The basic functionality of the application is as follows:
- Application sends out a UDP broadcast on port 5978
- Camera sees the broadcast on port 5978 and inspects the payload – if it sees that the initial part of the payload contains "FF FF FF FF FF FF" it responds (UDP broadcast port 5978) with an encoded payload with its own MAC address
- Application retrieves the camera's response and creates another UDP broadcast but this time it sets the payload to contain the target camera's MAC address, this encoded value contains the command to send over the password
- Camera sees the broadcast on port 5978 and checks that it is meant for it by inspecting the MAC address that has been specified in the payload, it responds with an encoded payload that contains its password (base64 encoded)
After spending some time with the application in a debugger I found what looked like it was responsible for the decoding of the encoded values that are passed:
super exciting screen shot. |
Translated into english: the application first uses a lookup table to translate every byte in the input string, to do this it uses the value of the current byte as an offset into the table. After it is done with "stage1" it traverses the translated input buffer a dword at a time and does some bit shifting and addition to fully decode the value. The following roughly shows the "stage2" routine:
(Dword[0] << 2) + (Dword[1] >> 4) = unencoded byte 1
(Dword[1] << 4) + (Dword[2] >> 2) = unencoded byte 2
(Dword[2] << 6) + Dword[3] = unencoded byte 3
I then confirmed that this routine worked on an "encoded" value that went over the wire from the application to the camera. After confirming the encoding scheme worked, I recreated the network transaction the application does with the camera to create a stand alone script that will retrieve the password from a camera that is on the same lan as the "attacker". The script can be found here, thanks to Jason Doyle for the original finding (@jasond0yle ).
More information
- Pentest Automation Tools
- Blackhat Hacker Tools
- Best Hacking Tools 2020
- Hackers Toolbox
- Ethical Hacker Tools
- Pentest Tools Find Subdomains
- Hacking Tools For Mac
- Wifi Hacker Tools For Windows
- How To Install Pentest Tools In Ubuntu
- Pentest Tools Website Vulnerability
- Free Pentest Tools For Windows
- Pentest Tools Free
- Hacker Hardware Tools
- Hacking Tools For Pc
- Hack Tools
- Hacking Tools 2019
- New Hack Tools
- Termux Hacking Tools 2019
- Hacker Tools Windows
- Pentest Tools Android
- Hacking Tools Software
- Hacking Tools Name
- Pentest Tools Port Scanner
- Underground Hacker Sites
- Hack Tools Online
- Hack Tools For Windows
- Nsa Hack Tools Download
- Pentest Tools Bluekeep
- Hack Tool Apk
- Hack Tools 2019
- Tools 4 Hack
- Usb Pentest Tools
- Hack Tools Github
- Hacking Tools Github
- Nsa Hack Tools Download
- Termux Hacking Tools 2019
- Hacking Tools For Windows 7
- Hacking Tools For Beginners
- Hacker
- Hack Tools Pc
- Ethical Hacker Tools
- Hack Tool Apk
- Hacker
- Nsa Hacker Tools
- Hacker Tools Windows
- Top Pentest Tools
- Hacking App
- Hacking Tools Windows
- New Hack Tools
- Pentest Tools Download
- Hacking Tools
Nenhum comentário:
Postar um comentário