David Westgate 2024-05-21 15:35:05 -07:00
parent e599c4632f
commit 9a83b1bcd7

@ -100,7 +100,7 @@ Bookworm is running rtmp and sun-answerbook services. This is interesting. I wil
### Open ports and services on khadas ### Open ports and services on khadas
Upon scanning, the machine with MAC 70:F7:54:FF:1C:59 revealed its hostname as Khadas and has a port for ipp (printing) service open Upon scanning, the machine with MAC 70:F7:54:FF:1C:59 revealed its hostname as Khadas and has a port for ipp (printing) service open
ssh connection can be made to khadas with default credentials (root/khadas) ssh connection can be made to khadas with default credentials (root/khadas). This is interesting, but I did not find anything related to this assigmnet while exploring the khadas file system.
![khadas-scan](./khadas-scan.png) ![khadas-scan](./khadas-scan.png)
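Review bot: the sentence added after "(root/khadas)" misspells "assignment" as "assigmnet", and it describes a working root login with default credentials only as "interesting" rather than recording it as a finding. Suggest fixing the spelling and stating the result plainly: SSH on khadas accepts the default root/khadas credentials, and exploring the file system turned up nothing related to the assignment. The unchanged "Upon scanning" line above it still ends without a period after "service open".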
@ -109,17 +109,11 @@ The only interesting service running here is ssh. Moving on
![rpi-trading](./rpi-trading.png) ![rpi-trading](./rpi-trading.png)
### Access the RTMP(RTSP in assignment) stream ### Access the RTSP stream
As shown above, I have discovered an rtmp network video stream on the bookworm device. My research shows the stream url likely consists of a format like rtmp://192.168.0.139:1935/${path}/${key} So far, it seems the RTSP stream likely resides on bookworm. I first explored the server on port 1935, testing RTMP and RTSP streaming, as well as HTTP requests but I did not find a feed.
I have tried various things to recover the stream url path and key. It seems like the path may be 'live', but I cannot figure out the key
* Guess random plausible stream keys or default keys common on raspberry pi cameras
* Try to see if the media stream is actually RTSP and not RTMP (it's on an rtmp port, but assignment suggests it should be rtsp)
* brute force stream keys with a bash script using ffmpeg and rockyou.txt
* poke around khadas (root and khadas user) to see any reference to rtmp streams
* perform de-auth attack and try to capture handshakes on 802.11 to see if I can get the datagrams (via wireshark) for any clients who many be streaming from the stream (which streams would include the path and key)
For now, this is as far as I have come I then tested the service on port 8888. It appears to be running an HTTP server, so I will take a look at this in a browser
#### Screenshot - TODO #### Screenshot - TODO
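Review bot: the rewritten "Access the RTSP stream" section drops the address and port the old text gave (rtmp://192.168.0.139:1935/...) together with the whole list of approaches tried, so the new paragraph ends at "I did not find a feed" with no record of what was tested against which endpoint. Suggest keeping the host and port in the first paragraph and a short summary of the negative results, since those are part of the findings. The new port 8888 sentence has no closing period and reports only an intention ("I will take a look at this in a browser"), and "#### Screenshot - TODO" is still a placeholder on both sides; fill these in or remove them before the section is treated as complete.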