Cheap ONVIF camera hacking | Lukasz Baran personal dev-blog

Recently I’ve bought some cheap IP CCTV cameras. This post tries to summarize what ports are available on such devices as the docs on the internet are really weak:

standard telnet port – you can login as root with password xmhdipc. Yes, the password seems to be the same on all devices

8899 – ONVIF W/S protocol

<SOAP-ENV:Envelope>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Client</faultcode>
<faultstring>HTTP GET method not implemented</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

34567 – what is it
554 – is supposed to be RTSP protocol

However, the tested device opens more ports, you can see them when you login to shell:

# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:34561           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8899            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34599           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34567           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9527            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN
tcp        0    139 192.168.1.11:telnet     192.168.1.29:33700      ESTABLISHED
tcp        0      0 192.168.1.11:8899       192.168.1.74:34803      ESTABLISHED
tcp        0      0 192.168.1.11:34567      192.168.1.29:26664      ESTABLISHED
tcp        0      0 192.168.1.11:9527       192.168.1.29:34079      ESTABLISHED

The port 9527 seemed interesting – here is what can be observed on that port:

1], s_NatRunStatus[2]OnNatProbe: 52.29.246.211 : 8000 
username:password:login(Host: 192.168.1.11:9527, ******, Console, address:)
user:Host: 192.168.1.11:9527 account invalid
User not valid!
user name:password:login(Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, ******, Console, address:)
user:Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 account invalid
User not valid!
user name:password:login(Accept-Encoding: gzip, deflate, ******, Console, address:)
user:Accept-Encoding: gzip, deflate account invalid
User not valid!
user name:password:login(Connection: keep-alive, ******, Console, address:)
user:Connection: keep-alive account invalid
User not valid!
user name:password:OnNatProbe: run Status[1], s_NatRunStatus[2]OnNatProbe: 52.29.246.211 : 8000 
Transport: Client ID[3] ---> SetDeadFlag to 1
Transport: SetDeadFlag --->Enter  
Transport: SetDeadFlag --->Exit 
Transprot: New Client ID[3] ___!!!___
@@@FILE -> ../..//Source/TransportClient.cpp, LINE -> 399Transport: client connect error
@@@FILE -> ../..//Source/TransportClient.cpp, LINE -> 214Treansport: ConnectSocket Failed 
_______DAS   Connct  IP[192.168.1.67]    Port [9400]   Failed!______ 
OnNatProbe: run Status[1], s_NatRunStatus[2]OnNatProbe: 52.29.246.211 : 8000 
Transport: Client ID[3] ---> SetDeadFlag to 1
Transport: SetDeadFlag --->Enter  
Transport: SetDeadFlag --->Exit 
Transprot: New Client ID[3] ___!!!___