The basic functionality of the application is as follows:
- Application sends out a UDP broadcast on port 5978
- Camera sees the broadcast on port 5978 and inspects the payload – if the initial part of the payload contains "FF FF FF FF FF FF", it responds (UDP broadcast, port 5978) with an encoded payload containing its own MAC address
- Application receives the camera's response and sends another UDP broadcast, this time with a payload that contains the target camera's MAC address; this encoded value carries the command to send over the password
- Camera sees the broadcast on port 5978 and checks that it is the intended recipient by inspecting the MAC address specified in the payload; it responds with an encoded payload that contains its password (base64 encoded)
After spending some time with the application in a debugger, I found the routine that appeared to be responsible for decoding the encoded values that are passed:
[Image caption: super exciting screen shot.]
Translated into English: the application first uses a lookup table to translate every byte in the input string, using the value of the current byte as an offset into the table. After it is done with "stage1", it traverses the translated input buffer a dword at a time and does some bit shifting and addition to fully decode the value. The following roughly shows the "stage2" routine:
(Dword[0] << 2) + (Dword[1] >> 4) = unencoded byte 1
(Dword[1] << 4) + (Dword[2] >> 2) = unencoded byte 2
(Dword[2] << 6) + Dword[3] = unencoded byte 3
I then confirmed that this routine worked on an "encoded" value that went over the wire from the application to the camera. After confirming that the decoding scheme worked, I recreated the network transaction the application performs with the camera to create a standalone script that retrieves the password from a camera on the same LAN as the "attacker". The script can be found here; thanks to Jason Doyle for the original finding (@jasond0yle).
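The two stages described above amount to a base64-style decode with a substitution table, so the encoding carries no key and gives no confidentiality on the wire. The sketch below is an added example, not the original script or the application's code; the page does not reproduce the application's lookup table, so the standard base64 alphabet stands in for it as an assumption, and the function names are hypothetical.

```python
import base64
import string

# ASSUMPTION: the real lookup table is not given on the page. The standard
# base64 alphabet is used here as a constructed stand-in.
ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
            + string.digits + "+/").encode()

def build_table(alphabet: bytes) -> bytes:
    """256-entry stage1 table: input byte -> 6-bit value (0xFF = not in table)."""
    table = bytearray([0xFF] * 256)
    for value, symbol in enumerate(alphabet):
        table[symbol] = value
    return bytes(table)

def stage1(encoded: bytes, table: bytes) -> bytes:
    """Translate every input byte, using its value as an offset into the table."""
    return encoded.translate(table)

def stage2(translated: bytes) -> bytes:
    """Walk the buffer four bytes at a time, packing 4 x 6 bits into 3 bytes."""
    if len(translated) % 4:
        raise ValueError("input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(translated), 4):
        b0, b1, b2, b3 = translated[i:i + 4]
        if 0xFF in (b0, b1, b2, b3):
            raise ValueError("byte outside the lookup table")
        # Same shifts and additions as the stage2 lines above, truncated to a byte.
        out.append(((b0 << 2) + (b1 >> 4)) & 0xFF)
        out.append(((b1 << 4) + (b2 >> 2)) & 0xFF)
        out.append(((b2 << 6) + b3) & 0xFF)
    return bytes(out)

def decode(encoded: bytes, alphabet: bytes = ALPHABET) -> bytes:
    """Run stage1 then stage2 over an encoded value."""
    return stage2(stage1(encoded, build_table(alphabet)))

if __name__ == "__main__":
    # Constructed sample: 12 input bytes, so the encoding needs no padding.
    sample = base64.b64encode(b"constructed!")
    print(decode(sample))
```

Swapping in a different 64-symbol alphabet changes only the stage1 table; stage2 is unchanged, which is why recovering the table from the binary is enough to read every value the protocol sends.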