Intercept Images from a Security Camera Using Wireshark [Tutorial]

Captions
Wireshark is a powerful Wi-Fi sniffing tool that's even able to intercept images out of thin air. Today we'll show you how to intercept images from unsecure Wi-Fi security cameras on this episode of Cyber Weapons Lab.

Most people watching security cameras rely on the usually insecure HTTP web server that's running on the camera in order to watch the security feed or change settings on the camera. Now, this is commonly HTTP rather than HTTPS, and most people don't really bother to make the distinction or prefer to buy one that's secure, because they don't understand the risk that it poses. Now, on a network that has security, like a WPA network that has passwords, if you just have one person on the network, you're probably going to be okay if you have a pretty strong password and nobody can see the traffic that's going through it. But the second somebody else gets your password, or if it's on an open or shared network, then you can really start to get in trouble, because anybody can see these insecure HTTP requests over the network.

Now, what this boils down to is we can actually see what the person is seeing on their screen. So if they're watching the security camera or, as is common, they have a dedicated monitor set up to watch it somewhere in their business or home, then we can literally just download the packets as they're transferring from one device to another and then use Wireshark to export them and look at them on our screen. So to do this, we'll need to have the password to the network so we can decrypt the traffic that's flowing, and we'll also need to initially kick them off the network for a moment so we can capture the per transaction session information that allows us to see everything in this particular Wi-Fi connection. Because if we were to intercept this without getting that four-way handshake, then we wouldn't actually be able to see the packets that are flowing over the wire. We'd just kind of see that it was data, but not exactly what was contained. Once we have a handshake and we also have the password of the network, we should be able to use Wireshark and a wireless network adapter that supports monitor mode to intercept these packets and turn them into actual images. Once you have Wireshark set up, then we can begin.

So to start out with this tutorial on Wireshark, I want to give you an indication of what you should get at the very end. In this case, we're going to take a look at the HTTP traffic that's flowing on the network, and when I press Start and I click "Continue without saving", then we should be able to start seeing some information that's flowing between various hosts on this network. Now, here you can see that Wireshark has also detected that there is a JPG involved, which means it's likely that we're intercepting images, which is our intention in this case.

So how is this happening, and how is it possible? Well, a lot of different webcams use insecure HTTP servers in order to show people what's going on, and most people will just use the default HTTP server that's included on the camera in order to watch what's going on, and maybe you just have that on a screen somewhere in the building. Now, this opens up the possibility of intercepting the insecure HTTP traffic. So what we'll be doing in this example is intercepting the HTTP traffic from a different host, listening to it, and then actually extracting an image so that we can try to see what they're seeing on their screen.

Now, you can see that the traffic that I'm intercepting is relatively organized, and if I click here we can see all the most recent packets that are being intercepted. But if I were to delete this filter (I'll click one of these just so we don't get too far in the weeds; there we go), there's actually going to be a lot of other filters, a lot of other packets to be displayed, because we were only selecting one in a very, very large group of available packets that were being passed. Now, you can see that some of these aren't being decrypted, and that's another important thing that I'll get to a little bit later, about what we will need in order to have a circumstance where we can kind of look into the packets and see what's being sent, provided the person is using HTTP instead of HTTPS.

So now we have a pretty good amount of packets, so I'm going to press Stop, and let's look at one of these and see if we can find some identifying things we can use to create a filter and find two other packets like it. Now, obviously I've selected the Hypertext Transfer Protocol, so I want to find GET HTTP requests. I can also use the host, so it's going to port 81, which is a very common port for webcams to host an HTTP server on to let people kind of check out what's going on on the camera or change the configuration options. So in this case I can right-click on this host we want to surveil and then click on "Apply as Filter" and then "Selected". So if we want to see then what this looks like, we can start up our Wireshark again, and we will start a fresh capture and be able to see all the traffic coming from this host, which is pretty, and, see, let's get started. "Continue without saving", and there we go. So we can see there's a bunch of HTTP traffic, and we're not specifying... actually, no, we are specifying that we want to find traffic that's HTTP and then the host equals 192.168.0.31.

