Hi guys,
Recently, I learned about IP camera devices to serve my work. I have found some pretty good knowledge. In this post, I will share to you the little knowledge I have learned.
What is Ip camera?
An Internet Protocol camera, or IP camera, is a type of digital video camera that receives control data and sends image data via the Internet. They are commonly used for surveillance. Unlike analog closed-circuit television(CCTV) cameras, they require no local recording device, but only a local area network. Most IP cameras are webcams, but the term IP camera or netcam usually applies only to those used for surveillance that can be directly accessed over a network connection.(Wikipedia)
Some IP cameras require support of a central network video recorder (NVR) to handle the recording, video and alarm management. Others are able to operate in a decentralized manner with no NVR needed, as the camera is able to record directly to any local or remote storage media. The first centralized IP camera was Axis Neteye 200, released in 1996 by Axis Communications.(Wikipedia)
The methods to hack Ip camera
-
Use a website that shows hacked CCTV cameras
This is not really hacking, but it’s the easiest method. You just visit a website that list a lot of hacked CCTV cameras and you just need to watch them.
Those website are created by hackers that get into IP CCTV cameras or DVRs (Digital Video Recorders) and let the information available for you for free.
So, in the end of the day you are not hacking anything but just watching CCTV camera that have been hacked by somebody else.
See below an example of a website that show such hacked CCTV cameras:
The website lists CCTV hacked cameras around the world and organize them by manufacturers, countries, places, cities and timezone.
See below an example of live CCTV cameras installed on malls.
The website administrator claims that this The world biggest directory of online surveillance security cameras and that no privacy of individuals will be respected by showing only filtered cameras (whatever this means).
According to a message in the main page, the CCTV camera can be removed from the site when somebody send an email asking for it.
-
Hack CCTV camera using default passwords
When installing cctv devices the user did not change the default configuration, especially the username, that password gave the hacker the opportunity to hack into those devices and perform malicious actions.
For each manufacturer, we list the username first and pasword section in the following format: username/password. Where manufacturers have multiple defaults:
| Camera Manufacturer | username | Password | Default IP |
|---|---|---|---|
| 3xLogic | admin | 12345 | 192.0.0.64 |
| ACTi | Admin | 123456 | 192.168.0.100 |
| ACTi | admin | 123456 | 192.168.0.100 |
| Arecont | admin | DHCP | |
| Amcrest | admin | admin | DHCP |
| American Dynamics | admin | admin | DHCP |
| American Dynamics | admin | 9999 | DHCP |
| Arecont Vision | none | DHCP | |
| AvertX | admin | 1234 | DHCP |
| Avigilon | admin | admin | DHCP |
| Avigilon | Administrator | DHCP | |
| Axis | root | pass | 192.168.0.90 |
| Axis | root | 192.168.0.90 | |
| Basler | admin | admin | DHCP |
| Bosch | none | DHCP | |
| Bosch | service | service | 192.168.0.1 |
| Bosch | Dinion | 192.168.0.1 | |
| Brickcom | admin | admin | 192.168.1.1 |
| Canon | root | camera | DHCP |
| Canon | root | Model # of camera | 192.168.100.1 |
| CBC Ganz | admin | admin | 192.168.100.x |
| Cisco | no default | 192.168.0.100 | |
| CNB | root | admin | 192.168.123.100 |
| Costar | root | root | DHCP |
| Dahua | admin | admin | 192.168.1.108 |
| Dahua | 888888 | 888888 | 192.168.1.108 |
| Dahua | 666666 | 666666 | 192.168.1.108 |
| Digital Watchdog | admin | admin | DHCP |
| DRS | admin | 1234 | DHCP |
