Dahua / Intelbras MitM Attack

Dahua / Intelbras MitM Attack How to perform a very simple MitM Attack on a Intelbras/Dahua IP Cameras / DVR. This uses Ettercap to do an ARP Poison and a simple GoLang Script to fetch the username/password. Disclaimer: This type of attack is basically illegal anywhere in the world. My intentions with this tutorial is to demonstrate why you should ALWAYS use a TLS connection for ANYTHING. Use for you own risk. For the purpose of responsible disclosure, I contacted Intelbras on Twitter on 11/08/2019 and let them know I expected a reply from them until 17/08/2019. If they didn’t...

Reverse Engineering cheap chinese "VRCAM" protocol

Reverse Engineering cheap chinese “VRCAM” protocol That’s not the first time I get a Chinese hardware that has some proprietary protocol that does not follow a single standard. It’s funny because when you get a VERY cheap thing, you expect to use many standards as possible to reduce the development cost, but some chinese developers just want to do it yourselves. I present you the “VRCAM” and it’s SOUP protocol (any relation to SOAP is just a mere coincidence :P) The Hardware Let’s first start with the hardware itself. It’s a 2 Megapixel sensor with 1280x960 video resolution. It features...

GOES GRB First Light!

When the GOES-16 was first announced I got interested in their GRB Downlink (although the first try was at HRIT downlink). Basically GRB is a replacement for the old PDR downlink in GOES 13/14/15 generation, which gives few advantages over the old link: Uses market standard DVB-S2 Generic Stream Have FEC (as defined by DVB-S2) Higher bandwidth Easier to receive due DVB-S2 FEC For those who don’t know, the GRB is a direct rebroadcast of GOES data, with minimum processing as possible (usually just packaged into NetCDF files with calibration parameters) and is intended for anyone that want’s to get...

Linux shim for Patching executable in run-time

Linux shim for Patching executable in run-time That’s something I already did a long time and few people know. It’s not something hard or complex to do, but few people know how easy is to make a Library Shim. First, what’s a shim? A shim is a small library that can intercept API calls transparently for a specific program / library. Basically its a proxy library that can transparently intercept some API calls to either change the content, monitor the data or just making a API translation. That has its variants over all Operating Systems (Linux, Mac OSX, Windows) but...

Some LNA tests for HRIT/LRIT

So I was talking with @luigi on OSP RocketChat and he noticed that one of the LNA’s I suggested alogn with the LNA4ALL (the SPF5189) got a comment on ebay saying that it doesn’t work on L Band. So that was weird to me, since I have 5 of them, and one currently in use with my GOES setup. So I decided to do a small and crude benchmark for L Band comparing no LNA with LNA4ALL and SPF5189. So the test I wanted to do was pretty simple: check how the LNAs was effective over LRIT/HRIT band (L Band...