowed me to simply thread the rods through the hex "nuts" that were attached to the brass flats, and bind it all together.  Next was a quick run to the basement to try it all out :



Worked out well, and only took me about a day!
Posted by at 0 comments
Labels: , , , , , ,

Tuesday, January 2, 2018

New Years Boredom

What happens on New Years' day when you have 3D printer filament, a messy cupboard containing your shaving supplies, and you are full of boredom?  You make something to hold your razors on the cupboard door, that's what.  It's a nice test of the rapid prototyping techniques and tools.  Here's the details.

First, over the last little while, I kept thinking about trying to mount the razors against the inside of the cupboard door.  It keeps them easily accessible, and leaves the rest of the shelf open for other things like shaving gels and other "keep me in a state my wife is willing to be close to me" stuff.  Yeah, this is serious stuff.  I thought about using some robe-hangers found at the local orange-box-type of store, but didn't think it would work.  (Translation: I was too lazy to go buy one of those and try it.)  New Years' morning, I woke up early (it happens a lot, even if I was up late).  It only took me an hour before I needed to do something constructive (there is only so much screen time I guy can take before his engineering kicks in, you know?).  Then it hit me - why not build my razor hangers?  I have everything I need.

I headed out to the shop and grabbed the calipers (uh, just because I might need 0.005" of accuracy), and took a few measurements of the razors in the position I'd be hanging them.  This would simply give me the basic design of the holders.


Next, I opened OpenSCAD (seriously? Yup, I grew up with POV-Ray, so I am used to using code to set up the object.  It took me an hour to get everything the way I wanted it to look.


After the design and a quick STL export, I loaded it into the printer and hit "run".


My wife and I ran and played some racquetball, then came back to a failed print.  The filament got tangled up, and prevented it from being extruded.  [sigh].  I untangled it, got it set up again (with something to keep it spooling), and hit "run" again.


We ran to see "Star Wars".  Finally saw it.  If I actually cared about my "nerd credentials", I'd have been to see it sooner, but I'm willing to wait.  Visited an "adopted" couple of boys (cute, but bouncing-off-of-the-walls kinds of energy).  Then headed and grabbed dinner, came home, and found a successful print.  I did another one (I have two razors), just for that one.  We watched another movie while we ate dinner (Disney's The Sword in the Stone), and I had two prints ready to be cleaned up and installed in less than 24 hours.


This morning, I cleaned them up (breaking support structures out of the parts), and did some sanding on them with a Dremel to remove some of the hard edges.  They turned out nice, so I grabbed some machine screws and installed them.  I know I could have used some body filler to really smooth them out and painted them, but it just wasn't worth it to me.  My wife somewhat enjoys aesthetics.  To me, it has to have a good function. We are great together, because when our heads work together, we can do some amazing work.  So, they got installed as-is, and are fully functional.


Not a bad little bit of work!
Posted by at 0 comments
Labels: , , , ,
Subscribe to: Posts (Atom)