| DVtel | Admin | 1234 | 192.168.0.250 |
| DynaColor | Admin | 1234 | DHCP |
| FLIR | admin | fliradmin | DHCP |
| FLIR (Dahua OEM) | admin | admin | DHCP |
| FLIR (Quasar/Ariel) | admin | admin | DHCP |
| Foscam | admin | DHCP | |
| GeoVision | admin | admin | 192.168.0.10 |
| Grandstream | admin | admin | 192.168.1.168 |
| GVI | Admin | 1234 | 192.168.0.250 |
| HIKVision | admin | 12345 | 192.0.0.64 |
| Honeywell | admin | 1234 | DHCP |
| Honeywell | administrator | 1234 | DHCP |
| IndigoVision (Ultra) | none | DHCP | |
| IndigoVision (BX/GX) | Admin | 1234 | DHCP |
| Intellio | admin | admin | DHCP |
| Interlogix | admin | 1234 | DHCP |
| IOImage | admin | admin | 192.168.123.10 |
| IQInvision | root | system | DHCP |
| IPX-DDK | root | admin | 192.168.1.168 |
| IPX-DDK | root | Admin | 192.168.1.168 |
| JVC | admin | jvc | DHCP |
| JVC | admin | Model # of Camera | DHCP |
| Longse | admin | 12345 | DHCP |
| Lorex | admin | admin | DHCP |
| LTS | admin | 12345 | DHCP |
| March Networks | admin | DHCP | |
| Merit Lilin Camera | admin | pass | DHCP |
| Merit Lilin Recorder | admin | 1111 | DHCP |
| Messoa | admin | Model # of Camera | 192.168.1.30 |
| Mobotix | admin | meinsm | DHCP |
| Northern | admin | 12345 | DHCP |
| Oncam | admin | admin | DHCP |
| Panasonic | admin | 12345 | 192.168.0.253 |
| Panasonic | admin1 | password | 192.168.0.253 |
| Pelco | admin | admin | DHCP |
| PiXORD | admin | admin | 192.168.0.200 |
| PiXORD | root | pass | 192.168.0.200 |
| Q-See | admin | admin | DHCP |
| Q-See | admin | 123456 | DHCP |
| QVIS | Admin | 1234 | 192.168.0.250 |
| Reolink | admin | DHCP | |
| Samsung Electronics | root | root | DHCP |
| Samsung Electronics | admin | 4321 | DHCP |
| Samsung Techwin (old) | admin | 1111111 | DHCP |
| Samsung (new) | admin | 4321 | DHCP |
| Samsung | root | 4321 | 192.168.1.200 |
| Samsung | root | admin | 192.168.1.200 |
| Samsung | admin | 4321 | 192.168.1.200 |
| Samsung | admin | 1111111 | 192.168.1.200 |
| Sanyo | admin | admin | 192.168.0.2 |
| Scallop | admin | password | DHCP |
| Sentry360 (mini) | admin | 1234 | DHCP |
| Sentry360 (pro) | none | DHCP | |
| Sentry 360 | Admin | 1234 | 192.168.0.250 |
| Sony | admin | admin | 192.168.0.100 |
| Speco | admin | 1234 | DHCP |
| Speco | root | root | 192.168.1.7 |
| Speco | admin | admin | 192.168.1.7 |
| Stardot | admin | admin | DHCP |
| Starvedia | admin | DHCP | |
| Sunell | admin | admin | DHCP |
| Swann | admin | 12345 | DHCP |
| Trendnet | admin | admin | DHCP |
| Toshiba | root | ikwd | DHCP |
| Toshiba | root | ikwb | 192.168.0.30 |
| VideoIQ | supervisor | supervisor | DHCP |
| Vivotek | root | DHCP | |
| Ubiquiti | ubnt | ubnt | 192.168.1.20 |
| Uniview | admin | 123456 | DHCP |
| Verint | admin | admin | DHCP |
| VideoIQ | supervisor | supervisor | DHCP |
| Vivotek | root | DHCP | |
| W-Box (Hikvision OEM, old) | admin | wbox123 | DHCP |
| W-Box (Sunell OEM, new) | admin | admin | DHCP |
| Wodsee | admin | DHCP |
To make the exploit we can use the Hydra tool.
Example: hydra -l Username -P password.txt IP:port(victim)
File password.txt
Result:
-
Hack CCTV camera using exploit vulnerabilities
In this section, we have a lot of exploitation options. In the article scope of my article, I will introduce you a tool to exploit the error of Netwave IP cameras.
NETSCRAPED EXPLOIT TOOL
Framework for obtaining all the credentials stored in vulnerable Netwave IP cameras. Can be used to break into IP cameras, use for research only.
Prerequisites
You’re required to install Python 3.x
apt-get install python3
You also require to have Shodan module installed
pip install shodan
You need cURL for this to work as well
apt-get install curl
Using Shodan API
This tool requires you to own an upgraded Shodan API
You may obtain one for free in Shodan if you sign up using a .edu email.
Result:
