Hacking Into That Security Camera!

September 14, 2012

I had the pleasure of working at LaunchPad LA because of Triptrotting. In case you’re unfamiliar with Launchpad LA, it is a startup accelerator and mentorship program founded by Mark Suster.

One day, while I was at Launchpad…
I was staring at code too long, so I leaned back in my chair to rest my eyes. I zoned out for a moment and focused on a wireless DLink IP security cam that Kyle Taylor had set up.



Hmmm…. I wonder if I can hack into that thing.
I glanced over at Shawn Faison and said, “Hey Shawn, wanna race to see who can hack into that security camera first?”
Shawn is a fun guy and he loves a challenge, so naturally, he accepted. I later extended the challenge to Philip Hayes (a talented young programmer). Why am I so fascinated with security cameras at incubators? Lol.

First, I had to find the IP of this camera.
I started with a ‘ping -b’ to the broadcast IP followed by an ‘arp -a’. Yup… this router started listing out all the names of all the devices connected to the network along with the associated IP address. I saw names of people’s computers, iPhones, iPads…. but no security camera.

Next, I ran an ‘nmap -sP 192.168.1.*’ to see a list of IPs. With the help of nmap I narrowed down my search to just the IPs with port 80 or 8080 open.
I tried entering each of these IPs in my browser to see what showed up…. and there it was. An HTTP AUTH protected webpage that was titled “DLink DCS-932L”. But wait, there were 2 different IPs that had DLink HTTP AUTH protected pages. I started looking around and noticed a second IP security cam! I never noticed that 2nd one before.

Okay, found the cameras. If by any chance the cameras kept the default passwords, all I would need to do is search online for a manual and try the default credentials. Nope. Didn’t work.

Now, I could technically perform a man-in-the-middle attack on Sam Teller or Kyle Taylor and wait for one of them to log into the camera feed and simply intercept the password…. But that is just plain wrong and against the spirit of this friendly competition. So I wrote an HTTP AUTH brute force cracker script. Believe it or not, I couldn’t actually find one online besides dictionary attack scripts. So here is my contribution to the script kiddies of the world:

Download from GitHub

I let my script run for just a little while before I stopped it. It would take too long and I’m pretty certain Kyle picked a crazy long upper/lowercase alphanumeric + symbol password which I really didn’t want to bother cracking. The whole point of this exercise was to learn and have fun.

So in the end, while I got closest, none of us actually hacked into the Launchpad LA security cams. Important lesson for you readers: USE crazy long upper/lowercase alphanumeric + symbol passwords!

Good job Kyle Taylor. You win this one… you win this one… *evil grin.
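
Seen from the camera owner's side, a brute-force run against HTTP AUTH shows up as a burst of 401 responses from one client. The following is an added example, not part of the original post or the author's script; it assumes the camera sits behind a proxy that writes Common Log Format access lines, and the sample lines, IP addresses, threshold and window are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches Common Log Format: client, ident, user, [time], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def _line(ip, user, hhmmss, status):
    """Build one constructed access-log line (sample data only)."""
    return f'{ip} - {user} [14/Sep/2012:{hhmmss} -0700] "GET / HTTP/1.1" {status} 381'

# Constructed sample, not captured from any real device.
SAMPLE_LOG = "\n".join(
    # A browser's first request carries no credentials, so one 401 is normal.
    [_line("192.168.1.50", "-", "10:00:00", 401),
     _line("192.168.1.50", "admin", "10:00:04", 200)]
    # Six failed logins in ten seconds: a guessing script.
    + [_line("192.168.1.77", "admin", f"10:05:{s:02d}", 401) for s in range(0, 12, 2)]
    # Six failed logins five minutes apart: never five inside one minute.
    + [_line("192.168.1.90", "admin", f"10:{m:02d}:00", 401) for m in range(10, 40, 5)]
)

def find_auth_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak number of 401s seen inside one window}
    for every client that reaches `threshold` failures within `window`.
    Lines must be in time order per client, as in a normal access log."""
    recent = defaultdict(deque)   # client -> timestamps of recent 401s
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "401":
            continue
        ip = m.group(1)
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, count in find_auth_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

The client at 192.168.1.90 in the sample shows why a short window alone is not enough: slow guessing only appears with a longer window, which is a reason to pair alerting with lockout or rate limiting where the device or proxy supports it.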


35 Comments
  1. Shawn Faison permalink

    That was a fun break from work, it was harder than I expected to actually find those cameras on the network.

    You are a hacker icon! not cracker but hacker, you use your work and experiments to teach and help people.

  2. Thanks for the awesome reconnaissance tip. I’ve used nmap before but never pinging a broadcast address or ‘arp’. I’ve tried pinging a broadcast address before but the results are never what I expect. Is there a ‘cookbook’ in particular that highlights this type of recon that you’ve utilized here?

    • Hi chefwear,
      I’m not aware of any cookbook, but pinging the broadcast address does give you unexpected results. Depending on who’s active on the network at that time, sometimes it gives you too few arp records. I keep running the ping -b for variable amounts of time until it returns a good number of records. This is one of the main reasons why I haven’t taught Jarvis to run this type of reconnaissance. :P

      • Ah, I see. In my mind I think that pinging a broadcast address should broadcast icmp’s to all devices connected on the subnet (specifically, layer 2 broadcast to ff:ff:ff:ff:ff:ff), but that’s probably just wishful thinking. Adam Savage’s quote “I reject your reality and substitute my own” comes to mind. I do that a lot lol. I guess the device likely being a layer 3 one, it inherently doesn’t forward broadcast packets. Anywho, keep up the blogging! Your adventures are always fun to read about.

      • Thanks chefwear. BTW, have you seen this?

        http://www.xsanity.com/article.php/2007062607504287

  3. Oh nice use for it there!

  4. I would like to thank you very much for your efforts. I spend most of my weekend time watching your tutorials and actually practice doing them. You are a gifted person. Thank you again and keep up the excellent work

  5. Rami permalink

    How Do you run the code

    • which code? The http auth crack? Just edit lines 2-10 in the php file and then from the command line, run:
      php httpauthcrack.php

      • Rami permalink

        Ok Thanks

      • Rami permalink

        Can you run it for hacking into the routers settings

      • Yes you can. :)

      • Mohammed permalink

        How do you do that?

        P.S. Step by Step please. I am a COMPLETE beginner

        Thnx

  6. where did you enter the code? and how do you run it?

  7. jack permalink

    dear cranklin
    i m sure you could help me
    i have a girlfriend and her father has installed camera at their house
    but its all locked , can i be able to stop that cam without trying to open the cabinet where the router must be placed , coz if she touches the cabinet , then it will also be recorded
    please help

  8. jack permalink

    cranklin please help me
    i thought i would get a reply from your side

    • Hey Jack, while I enjoy and promote hacking for education and knowledge, I cannot condone outright illegal acts. I understand it doesn’t seem like a big deal to break into your girlfriend’s father’s surveillance system. From an ethical standpoint, however, it doesn’t sit right with me, and the legal implications alone are not worth the risk. Please understand.

    • lurchpop permalink

      If the camera is infrared-capable you can temporarily disable it with a high powered laser (e.g. a green laser greater at least 5mw). You can identify whether it’s infrared by the ring of LEDs around the lens. If there aren’t LEDs there it might not work very well.

  9. THe phantom permalink

    ey cranklin i’ve discovered an open loop on every standard bank atm. as a cypherpunk idnt knw whethr 2 use my cyber intelligence against dem or for good.

  10. SWEET! Now I know how to at least find the cameras on my school’s network. This will be a lot of fun.

  11. Mohammed permalink

    Hi Cranklin,
    I am an utter beginner and I wanted to hack into my own IP camera. How do I edit lines 2-10 of the code. In what way?

    Thanks

  12. BioLashOut permalink

    Good day Cranklin,
    I have a question for you I know its nothing to do with this post.
    I want to create a brute force attack on my USB to break in to a pc mac username and password just like in Person of interest will you do a tutorial on it please.

    by the way love this post.

    Thanks

  13. Hey bro…..u really r a genius……….i wanna contact u…..can u give me ur fb profile link………mine is facebook.com/ayush.dangwal…….
    waitin for a reply soon..:)

  14. Richard permalink

    Out of curiosity I stumbled upon this page.. you my friend, are the man! Knowledge. is. power.

  15. Lim permalink

    Hiya cranklin :)

    Your post inspired this little brain of mine to learn the magical powers of hacking
    The thing is, I am a completely fresh newbie who knows nothing about hacking or where to start
    It would be awesome to get a mentor like you :)

    Waiting to hear tips lol

  16. I’m not sure where you’re getting your info, but great
    topic. I needs to spend some time learning more or understanding more.
    Thanks for wonderful information I was looking for this information for my mission.

  17. Genuinely when someone doesn’t be aware of after that its
    up to other viewers that they will assist, so here it
    occurs.

  18. This page really has all the information
    I needed concerning this subject and didn’t know who to
    ask.

  21. Hi there! This article could not be written any better!
    Looking through this post reminds me of my previous roommate!
    He always kept preaching about this. I most certainly will forward this post to him.
    Fairly certain he’ll have a very good read. Many thanks for sharing!

  22. I visited several websites, however the audio quality of the songs on this website is truly fabulous.
