search

UND-ARC / IPCam

Everything we know about the DigiHero IPCam.
The Unlicense
20 stars 8 forks source link

Web spider on software host #6

Closed mishaturnbull closed 5 years ago

mishaturnbull commented 5 years ago

This is a request for information issue In the ASP index from www.p2plivecam.com, there is an IP address linked with downloading PCTools and the Android APK software. The address is 112.124.40.254:808 and appears to be a Chinese IPCamera software upgrade management platform.

The test I would like to be run is: 

$ nmap -sS -sU -T4 -vvv -p 1-65535 112.124.40.254
$ nmap -F -T4 -A -vvv --script all 112.124.40.254

This will require root privileges.

Is there any chance that this will cause damage/in some way alter the code executing on the camera? No.

Does this test prelude/follow up on others? If so, what? No idea.

mishaturnbull commented 5 years ago

Scan 1 nmap -sS -sU -T4 -vvv -p 1-65535 112.124.40.254 results:

Interesting results:

PORT      STATE         SERVICE           REASON
808/tcp   open          ccproxy-http      syn-ack ttl 100
10220/tcp open          unknown           syn-ack ttl 101
10230/tcp open          unknown           syn-ack ttl 101
45342/tcp open          unknown           syn-ack ttl 101
45514/tcp open          cloudcheck        syn-ack ttl 64

Every single UDP port was listed as open|filtered with it's corresponding service. Sample:

1/udp     open|filtered tcpmux            no-response
2/udp     open|filtered compressnet       no-response
3/udp     open|filtered compressnet       no-response
4/udp     open|filtered unknown           no-response
5/udp     open|filtered rje               no-response
--clip--
65530/udp open|filtered unknown           no-response
65531/udp open|filtered unknown           no-response
65532/udp open|filtered unknown           no-response
65533/udp open|filtered unknown           no-response
65534/udp open|filtered unknown           no-response
65535/udp open|filtered unknown           no-response
mishaturnbull commented 5 years ago

Scan 2 nmap -F -T4 -A -vvv --script all 112.124.40.254 results:

|   IP: fd00:f81d:f8e:6122:785e:8809:25bf:45     MAC: 00:cd:fe:e2:50:0d  IFACE: wlan0
|   IP: fd00:f81d:f8e:6122:8ca8:ac9c:b5f8:2d81   MAC: 9c:e3:3f:31:8e:d4  IFACE: wlan0
|   IP: 2001:48f8:3035:128d:bce7:4927:4fb3:a2b9  MAC: 00:cd:fe:e2:50:0d  IFACE: wlan0
|   IP: fe80::1897:2bd6:832b:704a                MAC: 00:cd:fe:e2:50:0d  IFACE: wlan0
|   IP: fe80::fa1d:fff:fe8e:6122                 MAC: f8:1d:0f:8e:61:22  IFACE: wlan0
|   IP: fe80::5a6d:8fff:fe77:1401                MAC: 58:6d:8f:77:14:01  IFACE: wlan1
|   IP: 2001:48f8:3035:128d:c554:4078:f500:f37b  MAC: 9c:e3:3f:31:8e:d4  IFACE: wlan0
|_  Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-mld: 
|   IP: fe80::5a6d:8fff:fe77:1401  MAC: 58:6d:8f:77:14:01  IFACE: wlan1
| 
|_  Use --script-args=newtargets to add the results as targets
Initiating Ping Scan at 21:13
Scanning 112.124.40.254 [4 ports]
Completed Ping Scan at 21:13, 0.30s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:13
Completed Parallel DNS resolution of 1 host. at 21:14, 5.90s elapsed
DNS resolution of 1 IPs took 5.90s. Mode: Async [#: 4, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 21:14
Scanning 112.124.40.254 [100 ports]
Completed SYN Stealth Scan at 21:14, 26.06s elapsed (100 total ports)
Initiating Service scan at 21:14
Initiating OS detection (try #1) against 112.124.40.254
Retrying OS detection (try #2) against 112.124.40.254
Initiating Traceroute at 21:14
Completed Traceroute at 21:14, 3.18s elapsed
Initiating Parallel DNS resolution of 18 hosts. at 21:14
Completed Parallel DNS resolution of 18 hosts. at 21:14, 5.81s elapsed
DNS resolution of 18 IPs took 5.81s. Mode: Async [#: 4, OK: 6, NX: 12, DR: 0, SF: 0, TR: 28, CN: 0]
NSE: Script scanning 112.124.40.254.
NSE: Starting runlevel 1 (of 4) scan.
Initiating NSE at 21:14
NSE: [ip-geolocation-maxmind 112.124.40.254] You must specify a Maxmind database file with the maxmind_db argument.
NSE: [ip-geolocation-maxmind 112.124.40.254] Download the database from http://dev.maxmind.com/geoip/legacy/geolite/
Completed NSE at 21:15, 21.29s elapsed
NSE: Starting runlevel 2 (of 4) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 4) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
NSE: Starting runlevel 4 (of 4) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
Nmap scan report for 112.124.40.254
Host is up, received echo-reply ttl 101 (0.26s latency).
All 100 scanned ports on 112.124.40.254 are filtered because of 100 no-responses
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.70%E=4%D=2/7%OT=%CT=%CU=%PV=N%DS=21%DC=T%G=N%TM=5C5CF43F%P=x86_64-pc-linux-gnu)
U1(R=N)
IE(R=N)

