Infiltrating Webcams

So I’m back to blogging; a new website is coming soon!

This is a post showing how easy it is to spy on anyone, through a loophole in a webcam vendor’s software.

Webcam

Gaining access is simple, and what’s even simpler is staying a ghost, knowing they have no idea you are watching them.

Basically, the way I approached this was to look at various webcam software vendors that allow remote access.

Then, by finding an authentication-bypass vulnerability for the administrator account, you can gain access to the admin panel of the host exposing the open port.

The server emits special headers which you can use to find more vulnerable hosts.

Then, selecting a country, you grab the list of hosts and gain complete control of their cameras.

Here is what I found last night within around 10-15 minutes or so of looking:

Unsuspecting victim

This was a user’s home PC. There were two computers, and I gained access to only one.

There is a couple, and they are completely unaware that I can see everything they’re doing.

Filipino Net Cafe

This is a Filipino net cafe: witnessing life there, and seeing multiple users. But it’s just not fun enough; I need something more interesting, more spy-worthy, more people to monitor.

So I kept searching for vulnerable hosts.


This is more like it, I can see more cameras through my camera.

“Spy on the people, spying on you.”

I tried to access a monitor with multiple cameras on, so I could get a better and faster view of the cameras.

So I found another host that had the same type of monitoring software:

Monitoring More Users

I decided it still wasn’t enough; I wanted to have an outside view on things.

So I found some vulnerable hosts in Russia showing building sites and basic traffic stops.

Russian Traffic

Quite basic, and here’s a block of apartments in Russia:


The title here translates to:

Moscow – Camera 1

To protect against this:

If you do run webcam software on your computer, I suggest you enforce strong passwords, disable the default administrator login and add a new user with admin rights.

Also, deny all hosts connecting to the WebUI apart from your trusted connections. On most webcam software you can also be emailed/notified when someone has logged in from an untrusted source.
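As an added example (not from the post or from any webcam vendor’s software), here is a Python audit that applies the two checks above to a login log: it flags successful logins from outside a trusted allowlist, and any login that still uses the built-in admin account. The log line layout, the trusted networks and the sample events are constructed assumptions; adapt the parser to whatever your camera software actually writes.

```python
import ipaddress

# Networks that are allowed to reach the camera's web UI (constructed example values).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("203.0.113.10/32")]

# Built-in account names that should stay disabled once a personal admin user exists.
DEFAULT_ACCOUNTS = {"admin", "administrator"}

# Constructed sample of web-UI login events, one per line:
#   date time user source_ip result
SAMPLE_LOG = """\
2012-05-12 01:02:03 admin 192.168.1.20 success
2012-05-12 01:10:44 admin 198.51.100.7 failed
2012-05-12 01:10:51 admin 198.51.100.7 success
2012-05-12 02:30:00 viewer 203.0.113.10 success
2012-05-12 03:00:00 Administrator 198.51.100.9 success
"""


def is_trusted(ip, trusted=TRUSTED_NETS):
    """True if the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def audit_logins(log_text, trusted=TRUSTED_NETS, default_accounts=DEFAULT_ACCOUNTS):
    """Return (timestamp, user, ip, reasons) for each successful login that
    came from outside the allowlist or used a built-in admin account."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, clock, user, ip, result = line.split()
        if result != "success":
            continue  # failed attempts are a separate (lockout) signal
        reasons = []
        if not is_trusted(ip, trusted):
            reasons.append("untrusted source")
        if user.lower() in default_accounts:
            reasons.append("built-in admin account")
        if reasons:
            findings.append((f"{date} {clock}", user, ip, reasons))
    return findings


if __name__ == "__main__":
    for when, user, ip, reasons in audit_logins(SAMPLE_LOG):
        print(f"{when} {user}@{ip}: {', '.join(reasons)}")
```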

So always remember that people can watch you, all the time, whenever they wish; you can only reduce the risks.

And there’s not much you can do to really prevent it. The steps I’ve shown above simply reduce the risk of it happening to you.

Someone else had the same idea on my topic, except they used Google dorking to gather possibly vulnerable hosts, and didn’t use any administrator bypass, just blank passwords on Toshiba Web Camera software to gain access to users’ accounts:


That’s all for now ;-)

– X

IPTraf – Monitor hackers…and traffic

Great!)

Network Monitoring

This post will be about the tool called IPTraf.

It’s quite an old tool, but it is still very effective for network monitoring. It is console-based, so it’s very simple to use.

It recognises these various protocols:

  • IP
  • TCP
  • UDP
  • ICMP
  • IGMP
  • IGP
  • IGRP
  • OSPF
  • ARP
  • RARP

It can also be used over a wide range of network cards.

Step 1:

Log in to your server via SSH, then update and upgrade.

xakep@proxy:~$ sudo apt-get update && sudo apt-get upgrade

Step 2:

Install the IPTraf tool via apt-get.

xakep@proxy:~$ sudo apt-get install iptraf

Step 3:

Run it with root privileges.

xakep@proxy:~$ sudo su

root@proxy:/home/xakep# iptraf

Now you should be here:

IPTraf Splash page

Then press any key, and you get the main menu:

Main Menu

I’m going to select: IP Traffic Monitor.

Then I’m going to select: All Interfaces.

Selecting interfaces

Then, finally, you should hit the main screen:

Main Page

As you can see, you can witness:

  • Your connection to the server.
  • The number of packets being sent to one another.
  • The number of bytes being sent to one another.
  • Various flags.
  • And on what interface it is being used.

At the bottom of the screen is a flowing list, showing:

PROTOCOL (NUM BYTES) from HOST1 to HOST2 on INTERFACE

This shows the various connections of users and servers interacting with your server.

Now.. this is where it gets interesting…

Depending on your host/country you might receive fewer or more connections to your server; these are servers scanning for various open ports, which the hacker can then use to brute-force/gain access to your server.
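As an added example (not from the post or from IPTraf itself), here is a Python script that parses lines in the schematic format shown above and flags sources that probe many distinct ports on your server, which is the scanning behaviour just described. The exact line layout (ip:port host fields) and the sample lines are constructed assumptions; check them against what your IPTraf build actually logs.

```python
import re
from collections import defaultdict

# Regex for the schematic layout shown in the post:
#   PROTOCOL (NUM BYTES) from HOST1 to HOST2 on INTERFACE
# Host fields are assumed to be ip:port (an assumption, not IPTraf's documented format).
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\((?P<bytes>\d+)\s+bytes\)\s+from\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+to\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+on\s+(?P<iface>\w+)$"
)

# Constructed sample: one source walks six ports on the server, another talks normally.
SAMPLE_IPTRAF = """\
TCP (60 bytes) from 198.51.100.7:40001 to 203.0.113.5:21 on eth0
TCP (60 bytes) from 198.51.100.7:40002 to 203.0.113.5:22 on eth0
TCP (60 bytes) from 198.51.100.7:40003 to 203.0.113.5:23 on eth0
TCP (60 bytes) from 198.51.100.7:40004 to 203.0.113.5:80 on eth0
TCP (60 bytes) from 198.51.100.7:40005 to 203.0.113.5:443 on eth0
TCP (60 bytes) from 198.51.100.7:40006 to 203.0.113.5:3306 on eth0
TCP (1500 bytes) from 192.0.2.44:51000 to 203.0.113.5:22 on eth0
UDP (90 bytes) from 192.0.2.44:51001 to 203.0.113.5:53 on eth0
TCP (60 bytes) from 203.0.113.5:22 to 192.0.2.44:51000 on eth0
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("bytes", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec


def find_port_scanners(log_text, my_host, min_ports=5):
    """Return {source_ip: sorted ports} for sources that touched at least
    min_ports distinct destination ports on my_host."""
    touched = defaultdict(set)
    for rec in parse(log_text):
        if rec["dst"] == my_host:
            touched[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in touched.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_port_scanners(SAMPLE_IPTRAF, "203.0.113.5").items():
        print(f"{src} probed {len(ports)} ports: {ports}")
```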

Main Window left for 10+ minutes.

So there are connections from the USA to Russia (where my network is located).

Lots of USA connections, and a couple of Russian connections.

So let’s wait another 10 minutes and see what else we can find.

20 minutes after using IPTraf

So all in all, you have lots of connections from different countries. On a good day, there can be various types of ports they’re connecting to, and you can actually find yourself a server that is used just to harvest open boxes for botnets.

Then let’s say you infiltrate one of these servers… ;) Think of the things you could achieve from hacking actual hackers themselves.

For now, that is all.

Sorry for the long time not posting; I have been very busy.

Until next time!

– X

Phreaking Awesome Distro

Hello hello!

It’s been a while since I’ve done one of these, as I have moved around a lot lately.

Anyways!

So I got an email about this, and it’s actually quite fucking awesome.

There’s a new distro that’s been released called Santoku-Linux.

Its purpose? – Mobile Malware Analysis, Mobile Forensics and Mobile Security Testing.

Find the official website here!

Let’s view some screenshots of it:

Taking a Look at Echelon SCADA Systems

Gaining access to SCADA systems seems like a challenge. When you do research on targets and learn about how they are set up by engineers, it can be simpler.

Hacking into a database is a lot different from hacking into SCADA systems, because with these systems you interact with the real world, and you’re playing with real-life machinery. But a database is like numbers on a computer, and it can be saved with backups etc.

Today I’m going to look at i.LON Echelon SCADA systems.

OK, I will begin with how I found them.

First you start with IP-range scans. But you need the ranges, yes? So you make a scanner to pick out specific ranges.

Here is an example of my ISP find:

So you start like this, for your target.

Then you find servers with the web server header: WindRiver-WebServer

Then you look at the WWW-Authenticate header: Basic realm=“i.LON”

This already tells you they run Echelon SmartServer 2.0, which is vulnerable to 2 released 0days. One was released a little while ago, and one is new.

To learn more about the i.LON systems, look here: http://www.lon-catalog.ru/

To see source code for WindRiver firewalls and more, here is a Chinese website I stumbled on: WindRiver-Firewall-Source

After finding a target, you use the arbitrary code exploit (if you can’t find it, then you won’t need it).

Then you should have the admin panel to change everything on the box:

This particular system is mainly for heating purposes: boilers, air conditioners, etc.

I also had control over a couple of apartments’ heating:

So, there is no point to this blog today, except to show that it is very easy to affect real life, just with a shit laptop + shit connection haha ))).

Bye!))

How NASA Deals with a Hacker

Now, before I begin I’ll make a disclaimer: this post is from 2003.

The material here is open and free for the public to use; I have not gained access to any NASA servers to get it. The information here is 10 years of age, and is allowed to be public due to: blah blah blah.. etc.

Now, I’ve been reading through these, and can’t decide which hacker breached the server. I mean, the NASA employee claims he has not had a breach for 10 years. So at first I was guessing Gary McKinnon, then maybe Adrian Lamo, but I cannot find any other files on it.

Here is part 1 of the announcements made to all staff:

PART 1: Original message from 01:30 UT 14 Feb 03
To: All GCN Sites
Re: GCN Notices off-line due to hacker attack

Around 20:00 UT today (13 Feb 03), the GCN computer (capella) was compromised
by a hacker. At ~21:30 the Goddard IT Security office blocked all
incoming and outgoing internet activity for capella. With this block,
the GCN Notices system is off-line to the rest of the world; there can be no
socket connections or email Notices. (Please note that this does NOT affect
the Circulars. The GCN Circulars are on a separate computer which is still
operating, so any Circulars submitted will be distributed to the Circulars list.
It is only the Notices that are off-line.)

I immediately started the reconstruction and recertification of the machine,
but given that this happened late in the normal business day,
the work will not be completed until sometime tomorrow (Friday).
The Goddard IT Security office needs to sign off that capella is safe,
and they can not do that until normal business hours. I will keep you posted.

After 10.5 years of hacker-free operations, GCN has finally fallen. There have
been 3 previous attacks, but they never compromised the system because of a
combination of the normal system protections and special protections
I had implemented.

This has been a particularly bad day following within a day of the INTEGRAL
distribution problem. These are totally coincidental, but it does not make
me feel any better. I apologize for the loss of service (18-24 hrs is expected).

Sincerely,
Scott Barthelmy

After 10.5 years of hacker-free operations

Hahah, I know people that might disagree with that statement.

So basically, once someone found that a hacker had breached the server, they took it completely offline, not allowing any outside access. Then they set up a backup server, as described in the next part of the email:

To: All GCN Sites
Re: GCN Notices back on-line

PART 2 (a status update message, 02:30 UT 14 Feb 03):

Some good news.
I was able to port the GCN program to another machine (gcn1.gsfc.nasa.gov)
as a temporary solution until the original capella machine can be put back
on the air tomorrow. And it is now running with the normal set of sites.
The bad news is that about half of the socket sites are not connecting
(“connection refused”). I suspect this is due to firewalls at those sites
that have been programmed to only let the capella.gsfc.nasa.gov machine
in through each firewall. There is some delay during connection attempts
in this interim setup due to the usual subset of socket sites that do not connect
(they are offline). The email sites are unaffected by this machine change.
More than 95% of the sites are back to normal service by GCN (a 5-hr gap).

This interim-GCN is connected to HETE and to INTEGRAL, and is distributing
the normal set of imalive packets, test Notices, and any GRB notice
that might be generated by HETE and INTEGRAL.

Sincerely,
Scott Barthelmy

So far, it has taken NASA staff 5 hours to take the server offline and move to another server temporarily, then to check if other machines are infected/hacked as well. In the 3rd part of the email, they finally get systems back online with new security patches.

Total time taken to fix problem: 22 hours?

The hacker gained access to the server late at night. This is crucial, because everyone is sleeping and no one is around to disable comms until 9:00am the next morning.

So between the time of getting in and the time of NASA noticing the hacker, he could have stolen a lot of files.

They disable comms when they see the hacker inside the machine. They then move the backup files to another server, which may or may not be less vulnerable. Something to remember, if you get blocked when you hack NASA.

There are a lot of investigations after the breach. So if you are hacking a government server, remember to delete any logs that you make, whilst obviously bouncing your real connection off anonymous servers.

The emails were from an admin directory within a Goddard Space Flight Center subdomain; I am guessing they have given up and allowed anyone total remote access to the machine…

Bye!))

CIA Honeypots

Hello, hey, how are you doing?

So I find that there is a CIA honeypot. Possibly. Yes.

########################################################

IP range of public CIA Servers:

198.81.128.0 – 198.81.191.255
########################################################

So here is my average output of a scan:

I scanned every server in the range for ports 21, 22, 23, 80, 443 (ftp, ssh, telnet, http, https).

Out of all of these public open ports, only 1 server had port 22 open. The rest had ports 80 + 443 open. They probably run SSH on a high port like 65000 etc. But I am looking for open/easy-to-find ports.

So let’s take a look at the IP in question in more detail:

Let’s nmap it to find more ports:

SSH – Secure Shell

SMTP – Simple mail transfer protocol.

domain – DNS.

http – Webserver.

https – Secure Sockets Layer.

port 9418 – Git pack transfer service.

Why do I believe this to be a honeypot?

SSH – You can brute-force this (depending on whether there is any IPS in place) to gain access. – Tool Example

SMTP – Buffer overflow, DoS, etc. Here + Here

Domain – You use W32.Dasher.B, which listens for remote commands on port 53/tcp, connects to an FTP server on port 21211/tcp, and scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp. – Exploits here

HTTP – you can use web app vulns, HTTP floods, password cracking + more.

HTTPS – the same as above, + SSL exploitation. See: THC-SSL-DOS + SSL stripping etc.

Port 9418 – DoS, trojans and remote code execution.

You can also extract data from other servers and use it to exploit this one. For example:

Where they have passwords such as:

  • Jme8ckX8
  • 9r4KuyEJ
  • SaHcbZWP
  • CqjR3bTk

Etc. It is a shot in the dark, but hey, maybe you get lucky?

Before you attempt to hack this box:

I can assure you it’s already patched. I did all of these scans on 12/05/2012. ;-)

Maybe this wasn’t a honeypot? Actually a vuln?

Maybe they see lots of people poking at it and close it off? Who knows.

Bye))

Twitter phoneys

IRRELEVANT POST OF THE WEEK

Totally irrelevant, but something that has to be said.

Girls…

There are none on the internet.

;-) (lolwut?)

OK, so you have some female Twitter user, ooohhh I don’t know, maybe this one?:

Now I’m not going to say right away that this is not a female.

However, most females do not post “girl” or “chick” or “woman” in their names/bios.

Because:  fuck

Maybe this is a nice girl who likes drugs… who knows.

Second observation:

The picture! Always the fucking picture. Look at this, and tell me if you think it is her:

I wonder if you Google this:

Hot-Stoner-Babe-Smoke-Hydrant-300×300.jpg

Oh look, here we have a stoner forum: http://www.dabtube.com/community/viewtopic.php?f=39&t=886

XFLIX prognosis: MAN

….. or a random female who should not be afraid of what people think of her. (bla bla etc)

Do not be fooled once more, innocent Twitter personals!

Bye))