everything except rtmp

This commit is contained in:
David Westgate 2024-05-20 23:34:22 -07:00
parent dbec02aa2a
commit e599c4632f
6 changed files with 60 additions and 6 deletions


BIN
hw3/bookworm-scan.png Normal file


@ -70,26 +70,57 @@ MAC Address: 28:87:BA:75:7E:98 (TP-Link Limited)
Nmap scan report for bookworm (192.168.0.139) Nmap scan report for bookworm (192.168.0.139)
MAC Address: D8:3A:DD:7E:3C:31 (Unknown) MAC Address: D8:3A:DD:7E:3C:31 (Unknown)
Nmap scan report for 192.168.0.47
Host is up (1.2s latency).
MAC Address: 70:F7:54:FF:1C:59 (Ampak Technology)
Nmap scan report for 192.168.0.240 Nmap scan report for 192.168.0.240
MAC Address: E4:5F:01:91:0C:52 (Raspberry Pi Trading) MAC Address: E4:5F:01:91:0C:52 (Raspberry Pi Trading)
``` ```
We have one router/gateway (archer/28:87:BA:75:7E:98), one persistant client device (bookworm/D8:3A:DD:7E:3C:31). The other devices shown in some of these scans do not seem to persist and are not shown in my last scan which is at the time of writing. I will now scan for open ports on these available devices. We have one router/gateway (archer/28:87:BA:75:7E:98), one persistant client device (bookworm/D8:3A:DD:7E:3C:31). The other devices shown in some of these scans do not seem to persist and are not shown in my last scan which is at the time of writing. I will now scan for open ports on these available devices. Specifically, I will scan the default 1000 common ports.
### Open ports and services on archer ### Open ports and services on archer
As the router/gateway, I do not expect any interesting servcies to be running here. But let us make sure As the router/gateway, I do not expect any interesting servcies to be running here. But let us make sure
![archer-scan](./archer-scan.png) ![archer-scan](./archer-scan.png)
As probably expected, our gateway is responding to DNS requests, and has web interfaces open on http/s. As probably expected, our gateway is responding to DNS requests, upnp, and has web interfaces open on http/s.
Using ssh tunneling from 192.168.0.1:80 to localhost:8080, I can take a look at the web page on http. As shown, it prompts for a password, but is otherwise unremkable. When looking at the page on https, it is also un-remarkable, and just says that https is not supported and to use http instead. (not shown)
Using ssh tunneling from 192.168.0.1:80 to localhost:8080, I can take a look at the web page on http. As shown, it prompts for a password, but is otherwise unremkable. When looking at the page on https, it is also un-remarkable, and just says that https is not supported (not shown)
![tp-link-page](./tp-link-page.png) ![tp-link-page](./tp-link-page.png)
I decided not to try any attacks against the router and will be moving on. I decided not to try any attacks against the router and will be moving on.
### Open ports and services on bookworm ### Open ports and services on bookworm
Bookworm is running rtmp and sun-answerbook services. This is interesting. I will explore the rtmp stream later on
### Access the RTSP stream ![bookwork-scan](./bookworm-scan.png)
#### Screenshot ### Open ports and services on khadas
Upon scanning, the machine with MAC 70:F7:54:FF:1C:59 revealed its hostname as Khadas and has a port for ipp (printing) service open
#### Camera make, model, brand, capacity, and manufacture date ssh connection can be made to khadas with default credentials (root/khadas)
![khadas-scan](./khadas-scan.png)
### Open ports and services on Raspberry Pi Trading (reterm-i)
The only interesting service running here is ssh. Moving on
![rpi-trading](./rpi-trading.png)
### Access the RTMP(RTSP in assignment) stream
As shown above, I have discovered an rtmp network video stream on the bookworm device. My research shows the stream url likely consists of a format like rtmp://192.168.0.139:1935/${path}/${key}
I have tried various things to recover the stream url path and key. It seems like the path may be 'live', but I cannot figure out the key
* Guess random plausible stream keys or default keys common on raspberry pi cameras
* Try to see if the media stream is actually RTSP and not RTMP (it's on an rtmp port, but assignment suggests it should be rtsp)
* brute force stream keys with a bash script using ffmpeg and rockyou.txt
* poke around khadas (root and khadas user) to see any reference to rtmp streams
* perform de-auth attack and try to capture handshakes on 802.11 to see if I can get the datagrams (via wireshark) for any clients who many be streaming from the stream (which streams would include the path and key)
For now, this is as far as I have come
#### Screenshot - TODO
#### Camera make, model, brand, capacity, and manufacture date - TODO

BIN
hw3/khadas-scan.png Normal file


BIN
hw3/rpi-trading.png Normal file


hw3/scans.txt Normal file

@ -0,0 +1,23 @@
Nmap scan report for 192.168.0.47
Host is up (1.2s latency).
MAC Address: 70:F7:54:FF:1C:59 (khadas/Ampak Technology)
Nmap scan report for 192.168.0.139
Host is up (0.62s latency).
MAC Address: D8:3A:DD:7E:3C:31 (bookworm)
Nmap scan report for panda-kali (192.168.0.165)
Host is up (0.70s latency).
MAC Address: 00:C0:CA:B2:EB:4B (Alfa)
Nmap scan report for 192.168.0.187
Host is up (0.55s latency).
MAC Address: 00:C0:CA:B2:EB:61 (Alfa)
Nmap scan report for reterm-i (192.168.0.240)
Host is up (0.91s latency).
MAC Address: E4:5F:01:91:0C:52 (Raspberry Pi Trading)
Nmap scan report for mallory (192.168.0.161)
Host is up.
Nmap done: 256 IP addresses (8 hosts up) scanned in 27.42 seconds
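Review bot: The new scans.txt is presented as scan output but has been hand-edited and trimmed, so it does not support the README's claims: the footer says "Nmap done: 256 IP addresses (8 hosts up)" yet only six "Nmap scan report" blocks are kept, and the gateway archer (28:87:BA:75:7E:98) discussed in the README is missing entirely; the MAC lines for 192.168.0.47 and 192.168.0.139 carry annotations like "(khadas/Ampak Technology)" and "(bookworm)" in place of nmap's vendor lookup, and no port table is included even though the README's port and service findings rest on it. Suggest committing the unedited nmap output (including the command line and the port tables used for the archer/bookworm/khadas sections) and keeping the hostname annotations in a separate note or in the README, so a reader can verify each finding against the raw scan.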