Trendnet Cameras - I Always Feel Like Somebody'S Watching Me.

Firstly this post requires the following song to be playing.

http://www.youtube.com/watch?v=wVfjwIyc-CU

Now that we got that out of the way... I have been seeing posts on sites with people having fun with embedded systems/devices and I was feeling left out. I didn't really want to go out and buy a device so I looked at what was laying around. 

Enter the Trendnet TV-IP110w - http://www.trendnet.com/products/proddetail.asp?prod=145_TV-IP110W

To start off the latest firmware for this device can be found at the following location :

http://downloads.trendnet.com/tv-ip110w/firmware/FW_TV-IP110W_A1.x(1.1.0.104).zip

First order of business was to update the camera with the most recent firmware:

Device info page confirming firmware version

Now that the device was using the same version of firmware as I was going to dive into, lets get to work. I will be using binwalk to fingerprint file headers that exist inside the firmware file. Binwalk can be downloaded from the following url: http://code.google.com/p/binwalk/

Running binwalk against the firmware file 

binwalk FW_TV-IP110W_1.1.0-104_20110325_r1006.pck 
DECIMAL   HEX       DESCRIPTION
-------------------------------------------------------------------------------------------------------
32320     0x7E40     gzip compressed data, from Unix, last modified: Thu Mar 24 22:59:08 2011, max compression
679136     0xA5CE0   gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression

Looks like there are two gzip files in the "pck" file. Lets carve them out using 'dd'. First cut the head off the file and save it off as '1_unk'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=1_unk bs=1 count=32320
32320+0 records in
32320+0 records out
32320 bytes (32 kB) copied, 0.167867 s, 193 kB/s

Next cut out the first gzip file that was identified, we will call this file '2'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=2 bs=1 skip=32320 count=646816
646816+0 records in
646816+0 records out
646816 bytes (647 kB) copied, 2.87656 s, 225 kB/s

Finally cut the last part of the file out that was identified as being a gzip file, call this file '3'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=3 bs=1 skip=679136
2008256+0 records in
2008256+0 records out
2008256 bytes (2.0 MB) copied, 8.84203 s, 227 kB/s

For this post I am going to ignore files '1_unk' and '2' and just concentrate on file '3' as it contains an interesting bug :) Make a copy of the file '3' and extract it using gunzip

#file 3
3: gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression
#cp 3 3z.gz
#gunzip 3z.gz
gzip: 3z.gz: decompression OK, trailing garbage ignored
#file 3z
3z: Minix filesystem, 30 char names

As we can see the file '3' was a compressed Minix file system. Lets mount it and take a look around.

#mkdir cameraFS
#sudo mount -o loop -t minix 3z cameraFS/
#cd cameraFS/
#ls
bin  dev  etc  lib  linuxrc  mnt  proc  sbin  server  tmp  usr  var

There is all sorts of interesting stuff in the "/server" directory but we are going to zero in on a specific directory "/server/cgi-bin/anony/"

#cd server/cgi-bin/anony/
#ls
jpgview.htm  mjpeg.cgi  mjpg.cgi  view2.cgi

The "cgi-bin" directory is mapped to the root directory of http server of the camera, knowing this we can make a request to http://192.168.1.17/anony/mjpg.cgi and surprisingly we get a live stream from the camera. 

video stream. giving no fucks.

Now at first I am thinking, well the directory is named "anony" that means anonymous so this must be something that is enabled in the settings that we can disable.... Looking at the configuration screen you can see where users can be configured to access the camera. The following screen shows the users I have configured (user, guest)

Users configured with passwords.

Still after setting up users with passwords the camera is more than happy to let me view its video stream by making our previous request. There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer. Lets see who is out there :)

Because the web server requires authentication to access it (normally) we can use this information to fingerprint the camera easily. We can use the realm of 'netcam' to conduct our searches 

HTTP Auth with 'netcam' realm

Hopping on over to Shodan (http://www.shodanhq.com) we can search for 'netcam' and see if there is anyone out there for us to watch

9,500 results

If we check a few we can see this is limited to only those results with the realm of 'netcam' and not 'Netcam'

creepy hole in the wall

front doors to some business

Doing this manually is boring and tedious, wouldn't it be great if we could automagically walk through all 9,500 results and log the 'good' hosts.... http://consolecowboys.org/scripts/camscan.py

This python script requires the shodan api libs http://docs.shodanhq.com/ and an API key. It will crawl the shodan results and check if the device is vulnerable and log it. The only caveat here is that the shodan api.py file needs to be edited to allow for including result page offsets. I have highlighted the required changes below.

    def search(self, query,page=1):
        """Search the SHODAN database.
     
