95e15b No.553
this thread will now be home to cool stuff
95e15b No.554
New File Downloader:
https://mega.co.nz/#!DgECDb7B!AxQIPuuRs9zcaS9i22p8dSnRcNLdN1f_iHD0DYlFhh4
Supports multiple asynchronous downloads and download cancelling, snapshots, and auto-URL formatting.
This is not a magic downloader. It will not always download kcores successfully. I'm sorry.
First, paste URL of camera in the top textbox.
The buttons named "1" and "2" format the URL to include //proc/kcore or the other privilege escalation exploit (#2 requires working operator credentials)… press the download button to start downloading.
Press the button named "->" to use the current credentials and attempt to take a snapshot. This does not leave logs on the camera. I'm planning to implement a sort of brute-force function which will scan the kcore for user/pass combos and attempt to get screenshots with them (if successful, credentials work).
Right click download(s) on the list to show the menu. You can cancel them or delete them (from the list).
The source is included in the package. If you don't trust "a random channer's exe" you can compile from source or continue with wget.
5103c0 No.555
>>553
I really really, really, really, like that picture, do you mind if I save it?
95e15b No.556
http://pastebin.com/aD8Ks0ai
Shodan.io Greasemonkey Helper
As posted in another thread, this script (used with the Greasemonkey or Tampermonkey extension) shows camera previews for IPs on Shodan.io. This new version adds support for checking //proc/kcore vulnerability, hiding broken images, and multiple default credentials (admin:, admin:123456, and admin:12345). Feel free to modify it.
f88cef No.561
>>556
>>554
That's EPIC. That's EPIC for the WIN! (^_*)
No, seriously, I got something like 70 cams in about 2 hours, and I ignored at least 70% of the ones that I previewed. The combination of these tools is amazing. I wrote the AutoHotkey script a few weeks back, and this makes that utterly obsolete. Even for the filthy casuals, the Greasemonkey script is a must (and everyone can see it's safe). Previewing the cams on the shodan page itself is fucking amazing. This new version is even better. I've only seen one problem, which is that sometimes the vulnerable/not vulnerable text doesn't show up. I assume this is because it's taking forever to get the request.
The new file downloader is also great stuff. Saves a load of time and makes using the kcore that much less frustrating. Here are a few suggestions for improvement:
- Some kind of file extension on the files, maybe .joe. I like that the IP is written as the filename, but with an extension we could associate it with our favorite editor to easily open. Then the Edit cmd in right click would be as simple as issuing the default open.
- Would be nice to have a button to grab what's in the clipboard and put it in the IP field, automatically add //proc/kcore, and begin the download. Or, at the very least, when you click the IP textbox, have it autoselect all text so that anything you paste in replaces it. (Standard behavior for most textboxes)
- Option to have the download cancel at a specified amount. I've never had a need for anything beyond 4MB.
- You get a dirty error message when you try to get a snapshot with bad creds, rather than just "you have bad creds" or the like.
Thanks again, man. Best work of /ipcam/ so far, I think we can all agree.
I might contribute to the downloader if I get some time, but I'll wait until you put up your definitive release before touching it.
0ea4e0 No.564
>>553
Thanks for starting this thread, we're due for a new sticky.
I took a few minutes today to wrap up the 4th revision of my CLI tool for mac/linuxfags (you can run it with Cygwin in Windows if you want, too). This script will:
1. Check a list of IPs for default u/p and save those that authenticate and
2. Optionally check whether kcore has been patched for cams that do not authenticate with default creds and save IPs for unpatched kcores
Updates:
- (dokcore | nokcore) argument is ideal for switching between nearby cams and those that you have no hope of getting a full kcore on
- curl timeout option ("2" recommended unless you're trolling other continents) provides a little more flexibility for those on slower connections or when you're looking for default creds on very far away cams
- kcore out file and command line argument so you can organize your shit better (i.e., "PortlandORkcores.txt")
If you have a paid Shodan account (for exports or API access) or are just really anal about your workflow, this is a good option for processing thousands of raw IPs at a time. On a good connection you're looking at something in the neighborhood of 10,000 IPs per day.
http://pastebin.com/SAFQCMjx
I'm learning this shit on the fly so any help is appreciated (thanks again to Donkus in the IRC channel)! Joe's *monkey script inspired me so I'm thinking about adding a HTML out file to load a montage of streams to make reviewing default credential cams easier to parse through.
EDIT: Fixed a minor bug and re-pasted
0ea4e0 No.567
>>564
I should have also mentioned that I have a LAMP stack web server running ZoneMinder for DVR. I do my kcore getting via SSH tunnel to a high bandwidth VPS. I've had some luck with VLC, streaming, recording and webm/mp4 conversion.
Basically, I'm happy to help linuxfags with tools and scripts where I can.
http://www.zoneminder.com/
ee74bb No.568
>>556
http://pastebin.com/zJ7b2Sjp
new version of script that now starts from the top of the page and does not break if a camera is unreachable.
Working on the filedownloader now, incorporating suggestions and a kcore searcher/camera "bruteforcer". Soon it will be fully automated.
0ea4e0 No.569
>>568
Do you have a strategy in mind for automating the kcore analysis? I've thought about trying a string search for something like "nist" ("admin" would get maybe half of them) and then grabbing all alpha-numeric chars within a certain range of the string match using regex. Hoping I can crib off of what you come up with!
0ea4e0 No.570
>>568
kek, dat email. imposter! if you want to mod i'll pass you the creds in irc… then you can capcode like a real attention whore :^)
ee74bb No.571
>>569
so far what I have found works best is skipping to ~0x380000 in the file (not too sure, most files are after 0x3A0000 but I have one at 0x390000).
Searching for the MAC address of the camera after this (can be retrieved from camip/get_status.cgi without login) usually brings you to the location of the username and password. I've made this into a simple tool so far and am working on implementing it into the FileDownloader.
Here's the uncompiled code if anyone wants to poke around:
http://pastebin.com/tHKxg7XG
It grabs the MAC address from the camera, opens the kcore and skips to 0x380000, finds all strings after that point, and then only uses strings found after the MAC (if applicable). Logs in at /get_params.cgi. I'm sure there are better ways to do it (there must be a pattern somewhere!) but this works for now.
0ea4e0 No.572
>>571
Wow. Guess I can grab the alias and ddns info from here and include them in my kcore out file. That will be useful for extending the shelf life of my "unpatched" list.
I'll play around with the MAC string, good find!
var id='78A5DD017BAA';
var sys_ver='21.37.2.39';
var app_ver='0.0.4.18';
var alias='002iyzx';
var now=1426724920;
var tz=0;
var alarm_status=0;
var ddns_status=0;
var ddns_host='';
var oray_type=0;
var upnp_status=0;
var p2p_status=0;
var p2p_local_port=25296;
var msn_status=0;
95e15b No.573
>>554
https://mega.co.nz/#!itUE3aIQ!NoizbGX4W3AxeQa0HyHcYh_4jP0wmm-jlgorqCMXXoQ
Updated FileDownloader… it is cool beans now. Bruteforcer does not find empty passwords.
General
- (requested) Saves kcores with the extension *.joe, and enables editing because of this. Extension handling is done through windows.
- "Sorted" code into regions
- (requested) Pasted URLs are automatically formatted according to enabled radio button
- Double-clicking an item in the list that has been bruteforced will load the url/username/password boxes with saved information (for snapshot viewing)
Snapshots
- No longer runs on the UI thread (doesn't freeze everything)
- 2s timeout added
- Clicking the snapshot after loaded will open it in your browser
Bruteforce
- Added "Bruteforce" functionality to the right-click menu for downloaded kcores
- Attempts to find a working username:password pair in the kcore. (Starts at 0x380000, skips to MAC if found)
- White box on right side is the brute force log. You can type in it, but I don't recommend it.
- Logs to "bruteforce.log"
Options
- (requested) "Autocancel at 4.4MB"
- "Auto Bruteforce" : Adds the kcore to the bruteforcing queue once download is complete
- "Strict" : Cancels brute forcing if the camera's MAC address is not found after 0x380000 (tries to avoid false positives)
- Buttons 1 and 2 made into radio buttons ("kcore" and "decoder")
Bugs
- Attempted to fix progress bars crashing application
- Fixed picture box timing out
Fun
- Custom form titles on startup
One step closer to automation
5103c0 No.575
>>574
truly the beginning of the end
0ea4e0 No.576
>>556
Here's another *monkey script. I tend to process batches of IPs so the easier it is to zip through Shodan results the better. This script strips all of the bullshit away and just leaves a list of links, which is auto-selected for quick copy and paste.
Pic related.
http://pastebin.com/8cYX4wwV
0ea4e0 No.577
>>573
Cross platform, bitches!
95e15b No.578
>>577
that's sexii yo
i'm working on fixing the filedownloader now (progressbar bugs, bruteforcer) and porting getmecamtool to C# .NET (windows mainly… but I guess mono works as well)
0ea4e0 No.579
>>578
i got a couple of warnings when i compiled but it seems to work well. jump on irc if you're still lurking.
0ea4e0 No.581
This is just a good reference and I don't know where else to put it, so:
http://www.foscam.es/descarga/ipcam_cgi_sdk.pdf
Foscam CGI SDK documentation
0ea4e0 No.594
>>571
Thanks for the tip on get_status.cgi. I'm now pulling in the cam alias from the output of this script in my unpatched cam list. Pic related.
I'm going to add an HTML output file for default cam previewing and make another release of this script ASAP.
0ea4e0 No.598
>>564
Some updates. First, I'm shitting up the thread with updates. Sorry. We'll make a new sticky with the most recent versions of various tools.
Another update to findcams.sh. The script now produces a HTML file for reviewing hits on default credentials. If you want to run a check for default creds and/or kcore vulnerability on tens or hundreds of IPs, this might be a good option. I'll post a step by step of my linuxfag-slash-bulk approach soon for those who might be interested.
camfinder.sh v.5 See below for updated release.
660f01 No.604
Absolutely amazing work.
cec232 No.616
Some minor updates to this tool.
- Cleaned up the code because nerd.
- Overhauled the way that in and out files are created and named. Fewer params to enter now when running.
- Added "12345" check to get more hits on, primarily, Asian cams.
camfinder.sh v.6 http://pastebin.com/CwLxemTa
690237 No.617
ever thought of going after backups?
cec232 No.618
>>617
Got any dorks and/or exploits on hand?
690237 No.619
>>618
No, sorry. I've seen threads on /b/ where people dump them like you're doing with cams, so it probably isn't difficult, and it is worth it
cec232 No.622
>>619
Interesting, thanks anon!
51b88f No.640
>>573
Is there any way to allow for bulk IP drops in the file downloader? I'm looking for a way to add a list of ips to this and either run them all at once or queue them up to run one right after each other. Is that possible?
61e94f No.641
>>640
not yet, but I can add it once I get back home.
51b88f No.642
61e94f No.656
>>642
before the release I'm attempting to fix up the bruteforcer. I used to have 0x390000 as the offset to start the search, but now I've found that passwords can show up as early as 0x290000 or 0x2D0000.
The offset is modifiable in the new version, but I'm looking for a good default to set it to. Has anyone found credentials before 0x290000?
0ea4e0 No.657
>>656
I can't even into hex. Is the mac used elsewhere in kcore?
Incidentally, the kcore does include u/p in a really low string if the cgi has been hit with creds in the query string. But this is like 1:20 so not worth the effort most likely. Saved me on a few kcores short of 4mb though.
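Added example, not part of the thread and not code from any tool posted in it: a defender-side pass over reverse-proxy or gateway access logs that flags the requests this thread keeps naming (`//proc/kcore`, unauthenticated `get_status.cgi`, CGI calls carrying `user`/`pwd` in the query string) and masks passwords in its own output. The log lines are constructed, and the combined log format, the `user`/`pwd` parameters on `get_params.cgi` and the tag names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2015:00:28:40 +0000] "GET /get_status.cgi HTTP/1.1" 200 412 "-" "curl/7.38.0"
203.0.113.7 - - [19/Mar/2015:00:28:41 +0000] "GET //proc/kcore HTTP/1.1" 200 4613734 "-" "curl/7.38.0"
203.0.113.7 - - [19/Mar/2015:00:31:02 +0000] "GET /get_params.cgi?user=admin&pwd=hunter2 HTTP/1.1" 200 2210 "-" "curl/7.38.0"
198.51.100.23 - - [19/Mar/2015:09:12:10 +0000] "GET /videostream.cgi?user=viewer&pwd=s3cret HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Mar/2015:09:12:11 +0000] "GET /index.htm HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.50 - - [19/Mar/2015:11:40:03 +0000] "GET //proc/kcore HTTP/1.1" 404 0 "-" "Wget/1.16"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
SECRET_PARAMS = {"pwd", "pass", "password"}  # assumed parameter names


def parse_line(line):
    """Return ip/target/status/size for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    size = m.group("size")
    return {"ip": m.group("ip"), "target": m.group("target"),
            "status": int(m.group("status")),
            "size": 0 if size == "-" else int(size)}


def split_target(target):
    # Split by hand: urllib's urlsplit() reads the leading "//" of "//proc/kcore"
    # as a network location ("proc") and would report the path as "/kcore".
    path, _, query = target.partition("?")
    return path, parse_qsl(query, keep_blank_values=True)


def redact(target):
    """Mask password values so the report does not copy secrets out of the log."""
    path, params = split_target(target)
    if not params:
        return path
    return path + "?" + "&".join(
        f"{k}={'***' if k.lower() in SECRET_PARAMS else v}" for k, v in params)


def classify(rec):
    """Tag one parsed request; duplicate slashes are collapsed before matching."""
    path, params = split_target(rec["target"])
    norm = re.sub(r"/+", "/", path).lower()
    tags = []
    if norm.startswith("/proc/"):
        tags.append("procfs-read")
    if norm.endswith("/get_status.cgi"):
        tags.append("status-probe")
    if any(k.lower() in SECRET_PARAMS for k, _ in params):
        tags.append("creds-in-url")
    return tags


def analyze(lines):
    """Return (ip, tag, redacted_target, response_bytes) findings in log order."""
    findings, leaked_to = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            if tag == "procfs-read" and rec["status"] == 200 and rec["size"] > 0:
                tag = "procfs-leak"          # the device actually returned memory
                leaked_to.add(rec["ip"])
            elif tag == "creds-in-url" and rec["ip"] in leaked_to:
                tag = "login-after-leak"     # same client came back with credentials
            findings.append((rec["ip"], tag, redact(rec["target"]), rec["size"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(*finding, sep="\t")
```

A `procfs-leak` hit means memory contents left the device, so every credential stored on that camera, including any mail or DDNS passwords configured on it, should be treated as exposed and rotated once the firmware is patched.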
95e15b No.659
>>573
https://mega.co.nz/#!ChNyxSxT!ZjL1_cIVegcTNGn3XhvTPeiiJCU984wkFENsPuXn_R4
General
- Added settings window
- Removed progress bars
- Added "Import -> List…" functionality
Downloading
- Downloads now save to a "Downloads" folder
- Downloads are now queued
Bruteforce
- Removed lots of bruteforce log output because it was messy. Replaced others with more descriptive wording
- Multiple bruteforcers can work on different dumps at the same time
- Retry bruteforcing if the camera times out
I do not recommend disabling strict mode or changing the offsets/buffer as they will likely cause unwanted effects. Most of the time if you can't find the username:password with strict mode on, it isn't in the dump.
The offset is set to 0x00390000 by default. Some cams have credentials lower than that, but lowering the offset makes the bruteforcer take longer. I think *39 is the sweet spot.
As always, source included in download.
51b88f No.660
Best One yet Keep Up the Good work!!!!
fdc454 No.662
Hey Joe, whenever I try to use the cam finder script, I get an undefined document error. What am I doing wrong?
bd6d79 No.673
>>659
Import a list? Holy shit, Batman. Hell fucking yes.
Can you do a list of 100, and then import and go, and it will bruteforce them all? (Doing just 5 at a time, of course.)
Amazing work as always. You guys are taking this shit to a whole new level.
95e15b No.676
>>662
Paging evil
>>673
It will attempt to, yes. It still has trouble downloading the files (as do all methods AFAIK) and will not be able to work on all cameras because of that. It works very well with a shodan membership or scanner.go from getmecamtool
a1ec20 No.678
>>662
What are you entering at the command line?
fdc454 No.679
Command line… look, I got to admit, when it comes to scripts & programming I'm fucked. I'm a writer, not a hacker, Jim. So I'm sure I'm doing something wrong, because the cam search helper script isn't working in my searches (I have greasemonkey installed).
Again, it's my problem; thank you very much for taking the time to put it together. The FileDownloader is the tits, too!
cac216 No.680
>>679
are you talking about
>>616 or
>>568?
616 is a bash script that uses the command line, and 568 is a greasemonkey script used on shodan
fdc454 No.681
>>680
568, can you explain to me how to use it, uh, step-by-step?
What I'd really like to do is pull the ip addresses from a downloaded shodan file, to use them with the Downloader. Any suggestions on that as well, please? Cheers.
a1ec20 No.682
>>681
Ah.
>>568, can you explain to me how to use it, uh, step-by-step?
I'll give it a shot.
Go here:
http://pastebin.com/zJ7b2Sjp … scroll down to RAW Paste Data, select all and copy.
Go to FireFox and click the little drop down on the monkey icon. Select "New User Script."
Click "Use Script From Clipboard" at the bottom.
A new window will open showing the script. Click "Save" and close the window.
You can go to "Manage User Scripts" to turn the script off or on.
When you do your Shodan.io search you will see snapshots for default credential matches and "Vulnerable to //proc/kcore" for cams that are susceptible to the kcore exploit. See pic.
Joe, I've only used this with TamperMonkey up until now. I got hit with user/password prompts for each cam as the script iterated through, which I don't get in Chrome. Not sure if I skipped a setting by creating the script from clipboard or if it's a FF on Linux thing.
> What I'd really like to do is pull the ip addresses from a downloaded shodan file, to use them with the Downloader.
I'll defer to Joe on how to best use the Downloader for this. Is it efficient to run a raw IP dump or would it be preferable to have a clean list that excludes non-vulnerable IPs and maybe even default cred cams?
Hope that helps!
cac216 No.683
>>682
I've also only used it on Tampermonkey (with Chrome). Perhaps Greasemonkey does things differently?
> What I'd really like to do is pull the ip addresses from a downloaded shodan file, to use them with the Downloader.
You can use raw IP lists with the downloader although it may take a bit longer as it will connect to each IP and attempt to download the kcore (usually ending at 0kb). I recommend enabling "Remove from list when done" in the settings to clean up a lot of the clutter.
I have never tested with Shodan dumps because I don't have a membership, but if they are just lines of IPs or domains it should work fine.
fdc454 No.684
>>682
I got it working thanks to you. You rock, but I guess you knew that. Cheers. ;)
a1ec20 No.685
fdc454 No.686
>>685
Definitely! I'm going to hop on the rizon channel in the near future, to share and give a big thank you to joe and everyone else for the scripts and especially the FileDownloader.
No offense, just some constructive criticism: shouldn't the FileDownloader have a more accurate and imaginative name to fully describe its function & glory? Maybe "Joe's Kcore Prober"? How about "The Foscam Fucker"?
Work with me here, fellow Owls in the night ;)
a1ec20 No.687
>>686
My vote…
JOE'S FOSCAM FUCKER
Jump on Rizon, we're around.
bd6d79 No.692
>>683
Re: Shodan dumps, another anon posted a way to extract links from a Shodan page using a FF extension called Link Gopher. You get the IPs at the top.
Probably would not be too tricky to do this with a GM script either. You still have to do it on a per-page basis, but it's faster than copying each link individually. Still, would be nice not to have to trim the list of the default PW cams and those that are not vulnerable to the kcore exploit. Or at the very least the latter.
51b88f No.695
9c892a No.696
>>659
Found a bug. File downloaded, but only partially. Then downloader keeps saying "Error reconnecting to server, is it up? Retrying later…"
It repeats this every second. First I hit Stop on the download; then I hit Delete. Kept spamming the log.
Unfortunately this wiped all the bruteforced login info I had, at least in the window itself. Thanks for throwing the successes to a file output.
Is there a possibility of including the failed bruteforces to log? (Perhaps in a separate file?) That way I'd know which ones to try manually, or try with different parameters.
Also, would be cool to be able to use the bruteforcing aside from the downloader. I.e., file->open kcore and it starts bruteforcing a particular file. This would let you try various search parameters on the tougher ones.
Thanks for all your hard work on this, man.
9c892a No.697
>>696
Update: it eventually did connect to this server and manage to download the file, then bruteforce it successfully. But it doesn't show up on the list.
Weird!
Would be amazing to have an option to retry a download, as I know sometimes you can be cut short one time and be able to get enough the next.
a1ec20 No.698
>>692
I made a script that makes this easier, here:
>>576
95e15b No.699
>>698
wow… how did I not notice this before? this is beautiful
d5466d No.704
New tool. I don't know shit about netcam firmware but I decided to test whether there were still unpatched cams (for this particular exploit) in the wild. I got ~10% hit rate on my first test with a couple hundred IPs so I'm guessing there are roughly 1,000 - 2,000 more cams out there to get got with this method.
http://pastebin.com/BzMsJPkp
Anyone know anything about these?
cce9fc No.716
>>556
Errr… I'm not getting any previews of the cams.
95e15b No.718
>>716
Are you using Tampermonkey or Greasemonkey?
I think the script might have troubles with the actual Greasemonkey.
I've only used it on Chromium w/ Tampermonkey
2ce6df No.721
>>718
Yeah, I'm using Greasemonkey in Firefox.
It was attempting to automate the login credentials, but that wasn't working either. It would make the login window come up for every single cam on the search screen. So basically 12 or 15 login windows would pop up. I removed the script, but I know there's some way to make it work because other people are saying they love it. I'm going to try it again with Tampermonkey.
0ea4e0 No.722
>>721
I got the same in FF. Works well in Chrome.
12052e No.730
>>721
It does that in FF, but clicking cancel over and over just isn't too big a deal.
5a57c0 No.735
Your tool is fucking awesome…
I have some requisitions, suggestions for the next update.
1. Brute force attempt
admin:
admin:123456
admin:admin
admin:12345
Before trying to download the kcore
2. A simple check if kcore is even possible on a list.
3. If brute force attempt failed, put the file in another folder, or mark the file not found.
For manual checking.
4. The possibility to save the brute force file
http://ip:port/videostream.cgi?user=username&pwd=password
Instead of
http://ip:port/ - username:password
952e57 No.736
>>735
Fixed exception handling during downloads, now shows when download times out (or server is patched) instead of just saying "done! 0kb". Also attempts to delete empty files.
Updated settings form to accompany new options, experimental build:
> 1. Brute force attempt
Added under Settings->General->Default Password Check
Put default passwords one per line in the format username:password
> 2. A simple check if kcore is even possible on a list.
Working on a command line part of the downloader that will have support for this.
> 3. If brute force attempt failed, put the file in another folder, or mark the file not found.
Experimental: Added under Settings->General->File sorting
Still working out the bugs with this one… breaks randomly. It's off by default because of this – everything may break and your computer may combust if you enable it. (
> 4. The possibility to save the brute force file
Added under Settings->Bruteforce->Log format
{0} = IP, {1} = username, {2} = password.
The default is "{0} - {1}:{2}" which produces "http://127.0.0.1/ - user:pass"
Alternatives are "{0},{1},{2}" which would be "http://127.0.0.1/,user,pass"
(Getting the feeling I should really re-write the threaded sections of the program… they're a huge mess of spaghetti)
https://mega.co.nz/#!698FHbzJ!9D19ZT1RKQt_-K2S-DNXSz7ApUmIBRmMZKZ0KPtUgcI
6eebdc No.737
5b3d31 No.781
>>736
Really great work joe - such a time saver! together with evil's greasemonkey script ( >>576 ) it works awesome.
especially bruteforce and preview is great. 2 days back, i needed 2-3 minutes for every ip.
thanks again!
small things you could change if you update your tool next time, so some unasked feedback:
when the status is: "default found:admin" , and i double click it, could it change automatically the username and password for the preview into admin or admin 123456 etc?
the file sorting doesn't work for me…?
the report right to the preview window - if the bruteforcing found some and matched it to the ip and it appeared there, could it be a link, so my lazy ass has just to click that?
if i click an url in the url/status window (the big one), and it gets blue, could it stay blue even if i click somewhere else? it's hard to keep track and i always have to double check if this is an ip i already checked or not.
finally: the program works really stable, i got no problems, sometimes i am too fast for it, but that's my prob ;)
(sorry for the elaborated english, greets from germany)
7adbcb No.782
>>736
Nice.
Do you think you could increase the size of the application a bit?
a8385e No.783
Hey Joe!
I'm the one who made the suggestions a week ago.
You are doing a great work, saves me a lot of time and i almost have too many cams now… almost.
I wanted to provide some feedback.
The tool works stable for me.
The default brute force works great.
When i tried the sorting, it saved a couple in "Good" and then it stopped finding passwords and sorting anything at all.
There is a bug in the Log format.
If i want to save it like
{0}videostream.cgi?user={1}&pwd={2}
If the login is found in the kcore it works
http://ip:port/videostream.cgi?user=username&pwd=password
But if it is a default login it gets saved like this
ip:portvideostream.cgi?user=username&pwd=password
Thanks for your efforts.
952e57 No.784
>>783
>>782
https://mega.co.nz/#!ztEyzBIL!N_zDGnu0f_J6IsYanAk_FLGX7O0IdruHpc1k5fwteZI
fixed log output and you can now resize the main form… working on a total re-write for the next release.
7adbcb No.786
9e51a5 No.798
Just a quick one. On my little shitty laptop at home, when I click on the thumbnail preview pic of the cam, it logs you in with your browser, but on my actual desktop (running windows 7) it does nothing. Is this supposedly a universal feature?
Great job by the way, it's a fantastic little tool.
6c266b No.813
>>798
all it does is attempt to open "http://username:password@ip/". What this actually does is up to the OS
0f41fa No.817
>>798
I don't want to speak for Joe but I'm almost positive that he wrote his tool specifically to work on your laptop.
5a57c0 No.832
Hey Joe!
Do you think it's possible to get the tool to check already downloaded kcore files?
42391d No.851
great tool!
I don't think it's necessary to bruteforce any file below 3500kb
a9349e No.852
Some kcore file can't be downloaded over 4.5 Mo, why ?
a9349e No.853
>>852
to 4.5 Mo*
Then I can't find password and login :( I tried using Uget, I get the same thing …
c340c6 No.858
Hey Joe!
I have noticed that the tool pretty much always finds the password if the kcore file is over 4mb.
So the file sorting is unnecessary.
But i have another suggestion.
If a kcore download starts but nothing is found in it, those ips could be logged in a text file for retrying later.
92d2be No.870
>>576
can someone write me a greasemonkey script, like evil did before, but this time without http:// and no port? just plain IP ?
would be awesome
92d2be No.871
>>870
>evil
the old script with 50 results on one page?
6164ca No.872
>>870
Can't be bothered at the moment but I'll try to make a modification for you. Or, you could install gentoo.
92d2be No.875
>>871
yeah, the old script with 50 results on one page! take your time, i am happy when i get it
152f73 No.878
is it possible to display all of the 50 ips at once with evil grease script?
538b7a No.879
>>878
No, you have to paginate through. The script will loop through all of the entries, though, so if there's a paid option to display more than 10 per page you'd be all set.
4e81d9 No.913
Posting my list parser: https://mega.co.nz/#!u8dSWb5Q!tHdh4SCPTQwNCmSpLchLfp3gj2ihpajnMz_9pBlGAMg
How to use:
Drag bruteforce log file onto "ListMasterFlex.exe"
Wait
How to configure:
Open settings.xml and edit certain values. If you break the config, just delete it and re-open the program. It will reset to default.
<BackgroundColor> - Background color of overlay in hex argb
<ForegroundColor> - Foreground color (font) of overlay in hex argb
<FontFamily>
<FontSize>
<OutputFormat> - Format string for overlay. {0} = IP, {1} = username, {2} = password
<OutputFolder>
<SaveParams> - If true, also saves "get_params.cgi"
<SaveStatus> - If true, also saves "get_status.cgi"
<Threads> - Number of threads. Higher amount means it will go faster, but it will also be more demanding. Recommended 4, not recommended above 25.
<MaxTries> - Number of times to retry connecting to the camera.
<SnapshotTimeout> - Timeout to get snapshot in ms
<PageTimeout> - Timeout to get misc pages in ms (Params, Status)
<MaintenanceEnabled> - If true, performs maintenance on the settings file. (Currently, adds a trailing slash to the output folder)
<SnapshotFormat> - Image output format. Options: "png", "jpg", "bmp"
Example images attached.
5635b0 No.914
>>913
Unfortunately, I can't launch the EXE, it crashes.
5635b0 No.915
Nah, nothing, I didn't read the tutorial correctly
d5466d No.916
>>914
Is that Spanish for
>freaking the funk
?
6665c1 No.947
You guys know that the Kcore also holds the keys to someone's E-mail address? I can post some if you want.
Joe, can you automate this? It's nice to look in someone's life and deleting any E-mail that informed them about me seeing them.
f7126b No.954
>>947
Seen the emails but never tried accessing one since the major providers (like gmail) get bent out of shape if they see a new IP / browser combo.
How's your success rate?
Post last edited at
6665c1 No.955
Success rate is 4 out of 5, Gmail does recognize that someone else is trying to log in.
You know how Google notifies 'm? By sending an E-mail to the address you're in, read it & delete it.
There are tons of people that don't use gmail, for example:
I logged twice in on his E-mail box with tor.
Ones I've seen used most are Gmail and Yahoo! But man, people are just so freakin' brain dead, everyone has a password like arrex - arrex2015, has1pups - has1pups or even their phone number. How does that give someone the feeling of being secure?
Use the E-mail if you like, it's not mine anyway.
6665c1 No.956
>>955
I forgot the seconds pic.
fc3d60 No.957
>>956
Nice, hope things work out for Harald :^)
4675e6 No.979
I played a bit with this cool thing. I managed to grab loads of kcore files with a simple bash script (slightly modified the CLI/linux one posted somewhere here) running on servers around the world. Are there any scripts that test/search/grabs the login/pass from the kcore files ? Doing it by hand is really time consuming on hundred or thousand of kcore files. (Using 'strings' and 'grep' to find the credentials).
Here's how I would do it. The trouble is that we don't know exactly where are stored the credentials. However if you search for 'ipcamera_' from the 'strings' command output you will find something like 'ipcamera_006E0703D60A'
Now grab the cam id ('006E0703D60A' in this example) and search (still from 'strings' command output) for lines that begin with it. Oh, very nice, the few next lines contain the login details. Store those in an array and test them (like testing for common credentials but for each pair of lines from the array). The good thing is that the password is often if not always on the line following the login.
I'm pretty sure it should be easy to write for someone experienced in 'bash' and could save us a lot of time.
I tried myself but my knowledge of bash is not that good, mainly because of the syntax.
What do you think ?
7060b0 No.980
>>979
there's an anon in the irc that's done this. i think the success rate is about 50%.
18db98 No.981
>>979
This is pretty much what the Filedownloader does with the "strict bruteforce" option enabled.
It retrieves the camera's MAC address, searches for it in the kcore, and then attempts to use every combination of strings after it.
Example strings found:
hh123
9969
admin
jamesbond007
xx;askd
It would test hh123:9969, 9969:admin, admin:jamesbond007, jamesbond007:xx;askd
In this case, it is easy to see the correct credentials (they are still using the default username).
By turning off "strict bruteforce", you have the option to attempt every combination of subsequent strings in the whole dump. This is never really needed because if the password is not found with the strict option, it probably isn't there.
4347ca No.1026
The latest version of Joe's Downloader crashes on windows :/
de0a0b No.1037
I'm experimenting with a little PHPscript to manage "bruteforce.log" files (produced by Joe's Downloader)
It currently supports reordering, deleting, and archiving (in a separate archive.log file)
I'm having a blast :) I might upload the source somewhere if someone's interested
f5089d No.1041
>>980
could you please help me get in the IRC
I've tried before with no success
2acbce No.1043
Yes IPKamz alpha would be nice to have that script!
5f4d3d No.1045
>>1037
Yes please. Does your ip get logged on the ipcam while using this script?
4ad7d1 No.1046
>>1045
from a quick test, it looks like it does, but only if you use the "live", streaming video.
grabbing still snapshots doesn't get logged by the ipcam.
on the other hand, the ip in the logs is the ip of the viewer (ie. you, not your web server hosting the script), but I guess they might have full connection logs somewhere, if they know what they're doing (although my guess is most people don't).
I'll try to iron out a few bugs and release it tomorrow (can't access my server right now)
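Seen from the owner's side: the post above says the camera's own log misses snapshot requests, so the request for //proc/kcore that this thread relies on has to be caught in a log taken in front of the camera. The following is an added example, not part of the thread or of any tool posted in it; it assumes a reverse proxy writing combined-format access logs, and the sample lines, addresses and the /snapshot path are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "GET //proc/kcore HTTP/1.1" 200 16777216 "-" "Wget/1.15"
203.0.113.7 - admin [12/Mar/2015:10:09:40 +0000] "GET /snapshot HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2015:11:15:00 +0000] "GET /%2Fproc%2Fkcore HTTP/1.1" 401 0 "-" "curl/7.35.0"
192.0.2.10 - owner [12/Mar/2015:11:20:00 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise(path):
    """Drop the query string, percent-decode twice, collapse repeated slashes."""
    decoded = unquote(unquote(path.split("?", 1)[0]))
    return re.sub(r"/{2,}", "/", decoded)

def analyse(log_text):
    """Return (client_ip, finding, path) tuples in log order."""
    findings = []
    dumped_by = set()  # clients that got a 2xx answer for a /proc path
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, status = m["ip"], m["user"], int(m["status"])
        path = normalise(m["path"])
        ok = 200 <= status < 300
        if path.startswith("/proc/"):
            if ok:
                dumped_by.add(ip)
            findings.append((ip, "memory-dump-served" if ok else "memory-dump-probe", path))
        elif ip in dumped_by and user != "-" and ok:
            # An authenticated session from a client that already pulled kernel
            # memory: treat that account's password as exposed and rotate it.
            findings.append((ip, "login-after-dump:" + user, path))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A "memory-dump-served" finding means every credential held in the camera's memory at that time should be rotated, whether or not a later login from that address shows up.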
7be59d No.1047
>>1037
hell yes! i want that!!
7fc08d No.1049
>>955
wait, how do I open the kcore file? when I open it all I get is random characters. how did you find the email in it?
de0a0b No.1052
>>1043
>>1045
>>1047
there you go, peepz.
let me know what you think!
https://mega.nz/#!yxkT1LiD
de0a0b No.1053
>>1052
oops, here's the key (never used mega before)
!Y8x5e5DaPcPJB1rbd9XZBf7SuTIGVrEnOqYhZPN7dwA
de0a0b No.1054
de0a0b No.1055
>>1054
also, I mention "archive.log" in the readme.txt while the actual filename is "old.log", but that doesn't change anything.
8de3b6 No.1064
>>1054
Parse error: syntax error, unexpected 'text' (T_STRING) in C:\xampp3\htdocs\myfiles\ipk\ipkamz.class.php on line 73
is an error i keep getting
8de3b6 No.1065
Well, good thing I know programming. There is a problem, well for me, at line 73: '<script src="'._JQUERY_URI."
Beside the equal sign there is " ' . Delete the single ' , save it, put bruteforce where it should go and run it; everything works how it should.
I still like your thoughts, developer.
8de3b6 No.1066
8de3b6 No.1067
4ad7d1 No.1068
>>1065
Ah, weird, did you download it from the second mega link? that's the bug I was supposed to have fixed…
anyway, is it working like it should ?
4ad7d1 No.1069
apparently the bug is indeed still in there. silly me.
so, you should replace line 73 with this:
'<script src="'._JQUERY_URI.'" type="text/javascript"></script>'
a9349e No.1080
>>1069
I've just installed wampserver on my computer. I got two errors on lines 108 and 104, see the attached image.
a9349e No.1081
>>1069
And thanks for your script! I was thinking about programming the same kind of script but I suck at PHP lol. Could you add some pagination? Like 20 or 50 per page (user can choose it)? Because my bruteforce.log is quite heavy…
Thanks!
5f4d3d No.1082
Hey Joe,
I got a few suggestions.
1. Can you add a feature for the ListMasterFlex that auto logs the IP's that don't have permission anymore? It will make it easier to pick out the ipcams who changed their usernames and passwords.
2. Could you add command line arguments for the FileDownloader? Something like: FileDownloader.exe -bruteforce -listname.txt. When launched it will instantly auto bruteforce the IP's in listname.txt
This would make things automated and faster instead of doing it manually. Also I need it for a small project I'm working on.
Thanks in advance.
Great work so far, Joe. Keep it up!
a9349e No.1083
>>1082
Hehe, suggestion n°2 is already done (I asked him the same thing yesterday) and 20 min later, here's what he built.
Unfortunately, it doesn't work at home: every time I write FileDownloader.exe ip.txt I get an error message which says the file can't be found… If you can fix the issue, don't hesitate to share!
https://mega.nz/#!fhQjHDZL!Za_7dMw5x-iv663SomJ2R4AMnhOZz31EasfJxoVSyXQ
5f4d3d No.1084
>>1083
Thanks,
I tried it and it works.
Make a simple batch file with this line:
"start FileDownloader.exe list.txt" and it should work. I only get that error if I put a '-' before list.txt.
http://pastebin.com/pD7ncgXB <- for the lazy
a9349e No.1086
Ok, I will try your command.
Here's my (edited) contribution: Shodan IPCam Extractor
http://pastebin.com/G8VAyD2L
a9349e No.1088
Jesus Christ, I get the same error!!!! :(
5f4d3d No.1089
>>1086
Great stuff, though I'm not gonna pay $20 a month (as stated in the pastebin) just to hack some cams on a daily basis. I'm pretty sure some other people would, but that's just not my thing. Anyway, keep it up. I'll try to find a different method.
>>1083
>>1088
I don't know why it doesn't work for you guys, but on my Windows 8.1 machine it's working fine. Most likely it's OS related.
a9349e No.1090
A template that will bring IPCam to the next level :p
d6689d No.1091
>>1090
Love the idea of a community template where everyone just embeds live cams
a9349e No.1092
Actually, it's only snapshots, but maybe bootdisk could take inspiration from "my" template. I will share later, with Bash code, how to export bruteforce.log into this HTML page (no need for a webserver, it's just JavaScript and CSS).
5f4d3d No.1093
>>1092
That'd be great so we don't have to use xampp/wamp anymore. Can't wait.
a9349e No.1108
IPCam Viewer:
Here's a way to export IPs from your Joe's bruteforce file: https://mega.nz/#!A5BmCIDI!gQvnmjfvz_Rp-ZrFsriwch7QMrgpsmMn_yBKIIHl_CY
Bash script. cURL required:
./IPCam_viewer.sh "$path"
Two different views, two ways of filtering, four ways of sorting.
7daca0 No.1149
Hi, everything looks wonderful but sadly I can't install Joe's FileDownloader because XP continues to tell me that it "is not a valid win 32 application"… did this happen to someone else as well? Please help me fix that :)
f5089d No.1166
>>1108
>from your Joe's bruteforce file
could someone please explain to me how to use this in windows? i would be eternally grateful!
in exchange:
I know how to get a full shodan account if you have an EDU email
f5089d No.1167
nevermind i figured it out
i just used cygwin and made sure to add curl to it