Recently I was on vacation with my girlfriend. One night I couldn't sleep, so I decided to play around with the hotel WiFi, armed with only my phone.
First, I tried to reach the router, so I opened my web browser and typed 192.168.1.1 without knowing the class of my IP. Surprisingly it worked, and I was in front of the web page of a modem/router owned by a big Italian operator, which asked me to enter a username and password. "No segregation, ah, ok...". So I typed admin:admin and voilà, I was in. It was too easy.
Then I remembered the webcam at the front desk in the hall and I asked myself, "How cool would it be if I could reach and take that webcam?!".
So, instead of searching through all the connected devices and ports, I decided to use an app to view the streams of the webcams that automatically finds all the webcams connected to a network.
The webcam was a Netwave and was reachable at the address 192.168.1.99.
I typed the address into the browser and it asked for a username and password. This time admin:admin didn't work.
I decided to try the credentials used by "hackers" to build up the (in)famous Mirai Botnet aaand... nothing. No luck this time.
So I searched on Google and found that this model of webcam suffered from a memory leak; here is the exploit. Great! But how could I use it from my smartphone?
Examining the exploit code, I found that essentially I only needed to make a GET request and run strings on the output for later examination. The password should have been around the 10000th line. So I looked for a good terminal emulator for Android and I found Termux (if you don't already use it, check it out because it is really awesome!), then I typed:
wget http://192.168.1.99//proc/kcore | strings | nano
Checking the memory leak, I couldn't find the password, so I searched for the word "admin", because I thought that admin is the default user and the password is usually near the username and, lucky me, it was like I guessed!
As you can see above, the password was sandokan.
I played a little bit with the webcam. Here is the webcam reflected in the windows of the hall.
The next morning I warned the staff of the hotel about the problems 🙂
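For the defensive side of the request described above, this Python sketch (an added example, not part of the original post) scans HTTP access logs for requests that resolve to kernel pseudo-files such as /proc/kcore, and reports whether the device actually served them. It assumes a proxy or sensor in front of the camera writes Common Log Format; the log lines, the function names and the extra /sys and /dev prefixes are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Common Log Format); not taken from the original post.
SAMPLE_LOG = """\
192.168.1.23 - - [01/Jan/2024:02:14:07 +0000] "GET /index.htm HTTP/1.1" 200 1843
192.168.1.57 - - [01/Jan/2024:02:31:40 +0000] "GET //proc/kcore HTTP/1.1" 200 52428800
192.168.1.57 - - [01/Jan/2024:02:33:02 +0000] "GET /%2Fproc%2Fkcore HTTP/1.1" 200 52428800
192.168.1.80 - - [01/Jan/2024:02:41:00 +0000] "GET /help/proc.html HTTP/1.1" 200 900
192.168.1.57 - - [01/Jan/2024:02:45:19 +0000] "GET /proc/kcore?x=1 HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# /proc is the path from the post; /sys and /dev are an assumed generalisation.
SENSITIVE = re.compile(r"^/(proc|sys|dev)(/|$)")

def normalize_path(target):
    """Drop the query string, percent-decode (bounded, for double encoding),
    and collapse repeated slashes so '//proc/kcore' compares as '/proc/kcore'."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/{2,}", "/", path)

def find_pseudo_file_requests(log_text):
    """Return (source, raw target, normalized path, served) for each hit.
    served=True means the device answered 200 with a non-empty body."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = normalize_path(m["target"])
        if SENSITIVE.match(path):
            served = m["status"] == "200" and m["size"] not in ("-", "0")
            hits.append((m["src"], m["target"], path, served))
    return hits

if __name__ == "__main__":
    for src, raw, path, served in find_pseudo_file_requests(SAMPLE_LOG):
        print(f"{src} requested {raw!r} -> {path} ({'SERVED' if served else 'refused'})")
```

A hit with served=True is the case that matters for incident response: the device returned memory contents, so any credentials it held should be treated as exposed.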