        Arguments:
        query    -- search query; identical syntax to the website
        page     -- page number of results      

        Returns:
        A dictionary with 3 main items: matches, countries and total.
        Visit the website for more detailed information.
     
        """
        return self._request('search', {'q': query,'page':page})

Last I ran this there was something like 350 vulnerable devices that were available via shodan. Enjoy.

Update: We are in no way associated with the @TRENDnetExposed twitter account.

Related posts

1. Pentest Tools Open Source
2. Underground Hacker Sites
3. Hacking Tools For Mac
4. Hacking Tools Usb
5. Pentest Tools Github
6. Hacking Tools Usb
7. Best Pentesting Tools 2018
8. Hak5 Tools
9. Hacking Tools Software
10. Hacking Tools Download
11. Tools Used For Hacking
12. Wifi Hacker Tools For Windows
13. Black Hat Hacker Tools
14. Hacking Tools 2019
15. Wifi Hacker Tools For Windows
16. Hack Tools
17. Hacker Techniques Tools And Incident Handling
18. Hack Tools For Games
19. Hack Tools 2019
20. Pentest Tools List
21. Hacker Tools For Windows
22. Pentest Tools Review
23. Pentest Tools Find Subdomains
24. Best Hacking Tools 2019
25. How To Make Hacking Tools
26. Hack Tools Pc
27. Usb Pentest Tools
28. Hacker Tools Online
29. Nsa Hacker Tools
30. Hacker Security Tools
31. Hack Tools
32. Hacking App
33. Hacker Tools Mac
34. Hack Tools Online
35. Hacking Tools Mac
36. Hacker Tools Software
37. Hack Tools
38. Hak5 Tools
39. Hacking Tools For Kali Linux
40. Hacker Tools For Ios
41. Tools For Hacker
42. Hack Apps
43. What Is Hacking Tools
44. World No 1 Hacker Software
45. Hack Tools For Ubuntu
46. Hack Tools For Ubuntu
47. Hacker Tools Hardware
48. Pentest Tools Website
49. Top Pentest Tools
50. Hacking Tools And Software
51. Hacker Tool Kit
52. Hack Tools
53. Usb Pentest Tools
54. Hacker Tools 2020
55. Blackhat Hacker Tools
56. Pentest Tools Tcp Port Scanner
57. Hacking Tools Mac
58. How To Make Hacking Tools
59. Hacker Tools List
60. Hacking Tools Free Download
61. Black Hat Hacker Tools
62. Hacker Tools Hardware
63. Install Pentest Tools Ubuntu
64. Pentest Tools Tcp Port Scanner
65. Best Hacking Tools 2019
66. Pentest Automation Tools
67. Pentest Tools Find Subdomains
68. Hacker Techniques Tools And Incident Handling
69. Hackrf Tools
70. Hacking Tools For Kali Linux
71. Pentest Reporting Tools
72. Pentest Tools Review
73. Hacker Tools 2020
74. Pentest Recon Tools
75. Hacking Tools Software
76. Hacking App
77. Hacker Tools Hardware
78. Pentest Tools Tcp Port Scanner
79. Hacking Tools Free Download
80. Pentest Tools Subdomain
81. Hacking Tools For Windows
82. Pentest Tools Tcp Port Scanner
83. Hack Website Online Tool
84. Hacking Tools 2019
85. Hacker Tools Free Download
86. Hacker Tools Online
87. Hacking App
88. Hacker Tools Apk Download
89. Hacking Tools For Games
90. Hacking Tools For Windows 7
91. Beginner Hacker Tools
92. Hacker Security Tools
93. Hacks And Tools
94. Hacker Security Tools
95. Hacker Tools For Ios
96. Hacking Tools Software
97. Hacking Tools Pc
98. Underground Hacker Sites
99. Pentest Tools Review
100. Hack Tools For Windows
101. Hacker
102. Hack App
103. World No 1 Hacker Software
104. Hack Tool Apk
105. Top Pentest Tools
106. Pentest Tools Github
107. Pentest Tools Url Fuzzer
108. Hacker Tools Hardware
109. Tools Used For Hacking
110. Hacking Tools And Software
111. Hacker Tools For Pc
112. Pentest Tools Review
113. Hacking Tools Download
114. Blackhat Hacker Tools
115. Hacking Tools For Windows 7
116. Pentest Box Tools Download
117. Hacking Tools 2019
118. Hacking Apps
119. Hacking Tools Usb
120. Hack Tools For Ubuntu
121. Nsa Hack Tools Download
122. Hacking Apps
123. Hacker Tools List
124. How To Hack