Monday, May 18, 2020

VR Model P1 - 360 degree camera


This article is one of my very old assessments, done for fun back in 2017. I recovered it from an old hard disk, and the finding has since been assigned CVE-2020-23512.

My target here is a 360-degree camera, a form factor that has been trending in the IP camera world recently; the model under test is the VR CAM P1.

What is a VR camera?
In photography, an omnidirectional camera (from "Omni", meaning all) is a camera with a 360-degree field of view in the horizontal plane, or with a visual field that covers (approximately) the entire sphere. Omnidirectional cameras are important in areas where large visual field coverage is needed, such as in panoramic photography and robotics.



VR CAM P1 Proxy Eye Fisheye Camera IP 3D VR 360 Degree Panoramic 960P Wi-Fi CCTV Camera with SD Memory Card Slot, Multi Viewing Mode

Features of this VR camera:

Brand:               VR CAM
Model:               P1
Product dimensions:  15 x 15 x 5 cm
Resolution:          960p
Supported devices:   Android/iOS
Additional features:
  * 360 Degree Panorama + 3D VR + Wi-Fi & wired RJ45 + TF card slot + two-way audio
  * Multi-angle monitor: Mode 1: Electronic PTZ, Mode 2: Panoramic, Mode 3: Corridor, Mode 4: Traditional split screen
  * 1/3 inch CMOS sensor, resolution 1536 x 1536, 1.19 mm lens, 360 degree viewing angle, 3MP HD
  * One camera = 4 to 6 ordinary cameras
Optical zoom:        16X
Connector type:      Wireless, wired
Material:            Plastic
Lens type:           Fisheye
Voltage:             12 V
Wattage:             130


To configure the device, follow the vendor's document:

Let's start the assessment:

As part of the security assessment I simply connected the device to Ethernet, and it was assigned an IP address.

I started scanning the device's IP address and got the results shown below.

That's interesting: several ports are open, among them 21, 23 and 6789, with service details. On port 21 nmap's ftp-anon script reports that anonymous login is possible, meaning anonymous credentials will work and, with no authentication in the way, we get direct access. Let's see.

There is no authentication on the FTP service, and it gives direct access to the camera's filesystem. Since port 21 (FTP) already exposes the firmware, we can either look at it through the web interface or download the whole tree from the FTP location with wget (wget -r) or an FTP client such as FileZilla.


FileZilla FTP client access



Filesystem analysis is always the main part of IoT device pentesting. After downloading the firmware, dig through every file for confidential information. Here /etc/passwd and /etc/shadow contain hardcoded account credentials, stored as MD5 hashes.

The JFFS filesystem files also contain a remote FTP server's IP address together with its login credentials.



Digging around some more, I found more treasure: the router's (yes, the work network's) Wi-Fi password in plaintext at /tmp/wifi_info.



Checking the device's web interface, we found that the login page has a business logic vulnerability:

without credentials we can reach the admin control panel. The image below shows the login page.

Looking at the parameters the embedded application uses, we observed that the admin control panel can be accessed directly, without credentials.









Monday, April 13, 2020

IoT-PT (Internet of Things Penetration Testing OS)

I would like to share a virtual environment for pentesting IoT devices in an easy way. Most of the questions I get in the Telegram group < https://t.me/iotsecurity1011 > are:

How do I start with IoT security, and are there any good resources?

So I have made a third open-source learning gift from my side to learners and enthusiasts: the IoT-PT virtual OS.



---------------------------------------------------------------
/                                                             /
/    OS info and Requirements :  https://github.com/IoT-PTv   /
/    Base OS     : Lubuntu 18.04 LTS                          /
/    Processors  : 2 (By default 4)                           /
/    RAM         : 3GB (By default 8)                         /
/    VirtualBox 6+                                            /
/                                                             /
/    username : iotpt ; password : iot1                       /
---------------------------------------------------------------

Why I created this VM

IoT is a new picture in its own way, and even the tools differ a lot from those used for ordinary pentesting. The main problem is dependencies: IoT targets span multiple architectures, and the tools do not work without the proper dependencies installed.

For the tools installed in the OS please go through this link (tools link). We mainly concentrated on the essentials: exploitation frameworks for IoT, BLE hacking tools, firmware reverse engineering (automated and dynamic), APK and iOS application analysis, and network tools.




List of the tools installed in the OS, version 1

Software tool                      Version
------------------------------------------------------
IoT penetration testing frameworks
  Expliot Framework                v0.7.2
  IoTSecFuzz                       v1.0
  Routersploit                     v3.4.1
Firmware reverse engineering tools
  binwalk                          v2.2.0
  firmwalker
  FACT-core                        v3.1-dev
  flawfinder                       v1.31
  firmware modkit
  r2ghidra-dec
  trommel
  Firmwareslap
  angr
Dynamic analysis tools
  Qemu                             v2.11.1
  Qiling                           v1.0-rc1
  Firmadyne
Reverse engineering tools
  Cutter                           v1.10.0
  ghidra                           v9.0.4
  radare2                          v4.2.0
Bluetooth tools
  Bluez                            v5.48
  gattacker
  bettercap                        v2.26.1
  btlejuice                        v1.1.11
  nrfconnect                       v3.0.0
  sniffle
Hardware tools
  flashrom                         v0.9.9-r1954
  openocd                          0.10.0
  screen                           v4.06.02
  putty                            v0.70
Android and iOS analyzer tools
  MobSF                            v3.0
  QARK                             v4.0.0
  Objection                        v0.0.1
  frida                            v12.8.7
  burpsuite                        v2.1.07
Vulnerability assessment tools
  Openvas                          v9
Radio assessment tools
  rtl_433                          19.08-159-gfd815c7
Network assessment tools
  Nmap                             v7.60
  masscan                          v1.0.3
  tshark                           v2.6.10
Requirements
  capstone
  unicorn engine                   v1.0.2rc3



Friday, January 17, 2020

Some IoT pentesting hints (kept updated)


A. Collect information about the device
    i.   data sheets
    ii.  product features
    iii. installation guide and user manual: download them from the vendor
         website, or use Google dorks to find them

B. Using the device name and model number, or its hardware information, check for publicly available exploits (Exploit-DB or the exploit search engines). Useful search engines for exploits:
    https://sploitus.com/
    https://vulmon.com/
    http://www.exploitsearch.com/
    https://www.nmmapper.com/searchindex/s/

    There are also special search engines for IoT which help find insecure devices exposed to the public internet:
     i.   shodan
     ii.  censys
     iii. zoomeye
     iv.  onyphe

C. Make a detailed list
    i.   write down the full feature list of the device
    ii.  list the publicly available exploits
    iii. then start building your own method to pentest it,
         but understand the device clearly first

D. Common approach for an IoT pentesting methodology
     i.    network
     ii.   embedded applications
     iii.  mobile apps (Android and iOS)
     iv.   wireless communications
     v.    firmware reversing
     vi.   hardware exploitation
     vii.  side-channel attacks
     viii. radio communication attacks





A little more information 



I. Network:

Network pentesting in the IoT world is not much different from ordinary network pentesting until a new protocol is added.

1. scan for open ports and service versions
2. the easy one: search for exploits already available for the running service versions
3. to see whether the device connects to any other network outside, run "netstat -antp" on the device itself, but that needs telnet (shell) access first
4. anonymous FTP (ftp-anon) is a common bug in many IoT devices
5. search the firmware for any network-service-related binary or script that can lead us to a bug
6. debug all the network services (from the extracted firmware)
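Reading the scan output: the triage step from the P1 camera writeup above (ports 21, 23 and 6789 open, ftp-anon reported on 21) and from items 1, 2 and 4 in this list is easy to script from nmap's -oX output. The following is an added example, not code from this blog or from IoT-PT; the XML is constructed to mirror the open ports named in the writeup, while the product/version strings, the `unknown` service name and the 192.0.2.20 address are placeholders rather than real device output.

```python
"""Triage an nmap -oX result: list open ports/services and flag the
findings that matter first on an IoT device (anonymous FTP, cleartext
protocols, unidentified services). Added example; the XML below is
constructed and is not the scan output from the page."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX layout. The open ports mirror the
# ones named in the P1 writeup (21, 23, 6789); product/version strings
# and the 192.0.2.x address are placeholders, not real device output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 192.0.2.20">
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="example-ftpd" version="1.0"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed"/>
        <service name="ssh"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="6789">
        <state state="open"/>
        <service name="unknown"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "tftp"}


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, port, protocol, service,
    product, version and the NSE script outputs keyed by script id."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "?")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are noise here
            svc = port.find("service")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": (svc.get("name") if svc is not None else "") or "",
                "product": (svc.get("product") if svc is not None else "") or "",
                "version": (svc.get("version") if svc is not None else "") or "",
                "scripts": {s.get("id"): s.get("output", "") for s in port.findall("script")},
            })
    return findings


def triage(findings):
    """Map each open port to the check a tester would do next."""
    issues = []
    for f in findings:
        if "Anonymous FTP login allowed" in f["scripts"].get("ftp-anon", ""):
            issues.append((f["port"], "anonymous FTP login allowed: mirror the filesystem"))
        if f["service"] in CLEARTEXT_SERVICES:
            issues.append((f["port"], f"cleartext protocol ({f['service']}): sniff credentials"))
        if f["product"]:
            issues.append((f["port"], f"search exploits for {f['product']} {f['version']}".rstrip()))
        if f["service"] in ("", "unknown"):
            issues.append((f["port"], "unidentified service: fingerprint it manually"))
    return issues


if __name__ == "__main__":
    for port, note in triage(parse_nmap_xml(SAMPLE_XML)):
        print(f"{port:>5}/tcp  {note}")
```

Feed it a real `nmap -sV -sC -oX scan.xml <device-ip>` file instead of `SAMPLE_XML` and the same two functions apply; the `CLEARTEXT_SERVICES` set and the triage rules are the part to grow per engagement.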

II. Embedded Applications:

1. Do not think about SQL injection until we know the device actually talks to a database over SQL
2. Mostly we need to look for command injection and RCE
3. XSS (stored XSS has high chances): there are always input fields for configuring settings, and that data gets saved
4. Hardening is mostly the fix for broken security configuration such as authentication and authorization
5. Brute-force the auth pages
6. Find the parameters and try to access them directly without auth
7. Surely we will find more logical bugs than technical bugs
8. It all depends on the web technologies they use
9. CSRF is always possible, depending on the options enabled, on account creation or settings pages
10. Web services: CoAP, REST API and MQTT web configurations, checked for auth issues and encrypted communication
11. Useful tools
    i.   Burp Suite (with plugins) & ZAP Proxy
    ii.  Wireshark
    iii. Postman
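Item 6 is the same class of bug found on the P1's admin panel earlier on this blog: pages the login form is supposed to guard are served without any session. Here is an added example of that check (not the author's code, and not the camera's real URLs): request each candidate page with no cookie, refuse to follow redirects, and classify the response. The device is replaced by a constructed local HTTP server whose /admin.htm never checks the session, so the check runs offline; the paths and the login-page markers are placeholders to adjust per target.

```python
"""Check which pages of a device web UI are served without a session.
Added example: the 'device' is a constructed local HTTP server that
mimics the broken logic described on the page (an admin page that never
checks the session); the paths are placeholders, not the camera's real
URLs."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Byte patterns that identify the login page itself; adjust per target.
LOGIN_MARKERS = (b'type="password"', b'name="password"')


def fetch(base_url, path):
    """GET path with no cookies or auth header and do not follow redirects:
    a redirect to the login page is itself the answer we want."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": "auth-check"})
    resp = conn.getresponse()
    body = resp.read()
    location = resp.getheader("Location") or ""
    conn.close()
    return resp.status, location, body


def classify(status, location, body):
    """Decide whether an unauthenticated request reached protected content."""
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308) and "login" in location.lower():
        return "protected"                       # bounced to the login form
    if status == 200 and any(m in body for m in LOGIN_MARKERS):
        return "login_page"                      # the form itself was served
    if status == 200:
        return "open_without_auth"               # real content, no session needed
    return "other"


def check_paths(base_url, paths):
    return {p: classify(*fetch(base_url, p)) for p in paths}


# ---- constructed stand-in for the device, so the check runs offline ----
class FakeDevice(BaseHTTPRequestHandler):
    def do_GET(self):
        has_session = "session=" in (self.headers.get("Cookie") or "")
        if self.path == "/login.htm":
            self._send(200, b'<form><input name="password" type="password"></form>')
        elif self.path == "/admin.htm":           # the bug: never checks the session
            self._send(200, b"<h1>Device settings</h1>")
        elif self.path == "/config.cgi":          # correct behaviour, for comparison
            if has_session:
                self._send(200, b"ok")
            else:
                self._send(302, b"", location="/login.htm")
        else:
            self._send(404, b"not found")

    def _send(self, code, body, location=None):
        self.send_response(code)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                # keep the demo output clean
        pass


def start_fake_device():
    """Bind the fake device on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeDevice)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, base = start_fake_device()
    for path, verdict in check_paths(base, ["/login.htm", "/admin.htm", "/config.cgi"]).items():
        print(f"{path:<12} {verdict}")
    srv.shutdown()
```

Against a real target, point `check_paths` at the device's base URL with the page names harvested from the firmware's web root (the embedded web server's htdocs or cgi-bin directory), and treat every `open_without_auth` verdict as a finding to confirm manually in Burp.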
    

III. Mobile apps (Android and iOS):

For Android:
1. use dex2jar to convert the APK to a jar file
2. manually check the data, and look for exposed services and what data they write
3. check whether the data exchanged with the device is encrypted or not

Useful tools
    1. MobSF - static analysis
    2. Frida, Burp Suite, apktool, dex2jar
    3. OS: Android Tamer, Mobexler or IoT-PT
For iOS:
(will write soon)

IV. Wireless Communications:

1. Wireless communications: Wi-Fi (client side), ZigBee, Z-Wave, Bluetooth, LoRa
Wi-Fi (Wireless Fidelity):


V. Firmware Reversing:

1. basic checks for hardcoded credentials and private certificates
2. service exploits: the binaries of the running services (ipv4, telnetd, ssh, FTPD), encrypted binaries, authentication-related binaries, decryption-related binaries/scripts,
   and search for more services, features and config files
3. check the symlinks: they give an idea of how the services work, which folder files are saved to, or how they communicate (will update here)
4. Tools which help you:
    1. binwalk - extractor and much more
    2. FACT - static analysis
    3. Firmware Mod Kit
    4. Fwanalyzer
    5. Qemu - dynamic analysis
    6. Qiling - dynamic analysis
    7. FAT - Firmware Analysis Toolkit
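Item 1 here, and the /etc/passwd, /etc/shadow and /tmp/wifi_info findings in the P1 writeup above, are a mechanical sweep once the firmware tree is on disk. The following added example (not the author's code and not part of any tool listed above) merges passwd and shadow, names the hash algorithm from its prefix (the md5crypt `$1$` case seen on the camera included), lists uid-0 accounts, and greps text files for plaintext Wi-Fi keys, private keys and URLs that embed credentials. The sample tree it builds is constructed to resemble the camera dump; its hash strings are dummies and the address 192.0.2.10 is a placeholder.

```python
"""Sweep an extracted firmware root for credential material: account
hashes in etc/passwd and etc/shadow (classified by algorithm) and
plaintext secrets in config/state files such as tmp/wifi_info. Added
example; the sample tree built by build_sample_root() is constructed and
the hash strings in it are dummies, not values from the camera."""
import re
import tempfile
from pathlib import Path

HASH_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}
LOCKED = {"*", "!", "!!", "*LK*", "*NP*"}


def hash_kind(field):
    """Classify a passwd/shadow password field."""
    if field == "":
        return "empty"                      # login with no password at all
    if field in LOCKED or field.startswith("!"):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                   # traditional DES crypt(3)
    return "unknown"


def parse_accounts(root):
    """Merge etc/passwd and etc/shadow; shadow wins when both carry a hash."""
    root = Path(root)
    accounts = {}
    for rel in ("etc/passwd", "etc/shadow"):
        f = root / rel
        if not f.is_file():
            continue
        for line in f.read_text(errors="replace").splitlines():
            parts = line.split(":")
            if len(parts) < 2 or not parts[0] or parts[0].startswith("#"):
                continue
            acct = accounts.setdefault(parts[0], {"uid": None, "hash": "", "source": None})
            if rel.endswith("passwd"):
                acct["uid"] = parts[2] if len(parts) > 2 else None
                if parts[1] != "x":         # hash stored directly, no shadow (common on busybox)
                    acct["hash"], acct["source"] = parts[1], "passwd"
            else:
                acct["hash"], acct["source"] = parts[1], "shadow"
    for a in accounts.values():
        a["kind"] = hash_kind(a["hash"]) if a["source"] else "missing"
    return accounts


def privileged_accounts(accounts):
    """Every uid-0 account is a root login; hardcoded ones are the prize."""
    return sorted(n for n, a in accounts.items() if a["uid"] == "0")


SECRET_PATTERNS = [
    ("wifi_credential", re.compile(r"^\s*(ssid|psk|wpa_passphrase|password|passwd)\s*[=:]\s*\S", re.I | re.M)),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("url_with_credentials", re.compile(r"\b(?:ftp|http|https)://[^/\s:@]+:[^@\s]+@[^\s/]+", re.I)),
]


def sweep_secrets(root, max_bytes=2_000_000):
    """Return (relative path, pattern name, matching line) for text files."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file() or path.stat().st_size > max_bytes:
            continue                         # dangling symlinks are common in extracted firmware
        data = path.read_bytes()
        if b"\x00" in data[:512]:
            continue                         # ELF and other binaries need strings/binwalk, not this pass
        text = data.decode("utf-8", errors="replace")
        for name, rx in SECRET_PATTERNS:
            for m in rx.finditer(text):
                start = text.rfind("\n", 0, m.start()) + 1
                line = text[start:].split("\n", 1)[0].strip()
                hits.append((path.relative_to(root).as_posix(), name, line))
    return hits


def build_sample_root():
    """Constructed mini filesystem shaped like the camera dump on the page."""
    root = Path(tempfile.mkdtemp(prefix="fw-"))
    (root / "etc").mkdir()
    (root / "tmp").mkdir()
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/:/bin/sh\n"
        "admin:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:0:0::/:/bin/sh\n"   # dummy md5crypt, uid 0
        "guest:x:1000:1000::/:/bin/sh\n"
        "nobody:*:65534:65534::/nonexistent:/bin/false\n")
    (root / "etc" / "shadow").write_text(
        "root:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB:17000:0:99999:7:::\n"   # dummy md5crypt
        "guest::17000:0:99999:7:::\n")                                    # empty password
    (root / "tmp" / "wifi_info").write_text("ssid=OfficeNet\npsk=ExamplePlaintextKey\n")
    (root / "etc" / "upload.conf").write_text("server=ftp://camuser:camsecret@192.0.2.10/upload\n")
    return root


if __name__ == "__main__":
    fw = build_sample_root()
    accounts = parse_accounts(fw)
    for name, a in accounts.items():
        print(f"{name:<8} uid={a['uid']} hash={a['kind']} ({a['source']})")
    print("uid 0:", privileged_accounts(accounts))
    for hit in sweep_secrets(fw):
        print(hit)
```

Point `parse_accounts` and `sweep_secrets` at the directory binwalk or the FTP mirror produced (the squashfs/JFFS root, not the wrapper directory) and the md5crypt entries are what you hand to hashcat; the `empty` and `uid 0` results are findings on their own and need no cracking at all.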