So great, we've identified a target that we want to monitor, and in this case we've kind of sniffed out some traffic from the overall network traffic that was more interesting to us and then created a filter so that we're just watching packets, in this case, that are coming from this particular host. Now, we're also getting more information, and the reason we've done that is because we were able to grab a handshake earlier on in the session. Now, that's important because each one of these sessions is negotiated at the beginning of when the client connects to the Wi-Fi network. So if we weren't there to sniff this out in the beginning, then we won't be able to decrypt the traffic for this particular session, although it's pretty easy for us to just go ahead and disconnect the person with another command and ensure that we capture this traffic.

Now, let's say that we didn't meet the first demand, where we need to be able to kick someone off of the network and grab a handshake. Well, the way to do that is we can jump into a terminal window, and I can just use a simple mdk3 wlan0mon, which is our wireless network adapter that we're currently listening on, then d for deauthenticate. So it's only going to take a quick second of this until we see something up here in Wireshark, and in general that means that we're seeing deauthentication packets. So I'll go ahead and stop, and we've seen a complete cessation of anything coming from our host. So I will copy this filter, and then I'm going to exit it, and let's take a look at what was going on at the network at large as soon as we started attacking things with mdk3.

So here we can see things are kind of back to usual on the network, but earlier we have this wave of packets attacking the network that was forcing everybody who is connected to automatically reconnect. So these packets that you can see here, the orange ones and yellow ones, are basically attempts to disconnect everybody who's connected, and following it you should start to see people attempting to reconnect, and that's where we'll be able to grab the handshake that we were looking for in order to make sure we can decrypt everything that follows. Now, this is great for us because we can start to see the plain HTTP traffic, but if we don't actually have the password, then we still won't be able to see everything that's going on. So here we can see we disconnected people, and then people who have been connected to the network before have been forced, after this wave of deauthentication (here we go), to submit their keys. So this is the handshake, and this is great because now we're able to see all the communication between that host and the router.

So, all right, great. What we've done now is we've been able to identify HTTP traffic on the network, and to do that we first had to kick the host off for a brief second so that we could be able to capture the basic initial keys for this session. And of course this is assuming that we know the password. So how do we enter this? Well, that's a great question. Wireshark allows you to actually decrypt a number of protocols, and if you have credentials or keys for them, you can go ahead and enter them in the settings under Preferences. So here you can see a list on the side of all the various protocols that Wireshark can decrypt, and in our case we will go here and type IEEE and then select IEEE 802.11. So you need to click "Enable decryption", and then when I click Edit we can go ahead and see the keys that we've then put in here. In this case we have the password for the network, we have the name of the network, and there's a colon separating them. So that's it: first the password, then the network. And on this side you have the ability to input either the password, or the PSK, which is computed from the password and some other information, or the WEP key if that's the kind of traffic that you're intercepting.

Now, what this does is give Wireshark the tools to decrypt traffic as it intercepts it. So that means that we're actually able to see all the traffic on this network even though we're not actually a part of it. So you might see some examples where, you know, we're on the same network as the target, but in this case we're actually sniffing packets and decrypting them because we have added the keys to Wireshark and we've also been able to kick the person off the network for a minute and be able to get the handshake as soon as they connect back. So great, we have these two things, and now we can actually start to intercept this traffic.

So that's really, really cool, but what can we actually do in terms of use? This doesn't exactly look like an image. So if I apply this filter and we start intercepting only the things that we want to see from the host we're monitoring (in this case it's going to be the person who is watching the feed for the webcam), then what exactly can we do to reconstruct it and see what they're seeing? Well, let's take a look at these packets. So far we've intercepted well over a thousand, and let's go to the most recent one and see if we can reconstruct it into an image. All right, so let's grab this one right here. So I'm going to stop the capture, and here we can see we can decode as various things, but instead I'm going to select this one and click on File, Export Objects, and then HTTP, because that's the protocol we're working with.

