In a previous guide, I showed you how to use Wireshark to extract images from a surveillance camera over Wi-Fi, provided you know the password. If you do not know the password, you can always get physical with the Hak5 Plunder Bug. With this small LAN tap, we can intercept traffic such as images from a Wi-Fi or IP surveillance camera whenever we have physical access to the Ethernet cable carrying the data.
Many IoT devices use weak security because they are assumed to live on Wi-Fi networks with strong passwords. However, this does not protect them from physical attacks. So if you get access to an Ethernet cable, these devices can often be accessed in unexpected ways without the need for a password.
In this guide, we'll try to retrieve images from a surveillance camera on a local area network whose feed somebody is viewing on a monitor. Our goal is to capture the traffic from the insecure web page on the device and see if we can extract images from the traffic we intercept, allowing us to "see" what the recipient sees.
Limitations of Wi-Fi
While Wi-Fi allows us to see everything that happens on a network, there are also some disadvantages. For the attack we are talking about, we first need to know the password for the Wi-Fi network. We also need to be listening at the moment the device and the wireless router negotiate the keys for their connection.
This means that two major conditions have to be met for the Wi-Fi version to work. First, someone has to be on the network to begin with, and second, we need to know the password to put everything together. Once we have all this information, capturing the images is easy. The hard part can often be the Wi-Fi password.
The Hak5 Plunder Bug is a 10/100 Base-T Fast Ethernet switch that mirrors traffic to a built-in USB Type-C Ethernet adapter. The whole thing can easily be inserted between a router's port and an Ethernet cable, so you can access unencrypted traffic.
What you need
You'll need a wired or wireless surveillance camera connected to your network to experiment with, as well as a "victim" computer watching the camera feed in a browser window. The webcam must use HTTP, not HTTPS. You'll also need a $49.99 Hak5 Plunder Bug and a USB Type-C to USB Type-A cable to connect the bug to your computer.
If you do not have Ethernet cables lying around, you may also need an Ethernet cable to insert the Plunder Bug between the target's Ethernet connection and the router.
To start, you need to access the built-in web interface of the webcam, IP security camera, or DVR system from which you want to intercept images. This attack requires the target to be viewing the camera feed on the insecure website hosted on the device. If HTTPS is used, it will not work. To set up our test computer, we need to open the camera's interface and watch the feed.
In a browser window on your target computer, navigate to the HTTP interface, enter the required password, and start the webcam's live view. Make sure that "HTTP" is enabled, not "HTTPS". Below is a typical login prompt.
If you need to find your camera on the network, you can run an Nmap scan to discover other devices on the network that have open the common HTTP ports often associated with cameras.
You need to know the network range for this command. You can find it by typing ifconfig and copying down the IP address assigned to your computer. Then you can enter ipcalc followed by your IP address to calculate the network range. It should be something like 192.168.0.0/24. Run the following command, replacing 192.168.0.0/24 with your own network range.
sudo nmap -p 80,81,8080,8081 192.168.0.0/24 --open
If you find a device on the network with one of these ports open, you can navigate to it by typing the IP address followed by the port number in a browser window. For example, to navigate to port 8081 on 192.168.0.1, enter 192.168.0.1:8081 in your browser window.
After plugging in the Plunder Bug, you should see a second USB Ethernet device. To check, run ifconfig before and after and look for something like eth1 to appear. If your computer does not have an Ethernet port, eth0 is usually your internal adapter.
eth0: flags=4099  mtu 1500
        ether 50:7b:9d:7a:c8:8a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth1: flags=4163  mtu 1500
        inet6 fe80::e476:ed83:a72c:72b4  prefixlen 64  scopeid 0x20
        ether 00:13:37:a7:25:cf  txqueuelen 1000  (Ethernet)
        RX packets 25  bytes 6272 (6.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 50  bytes 7364 (7.1 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Now that we know the name of the adapter, in this case eth1, we can start Wireshark and monitor the traffic through that interface.
Step 4: Start Wireshark
Even though we have access to the network traffic and have narrowed it down to the target computer, there may be other traffic unrelated to the images we want to capture, which makes it difficult to focus on what we are looking for.
Start Wireshark by selecting it from the applications drop-down menu in Kali or by using a quick search. Next, select the interface we found, in my case eth1.
Double-click the interface to start capturing. A flood of packets should begin to fill the window.
That's far too much traffic to analyze. To cut down the data, we add a display filter that shows only the HTTP traffic flowing on the network. In the Wireshark main view, enter http in the display filter bar.
This shows only the HTTP traffic sent to the computer we are monitoring, filtering our view even further until we see just the traffic from the insecure web app. Now we have to decode the intercepted packets into images so that we can see what our target is seeing. Stop Wireshark by clicking the red square, and we'll export the JPEG images we've captured.
Now that we can see the HTTP traffic from the web app, we have to select the encoded JPEG files and turn them into something we can work with. Click "File" and then "Export Objects". We will export the HTTP objects that were found, so click "HTTP" to open the object list.
The HTTP object list shows a list of HTTP objects we intercepted. Here we can see the JPEG images we want to decode. You can select one or all and then click "Save" or "Save All" and select a location to which you want to export the files.
Click Close and navigate to the folder where you exported the images. You should see a list of the files that Wireshark exported from our capture. There will be more or fewer of them depending on how long you ran the capture.
Finally, click on one of the images to display a picture that was intercepted on its way to the target computer. You should see a frame from the video feed!
As the Plunder Bug shows, physical access is everything. In particular, for IoT devices designed for use within a protected LAN, physical access to the network may inadvertently allow access to devices such as surveillance cameras. More advanced IoT devices that use HTTPS are protected from these attacks because their traffic is encrypted end to end, but critical details such as HTTPS security are often overlooked when connected devices are developed.
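A defender's view of the same device, as an added example that is not part of the original guide: because the Plunder Bug is a 10/100 switch that has to be cabled inline, inserting it on a gigabit link causes a link drop followed by renegotiation at 100 Mb/s or lower. The Python below flags that pattern in link-state logs; the log format, interface names, timestamps and the function name are constructed for illustration.

```python
import re

# Constructed sample lines in a simplified "<timestamp> <iface>: Link is ..."
# format. Real NIC and switch drivers word these messages differently, so
# adapt LINK_RE to the logs you actually collect.
SAMPLE_LOG = """\
2024-05-01T09:00:02 eth0: Link is Up - 1000Mbps/Full
2024-05-01T09:00:02 eth2: Link is Up - 1000Mbps/Full
2024-05-01T09:00:03 eth3: Link is Up - 100Mbps/Full
2024-05-01T14:31:10 eth2: Link is Down
2024-05-01T14:31:41 eth2: Link is Up - 100Mbps/Full
2024-05-01T16:05:00 eth0: Link is Down
2024-05-01T16:05:04 eth0: Link is Up - 1000Mbps/Full
"""

LINK_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+): Link is "
    r"(?:Down|Up - (?P<speed>\d+)Mbps/\w+)$"
)

def find_speed_downgrades(log_text, max_tap_speed=100):
    """Return one alert per port that dropped and came back slower, at a
    speed a 10/100 inline device could have negotiated."""
    last_speed = {}   # iface -> speed in Mb/s at the last link-up
    down_since = {}   # iface -> timestamp of the pending link-down
    alerts = []
    for line in log_text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        iface, ts = m["iface"], m["ts"]
        if m["speed"] is None:          # "Link is Down"
            down_since[iface] = ts
            continue
        speed = int(m["speed"])
        before = last_speed.get(iface)
        if (iface in down_since and before is not None
                and speed < before and speed <= max_tap_speed):
            alerts.append({"iface": iface, "down": down_since[iface],
                           "up": ts, "before": before, "after": speed})
        down_since.pop(iface, None)
        last_speed[iface] = speed
    return alerts

if __name__ == "__main__":
    for a in find_speed_downgrades(SAMPLE_LOG):
        print(f"{a['iface']}: {a['before']} -> {a['after']} Mb/s "
              f"(down {a['down']}, up {a['up']})")
```

A port that was already running at 100 Mb/s shows only the link flap, so this check is best paired with alerts on link-down events for ports that should never be unplugged.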
This is just the beginning of what you can do with this great Hak5 tool. You can get a Plunder Bug from the Hak5 shop and search the official documentation for more information on setting the device's active and passive modes.
I hope you have enjoyed this guide to using the Hak5 Plunder Bug to intercept webcam images. If you have questions about this tutorial on LAN taps or have a comment, feel free to post it in the comments or reach me on Twitter @KodyKinzie.