Tuesday, May 15, 2012 At 5:10AM
A new module for the Metasploit Framework discovers and tests the security of numerous standalone CCTV (Closed Circuit Television) video surveillance systems. Such systems are frequently deployed in retail stores, living communities, personal residences, and business environments as part of their physical security policy. However, many of these systems are vulnerable to exploitation that can allow attackers remote access. Such remote access, enabled by default, can allow not only the ability to view real-time video, but control of the cameras (if supported), and provide access to archived footage. Many owners of CCTV video surveillance systems may not even be fully aware of the device’s remote access capabilities as monitoring may be conducted exclusively via the local video console. This further increases the likelihood of attackers gaining/persisting remote access, with no indication to the owner that their video surveillance system and archived footage may be accessed remotely.
This module targets standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and a substantial number of other rebranded devices.
Background
Here at GDS, we often encounter video surveillance systems during penetration testing engagements – some of which may be exposed to the Internet, either intentionally or by accident. With any video surveillance system it is often interesting (and sometimes very important) to find out exactly what cameras are monitoring/recording within the environment. Furthermore, access to such systems can often be utilized to support physical security testing initiatives.
Technical Details
Interacting with the standalone CCTV system can be achieved via a Win32 thick client, a mobile device (Android/iPhone/Windows Mobile), or an IE ActiveX control in which a user name and password are required. Typically, in over 70% of cases the device is still configured with the default vendor password which allows trivial access to real time video, the ability to control PTZ (pan-tilt-zoom) cameras, and access to any archived footage. Unfortunately (for us) in this case, the default password to the Internet facing systems had been changed, warranting a more aggressive approach.
The first step was to gain a better understanding of the authentication mechanism. As it turned out the ActiveX control was not proxy aware, and did not handle authentication over the HTTP protocol. Enter Wireshark.
Wireshark revealed that the ActiveX client handles authentication over port 5920/TCP by first sending an 8-byte packet (notifying the server to prepare for authentication), followed by a 128-byte packet containing the user name and password (in clear-text).
The figure above displays the TCP stream of data sent and then received by the ActiveX control. First attempted was the user ‘admin’ with a password of ‘1234’ in which the ActiveX client returned the message “password error”. Next tried was the user name ‘test’ with a password of ‘1234’. This attempt returned the client side response “id error” as well as a different sequence of bytes, as can be observed in the figure below. Note the differences marked in red.
Based on the difference in responses, we know it’s possible to confirm valid users as well as invalid users. But what about other types of authentication responses? There are numerous methods that can be utilized to achieve this such as reverse engineering the ActiveX control, utilizing a generic network proxy, or via a MITM (man-in-the-middle) attack.
In this case, this most time effective solution was to utilize a proxy such as Echo Mirage, a generic network proxy that can be utilized to intercept and modify network data for non-proxy aware applications. As demonstrated in the figure below, this tool can be attached to the running process (iexplorer.exe) and then the response traffic intercepted and modified in order to classify unknown application responses.
Alternatively, MITM attacks leveraging tools such as Ettercap can be utilized to achieve the same result, and depending on the protocol, may be preferred. Beyond just ARP poisoning and sniffing network traffic, Ettercap has the ability to apply filters which can be utilized to intercept and modify packets on the wire. This ability can be leveraged to enumerate the different possible ActiveX client responses as well. The figure below displays a filter utilized to modify a known value (“password error”), with a network response not yet classified, “00 01 05 01 00 00 00 00 “.
if (ip.proto == TCP && tcp.src == 5920) {
replace(“x00x01x03x01x00x00x00x00”, “x00x01x05x01x00x00x00x00”);
msg(“Filter executed.n”); }
Executing this Ettercap MITM filter granted access to the ActiveX CCTV camera interface, thus indicating a successful authentication response, however, no video feed was displayed. On the upside though, we have now classified another response type from the server. The table below lists the responses x00 through x09. Note there are two responses for successful authentication.
