THE CYBER INFORMANT

Projects/Sniffing Packets From an Ankee Wireless IP Camera

WHOAMI Projects Articles Homepage Hacking Wallpapers Events-VLOG

2.Sniffing Packets From an Ankee Wireless IP Camera

1/28/2024

Surveillance cameras and suburban homes. One, a symbol of modern security technology, and the other, a typical part of the American dream. In the United States, where the pursuit of safety and privacy is as paramount as the pursuit of happiness, the integration of surveillance cameras into suburban landscapes has become a defining feature of middle-class living. As families seek peace of mind within the confines of their enclosed communities, the purchase of 2-3 wireless cameras has become commonplace, with some opting for even more extensive surveillance for both outdoor and indoor spaces. From this, arises such a profitable market, a subsector industry involving security engineers, IT repairmen, networking engineers, etc.. Whole companies have built their wealth on this subsector that keeps growing as individuals become conscious of the dangers their environment. Therefore it is important for us, the good actors with non-ill will to find vulnerabilities before the ill-willed actors do.

The most popular home-security companies are: ADT, Ring, SimpliSafe, Vivint, Securitas, and many others. The product we'll pick on today is from a less-known company that goes by the name "Annke". Established in 2014, a "world leader in the home & business security solutions industry" - according to their website. They have over 5 million customers worldwide. Below will be the info of the cam we're working with:

Make: Annke
Model: Camera I41EJ

The camera can be accessible through the "Myannke" app on both IOS and Android. You'd have to scan the QR code shown in the 2nd pic to connect to the camera. Another way to access the camera's feed and settings is through the port 80 the camera sets for its webapp. For that you'd need to discover the IP address of your cam.
To discover the IP address of the camera you have to be connected on the same wifi network as the camera, then run the command below to figure-out the private IP address:

$ ip addr
        

The output will display a list of interfaces that are available for your device to make connections, be it ethernet, wireless, bluetooth, or even docker if you have that installed. Most likely than not, your wireless interface will be named "wlan0". Under which you'll have a line similar to what's below:

inet 192.168.0.49/24 brd 192.168.0.255 scope global dynamic noprefixroute wlan0
        

the "inet 192.168.0.49/24" part indicates that the IPv4 address assigned to your wifi interface (wlan0), has the IP address of 192.168.0.49 and the /24 subnet mask. Telling us that the first 24 bits of the network portion, and the remaining 8 bits are for host addressing in the subnet. To scan for all the devices on our network we can substitute the last octet in the IP address with a "0", making our IP address 192.168.0.0 . This specific IP address is reserved for your router. We picked this IP addr so we can add the /24 to it, which enable us to scan all devices on our network that have IP addresses ending in 1 all the way to 254.

Our nmap input will be below:

$ nmap  192.168.0.0/24
            

As for me, the output that coorelates to the camera is:

Nmap scan report for 192.168.0.36
Host is up (0.042s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
8600/tcp open  asterix
8888/tcp open  sun-answerbook
        

We can visit the port 80 http using our browser by typing the [IP address]:80

192.168.0.36:80
        

That would direct us to this portal:

Now that we've identified our target and the port we're targeting, we can go ahead with sniffing the data and decrypting it!

To start, you need the SSID (name) of the network that the camera is connected to, as well as the passphrase to it. I you do not have the network's passphrase, you can use a handshake to force disconnect and reconnect everyone to the network and obtain the passphrase. I'll be sure to write something about the different techniques at a later time.
Once you have those, go visit the following url to input the SSID and passphrase to compute the PSK needed to decrypt the traffic: wireshark.org/tools/wpa-psk.html
Now copy your generated PSK key, open Wireshark, head to preferences under the "Edit" tab, click on the arrow besides the "protocols" tab to open the scroll bar, and from There pick the IEEE 802.11 protocol, check the "Enable decryption" box, then click on the edit option in "Decryption Keys", create a mew entry with wpa-psk as the key type and input your PSK key in the key field

After you've done the above, you need to switch your Wi-Fi card to monitor mode, the most simple way to do that is to use Airgeddon, input option 2 which will switch your card from managed mode to monitor mode. Now switch back to Wireshark, refresh it, and all the network traffic coming from the router the camera is on should be decrypted! Now you can filter by JPG/JPEG or PNG and export the images! Please don't shy from sending suggestions or anything to the contacts listed in Whoami.