ok, so I picked up this cheap IP cam to crew around with, and as I was looking around for info, got some cool ideas:
Now, you've never heard of "carpo cam" because it's a chinese rebrand. The model number, CP-7892wip, shows up in a google search with a near match on T-7892wip which is on a list of webcams with known vulnerabilities. A port scan shows
Discovered open port 23/tcp on 192.168.0.111 Discovered open port 81/tcp on 192.168.0.111 Discovered open port 8600/tcp on 192.168.0.111 Not shown: 64726 closed ports, 806 filtered ports PORT STATE SERVICE VERSION 23/tcp open telnet BusyBox telnetd 81/tcp open tcpwrapped 8600/tcp open tcpwrapped MAC Address: XXXXXXXXX (Ferran Scientific) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.30 TCP Sequence Prediction: Difficulty=202 (Good luck!) IP ID Sequence Generation: All zeros TRACEROUTE HOP RTT ADDRESS 1 2.31 ms 192.168.0.111
So, 3 ports, some version of linux. Most notably, there's that telnet port on 23. I've tried a few passwords from similar situations, root:123456/111111/888888, etc, but no luck so far.
The stream I guess is on 81, no HTTP service found, no ftp, no rtsp.
I've done some brief poking around with wireshark, but nothing jumped out at me of particular utility. I'll try again when I have time to really dig through it. I'm hoping to snag the stream password/protocols from that.