So here, well, we can see that all these objects have been identified as the content type image/jpg. So suddenly we have all these available images that we've actually intercepted within these packets, that we can decode the data and reconstruct it into an image that we can see. So let's wait for a second for it to identify all these, and then we're going to select the one we have selected here, and let's go ahead and save this so we can take a look at what it looks like. So we're going to name this nullbyte.jpg, and we're going to save it to the desktop. So finally, what we're going to do is go to our files (there we go), and in our files we're going to go ahead and look for the one on the desktop that we just saved that matches what we just downloaded from Wireshark. Now, here on the desktop you can see the file that we exported, nullbyte.jpg, and let's go ahead and open it and see what we can find inside. There we go: we have a still from a webcam which we've intercepted from a computer that is not actually connected to this wireless network.

Now, to do that we had to first intercept a wireless handshake by kicking the person off the network for a moment, and then we had to put in the password so that Wireshark would have everything it needed to decode the information and see the plaintext HTTP that was going over the network. Once we had that, we can simply take the packet and export it, and then we had this very nice image of what was being displayed on the person's screen wherever they are watching the webcam feed. And again, this will not work if somebody's not accessing the insecure HTTP web server running on the camera.

So if you're having some trouble with this, a couple of things might be wrong, and you might notice that wlan0mon is the wireless network interface that I'm using to intercept on. So if you're having some trouble with this, then my first kind of troubleshooting tip is to make sure that your card is in wireless monitor mode. You can type ifconfig to see the list of different devices, and here you can see this card is wlan0mon, but if yours just says wlan0, or if you've just plugged it in and you need to put it into monitor mode, you can type airmon-ng start wlan0. And of course I have already done so, so it's going to say that it doesn't exist, but just quickly showing you how it works: if I were to type stop, it would go back to station. We can see it's now a station: monitor mode has been disabled and station mode has been enabled. So I can type ifconfig, and we're back to wlan0. So now if I type airmon-ng start wlan0, I can go ahead and put that into monitor mode.

And further, if I identify the channel that I want to listen on, I can type sudo (well, I'm already root), so airmon, oh sorry, airodump-ng wlan0mon, and now I have a list of all the different networks in the area, including what channel they're on. So I can go ahead and put my card into whatever channel I need to monitor so that Wireshark can kind of intercept all the packets on that channel and not mess around with a bunch of other things that might make it just too complicated or even miss a lot of packets that we're looking for. So let's say I want to go after this one right here; this is our test network. So if I want to specifically look at this, I can see it's on channel 11, and I can use that as basically the way that we filter the traffic down and set up Wireshark before opening it. So once our card is in wireless monitor mode, I can type airmon-ng start wlan0mon and then the channel I want to set it to, 11, and just like that we should be able to open up Wireshark and start intercepting traffic from different devices that are operating on the 11th channel. So once we're back in Wireshark we can start it up; it'll be sniffing on channel 11, and provided we have intercepted a handshake and we've also entered the credentials, we should be able to see everything and intercept just about anything going on in HTTP.

If you own a Wi-Fi security camera, this is a perfect example of why it's important to keep your Wi-Fi network secure. Don't give out your password if you don't need to, and make sure to select a password that's pretty difficult, because otherwise it's relatively easy for anybody with access to that password to see everything going over your network. You can also take steps to buy a camera that supports HTTPS instead of HTTP, which will also protect you from these sorts of attacks.

That's all we have for this episode of Cyber Weapons Lab. Make sure to like, comment, and subscribe, and if you have any thoughts or feedback on the show, send me a message on Twitter, because we'd love to hear from you. We'll see you next time.
Info
Channel: Null Byte
Views: 524,122
Rating: 4.9354029 out of 5
Keywords: wht, wonderhowto, nullbyte, null byte, hack, hacking, hacker, hacks, hackers, how to hack, howto, how to, tutorial, guide, cyber weapon, cyber weapons, cyber, Wireshark, Security Cameras, Hacking security cameras, Kali Linux, security, camera, webcam, dropcam, nest cam, security camera, wireless, network, Wi-Fi, WiFi, airodump, airmon, http, https, web app, WPA
Id: va1wUSPGgSU
Length: 16min 46sec (1006 seconds)
Published: Mon Feb 04 2019