In a previous guide, I showed how to intercept images from a security camera over Wi-Fi using Wireshark, provided you know the password. If you do not know the password, you can always get physical with the Hak5 Plunder Bug. Using this small LAN tap, we can capture traffic such as images from a Wi-Fi or IP security camera if we can get physical access to the Ethernet cable carrying the data.
Many IoT devices use weak security because they assume that these devices will stay within Wi-Fi networks with strong passwords. This does nothing to protect them from physical attacks, so with access to an Ethernet cable, these devices can often be accessed in unexpected ways without even requiring a password.
In this guide, we try to capture pictures from a security camera connected to a local network that someone is viewing on a monitor. Our goal is to sniff the traffic from the insecure web page of the device to see if we can pull pictures from the traffic we are intercepting, so that we can "see" what the viewer sees.
While Wi-Fi allows us to see everything happening on a network, there are also some disadvantages. Firstly, for the attack we are talking about to work, we need to know the password of the Wi-Fi network. We would also need to kick the device we want to sniff off the network for a moment so we could listen while the device and the Wi-Fi router negotiate the keys for their connection.
This means that two major conditions must be met in order for the Wi-Fi version of this to work. First, someone has to be online to kick, and secondly, we need to know the password to put everything together. When we have all this information, it is easy to intercept the pictures. The difficult part is often getting the Wi-Fi password in the first place.
The Hak5 Plunder Bug is a 10/100 Base-T Fast Ethernet switch that mirrors traffic to an integrated USB Type-C Ethernet adapter. It drops in between a router and an Ethernet cable, giving you access to any unencrypted traffic flowing through.
Unlike with Wi-Fi, we do not need a password to see unencrypted traffic such as insecure IP security camera viewing pages. What we need to remember is that unlike Wi-Fi, which shares a common channel transmitted over the air, an Ethernet cable running from the router to an end device will only contain traffic for the particular device that the cable connects to the network.
Simply put, if you tap the wrong Ethernet cable, you are looking at the wrong computer, because Ethernet only sends the data we are looking for over the cable that directly connects the router to the computer on which the target is viewing the camera.
What You Need
To do this, you need a wired or wireless security camera connected to your network to experiment with, as well as a "victim" computer viewing the camera's feed in a browser window. The webcam must use HTTP, not HTTPS. You also need a Hak5 Plunder Bug for $49.99, and a USB Type-C to USB Type-A cable to connect the Plunder Bug to your computer.
If you do not have spare Ethernet cables, you'll also need a length of Ethernet cable to insert the Plunder Bug between the target's Ethernet connection and the router.
To start, you need to access the built-in interface on any webcam, IP security camera or DVR system you want to intercept pictures from. This attack relies on the target accessing the insecure web page hosted on the device to display the camera feed, so if it uses HTTPS, it will not work. To set up our test computer, we need to open the camera's interface and watch the feed.
In a browser window on your "target" computer, navigate to the HTTP interface, enter any required password and start watching the live webcam feed. Make sure "HTTP" is enabled and not "HTTPS." Below you can see a typical login page.
If you need to find your camera on the network, you can run an Nmap scan to detect devices on the network using common HTTP ports that are often associated with cameras.
For this command, you need to know the network range. You can find this by typing ifconfig and copying the IP address assigned to the computer. Then you can enter ipcalc followed by your IP address to calculate the network range. It should be something like 192.168.0.0/24. Run the following command, replacing 192.168.0.0/24 with your own network range.
sudo nmap -p 80,81,8080,8081 192.168.0.0/24 --open
When you find a device on the network with a port open, you can navigate to it by typing the IP address and then the port number in a browser window. For example, if you want to navigate to port 8081 on 192.168.0.1, type 192.168.0.1:8081 in your browser window.
In the above example, we can see that the webcam viewer page is vulnerable!
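For auditing your own network, the same scan can be turned into an inventory of devices that still answer on these cleartext HTTP ports. This is an added example, not part of the original guide; it assumes the scan was saved with nmap's grepable output option (-oG), and the sample hosts below are constructed.

```shell
#!/bin/sh
# Added example: list hosts exposing the camera-typical cleartext HTTP ports.
# Feed it nmap grepable output, e.g. from:
#   sudo nmap -p 80,81,8080,8081 192.168.0.0/24 --open -oG scan.gnmap

# Constructed sample of grepable output (addresses are made up). It includes
# closed/filtered entries, as seen without --open, to exercise the filter.
sample_scan() {
cat <<'EOF'
# Nmap scan (constructed sample)
Host: 192.168.0.1 ()	Status: Up
Host: 192.168.0.1 ()	Ports: 80/open/tcp//http///, 8081/open/tcp//blackice-icecap///	Ignored State: closed (2)
Host: 192.168.0.23 ()	Status: Up
Host: 192.168.0.23 ()	Ports: 80/closed/tcp//http///, 8080/open/tcp//http-proxy///
Host: 192.168.0.40 ()	Status: Up
Host: 192.168.0.40 ()	Ports: 81/filtered/tcp//hosts2-ns///
EOF
}

# Print "<ip> <comma-separated open TCP ports>" for each host with an open port.
cleartext_http_hosts() {
    awk '
    /^Host: / && /Ports: / {
        ip = $2
        list = substr($0, index($0, "Ports: ") + 7)
        sub(/[ \t]*Ignored State:.*/, "", list)   # drop the trailing summary
        n = split(list, entry, ", ")
        found = ""
        for (i = 1; i <= n; i++) {
            # Each entry is port/state/protocol/owner/service/rpcinfo/version/
            split(entry[i], f, "/")
            if (f[2] == "open" && f[3] == "tcp")
                found = found (found == "" ? "" : ",") f[1]
        }
        if (found != "") print ip, found
    }'
}

# Stand-alone run on the constructed sample.
sample_scan | cleartext_http_hosts
```

Each host it lists is a device whose web interface should be checked for an HTTPS option or moved off the shared LAN.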
Now comes the simple part. Connect the Plunder Bug to your laptop using the USB Type-C to USB Type-A cable. Disconnect the Ethernet cable of the device you want to monitor from the router, and connect an Ethernet cable between the router and one side of the Plunder Bug. Then insert the Ethernet cable leading to the target into the remaining port on the Plunder Bug.
With the Plunder Bug sitting between the two cables, we can now see the data passing through by connecting the USB cable to the computer.
After inserting the Plunder Bug, you should see a second USB Ethernet device. To check, run ifconfig before and after and look for something like eth1 to appear. If your computer lacks an Ethernet port, eth0 is usually your internal adapter.
ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 50:7b:9d:7a:c8:8a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::e476:ed83:a72c:72b4  prefixlen 64  scopeid 0x20<link>
        ether 00:13:37:a7:25:cf  txqueuelen 1000  (Ethernet)
        RX packets 25  bytes 6272 (6.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 50  bytes 7364 (7.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Now that we know the name of the adapter, in this case eth1, we can start Wireshark and begin monitoring traffic flowing over this interface.
Step 4: Starting Wireshark
While we have gained access to the network traffic and limited it to the target computer, there may be other traffic that is not related to the images we are trying to capture, which makes it difficult to focus on what we are looking for.
Start Wireshark by selecting it from the Applications drop-down menu in Kali or via a quick search. Then select the interface we found earlier, in my case eth1.
Double-click on the interface to start the capture. A flood of packets should start filling up the window.
There is far too much traffic to parse through. To cut down the data, we add another filter to show only HTTP traffic flowing in the network. In the main Wireshark window, type http in the display filter field.
This displays only the HTTP traffic being sent to the computer we are monitoring, narrowing our view even further until we are only looking at the traffic to our insecure web app. Now we actually have to decode the intercepted packets into pictures so we can see what our target is seeing. Stop the capture by clicking on the red square, then export the JPEG images we have captured.
Now that we can see the HTTP traffic from the web application, we need to extract the encoded JPEG files to turn them into something we can work with. Click "File" and then "Export Objects". We are exporting the HTTP objects we found, so click "HTTP" to open the object list.
In the HTTP object list, we see a list of the HTTP objects that we have intercepted. Here we can see the JPEG images we want to decode. You can choose one or all of them, then click "Save" or "Save All" and select a location to export the files to.
Click on "Close" and then navigate to the folder to which you exported the images. You should see a list of files that Wireshark exported from our capture. There will be more or fewer depending on how long you ran the capture.
Finally, click on one of the pictures to see the image that was intercepted on its way to the target computer. You should see a frame from the video feed!
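The same capture can be used to check your own cameras: any device that shows up as a source of image responses over plain HTTP is exposing its frames to anyone on the wire. This is an added example, not part of the original guide; it assumes tshark is installed, capture.pcapng is a placeholder file name, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise which servers sent images over cleartext HTTP.
# Input is comma-separated tshark field output (source IP, source port,
# Content-Type), for example from:
#   tshark -r capture.pcapng -Y 'http.response' -T fields -E separator=, \
#          -e ip.src -e tcp.srcport -e http.content_type

# Constructed sample of that field output (addresses are made up).
sample_fields() {
cat <<'EOF'
192.168.0.1,8081,text/html
192.168.0.1,8081,image/jpeg
192.168.0.1,8081,image/jpeg
192.168.0.1,8081,Image/JPEG
192.168.0.50,80,text/css
192.168.0.50,80,image/png
192.168.0.50,80,
EOF
}

# Print "<ip>:<port> <count>" for every endpoint that returned image content.
# Content-Type is compared case-insensitively; empty values are skipped.
cleartext_image_servers() {
    awk -F, '
    NF >= 3 && tolower($3) ~ /^image\// { count[$1 ":" $2]++ }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample.
sample_fields | cleartext_image_servers
```

An empty result after switching a camera's interface to HTTPS confirms that its frames no longer cross the wire in the clear.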
As the Plunder Bug demonstrates, physical access is everything. Especially for IoT devices designed to be used within the safety of a protected LAN, physical access to the network can allow access to devices such as security cameras in unintended ways. More advanced IoT devices using HTTPS are safe from these attacks because their traffic is encrypted end to end, but critical details such as HTTPS security are often ignored when connected devices are designed.
This is just the beginning of what you can do with this amazing Hak5 tool. You can get a Plunder Bug from the Hak5 store and check out the official documentation for more information on setting up active and passive modes on the device.
I hope you enjoyed this guide to using the Hak5 Plunder Bug to capture webcam images. If you have any questions about this tutorial on LAN taps or if you have a comment, write it below in the comments or reach me on Twitter @KodyKinzie.