AXIS cameras have a severe remote compromise bug. I guess the cameras need to be found and patched. But, you know, I don’t recall where they’re at.
Let’s find them.
I do not remember, off the top of my head, all the subnets around. Happily, I'm in a mixed shop and Active Directory Sites and Services tells me what subnets are which. Cool.
On an AD controller, run PowerShell and enable script execution.
> Set-ExecutionPolicy RemoteSigned
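Run the following script:
[cmdletbinding()]
param()
# Enumerate every site in the current forest
$Sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
$obj = @()
foreach ($Site in $Sites) {
    # Emit one row per subnet assigned to the site
    foreach ($sub in $Site.Subnets) {
        $obj += New-Object -TypeName PSObject -Property @{
            "site"   = $Site.Name
            "subnet" = $sub.Name
        }
    }
}
# Write the site/subnet pairs to CSV without the #TYPE header line
$obj | Export-Csv 'ADsites.csv' -NoTypeInformation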
The csv output shows:
"subnet","site"
"6.6.66.0/24","HELL"
"6.7.67.0/24","PANDEMONIUM"
"6.8.68.0/24","HELLS-GATE"
AXIS cameras have the following ports open by default:
TCP 21,80,554,49152
We can use nmap to discover and filter hosts that have the above:
$ nmap -p 21,80,554,49152 10.97.232.* -oG - | grep open | awk '!/closed/ && !/filtered/' >> axis
However, scanning UPnP port 49152 is unreliable. We could then narrow the ports, but we would be left with a guessing game as to whether or not the system is an Axis camera.
Luckily, Axis cameras all have a banner on FTP 21. It is either Axis or AXIS. This works better:
$ nmap -sS -sV -p 21 -n -Pn --script banner IPRANGE/CIDR -oG - | grep -i axis >> axis
To scan all the ranges, all we need to do is create a file of networks in CIDR notation and feed it to nmap. I'm only concerned about my isolated networks, HELL and HELLS-GATE:
$ vi axis.subnet
6.6.66.0/24
6.8.68.0/24
Now, the completed command would be:
$ nmap -sS -sV -p 21 -n -Pn --script banner -iL axis.subnet -oG - | grep -i axis >> axis
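To tie the two halves together, here is an added example (not part of the original post) that builds axis.subnet straight from ADsites.csv for the sites you name, and reduces nmap's grepable output to a plain list of IPs to patch. The function names, the scan.gnmap file name and all sample data are constructed for illustration; it assumes site names contain no spaces or commas.

```sh
#!/bin/sh
# Added example. Function names and all sample data are constructed.

# subnets_for_sites CSV SITE...: print the subnet of each row whose site is
# listed. Columns are located by header name; CRs and quotes from the Windows
# CSV are stripped. Assumes site names contain no spaces or commas.
subnets_for_sites() {
    csv=$1; shift
    tr -d '\r"' < "$csv" | awk -F, -v want="$*" '
        BEGIN   { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        keep[$col["site"]] { print $col["subnet"] }'
}

# axis_hosts FILE: from nmap -oG output, print each IP whose port 21 is open
# and whose version field (7th "/" field of the port entry) mentions Axis.
axis_hosts() {
    awk '/^Host: / && /Ports: / {
        ports = $0; sub(/.*Ports: /, "", ports); sub(/\t.*/, "", ports)
        n = split(ports, p, ", ")
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")
            if (f[1] == "21" && f[2] == "open" && tolower(f[7]) ~ /axis/) print $2
        }
    }' "$1"
}

# write_samples DIR: constructed CSV (CRLF, as Export-Csv writes it) and
# constructed grepable scan lines; the banner strings are placeholders.
write_samples() {
    printf '"subnet","site"\r\n"6.6.66.0/24","HELL"\r\n' > "$1/ADsites.csv"
    printf '"6.7.67.0/24","PANDEMONIUM"\r\n"6.8.68.0/24","HELLS-GATE"\r\n' >> "$1/ADsites.csv"
    {
        printf 'Host: 6.6.66.10 ()\tPorts: 21/open/tcp//ftp//AXIS sample-model ftpd/\n'
        printf 'Host: 6.6.66.11 ()\tPorts: 21/open/tcp//ftp//vsftpd/\n'
        printf 'Host: 6.8.68.20 ()\tPorts: 21/filtered/tcp//ftp///\n'
        printf 'Host: 6.8.68.21 ()\tPorts: 21/open/tcp//ftp//Axis sample-model ftpd/\n'
    } > "$1/scan.gnmap"
}

d=$(mktemp -d) && write_samples "$d"
subnets_for_sites "$d/ADsites.csv" HELL HELLS-GATE > "$d/axis.subnet"  # for nmap -iL
cat "$d/axis.subnet"
axis_hosts "$d/scan.gnmap"
rm -rf "$d"
```

In real use, save the scan with -oG to a file instead of piping through grep, then run axis_hosts on that file.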
Thursday, July 20, 2017
discover axis webcams when you're clueless