Cheap ONVIF camera hacking

I recently bought some cheap IP CCTV cameras. This post tries to summarize what ports are available on such devices, as the docs on the internet are really weak:

  • standard telnet port – you can log in as root with password xmhdipc. Yes, the password seems to be the same on all devices
  • 8899 – ONVIF W/S protocol; an HTTP GET request gets this SOAP fault back:
    <SOAP-ENV:Envelope>
    <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
    <faultcode>SOAP-ENV:Client</faultcode>
    <faultstring>HTTP GET method not implemented</faultstring>
    </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    
  • 34567 – what is it?
  • 554 – supposed to be the RTSP protocol

However, the tested device opens more ports; you can see them when you log in to the shell:

# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:34561           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8899            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34599           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34567           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9527            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN
tcp        0    139 192.168.1.11:telnet     192.168.1.29:33700      ESTABLISHED
tcp        0      0 192.168.1.11:8899       192.168.1.74:34803      ESTABLISHED
tcp        0      0 192.168.1.11:34567      192.168.1.29:26664      ESTABLISHED
tcp        0      0 192.168.1.11:9527       192.168.1.29:34079      ESTABLISHED
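
To make the gap between the listed ports and what the device really exposes explicit, here is an added example (not part of the original post) that parses the netstat output above and reports listeners missing from the bullet list, plus which listening ports currently have peers connected. The `LISTED` set is taken from the bullets, and the mappings telnet=23 and www=80 are the standard service-name aliases netstat prints when run without `-n`.

```python
# Added example: audit the camera's netstat output against the ports listed in the post.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:34561           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8899            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34599           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:34567           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9527            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN
tcp        0    139 192.168.1.11:telnet     192.168.1.29:33700      ESTABLISHED
tcp        0      0 192.168.1.11:8899       192.168.1.74:34803      ESTABLISHED
tcp        0      0 192.168.1.11:34567      192.168.1.29:26664      ESTABLISHED
tcp        0      0 192.168.1.11:9527       192.168.1.29:34079      ESTABLISHED
"""

LISTED = {23, 8899, 34567, 554}        # ports named in the post's bullet list
ALIASES = {"telnet": 23, "www": 80}    # service names netstat prints without -n


def to_port(token):
    """Map a netstat port token (number or service alias) to a port number."""
    return int(token) if token.isdigit() else ALIASES.get(token, token)


def audit(text):
    """Return (unlisted listening ports, {listening port: [peer addresses]})."""
    listening, peers = set(), {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] not in ("tcp", "tcp6"):
            continue                    # skip the header and non-TCP rows
        local_port = to_port(fields[3].rpartition(":")[2])
        if fields[5] == "LISTEN":
            listening.add(local_port)
        elif fields[5] == "ESTABLISHED":
            peers.setdefault(local_port, []).append(fields[4].rpartition(":")[0])
    # Numeric ports first in ascending order; unknown service aliases last.
    unlisted = sorted(listening - LISTED, key=lambda p: (isinstance(p, str), p))
    in_use = {p: hosts for p, hosts in peers.items() if p in listening}
    return unlisted, in_use


if __name__ == "__main__":
    unlisted, in_use = audit(NETSTAT)
    print("listening but not in the list:", unlisted)
    for port, hosts in in_use.items():
        print(f"port {port} has peers: {', '.join(hosts)}")
```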

Port 9527 seemed interesting – here is what can be observed on that port:

1], s_NatRunStatus[2]OnNatProbe: 52.29.246.211 : 8000 
username:password:login(Host: 192.168.1.11:9527, ******, Console, address:)
user:Host: 192.168.1.11:9527 account invalid
User not valid!
user name:password:login(Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, ******, Console, address:)
user:Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 account invalid
User not valid!
user name:password:login(Accept-Encoding: gzip, deflate, ******, Console, address:)
user:Accept-Encoding: gzip, deflate account invalid
User not valid!
user name:password:login(Connection: keep-alive, ******, Console, address:)
user:Connection: keep-alive account invalid
User not valid!
user name:password:OnNatProbe: run Status[1], s_NatRunStatus[2]OnNatProbe: 52.29.246.211 : 8000 
Transport: Client ID[3] ---> SetDeadFlag to 1
Transport: SetDeadFlag --->Enter  
Transport: SetDeadFlag --->Exit 
Transprot: New Client ID[3] ___!!!___
@@@FILE -> ../..//Source/TransportClient.cpp, LINE -> 399Transport: client connect error
@@@FILE -> ../..//Source/TransportClient.cpp, LINE -> 214Treansport: ConnectSocket Failed 
_______DAS   Connct  IP[192.168.1.67]    Port [9400]   Failed!______ 
OnNatProbe: run Status[1], s_NatRunStatus[2]OnNatProbe: 52.29.246.211 : 8000 
Transport: Client ID[3] ---> SetDeadFlag to 1
Transport: SetDeadFlag --->Enter  
Transport: SetDeadFlag --->Exit 
Transprot: New Client ID[3] ___!!!___