Sunday, July 17, 2016

Toying with a Hosafe IP Camera

I was curious about a few things, and one thing led to another.  I purchased a HoSafe IP camera, HOSAFE-2MB3W 1080P, and wanted to see what it would do on the network.  I tossed squid into the mix and forced everything on the IP camera's network to funnel through Squid, only to find :
    1468748798.090    711 TCP_MISS/200 591 GET - HIER_DIRECT/ text/plain
That returned :
Those IP addresses are owned by :
    person:         Chinanet Hostmaster
    nic-hdl:        CH93-AP
    address:        No.31 ,jingrong street,beijing
    address:        100032
    phone:          +86-10-58501724
    fax-no:         +86-10-58501724
    country:        CN
    changed: 20070416
    changed: 20140227
    mnt-by:         MAINT-CHINANET
    source:         APNIC
Looks like a legitimate request, right?  Ouch.  I knew those ports needed to get blocked (port 9210).  Next, I thought I'd try to scan it to see some details :
    [root@hostname squid]# nmap -sT -O
    Starting Nmap 6.40 ( ) at 2016-07-17 20:03 MDT
    Nmap scan report for
    Host is up (0.0013s latency).
    Not shown: 995 closed ports
    23/tcp   open  telnet
    80/tcp   open  http
    554/tcp  open  rtsp
    8099/tcp open  unknown
    9101/tcp open  jetdirect
    MAC Address: E0:62:90:E4:E2:34 (Jinan Jovision Science & Technology Co.)
    Device type: general purpose
    Running: Linux 2.6.X|3.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
    OS details: Linux 2.6.32 - 3.2
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds
    [root@hostname squid]#
A little research, and I found ports 8099 and 9101 were related to some ONVIF and DVR functionality of the camera.  I was actually more interested in the "23/tcp open telnet" line to gain root access.  I currently cannot find the default credentials.  I may have to really get more in depth.

I also threw a simple HTTP request at it to see what it returned.
    GET / HTTP/1.0
    Host: camera-backporch
    HTTP/1.0 200 OK
    Server: thttpd/2.25b 29dec2003
    Content-Type: text/html; charset=utf-8
    Date: Sat, 15 Jan 2000 05:43:43 GMT
    Last-Modified: Thu, 26 Mar 2015 02:37:24 GMT
    Accept-Ranges: bytes
    Connection: close
    Content-Length: 9872
    <!doctype html>
        <!-- use webkit mode for 360 -->
        <meta name="renderer" content="webkit">
        <meta http-equiv="X-UA-Compatible" content="IE=10" />
        <meta charset="utf-8" />
        <script src="js/jq.js">
        <script src="js/jq.browser.js">
        <script src="js/jq.i18n.p.js">
        <script src="js/u.js">
        <link rel="stylesheet" href="css/reset.css" />
        <link rel="stylesheet" href="css/style.css" />
        <script src="js/index.js">
        <title data-i18n-l="jovision">
    [ ... snip ... ]
        <div id="footer" data-i18n-l="jovision">
    Connection closed by foreign host.
    [root@ch squid]#
The "Server: thttpd/2.25b 29dec2003" header was beneficial, but the last "<div id="footer" data-i18n-l="jovision"></div>" line seemed to match the MAC address description with a reference to "Jovision", and also corresponds to the "jovetech" reference from Squid.  Huh!  Looks like it tries to dial home!

No comments:

Post a Comment