CCTV Interception
Made by: The Noodle Hackerspace.
Published by: AT Products LLC.
Published on: May 17th, 2023.
Prenote
Needed Items
A computer with Wireshark and Aircrack-ng, a Wi-Fi adapter that supports monitor mode, and sufficient time.
To execute this process, Wireshark will be utilized to capture network traffic between hosts. The objective is to intercept unencrypted HTTP traffic directed to a target computer.
Initially, encryption must be bypassed. Even if the network password is known, connecting immediately is not recommended, as it increases the likelihood of detection. Instead, Wi-Fi keys should be added to Wireshark for decryption. Capturing traffic without connecting to the network ensures a passive attack, reducing exposure to detection.
A critical requirement for decryption is obtaining a Wi-Fi handshake. Wireshark relies on observing a four-way WPA handshake to decrypt subsequent traffic. An adapter in monitor mode can capture this handshake, allowing data decryption using the known password.
Several conditions must be met for this approach to be effective. If the target camera uses a secure interface, data will remain encrypted and unreadable. Additionally, if the camera feed is not actively monitored, no insecure traffic will be available for interception. Furthermore, if a client cannot be disconnected from the network to force a handshake, possession of the password becomes irrelevant. Finally, being outside the network’s range prevents interception of traffic entirely.
Despite these constraints, this method is frequently viable. If a Wi-Fi security camera is in use and a display is actively showing its feed, a Wi-Fi password and compatible adapter are the primary requirements.
Once within range, with an appropriate operating system and necessary tools installed, preparation can begin. The Wi-Fi adapter should be plugged in, and Wireshark must be installed. If Wireshark is not available, one of the following commands can be used depending on the system:
sudo apt install wireshark -y
sudo pacman -S --noconfirm wireshark-qt
Step 1
To begin, access the built-in interface of the targeted webcam or Wi-Fi security camera. In a browser window on the host computer, navigate to the HTTP interface, enter any required credentials, and initiate the live feed.
If the camera’s network location is unknown, an Nmap scan can be performed to identify devices running insecure HTTP ports.
The network range is required for this scan. Run ifconfig to obtain the assigned IP address, then pass that address to ipcalc to calculate the network range, which should resemble 192.168.0.0/24. Replace "IP" in the last command below with the determined network range:
ifconfig
ipcalc <your IP address>
sudo nmap -p 80,81,8080,8081 IP
This scan identifies open ports. If a device with an open port is found, it can be accessed by entering the corresponding IP address followed by a colon and the port number (for example :81). A service on port 8081 is reached by entering 192.168.0.1:8081 in a browser.
Step 2
Connecting a Wi-Fi adapter is required. The "Alfa AWUS036NHA" is a recommended choice. Before launching Wireshark, two steps must be completed: placing the adapter into monitor mode and identifying the router’s broadcasting channel.
The adapter’s name can be determined by running ifconfig, which will return an interface name such as wlan0 or wlan0mon.
Once identified, the adapter must be placed into monitor mode using the following commands, replacing wlan0 with the correct interface name:
airmon-ng start wlan0
airodump-ng wlan0mon
The first command puts the adapter into monitor mode and renames the interface by appending "mon"; the second starts Airodump-ng, which scans for available wireless networks. The target network must be identified, and its channel noted for subsequent steps. A sample output is provided below:
CH 4 ][ Elapsed: 0 s ][ 2018-12-24 02:42
BSSID | PWR | Beacons | #Data | #/s | CH | MB | ENC | CIPHER | AUTH | ESSID |
---|---|---|---|---|---|---|---|---|---|---|
C0:8A:DE:39:CD:D9 | -46 | 2 | 0 | 0 | 1 | 130 | WPA2 | CCMP | MGT | TWCWiFi-Passpoint |
C0:8A:DE:F9:CD:D8 | -47 | 2 | 0 | 0 | 1 | 130 | OPN | | | TWCWiFi |
C0:8A:DE:B9:CD:D8 | -46 | 2 | 0 | 0 | 1 | 130 | OPN | | | SpectrumWiFi |
C0:8A:DE:39:CD:D8 | -47 | 2 | 0 | 0 | 1 | 130 | OPN | | | CableWiFi |
78:96:84:00:B5:B0 | -42 | 2 | 0 | 0 | 1 | 130 | WPA2 | CCMP | PSK | The Daily Planet |
00:9C:02:D2:5E:B9 | -60 | 3 | 0 | 0 | 1 | 54e. | WPA2 | CCMP | PSK | HP-Print-B9-Officejet Pro 8600 |
20:10:7A:92:76:43 | -51 | 2 | 0 | 0 | 1 | 130 | WPA2 | CCMP | PSK | SBG6580E8 |
DE:F2:86:EC:CA:A0 | -45 | 1 | 0 | 0 | 11 | 195 | WPA2 | CCMP | PSK | Bourgeois Pig Guest |
D6:04:CD:BD:33:A1 | -55 | 1 | 0 | 0 | 11 | 130 | WPA2 | CCMP | PSK | DirtyLittleBirdyFeet |

BSSID | STATION | PWR | Rate | Frames | Lost | Notes | Probe |
If the target network operates on channel 11, the following command sets the adapter to the correct channel:
airmon-ng start wlan0mon 11
This ensures traffic interception occurs on the intended channel.
Step 3
With the adapter configured to the correct channel, Wireshark must be launched. Upon opening, double-click the monitored interface to start capturing packets. However, without the network password, data will remain unreadable. Encryption keys must be added to Wireshark to facilitate decryption.
Step 4
To add encryption keys, navigate to "Edit" in the menu bar and select "Preferences" to open the settings menu.
Within the "Protocols" section, locate and select IEEE 802.11 to access Wi-Fi decryption settings. Ensure the "Enable Decryption" box is checked, then click "Edit" next to "Decryption keys" to open the key management panel.
In the key menu, choose "wpa-pwd" as the key type. While a wpa-psk option is available, it requires calculating the PSK manually, making wpa-pwd the preferred choice.
The key must be added using the plus (+) icon, formatted as password:networkname.
Confirm by clicking "OK." If a four-way handshake is successfully captured, decryption of network traffic should now be possible.
Step 5
In the Wireshark capture, ensure that a significant amount of traffic is visible. While decryption is not possible without a handshake, a filter can be created to display only traffic directed to the target device.
The most effective method over a Wi-Fi network is to locate a piece of traffic directed to the target device and create a display filter to show only packets heading to that MAC address. This ensures that only traffic directed to the target device is displayed, while other network traffic is ignored.
Under the packet information, right-click the "Receiver address" for a packet being sent to the target device, select "Apply as Filter," and then "Selected." This will filter the packets to display only those directed to the target.
Step 6
After isolating the traffic directed to the target device, a four-way handshake can be generated by temporarily disconnecting the target device from the network while Wireshark is capturing traffic. A tool named MDK3 can be used to disconnect devices connected to Wi-Fi and generate a handshake. MDK3 is recommended for advanced Wi-Fi jamming.
Since the channel of the Wi-Fi network is already known, MDK3 can be used to disrupt any device operating on that channel. To generate a WPA handshake, run the following command in a terminal window, replacing "wlan0mon" with the name of the wireless card and "11" with the channel being targeted:
mdk3 wlan0mon d -c 11
After a short period, nearby devices on the network should automatically reconnect, allowing the WPA four-way handshake to be intercepted. To verify the handshake, open a new terminal and run Airodump-ng to monitor for WPA handshakes. Use the following command, substituting wlan0mon and 11 with the actual interface and channel:
airodump-ng -c 11 wlan0mon
Once the WPA handshake is visible, ensure that the MAC address matches the wireless network being targeted to avoid capturing a handshake for the wrong network. With the four-way handshake captured and the network key entered, full access to data flowing over the network is possible. While HTTPS traffic remains encrypted, raw HTTP traffic should be visible.
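Because the handshake in this step is forced with a burst of deauthentication frames, a defender can spot the attack in the same kind of monitor-mode capture. The Python script below is an added example, not part of the original guide: it parses the MAC header of raw 802.11 management frames and raises one alert per BSSID when more than ten deauthentication or disassociation frames arrive within a second; the sample frames and MAC addresses are constructed.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10  # 802.11 management frame subtypes

def parse_frame(frame):
    """Parse the MAC header of a raw 802.11 frame (radiotap header already stripped).
    Returns (type, subtype, addr1, addr2, addr3, reason); reason is None unless deauth/disassoc."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    a1, a2, a3 = (frame[i:i + 6].hex(':') for i in (4, 10, 16))
    reason = None
    if ftype == 0 and subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from('<H', frame, 24)[0]
    return ftype, subtype, a1, a2, a3, reason

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns one alert (ts, bssid, count)
    per BSSID whose deauth/disassoc frames exceed `threshold` within any `window`-second span."""
    recent, alerts = defaultdict(deque), []
    for ts, raw in frames:
        p = parse_frame(raw)
        if p is None or p[0] != 0 or p[1] not in (DEAUTH, DISASSOC):
            continue
        bssid = p[4]                     # addr3 carries the BSSID in management frames
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:        # drop frames older than the sliding window
            q.popleft()
        if len(q) > threshold and not any(a[1] == bssid for a in alerts):
            alerts.append((ts, bssid, len(q)))
    return alerts

# --- constructed sample capture (hypothetical addresses, not from the original page) ---
AP = bytes.fromhex('020000000001')
CLIENT = bytes.fromhex('020000000002')
BCAST = b'\xff' * 6

def mgmt(subtype, dst, src, bssid, body=b''):
    fc = bytes([subtype << 4, 0])        # type 0 (management), flags 0
    return fc + b'\x00\x00' + dst + src + bssid + b'\x00\x00' + body

def sample_capture():
    frames = [(0.0, mgmt(8, BCAST, AP, AP)),                               # beacon
              (0.1, mgmt(DEAUTH, CLIENT, AP, AP, struct.pack('<H', 3)))]   # one legitimate deauth
    return frames + [(5.0 + 0.02 * i, mgmt(DEAUTH, BCAST, AP, AP, struct.pack('<H', 7)))
                     for i in range(20)]                                  # burst as a jammer sends
```

A single deauthentication (normal roaming) is never flagged; only the burst produces an alert, which a wireless IDS would log with the BSSID and time.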
Step 7
After gaining access to the network traffic and isolating it to the target device, unrelated traffic may still be present, making it difficult to focus on the desired data. To address this, another network filter can be added to display only HTTP traffic flowing through the network.
In the Wireshark main view, type http into the display filter bar to narrow down the traffic.
Step 8
With the HTTP traffic from the web application visible, the encoded JPEG files can be selected and processed. Stop the capture, then click on "File" and select "Export Objects." Choose "HTTP" to open the list of intercepted HTTP objects.
In the HTTP object list, a selection of intercepted JPEG images will be available. Select one or multiple images, then click "Save" or "Save All" and choose a location to export the files.
After exporting, navigate to the folder containing the exported images. The number of files will depend on the duration of the capture.
Open one of the images to view a frame from the intercepted video feed.