Continuation Analysis of Honeypot Camera Traffic Edimax IC-7113W
Authors: Simona Musilova and Sebastian Garcia
This is another blogpost from the IoT Honeypot traffic analysis series. The captured traffic is from the IoT camera model Edimax IC-7113W and contains all the traffic from and to the camera for 24 hours starting on Oct 16th, 2018 at 7:43:55 CEST. The total number of captured packets is 37,824.
The camera uses the internal IP address 192.168.100.109 and the gateway router is 192.168.100.1. Port 80/TCP on the external IP address is redirected from the internet to this device to have access to its webpage.
The complete set of files for this dataset can be found here
https://mcfp.felk.cvut.cz/publicDatasets/IoTDatasets/CTU-Honeypot-Capture-2-154/
This analysis focuses on the following questions:
Did anyone try to connect to the camera?
Did anyone try to exploit any known vulnerabilities?
Which tools were used to attack our camera?
What is the normal traffic of the camera?
Scanners
Being scanned by others while being connected to the Internet can be considered as normal. In this capture our camera was scanned by the ZGrab scanner [1] which is an application layer scanner which works with zmap.
IP address of scanner:
198.108.66.112
[1] https://github.com/zmap/zgrab
GPON Vulnerability
We saw attempts to exploit this vulnerability also in the previous capture here. The attacker tried to gain access to the device by exploiting the well-known GPON vulnerability. After gaining access it is supposed to download and execute the gpon script from the IP address 206.189.12.31. Our honeypot camera is not a GPON router so this attack was not successful. However, there was no previous check to see if the camera was vulnerable. Possibly because it is simpler and more effective to just exploit what you can.
IP address of attacker:
41.238.106.161
phpMyAdmin Access Attempts
We also captured attempts to exploit the phpMyAdmin tool. In one case we could identify the tool used for exploiting the phpMyAdmin vulnerabilities, it was the ZmEu tool [2]. This attack came from the IP address 76.74.178.215. The ZmEu tool is a bot that tries to find vulnerabilities in phpMyAdmin and is sending its characteristic HTTP request “GET /w00tw00t.at.blackhats.romanian.anti-sec:)” followed by HTTP requests trying to exploit known vulnerabilities.
Another attempt to exploit phpMyAdmin was captured from the IP address 139.199.131.245. In this case we could not identify which tool was used. From this IP address we also captured an attempt to exploit the know vulnerability of the WebDAV service in Microsoft Windows Server 2003 R2 (CVE-2017-7269). This vulnerability would allow the attacker to remotely execute code by sending a long header starting with “If: <http://“ in a PROPFIND request.
IP addresses of the attackers:
139.199.131.245
76.74.178.215
[2] https://ensourced.wordpress.com/2011/02/25/zmeu-attacks-some-basic-forensic/
The Normal Behavior of the Edimax Camera
We have been dealing with the normal traffic of the Edimax IC-7113W camera for some time now, and it is a difficult task. It seems overly complex and mysterious, so we spent more time on it. To fully understand what is happening in the traffic we had to decrypt/decode the payloads of packets going from and to the camera. For this purpose we used the scripts available at the blog http://blog.guntram.de/?p=37.
As mention in the previous post, the camera is continually doing the following activities:
DNS Requests to MyEdimax
The hostname www.myedimax.com has a CNAME to ddns.edimax.com which has a CNAME to ns.edimax.com. This last hostname then resolves to the IP address 122.248.252.67. From a further analysis of the traffic we know that this is probably a registration server for the camera.
Registration of the Camera in Edimax without Consent
After the camera receives the IP address of the registration server it sends a packet to this IP address with parameter <opcode value = “1“> to port 8760 which is the port used for registration.
The registration server then replies with parameter <opcode value=”10”> and information about the command relay server IP address 122.248.234.231 and port, and the external IP address and port of the camera.
The camera then registers itself to the Command Relay Server with the registration parameter <opcode value = “1“>. The server never answers to this packet.
Next, the camera sends a packet with parameter <opcode value = “3000“> to the registration server (122.248.252.67) port 9765 acknowledging that it is online. According to our research the port used for this packet should be 8765 [3] and not 9765 as seen in the traffic.
Next the camera should send a packet with <opcode value=”1010”> and other information about the camera. Instead, the camera sends three packets, with a length of 660 Bytes. Only the first packet contains data which we were not able to decode, the second and third packets contains only zero bytes.
This cycle repeats approximately every 42 seconds.
[3] http://jin.ece.ufl.edu/papers/GlobeCom17-CR.pdf
General scanning
Our honeypot camera was scanned 48 times in this 24 hours from the following IP addresses:
103.61.101.110
110.77.201.43
139.199.131.245
146.88.240.128
165.16.37.182
170.254.46.96
185.83.182.151
189.46.191.58
192.222.30.135
193.77.43.201
195.34.91.222
196.52.43.89
198.108.66.112
200.127.116.127
41.238.106.161
71.92.206.240
76.74.178.215
89.43.150.111
94.190.56.151
96.89.80.109
Conclusions
In this 24 hours we captured scans of the camera IP address and some attempts to exploit well-known vulnerabilities. Attackers mainly focused on phpMyAdmin vulnerabilities and on the vulnerability of the WebDAV service of the Microsoft Windows Server 2003.
We managed to decrypt and understand some of the normal camera background traffic. Since we found some differences from the reported normal camera traffic, further analysis will follow.
Acknowledgement
This research was done as part of our ongoing collaboration with Avast Software in the Aposemat project. The Aposemat project is funded by Avast Software.
