Okay, this is part of an ongoing series on the WANZU IPCAM camera, wireless camera, and I recommend you watch the previous videos before you get into this. I show you in the previous videos how to get a root shell on the device. But today I want to talk about security a little bit on these cameras and basically tell you that there is none.

Now, of course, I tell you by default there's a telnet client and the password is 123456. Which is great, you can go in there and change it, we change that, that's fine. It's telnet, so it's not encrypted, it's not like other devices we've looked at that we can SSH into. We're telnetting into it, so that's unencrypted. Nothing's encrypted on this device. Not a big deal if you're on your own private network, the network is encrypted and you keep it secure. But if you're accessing this device remotely, you need to take things into consideration. Basically what I'm telling you here is, and this will probably be true of a lot of IP cams, because security certificates cost money in most cases. The prices are coming down, there's projects working on them. If you don't buy them, then you don't really know if the key is legit, blah, blah, blah. But just some things you should know about.

So first off, let's go to our web browser here. I'm already logged in. Let me go ahead and go to the mobile view here. My daughter is sleeping, everyone be quiet. This is why I'm able to record these videos right now, because she's sleeping. So there we are, we're looking at her, and this is the mobile view. Right now, multiple times a second, five to ten probably, it's grabbing a still image from the camera. If I hit F12 in Chrome here, it opens up the console here, and I'm on the network tab. And right down here you can see it grabbing a screenshot, it's using a snapshot.cgi file. And you can see it says question mark user, and you can see part of the username.
I can tell you that right now I moved over this little bar here so you can't see it all, because multiple times a second, unencrypted, it is sending your username and password to that device. If I was to hover over that or move that bar out, you would see my password multiple times. So if you're on a network with somebody and they're sniffing the network, multiple times a second they're going to be seeing your username and password. Again, not a big deal if you have a secure network and you're at home and you're just looking at something on the other side of the house. You're out at a coffee shop, you're on the Wi-Fi, someone's sniffing, they're going to have access to your camera.

So first off, do not use a username and password that you use anywhere else, because it's just out there when you're using this device. If you are out and about and you want to connect and you're concerned about that security, you don't want someone sniffing it, I recommend setting up a tunnel to your house through SSH. Once you're tunneled in and you tell your web browser to use that tunnel, you can now connect to the device. That way the device itself isn't opened up to the world, just your SSH server, wherever that is on your network, but the camera itself is not, and everything's encrypted to it up until you get within your network. That's one thing to keep in mind.

The other thing is, you know, again, right down here it's saying snapshot.cgi, which we know CGI are scripts, oh, she's waking up. CGIs are programs or scripts running on the web server. If I go back out here and I go into the full mode and I bring up that console, I can do things like change the resolution of the camera, and you can see it's calling there a CGI script called camera control.
It's calling a getcameraparameters.cgi, and basically if I move the camera, which I'm not going to do because she'll hear it move and get up and look at it, but basically anything we do in here is going to call some sort of CGI script. Again, every time sending your username and password. If you wonder why it just flashed, the room got dark enough that night vision just came on, so it flipped over to night vision. That's why we kind of lost the color there. A cloud may have floated over the house or something.

So anyway, let's go ahead and look at some of these CGI scripts. So I'm going to go back to our console here in the root of our file system. We already said that under our system folder, there is a www folder, and if we list here, you can see all our HTML files. Great, let's list out .cgi. We only have one CGI file in here. Without looking at that, I'm going to tell you right now it's a binary file, but you can cat it out or even better use strings, and your username, password, name of your network, your SSID, the key for your password, for your network, so your security key for your password is all in there in plain text, as well as a DNS client that one's view sets up for you if you want to remote access your camera if you had to open up ports. All that stuff is plain text in that file. That is one place where it's stored. There's actually other places where that information is stored unencrypted on this device. So if you ever get access to a device through Telnet, I mean you already have a root shell, so whatever, you can come here and look at that file and see all that information there.

So again, another security issue there, really, things should be encrypted, but again, you just assume a device like this is not. I mean it's a cheap Chinese knock-off camera. It's made by people who don't care, that are pumping out this low-cost product. You're going to assume that it's not secure. I would hope. But where are all of our other CGI files?
So that's the second part of this tutorial. I want to talk about that. So let's just go to our home directory, our root directory, and I'm going to scan the whole hard drive for CGI files. So I'm going to use the busybox that we downloaded, because the busybox that comes with the camera does not have find. We're going to say temp busybox find. Again, hopefully you watched previous tutorials and you know where we got that busybox file. And I'm going to say dash iname, meaning don't worry about the case, but look for files with this name. I'm going to say *.cgi. I'll hit enter. It found parameters login. I think that's one of the other files. You go there, it shows your username and password for the web interface. So basically it's showing two CGI files, both of which do nothing but leave your information unencrypted.

So where are our other CGI files? I mean, there are a lot of CGI files that the web interface is calling. And normally those are files on the computer. Well, remember when we ran our original busybox, there's no HTTPD in here. So a lot of devices will be using the HTTP daemon, the web server built into busybox, but this busybox doesn't have it. That's because they have their own custom web interface running. If we use ps to list all our processes, you can see there's one called encoder running a whole lot, and also a daemon version 5.5. And all these are in our system folder. So if we scroll all the way up, we can see a bunch of stuff here. We can see the telnet daemon is running. We have a shell running.

Okay, so what processes are starting at boot time? I'm drawing a blank on what the file name is, but let me do another find command. Again, another great reason that we installed busybox, it makes it easier to find stuff. We'll say init something... I don't know if it's initsh or init... something.sh, so I'll just search that. And hopefully here we'll be able to find nothing. Okay, let's just do init... system init. Okay, let's go here.
Let's go to our system folder. List out. And there is a folder called init. Initiate... oh, there we go. That's what it's called. ipcam.sh. This is where your startup script is. Anything you want to run at startup time, throw it in this script here. So vim ipcam.sh, not vim. Actually, I'm just going to cat it out. You can see that it creates some system variables here. We're exporting some paths, which are for when the camera is running; they actually don't carry over to when you telnet in, because this path is not in our path when we telnet in. Our telnet client is running, and then it's running this daemon.version 5.5, this command thread, and a gmail thread, because you can actually set this thing up to email you images if the camera detects motion in the camera. It really does do a lot of stuff. You can hook it up to your security system and have your alarm go off if it detects motion. You can have it email you. You can have it upload images to an FTP server if it detects movement, lots of stuff.

So let's go ahead and move into this system, system bin folder and list here. Okay, we have this daemon. We have an older version of the daemon that I don't even think is running. Again, we have our FTP client and a mail client, because it can email you stuff, and encoder, which is what we saw running when we ran ps to see our processes. It's running a whole lot.

Well, if you've followed me on other tutorials on just working with images or binary files, there's a program called strings. Let's go, let's see if busybox contains strings. First of all, let's use the full version of busybox strings. Okay, good, strings is there. Another good reason for us installing the full version of busybox. And let's go ahead and tell it to look at this encoder file. Right now, it's going to ignore all the binary, because it is a binary file, ignore all that, just give us the strings inside this file. A lot of stuff.
Now we can use our, again, our full version of busybox has grep. And unfortunately, if we weren't running busybox inside a temp folder, we could link all this stuff so we wouldn't have to type temp busybox every time. We could just type grep. So in the future, I may end up compiling my own version of busybox, but whatever, for right now, we have to type out the full name. So we're going to grep -i, meaning case insensitive, even though I think it's all going to be lowercase, anything with .cgi in that file. So we're going to do that, and we get a list of a bunch of CGI files. And some of them will look familiar to us, like parameter backups, camera controls.

Basically what I'm telling you here is these CGI scripts, even though you can create your own CGI scripts and put them in your web folder, most of the CGI scripts that the camera has preset are actually built in, they're embedded into their web server, which is this file here. Basically this encoder is at least part of their web server, and all their default CGI scripts are in there. So really we're not going to be modifying any of those, although you possibly could, but you could corrupt the file and mess up your camera too. Although you should still be able to telnet in and fix that with the image that we created in the last tutorial or two tutorials ago, whenever we did that. But if you were looking for those CGI files, they're embedded into the web server themselves.

Okay, so I just wanted to point those things out. One, the whole security issue of don't assume this product is secure, because things are stored unencrypted, and it sends your information unencrypted multiple, multiple times a second when you're viewing stuff. So make sure your network's secure, and if you're accessing it remotely, you probably want to tunnel through something encrypted like an SSH server, I guess maybe a VPN. I usually just use SSH.
Also don't use any username and passwords that you use anywhere else, because they're stored unencrypted on the device as well. So if someone gets access to the device through Telnet, which they shouldn't be able to, if it's on your network and your network's secure, and you don't have that Telnet opened up to the world, blah, blah, blah. Anyway, just keep these things in mind. Also, we pointed out where the CGI files are.

But in the next tutorial, we're going to start looking at some of the web interface and customizing some of it, making it a little bit better, because they didn't really put any effort into these web interfaces. They work, but with a few lines of code, they could have made them a lot better. So as always, I thank you for watching. This is my website, filmsbychris.com. That's Chris with a K. There should be a link in the description to that, as well as links to notes on everything we're doing in these tutorials. Be sure to check out the full playlist and the next video, which should be coming in about a week. And as always, I hope that you have a great day.
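
The transcript's point that every `snapshot.cgi` request carries the login in its URL can be audited from the defender's side. The script below is an added example, not from the video or the camera's firmware: it reads one request URL per line (for instance from a proxy log or a browser network-tab export), keeps only cleartext `http://` requests with a credential parameter, redacts the values, and counts requests per endpoint. Only the `user` parameter and `snapshot.cgi` appear in the video; the other parameter names, `example.cgi`, and the sample URLs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: find cleartext HTTP requests that carry credentials in the
# query string, redact them, and summarize per endpoint.
# Assumption: parameter names other than "user" are guesses, adjust as needed.

# Constructed sample input (192.0.2.0/24 is a documentation address range).
sample_urls() {
  cat <<'EOF'
http://192.0.2.10/snapshot.cgi?user=admin&pwd=CONSTRUCTED&t=1
http://192.0.2.10/snapshot.cgi?user=admin&pwd=CONSTRUCTED&t=2
http://192.0.2.10/example.cgi?user=admin&pwd=CONSTRUCTED
http://192.0.2.10/index.htm
https://example.org/login?user=bob
EOF
}

# Replace the value of every credential parameter with "***" so the report
# itself does not leak what it found.
redact() {
  sed -E 's/([?&](user|username|pwd|pass|password)=)[^&[:space:]]*/\1***/g'
}

# Keep only unencrypted (http://) requests that include a credential parameter.
cleartext_cred_requests() {
  grep -E '^http://[^ ]*[?&](user|username|pwd|pass|password)=' | redact
}

# Count offending requests per endpoint (query string stripped), busiest first.
summarize() {
  cleartext_cred_requests | sed -E 's/\?.*//' | sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Stand-alone run on the constructed sample.
sample_urls | summarize
```

To use it on real data, pipe a file of URLs into `summarize` instead of `sample_urls`.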