Hello all.

I thought I’d tell you a little about a side-project I’ve been working on, now that it is starting to take shape. It is still far from complete but I thought I’d share its development with 0x00sec.

We all know that the mythical Internet Of Things has been on the rise and that people make all kinds of interesting things publically addressable. Security cameras are one of them and for several years I have been wanting to write something that does the heavy lifting of finding them, places them on a map and if possible, streams them.

The technology stack

There were a couple of things I wanted when I started building this:

• The program should be able to run locally, rather than as a webservice.
• It should run on both Windows and Linux.
• Should be extensible, as we aren’t looking at a static environment.

For portability, Watcher is written in C++11. As there is a limit to how much of the wheel I’m willing to re-invent, SDL (Simple DirectMedia Layer) provides cross-platform window creation, OpenGL initialisation, input handling and a few other things. Layering on top of SDL and OpenGL, ImGui is used to create the user interface while keeping the bloat low. For data management, SQLite handles storing and retrieving data from a database local to the program, which requires no “real” database service to have to be installed. The much beloved cURL is used to interact with HTTP servers and finally, a JSON library serialises configuration files (such as rule sets) and messages between individual plugins.

Further building up on this, the map is built using tiles from a remote server: currently Stamen, but most tile servers which used the same specification as OpenStreetMap can be used.

Geolocation is handled by ipinfo.io, using their public API. This is rate limited to 1000 requests a day, but Watcher will just store the addresses which need to be resolved and try again later.

The current state

The plugin architecture is now working properly, allowing new components to be added without considerable overhead. The most basic way of finding cameras has been implemented: a simple multi-threaded portscanner scans the internet for webservers on certain ports (80, 81, 8000) and then forwards any results to a plugin which tries to identify if a webpage contains a camera or not, based on a growing ruleset. The vast majority of cameras have specific titles on their pages which makes this less of a faff than it would be otherwise.

Once a camera has been identified, the IP address is sent to the geolocation plugin so it can be represented on our map.

Increasing coverage

Obviously, scanning the entire internet takes a while. Quite a while, particularly if you’re thinking on being thorough and increasing the number of ports to scan for! Even using something like masscan, you’d need a fairly fat pipe and a serious router. So, there are two additional plugins in the pipeline: one which will leverage Shodan, another which will use Google with specially targetted search terms.

Next in the pipeline

The map is currently quite basic. The user can scroll around, zoom in/out and see the camera markers, but can’t select them. The tile streaming is also a bit flakey and it’s possible for a tile which is in use to be unloaded, only to get loaded again a few seconds later. It isn’t great work and I could take some shortcuts to get the entire flow running sooner, but since I have no time constraints I can build a solid foundation and get something I’m happy with.

Source?

Open source, of course. You’ll find the code in the project’s GitLab. At the moment it only successfully builds on Windows, I need to spend some time wrangling the makefile

Further posts?

Do you find this kind of development post useful or interesting? Or would you rather just have a post when the tool is ready?

Hey there , great idea by the way , best wishes on developing the tool

This project is very, very interesting, and so is the development post, I love finding out the underlying technologies of a program without having to dig through hundreds of files myself, but I guess I’ll be doing that anyway because I’m really curious to see the code and I need more exposure to C++11. Still, great job and good luck with this! Keep us updated.

Neat project, have you considered adding insecam.org to your coverage? It’s very similar in concept.

Thanks Baud! By all means, dig into it. The program is not particularly large and after some refactoring it is fairly well structured. Shout if you have any questions.

Thanks for the link. I had thought about it, but ended up deciding against it. Those websites use similar methodologies to gather their data, so I would rather spend time extending my rulesets. This should also require less maintenance, as the plugins I’m making use published APIs, rather than the more fragile alternative of scraping websites.

I’m excited, Please do tell when you’re done.

Hope to have a tutorial

i am not asking you to overload the tools capabilities, but i had to ask if you were going to include some known vulnerabilities or IOC’s , so that your are not just finding the cameras but , you have a view of vunerable ones , is this in the projects scope

It is in the project’s scope, and is part of why this program runs locally, as well as being one of the reasons for the plugin architecture it uses. Once I have the core in place, I’m planning on getting my hands on a few vulnerable models, set them up locally and assembling some plugins to target them. This is medium term though, still have a fair bit to do.

Creating a Google Search plugin

One of the historic ways of finding security cameras is via search engines: badly configured cameras are both publically addressable and often picked up by a trawling search engine. This has benefits over port-scanning, as we’d be looking into scanning the entire IPv4 address space - doable, but the ability of running e.g. masscan at full speed is beyond most of us.

Thankfully over the years people have created a substantial corpus of search queries to feed into Google which identify cameras from various manufacturers, mostly due the pages either having URLs which follow certain patterns or static titles.

Scraping results from Google is not a trivial task as it has various systems in place to prevent automated crawling, but they do provide an API we can make use of. The Custom Search Engine API can be used for free (rate limited to 10000 queries/day) and although intended to provide Google’s search within a certain domain / set of domains, it can be convinced to provide unrestricted searching capabilities.

In short, the steps are:

• Create a Custom Search Engine (https://developers.google.com/custom-search/v1/introduction).
• When creating the CSE, set it to a non-existing domain and to fallback on “searching the entire web”.
• After the CSE is created, edit it and remove the dummy domain.
• Generate an API key.
• Create queries using the API (you can experiment with https://developers.google.com/apis-explorer/#p/customsearch/v1/search.cse.list to see how results are formatted).

It is interesting to note that the API does not let us grab results in bulk: it identifies how many results there are and lets us set a starting point, but it’s limited to a maximum of 10 results at a time. This is not a show-stopper, it just means we need to break down every rule into multiple queries until we have retrieved all the results.

The basic functionality is now working, with Watcher being able to initiate queries and process the results. This now needs to be expanded to forward the results to the other plugins so the map and database are populated.

Here we can see a set of results from the first (currently hardcoded) query. One of the next steps is to make the queries be loaded from a JSON file and start creating the corpus of rules.

and a custom google dork could also be accepted perhaps

You’ll be able to add any custom queries to the queries file - none of this will be hardcoded, so extending it will be straightforward.

Once we start using it properly, if we find it is a bit clunky I can add a custom query field into the UI as well.

looking forward to that .

This is amazing! I have so much to learn from this. Thank you for sharing

Very smart idea! Thank you for the writeup

Hey @hostile.node , just wanted to know what’s happening…

Hey @messede. I’ve been away for most of the week (business) and haven’t had the chance opportunity to make real progress on this in the last few days. I’m expecting to be able to put up another update post towards the end of the coming week.

looking forward to it , ill keep bothering you here , so that this thread stays alive…

nicee good luck on programming pls post more updates on this one