mailto: blog -at- heyrick -dot- eu

Camera scanning

My IP camera comes with a manufacturer DDNS whereby an address in the form will redirect to the current IP/port of the camera. Well, that's the plan but I disabled this and set the IP address known to the system to be some random made-up address.
Yes - in the context of great security, the password for updating the DDNS is hardcoded into the firmware. This means that it would be quite possible - easy in fact - for me to whizz through the address space provided by the DDNS and point them all at something else. This, ladies and gentlemen, is why the IoT will fail.

The first task is to search for anything interesting in the DDNS range. The "xxx" part is a number. I presume from 000 to 999. The "yyyy" part is lowercase letters. I presume from "aaaa" to "zzzz". So I looked for 000aaaa, then 000aaab, 000aaac, you get the idea.

For this, I simply iterate the address space, passing the request to wget, throwing away the fetched result (if anything) and looking at what the header status says. The status will be one of two things. It will be 200 OK if the response is to say "OFFLINE", or it will be 302 Found if the response is a redirection; in which case the headers will also contain a "Location:" line that points to the IP address of the camera.

The command to do all of this is:

wget -PNull: -q -S -T 5 --max-redirect=0 <address> { > RAM:$.wgetlog }
-PNull: sends anything received to the Null: device, essentially throwing it away.
-q tells wget to be quiet, so all that is returned are the headers, not all the usual chatter.
-S means print out the headers.
-T 5 means set all of the timeouts to five seconds, to avoid hanging up the machine if something is wrong.
--max-redirect=0 defeats wget attempting to follow redirections. If it does this and there's nothing there, the machine will hang as wget will wait...and wait...and wait. Don't know why the 5 sec timeout is not obeyed, but there you go.
The { > RAM:$.wgetlog } at the end will redirect all printed output to a file on RAMdisc called "wgetlog". If you are scanning many addresses (aaaa to zzzz works out to be a little under half a million different potential addresses), don't clobber your SD card when you can just dump info to RAMdisc!

From there, it is pretty easy to extract the IP addresses provided and build a page that lists them. I left mine running and I collected some three thousand odd links. I cheated slightly here as I was not seeing anything at all on 000xxxx addresses, so I noticed that my camera uses an 0005xxxx address, so I decided to try that and sure enough the links poured in. I left it running for about eight hours and scanned from 005aaaa to 005apgo.
Now the interesting thing is that I looked at the first sixty or so entries using port 80, on the basis that somebody who changed the port is going to be smart enough to also change the password, and I noticed that there was a lot of rubbish that was not an IP camera. I spotted a DVR login, a couple of IIS logins. But most of the links were dead. I looked up my own camera's DDNS and it was still listed using the bogus IP address. I wonder what determines when and if the server reports OFFLINE? Maybe that is reserved for DDNS entries that have never been set?
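Seen from the DDNS operator's side, a walk through the identifier space like the one described above stands out in the lookup log. The following is an added example, not code from this post or from the camera vendor; the log format (timestamp, client IP, identifier) and the sample lines are constructed for illustration, and only the three-digit, four-letter identifier layout comes from the text.

```python
import re

# Identifier layout described in the post: three digits, then four lowercase letters.
ID_RE = re.compile(r"^(\d{3})([a-z]{4})$")
SPACE = 26 ** 4  # letter combinations per numeric prefix (456,976)

def ordinal(ident):
    """Map an identifier such as '005aaab' to its position in the address space."""
    m = ID_RE.match(ident)
    if not m:
        return None
    letters = 0
    for ch in m.group(2):
        letters = letters * 26 + (ord(ch) - ord("a"))
    return int(m.group(1)) * SPACE + letters

def enumerating_clients(log_lines, min_run=5):
    """Return {client: longest run} for clients that request identifiers in order."""
    last, run, longest = {}, {}, {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, pos = parts[1], ordinal(parts[2])
        if pos is None:
            continue  # not an identifier in the expected layout
        consecutive = client in last and pos == last[client] + 1
        run[client] = run[client] + 1 if consecutive else 1
        last[client] = pos
        longest[client] = max(longest.get(client, 0), run[client])
    return {c: n for c, n in longest.items() if n >= min_run}

# Constructed sample log (hypothetical format): one client walks the space in
# order, including a letter carry from 'aaaz' to 'aaba'; the others look up one name.
SAMPLE_LOG = [
    "2017-01-21T10:00:00Z 192.0.2.10 005aaay",
    "2017-01-21T10:00:01Z 198.51.100.7 005kqzd",
    "2017-01-21T10:00:02Z 192.0.2.10 005aaaz",
    "2017-01-21T10:00:03Z 192.0.2.10 005aaba",
    "2017-01-21T10:00:04Z 203.0.113.4 012bnma",
    "2017-01-21T10:00:05Z 192.0.2.10 005aabb",
    "2017-01-21T10:00:06Z 198.51.100.7 005kqzd",
    "2017-01-21T10:00:07Z 192.0.2.10 005aabc",
    "2017-01-21T10:00:08Z 192.0.2.10 005aabd",
]

if __name__ == "__main__":
    print(enumerating_clients(SAMPLE_LOG))
```

A client flagged this way is a candidate for rate limiting; the run threshold is an assumption to tune against real traffic.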

The address resolves to be which is an Amazon AWS service, specifically which is in Dublin.

I found one camera, which gave itself away by being called "ipcamera_xxxxxxxxxx" where the x was the device MAC address, which was in the block assigned to Shenzhen Smarteye Digital Electronics Co., the same group that make pretty much all of these cheap cameras. The user, based in Germany according to the IP address, had changed the password away from the default (I tried several). So, one camera found and it is secured with a non-default password. That's good to see. Additionally, there is no telnet access to the device. Even better.

I've dumped my scan results here if you're interested (166KiB).

I could probably automate a further scan to see if anything responds, and keep only the IP addresses with something present, but to be honest it's a lot of bother for not a lot of payoff. I would imagine my chance of hitting an unsecured device (that hasn't already been hijacked by Mirai) when running a small scale scan from my Pi is about equal to my winning the EuroMillions jackpot. This was more a proof of concept, and I did create a DDNS list and I did find a camera on port 80. So, concept validated. I'll now shuffle off and do something else with my time, like watch DVDs. ☺


I picked up series 1 to 3 of Glee (if you've never heard of it - it's a series set in a generic American high school where a bunch of people sing, like, all the time). I'm not a fan of the series given that it is autotuned beyond the point of insanity, however with twenty DVDs (what is that, about fifty hours of screen time?) all costing a mere one euro (yikes!), I figure that should I ever be unfortunate enough to be admitted to hospital, I'll just take my portable DVD player and its charger, and my Glee box. Three series of autotuned vocals ought to either send me to the loony bin, or be a great incentive to break into the OR, perform the necessary manoeuvres on myself, and then get the hell out of hospital. As I'm no surgeon, I don't know anything about surgery, so I'd need to Google it. So, yeah, expect me to leave hospital with extra limbs attached. You know what Google is like if you ask it a medical question... Still, there's a great benefit to having four arms. I can program, hold a doughnut, and masturbate all at the same time.
Oh, wait, you thought this was going to be a serious blog post? Come on, Trump got put in office yesterday. May made her speech last week. I feel like this is what the world would be like if I got hooked on hard drugs, only this is what the world is really like and that's pretty bloody messed up.
Okay. Guys? I'm waiting for the mothership to come and take me home now. Hello?




© 2017 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.