Response Value | ActiveX Client Response |
x00x01x00x01x00x00x00x00 | <no response> |
x00x01x01x01x00x00x00x00 | <authentication successful> |
x00x01x02x01x00x00x00x00 | “id error” |
x00x01x03x01x00x00x00x00 | “password error” |
x00x01x04x01x00x00x00x00 | “no network user” |
x00x01x05x01x00x00x00x00 | <authentication successful> |
x00x01x06x01x00x00x00x00 | <no response> |
x00x01x07x01x00x00x00x00 | <no response> |
x00x01x08x01x00x00x00x00 | <no response> |
x00x01x09x01x00x00x00x00 | <no response> |
Now that we can determine valid/invalid users as well as authentication succeeded/failed responses, we can build software to intelligently brute force valid accounts over the proprietary protocol. Enter Metasploit.
Metasploit is an amazing framework that can be adapted for a number of penetration testing activities, including rapid development of custom exploitation modules. In this case, we created a module that allowed us to successfully discover such systems elsewhere in the network, determine valid user accounts, exclude non-valid accounts, and then brute force logins. During this exercise, we discovered that 70% of the instances utilized had default vendor passwords that had not been changed. Thus included within the module is a list of common passwords utilized for such standalone CCTV video surveillance devices.
msf > use auxiliary/scanner/misc/cctv_dvr_login
msf auxiliary(cctv_dvr_login) > set RHOSTS 10.10.1.14
RHOSTS => 10.10.1.14
msf auxiliary(cctv_dvr_login) > exploit
[*] 10.10.1.14:5920 CCTV_DVR – [001/133] – Trying username:’admin’ with password:”
[-] 10.10.1.14:5920 CCTV_DVR – [001/133] – Failed login as: ‘admin’
[*] 10.10.1.14:5920 CCTV_DVR – [002/133] – Trying username:’user’ with password:”
[-] 10.10.1.14:5920 CCTV_DVR – [002/133] – Invalid user: ‘user’
[*] 10.10.1.14:5920 CCTV_DVR – [003/133] – Trying username:’admin’ with password:’admin’
[-] 10.10.1.14:5920 CCTV_DVR – [003/133] – Failed login as: ‘admin’
[*] 10.10.1.14:5920 CCTV_DVR – [004/133] – Trying username:’admin’ with password:’1111’
[+] 10.10.1.14:5920 Successful login: ‘admin’ : ‘1111’
[*] Confirmed IE ActiveX HTTP interface (CtrWeb.cab v1,1,3,1): http://10.10.1.14:80
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Follow Up
The market for CCTV video surveillance systems is significant with a large number of primary manufactures — and even more distributors selling rebranded equipment, all with similar internal components. After this penetration test we made inquiries to local businesses who sell/install these types of standalone CCTV video surveillance systems. We were told these devices are purchased “by the crate” as they are one of the most cost effective standalone CCTV solutions. A little more homework and passive reconnaissance showed that these devices have a substantial global deployment base with heavy concentrations in the United States, Russia, Japan, China, and South Korea.
In conclusion, physically monitoring sensitive locations within an environment is an important aspect of a well-rounded information security program. However, at the same time such video surveillance devices can themselves be a risk and are often overlooked during security audits and vulnerability/penetration tests. This module exploits one of the common types of standalone CCTV video surveillance systems in use globally. It is likely that other manufacturers and CCTV devices are similarly vulnerable.
Companies who want to protect against this type of attack should change default vendor passwords, use strong passwords, filter access to only trusted hosts, and only expose the CCTV system to the Internet if absolutely necessary. In addition, security professionals can use the new Metasploit module to scan their network for vulnerable systems.
The new CCTV module is already available in the Metasploit Framework. Simply download Metasploit and update to the latest version using the command msfupdate. The module will be added to the commercial Metasploit editions as a part of the normal release cycle later this week.
Author: Justin Cacak
©Aon plc 2023