If you’ve purchased a piece of consumer electronics in the last few years, there’s an excellent chance that you were forced to use some proprietary application (likely on a mobile device) to unlock its full functionality. It’s a depressing reality of modern technology, and unless you’re willing to roll your own hardware, it can be difficult to avoid. But [krishnan793] decided to take another route, and reverse engineered his DDPAI dash camera so he could get a live video stream from it without using the companion smartphone application.
Like many modern gadgets, the DDPAI camera creates its own WiFi access point that you need to connect to for configuration. By putting his computer’s wireless card into Monitor mode and running Wireshark, [krishnan793] was able to see that the smartphone was communicating with the camera using some type of REST API. After watching the clear-text exchanges for awhile, he not only discovered a few default usernames and passwords, but the commands necessary to configure the camera and start the video stream.
After hitting it with the proper REST messages, an
nmap scan confirmed that several new services had started up on the device. Unfortunately, he didn’t get any video when he pointed VLC to the likely port numbers. At this point [krishnan793] checked the datasheet for the camera’s Hi3516E SoC and saw that it supported H.264 encoding. By manually specifying that as the video codec when invoking VLC, it was able to play a video stream from port 6200. A little later, he discovered that port 6100 was serving up the live audio.
Technically that’s all he wanted to do in the first place, as he was looking to feed the video into OpenCV for other projects. But while he was in the area, [krishnan793] also decided to find the download URL for the camera’s firmware, and ran it through binwalk to see what he could find out. Not surprisingly the security turned out to be fairly lax through the entire device, so he was able to glean some information that could be useful for future projects.
Of course, if you’d rather go with the first option and build your own custom dash camera so you don’t have to jump through so many hoops just to get a usable video stream, we’ve got some good news for you.
We’ve all been there. Your roommate is finally out of the house and you have some time alone. Wait a minute… your roommate never said when they would be back. It would be nice to be warned ahead of time. What should you do? [Mattia] racked his brain for a solution to this problem when he realized it was so simple. His roommates have been warning him all along. He just wasn’t listening.
Most Hackaday readers probably have a WiFi network in their homes. Most people nowadays have mobile phones that are configured to automatically connect to these networks when they are in range. This is usually smart because it can save you money by not using your expensive 4G data plan. [Mattia] realized that he can just watch the wireless network to see when his roommates’ phones suddenly appear. If their devices appear on the network, it’s likely that they have just arrived and are on their way to the front door.
Enter wifinder. Wifinder is a simple Python script that Mattia wrote to constantly scan the network and alert him to new devices. Once his roommates are gone, Mattia can start the script. It will then run NMap to get a list of all devices on the network. It periodically runs NMap after this, comparing the new host list to the old one. If any new devices show up, it alerts with an audible beep and a rather hilarious output string. This type of scanning is nothing new to those in the network security field, but the use case is rather novel.
With all the noise about Conficker turning your computer into liquid hot magma on April 1st, there’s actually some positive news. Researchers from the HoneyNet Project have been following the worm since infections started in late 2008. They recently discovered an easy way to identify infected systems remotely. Conficker attempts to patch the MS08-067 vulnerability during infection. A flaw in the patch causes the machine to respond differently than both an unpatched system and an officially patched system. Using this knowledge, the team developed a proof of concept network scanner in python to find infected machines. You can find it in [Rich Mogull]’s initial post. [Dan Kaminisky] has packaged it as an EXE and has instructions for how to build the SVN version of Nmap, which includes the new signature. Other network scanner vendors are adding the code as well.
In conjunction with this detection code, the team has also released the whitepaper Know Your Enemy: Containing Conficker. It discusses ways to detect, contain, and remove Conficker. They’ve combined this with a tool release that covers Conficker’s dynamic domain generation among other things.
Midnight Research Labs has just published a new tool. Depant will scan your network and check to see if services are using default passwords. It starts by performing an Nmap scan to discover available services on the network. It organizes these services by speed of response. Using Hydra it does brute force password checking of these services with a default password list. The user can supply an alternate list for the first phase or an additional list to be used in a followup check. Depant has many different options for configuring your scan and will certainly help you find that rogue piece of hardware on your network that someone failed to set up securely.
[Irongeek] has been working on changing the OS fingerprint of his Windows box. Common network tools like Nmap, P0f, Ettercap, and NetworkMiner can determine what operating system is being run by the behavior of the TCP/IP stack. By changing this behavior, you can make your system appear to be another OS. [Irongeek] started writing his own tool by checking the source of Security Cloak to find out what registry keys needed to be changed. His OSfuscate tool lets you define your own .os fingerprint file. You can pretend to be any number of different systems from IRIX to Dreamcast. Unfortunately this only works for TCP/IP. Other methods, like Satori‘s DHCP based fingerprinting, still work and need to be bypassed by other means. Yes, this is just “security through obscurity”, but it is something fun to play with.