監視カメラハッキング続き
nmap
ここに書いたカメラもう少し調べてみた。
pi@raspberrypi4:~ $ nmap -AT4 192.168.11.29 Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-11 15:34 JST Nmap scan report for 192.168.11.29 Host is up (0.017s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp BusyBox ftpd (D-Link DCS-932L IP-Cam camera) | ftp-anon: Anonymous FTP login allowed (FTP code 230) | total 32 | drwxr-xr-x 2 1000 1000 1029 Jan 7 2017 bin | drwxr-xr-x 4 root root 0 Jan 1 1970 dev | drwxr-xr-x 5 1000 1000 300 Nov 4 2018 etc | lrwxrwxrwx 1 root root 11 Nov 4 2015 init -> bin/busybox | drwxr-xr-x 3 1000 1000 998 Mar 28 2017 lib | drwxrwxrwx 5 root root 32768 Jan 1 2010 mnt [NSE: writeable] | dr-xr-xr-x 56 root root 0 Jan 1 1970 proc | drwxr-xr-x 2 1000 1000 752 Jan 7 2017 sbin | dr-xr-xr-x 13 root root 0 Jan 1 1970 sys | drwxr-xr-x 4 root root 0 Jan 11 15:36 tmp | drwxr-xr-x 8 1000 1000 102 Jan 7 2017 usr |_drwxr-xr-x 6 root root 0 Jan 1 1970 var |_ftp-bounce: bounce working! | ftp-syst: | STAT: | Server status: | TYPE: BINARY |_Ok 23/tcp open telnet BusyBox telnetd 6789/tcp open ibm-db2-admin? Service Info: Host: anyka; Device: webcam; CPE: cpe:/h:dlink:dcs-932l Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 163.18 seconds
この行↓の記述を見ると、BusyBoxのftpdが動いている。
21/tcp open ftp BusyBox ftpd (D-Link DCS-932L IP-Cam camera)
BucyBoxというのはいろいろなコマンドというか実行ファイルを小容量化のために一つにまとめたもののようである。組み込み用か。
D-Link DCS-932L IP-Cam cameraというのはこのカメラとは違い、もう少し大きなロボット型の監視カメラの製品名であるが、ここになぜか出てくる。この製品のF/Wをそのまま持ってきたのか??
/usr/local/factory_cfg.ini
これが工場出荷時の設定なのか??ftpで接続して見てみる。
ftp> get factory_cfg.ini - remote: factory_cfg.ini 200 Operation successful 150 Opening BINARY connection for factory_cfg.ini (4547 bytes) #### #### Anyka IPC config file #### ## factory config file #### use four '#' to make note #### [global] user = admin secret = admin rtsp_support = 0 firmware_update = 0 dev_name = WiFi Camera soft_version = 2000 reset_flag = 1 [ethernet] dhcp = 1 ipaddr = 192.168.1.88 netmask = 255.255.255.0 gateway = 192.168.1.1 firstdns = 8.8.8.8 backdns = 108.108.108.108 [wireless] ssid = mode = Infra security = password = 12345678 running = softap [softap] s_ssid = powe000000 s_password = #### camera-video arguments [video] minqp = 10 maxqp = 36 v720pfps = 15 v720pminkbps = 250 v720pmaxkbps = 500 save_cyc_flag = 1 #### loop record flag, 1 -> loop, 0 -> common savefilefps = 15 savefilekbps = 480 recpath = /mnt/plan_record_dir/ #### save plan-record file path vgapfps = 15 vgaminkbps = 128 vgamaxkbps = 320 goplen = 2 quality = 80 video_index = 1 pic_ch = 0 #### plan-record arguments [record] video_index = 1 record_start_run1 = 1 #### 0 -> off, 1 -> on record_start_time1 = 0 record_end_time1 = 86399 record_cyc1 = 127 #### record time mask,7days,each day use one bit record_start_run2 = 0 record_start_time2 = 68760 record_end_time2 = 83160 record_cyc2 = 1 record_start_run3 = 0 record_start_time3 = 0 record_end_time3 = 33780 record_cyc3 = 16 record_time = 3 #### minutes #### alarm-record arguments [alarm] motion_detection = 3 #### detection level,0 ->close detection motion_detection_1 = 400 motion_detection_2 = 200 motion_detection_3 = 100 opensound_detection = 0 opensound_detection_1 = 10 opensound_detection_2 = 20 opensound_detection_3 = 30 openi2o_detection = 0 smoke_detection = 0 shadow_detection = 0 other_detection = 0 alarm_send_type = 0 alarm_send_flag = 1 alarm_interval_time = 500 #### milli second, detection interval alarm_default_record_dir = /mnt/alarm_record_dir/ #### default alarm record directory alarm_move_over_time = 60 #### alarm record time, seconds alarm_record_time = 300 #### the alarm file length alarm_send_msg_time = 60 #### send message interval time alarm_save_record = 0 #### save record flag motion_size_x = 8 #### screen division arguments motion_size_y = 8 ##### cloud supported current, 1 -> supported, 0 -> unsupported [cloud] dana = 0 onvif = 0 tutk = 1 tencent = 0 hk = 0 #### argument show on screen [camera] width = 1280 height = 720 osd_position = 1 #### 1->左下, 2->左上,3->右上,4->右下 osd_switch = 0 #### osd display channal name switch, 1 -> on, 0 -> off osd_name = H.264 IPC #### when "osd_switch" is on, display on the screen time_switch = 1 #### time message display switch, 1 -> on, 0 -> off date_format = 1 #### show date hour_format = 0 #### show hour week_format = 0 #### show weekends #### when support onvif, onvif cloud use [onvif] fps1 = 25 kbps1 = 2048 quality1 = 50 fps2 = 25 kbps2 = 800 quality2 = 50 #### ftp update information [ftp_info] ftp_server = 121.14.38.22 user_name = anyka_ipc ftp_pwd = Anyka_Ipc ftp_file_path = IntCamPTZ/IntCam-A/ update_start_time = 2 update_end_time = 4 226 Operation successful 4547 bytes received in 0.14 secs (31.2359 kB/s)
