Find Vulnerable Webcams With Shodan [Metasploit Framework]

Posted by

As we all know that, Shodan is one of the most popular and dangerous search engines which gives you all information from the banners and pulls from web-enabled devices like routers/switches/traffic-lights/scada/cameras etc.

There are many ways to find webcams on Shodan. Usually, using the name of the manufacturer of the webcam is a good start. Remember, Shodan indexes the information in the banner, not the content.

Today we’ll show you that, how you can find the vulnerable webcams with the help of Shodan and Metasploit Framework. To start Metasploit Framework, type “msfconsole” from your terminal.

Screen Shot 2020-06-12 at 10.18.49 AM

Type “search shodan” to view all the available modules/exploits related to shodan search engine.

From all the above results, just type “use auxiliary/gather/shodan_search

This module uses the Shodan API to search Shodan. The output from the module is displayed to the screen and can be saved to a file or the MSF database.  Type “show options” for all required options related to the above module.

Please see the Shodan site for more information regarding API Key.

To set the Shodan Key, type “set SHODAN_APIKEY <Your key here>” and also you need to set the Query which you want to search.

In our case, we’re gonna demonstrate the vulnerable Webcams, so type “set QUERY webcamxp” and then execute the module by typing either run or exploit from the MSF console.

As soon as, you run the module, you’ll get all the results which shows all vulnerable open web cameras hosted at different locations.

Here is one of the cameras hosted at some roof building corner.

Although some of these webcams are unprotected, many of them will require authentication. The first step is to try the default username and password. We’ve compiled a shortlist of the default username and passwords of some of the most widely used webcams below.

  • ACTi: admin/123456 or Admin/123456
  • Axis (traditional): root/pass,
  • Axis (new): requires password creation during first login
  • Cisco: No default password, requires creation during first login
  • Grandstream: admin/admin
  • IQinVision: root/system
  • Mobotix: admin/meinsm
  • Panasonic: admin/12345
  • Samsung Electronics: root/root or admin/4321
  • Samsung Techwin (old): admin/1111111
  • Samsung Techwin (new): admin/4321
  • Sony: admin/admin
  • TRENDnet: admin/admin
  • Toshiba: root/ikwd
  • Vivotek: root/<blank>
  • WebcamXP: admin/ <blank>

There is no guarantee that these will work, but many inattentive and lazy administrators and individuals simply leave the default settings, and in those cases, these usernames and passwords will give you access to confidential and private webcams around the world!

You can do the same through a web portal too, for example, if you want to search the webcams of only US country, then the search query is “webcamxp country:US” which will show all the results of United States country as shown below.

To be even more specific, we can narrow our search down to an individual city. Let’s see what we can find in Mexico. We can find those webcams by typing “webcamxp city:Mexico

Shodan even enables us to be very specific in searching for web-enabled devices. In some cases, we can specify the longitude and latitude of the devices we want to find.

In this case, we will be looking for WebcamXP cameras at the longitude and latitude (19.4357,-99.1439) of the city of Mexico. When we search, we get a list of every WebcamXP at those coordinates on the globe.

Posted by Shubham ;)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.