WARYBYTE blog...

January 23, 2016: Hacking my DLink wireless IP camera...

So begins my exploration of IP security cameras. I ordered a DLink wireless IP camera just to mess around. All the DLink documentation says to install some app from DLink along with setting up an account in order to create a secure login. I wasn't really interested in all that, so I did some testing to work around it.
Let's start with finding this sucker on the network. Since I wasn't sure if DHCP was running by default on the camera, I had to run some scans on the network to see what was showing. Nmap is my go-to tool for this. I only needed to match the MAC address with one of the IP addresses that popped.

                        $ sudo nmap sT
                        Starting Nmap 5.51 ( http://nmap.org ) at 2016-01-23 19:45 EST
                        Failed to resolve given hostname/IP: sT.  Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
                        Nmap scan report for
                        Host is up (0.025s latency).
                        Not shown: 998 closed ports
                        PORT    STATE SERVICE
                        80/tcp  open  http
                        443/tcp open  https
                        MAC Address: C0:C1:C0:EE:34:A1 (Unknown)

                        Nmap scan report for
                        Host is up (0.0042s latency).
                        Not shown: 994 closed ports
                        PORT      STATE SERVICE
                        80/tcp    open  http
                        515/tcp   open  printer
                        631/tcp   open  ipp
                        5200/tcp  open  targus-getdata
                        9100/tcp  open  jetdirect
                        10001/tcp open  scp-config
                        MAC Address: 30:CD:A7:97:59:BA (Unknown)

                        Nmap scan report for
                        Host is up (0.0097s latency).
                        Not shown: 998 closed ports
                        PORT    STATE SERVICE
                        80/tcp  open  http
                        443/tcp open  https
                        MAC Address: B0:C5:54:20:EB:E1 (Unknown)

So, say we didn't have a MAC address to go off of in finding this device. We can rule out most devices if they are labeled. My Wii, for example, showed up on the network as a Nintendo device, so obviously not our new camera. But what about some of the protocols? JetDirect doesn't run on anything I've ever worked on other than a printing device, so it's a safe bet that is my network copier (coupled with the fact I have its IP address in my router's DHCP reserve list). The top device is the gateway, what everything is connecting from, so that leaves Since I know there must be some way to "securely" connect to this device over a web browser, it makes sense that port 80 (HTTP) and port 443 (HTTPS) would be up and running. Telnet didn't reveal anything, so I went straight to the browser, where I was greeted by this happy page:

I'm just guessing, but this SSL cert is probably authenticated by DLink when you register the device... since I didn't do that, I get to click through the nasty-gram to the login prompt below:

OK, so here I was stumped... for about 5 minutes. DLink never provided a default login password, as your device is authenticated by the DLink account you are supposed to set up along with the application that came with the device. I had none of these, so I guessed there must be some default admin account. I googled the device, but didn't find a lot, so I simply tried 'admin' | 'password' for the login, as these are common. After a couple of tries I guessed the password and was in the box. Apparently this is a generic account that is designed for manual setups like I'm doing... would be interested to see if it would be vulnerable after someone set things up over the app... food for thought... Anyway, this brought us to our HTTP web frontend administration page, allowing me to finally configure this device.

Most of the configuration is pretty basic stuff. Anyone who has configured a SOHO (small office/home office) router before should have little difficulty. Turns out this thing has a lot of features I didn't expect, but I won't get into them here. The big fun I had was just getting into it without any documentation. Maybe one day I'll set up the DLink account just to see if it works, but getting something to do what I want on my terms without third-party software was a real treat. I look forward to picking on the rest of the features contained in this neat little package.
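The host-identification step from the scan earlier in this post, as an added example (not code from the original post): it parses nmap's normal output, looks a device up by the MAC printed on its label, and, when no MAC is known, narrows the list by dropping the gateway and anything exposing printer ports. The IP addresses, MACs, and the `camera.lan` hostname in the sample are constructed, since the post's own output has its addresses stripped; the function names are hypothetical.

```python
import re

# Constructed sample in nmap's normal output format. The addresses and MACs
# are made up; the port sets mirror the three hosts in the post's scan.
SAMPLE = """\
Nmap scan report for 192.168.0.1
80/tcp  open  http
443/tcp open  https
MAC Address: 02:00:00:00:00:01 (Unknown)

Nmap scan report for 192.168.0.20
80/tcp    open  http
515/tcp   open  printer
631/tcp   open  ipp
9100/tcp  open  jetdirect
MAC Address: 02:00:00:00:00:02 (Unknown)

Nmap scan report for camera.lan (192.168.0.30)
80/tcp  open  http
443/tcp open  https
MAC Address: 02:00:00:00:00:03 (Unknown)
"""
PRINTER_PORTS = {515, 631, 9100}  # lpd, ipp, jetdirect

def parse_hosts(text):
    """Return one dict per host: address, set of open TCP ports, MAC."""
    hosts = []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Nmap scan report for (?:\S+ \()?([^\s()]+)\)?$", line):
            hosts.append({"addr": m.group(1), "ports": set(), "mac": None})
        elif not hosts:
            continue  # banner or error lines before the first host
        elif m := re.match(r"(\d+)/tcp\s+open\b", line):
            hosts[-1]["ports"].add(int(m.group(1)))
        elif m := re.match(r"MAC Address: ([0-9A-Fa-f:]{17})", line):
            hosts[-1]["mac"] = m.group(1).upper()
    return hosts

def find_by_mac(hosts, mac):
    """Address of the host whose MAC matches the label on the device."""
    mac = mac.upper().replace("-", ":")
    return next((h["addr"] for h in hosts if h["mac"] == mac), None)

def candidates(hosts, gateway, web=frozenset({80, 443})):
    """No MAC to go on: drop the gateway and printers, keep web UIs."""
    return [h["addr"] for h in hosts if h["addr"] != gateway
            and not h["ports"] & PRINTER_PORTS and web <= h["ports"]]

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE)
    print(find_by_mac(hosts, "02-00-00-00-00-03"), candidates(hosts, "192.168.0.1"))
```

Running the same functions over a saved scan of your own network gives a quick inventory of which addresses answer as web-managed devices and which MACs you cannot account for.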