Network Distance: 21 hops

Host script results:
|_asn-query: No Answers
| dns-blacklist: 
|   ATTACK
|     all.bl.blocklist.de - FAIL
|   SPAM
|     all.spamrats.com - FAIL
|     spam.dnsbl.sorbs.net - FAIL
|     bl.spamcop.net - FAIL
|     l2.apews.org - FAIL
|     sbl.spamhaus.org - FAIL
|     dnsbl.inps.de - FAIL
|     list.quorum.to - FAIL
|     bl.nszones.com - FAIL
|   PROXY
|     socks.dnsbl.sorbs.net - FAIL
|     dnsbl.tornevall.org - FAIL
|     http.dnsbl.sorbs.net - FAIL
|     misc.dnsbl.sorbs.net - FAIL
|_    tor.dan.me.uk - FAIL
|_dns-brute: Can't guess domain of "112.124.40.254"; use dns-brute.domain script argument.
|_fcrdns: FAIL (No PTR record)
|_firewalk: None found
| hostmap-ip2hosts: 
|_  hosts: Error: found no hostnames but not the marker for "no hostnames found" (pattern error?)
|_hostmap-robtex: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin: 
|_112.124.40.254
|_tor-consensus-checker: ERROR: Script execution failed (use -d to debug)
|_traceroute-geolocation: ERROR: Script execution failed (use -d to debug)
| unusual-port: 
|_  WARNING: this script depends on Nmap's service/version detection (-sV)
|_whois-domain: You should provide a domain name.
| whois-ip: Record found at whois.apnic.net
| inetnum: 112.124.0.0 - 112.127.255.255
| netname: ALISOFT
| descr: Aliyun Computing Co., LTD
| country: CN
| person: Li Jia
|_email: jiali.jl@alibaba-inc.com

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   5.91 ms   192.168.0.1
2   16.47 ms  10.11.128.1
3   16.56 ms  24-220-255-126-static.midco.net (24.220.255.126)
4   18.57 ms  24-220-255-51-static.midco.net (24.220.255.51)
5   18.62 ms  24-220-6-224-static.midco.net (24.220.6.224)
6   150.38 ms mini-b1-link.telia.net (62.115.152.104)
7   150.43 ms kanc-b1-link.telia.net (62.115.123.241)
8   150.47 ms sjo-b21-link.telia.net (213.155.132.180)
9   150.47 ms 218.30.54.181
10  150.57 ms 202.97.62.5
11  225.12 ms 202.97.71.197
12  223.49 ms 202.97.90.30
13  251.28 ms 202.97.94.238
14  238.87 ms 202.97.55.18
15  251.22 ms 220.191.200.26
16  228.81 ms 122.224.214.78
17  242.64 ms 42.120.247.97
18  ... 20
21  215.15 ms 112.124.40.254

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 4) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 4) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 4) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
NSE: Starting runlevel 4 (of 4) scan.
Initiating NSE at 21:15
Completed NSE at 21:15, 0.00s elapsed
Post-scan script results:
|_ip-geolocation-map-bing: Need to specify an API key, get one at https://www.bingmapsportal.com/.
|_ip-geolocation-map-google: Need to specify an API key, get one at https://developers.google.com/maps/documentation/static-maps/.
|_ip-geolocation-map-kml: Need to specify a path for the map.
|_reverse-index: 
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.36 seconds
           Raw packets sent: 368 (19.396KB) | Rcvd: 40 (2.926KB)