Strategic GeoIP Hacking and TV Streaming Theft

Fri, 16 Nov 2007 14:22:00 GMT

A couple of weeks ago, my wife pointed out to me this really cool appliance she saw in a magazine. Since she knows I like spending my free time hacking/researching embedded devices, she thought I'd be interested.

In summary, you hook up the Slingbox to your TV box, be it digital TV or cable. Then you can stream to your laptop, desktop computer or even mobile/cell phone. The best thing is that you can stream not only within your home (LAN) network, but also from the Internet, anywhere, any time! Of course, you would first need to set up port-forwarding on your border router to accomplish this. Don't be fooled into thinking that only geeks would enable such setups because of the difficulty involved. The truth is that SlingPlayer (the client) will help you automatically enable port-forwarding on your router through an easy-to-use wizard (which uses UPnP in the background to talk to your router, in case you are interested). Nevertheless, there are also instructions to set up remote viewing manually.

After researching the device a bit, I learned that all you need to do is install the client, called SlingPlayer. In order to receive the video stream, a connection is established to port 5001 on the appliance, and then you just authenticate with a username/password combination. As you can see, it's a very standard client-to-server setup!

Most people that set up port-forwarding on their router to their Slingbox would forward port 5001 on their router to port 5001 on the Slingbox, simply because this is how the available documentation shows users how to manually set up remote viewing of their Slingbox's video stream. SlingPlayer can also be used to enable port-forwarding on that port by following an automatic wizard, which is perfect for non-technical users. Cutting the story short, the target port to find Slingboxes on the Internet would be 5001.

Imagine someone found an authentication bypass bug. Or maybe most users leave the default credentials on. There is potential for stealing TV services. This of course doesn't only apply to this device but to many others that are in charge of services such as TV streaming, VoIP telephony, etc. How would a cracker go about finding these boxes on the Internet? Well, from a GeoIP hacking point of view, step number one would be to find the countries with Slingbox users. By browsing slingmedia.com, you learn that the device is available in the USA, UK, Canada and the Netherlands.

pdp wrote a script (do.sh) that downloads Maxmind's free GeoIP database and parses the IP ranges of all countries, sweet! The end result is a file with IP ranges in the following format, which separates the start IP and end IP with a comma ( , ): X.X.X.X,X.X.X.X. The problem is that this notation is not compatible with nmap. Since what we want is to scan the countries with Slingboxes for port 5001, we need to convert the IP ranges to a notation that nmap understands, which can be done with the following script.

#!/bin/bash
# iprange2nmaprange.sh
# Converts "startIP,endIP" lines into nmap's per-octet range notation (A.B.C-D.E-F).
# Caveat: nmap expands each octet range independently (a cartesian product), so the
# output only equals the original range when a single octet differs between start and end.

# just change the following line to match the country csv file you want to convert
for i in `cat country-XX.csv`
do
        startIP=`echo $i | cut -d ',' -f 1`
        endIP=`echo $i | cut -d ',' -f 2`

        startA=`echo $startIP | cut -d '.' -f 1`
        startB=`echo $startIP | cut -d '.' -f 2`
        startC=`echo $startIP | cut -d '.' -f 3`
        startD=`echo $startIP | cut -d '.' -f 4`
        #echo $startA $startB $startC $startD

        endA=`echo $endIP | cut -d '.' -f 1`
        endB=`echo $endIP | cut -d '.' -f 2`
        endC=`echo $endIP | cut -d '.' -f 3`
        endD=`echo $endIP | cut -d '.' -f 4`
        #echo $endA $endB $endC $endD

        if [ $startA -eq $endA ]
        then
                nmapA=$startA
        else
                nmapA="$startA-$endA"
        fi

        if [ $startB -eq $endB ]
        then
                nmapB=$startB
        else
                nmapB="$startB-$endB"
        fi

        if [ $startC -eq $endC ]
        then
                nmapC=$startC
        else
                nmapC="$startC-$endC"
        fi

        if [ $startD -eq $endD ]
        then
                nmapD=$startD
        else
                nmapD="$startD-$endD"
        fi

        echo "$nmapA.$nmapB.$nmapC.$nmapD"
done
./iprange2nmaprange.sh > targets

In this case we're interested in the files country-US.csv, country-GB.csv, country-CA.csv and country-NL.csv. Once converted to nmap IP range notation with the previous script, we're ready to go:

nmap -P0 -n -iL targets -p5001 -oG results
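The conversion step deserves a closer look. nmap's per-octet notation expands as a cartesian product, so the script above only reproduces a Maxmind start,end range exactly when a single octet differs; for anything wider it both misses addresses inside the range and includes addresses outside it. The following added example (not from the original post) parses the start,end format described above, reproduces the script's notation, and shows the exact alternative: `ipaddress.summarize_address_range`, which yields CIDR blocks that nmap also accepts. The sample ranges are constructed, not real GeoIP data.

```python
import ipaddress

# Constructed sample in the start,end format the post describes (not real Maxmind data).
SAMPLE_CSV = """10.0.0.0,10.0.0.255
1.2.3.4,1.2.5.6
"""

def parse_ranges(text):
    """Yield (start, end) IPv4Address pairs from 'start,end' lines, skipping blanks."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            start, end = line.split(",", 1)
            yield ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)

def octet_range_spec(start, end):
    """Reproduce the post's per-octet notation, e.g. 1.2.3-5.4-6."""
    parts = []
    for lo, hi in zip(str(start).split("."), str(end).split(".")):
        parts.append(lo if lo == hi else f"{lo}-{hi}")
    return ".".join(parts)

def octet_range_size(spec):
    """Addresses nmap expands an octet-range spec to: the product of the octet spans."""
    n = 1
    for part in spec.split("."):
        lo, _, hi = part.partition("-")
        n *= int(hi or lo) - int(lo) + 1
    return n

def to_cidrs(start, end):
    """Exact conversion: the minimal list of CIDR blocks covering start..end."""
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]

def cidrs_size(cidrs):
    """Total addresses covered by a list of CIDR strings."""
    return sum(ipaddress.IPv4Network(c).num_addresses for c in cidrs)

def convert(text):
    """For each line: (octet spec, its expanded size, true range size, exact CIDR list)."""
    rows = []
    for start, end in parse_ranges(text):
        spec = octet_range_spec(start, end)
        rows.append((spec, octet_range_size(spec), int(end) - int(start) + 1, to_cidrs(start, end)))
    return rows

if __name__ == "__main__":
    for spec, approx, exact, cidrs in convert(SAMPLE_CSV):
        flag = "" if approx == exact else "  <-- octet notation does not match the range"
        print(f"{spec:>14} expands to {approx:>4} hosts, range has {exact:>4}: {' '.join(cidrs)}{flag}")
```

For the second sample range the octet notation covers only 9 of the 515 addresses, which is why the CIDR form is the one to use for any range that spans more than one octet.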

Everything is turning to TCP/IP these days: not only consumer devices, but also corporate and governmental appliances. Although this approach makes it cheaper to build products by reusing existing implementations/frameworks/APIs, there is a price to pay: it makes it easier for people (including the bad guys) to perform vulnerability research, since TCP/IP is widely understood.

Jason Macpherson
Nmap tends to be a little slow for large scans like this. You'll get your results much faster if you use scanrand. http://www.doxpara.com/read.php/code/paketto.html
Zeryl
I re-wrote the shell script for this, in PHP. It does all of the .csv's created from the other script, at once, and extremely quickly (about 5 seconds on a dual P3). Below is the code for it:
<?php

//Look through the local directory for *.csv
foreach (glob("*.csv") as $filename) {
    //Load the current file into the $lines array, dropping newlines and blank lines
    //(without this the last octet of $endIP would carry a trailing newline into the output)
    $lines = file($filename, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

    $content = '';

    foreach($lines as $line)
    {
        //Explode the start and end ip from the current line
        list($startIP, $endIP) = explode(',', trim($line));

        //Explode each octet of the current ip into arrays
        $start = explode('.', $startIP);
        $end   = explode('.', $endIP);

        //Parse each array for the ip (same per-octet notation as the shell script)
        $nmap = array();
        for($i = 0; $i<=3; $i++)
        {
            if($start[$i] == $end[$i])
            {
                $nmap[$i] = $start[$i];
            }
            else {
                $nmap[$i] = "$start[$i]-$end[$i]";
            }
        }

        //Write the current nmap'ified IP to the variable
        $content .= "$nmap[0].$nmap[1].$nmap[2].$nmap[3]\r\n";
    }

    //replace the extension with target
    $newfile = str_replace('csv', 'target', $filename);

    //write the file
    $size = file_put_contents($newfile, $content);
    echo("Wrote $newfile with a size of $size<br />\r\n");
}
Adrian Pastor
Hey Jason! I will try Scanrand when I have time. I've also been wanting to play with Unicorn http://www.unicornscan.org/ for a while!
LordDoskias
I think that "TCP/IP is widely understood" isn't a good argument. History has shown that "security through obscurity" doesn't work well. If tomorrow's technology is not TCP/IP but something else, then it's a matter of time before someone documents this technology. For example, "Silver needle in the Skype", presented at BH '06. And Skype is thought to be one of the most "hidden" technologies out there.
hackathology
unicornscan is the way to go
Dominik
My personal experience has been that scanrand is indeed fast, but also misses quite some open ports. Yes, nmap _will_ run very slow with the provided command line. But you can speed it up quite a bit. First, scanning with -P0 is dead slow, because nmap has no round-trip-time information without a ping first, and will default to a slow scan mode. Second, nmap has a not-so-well documented fast single port scan mode. Third, you can speed things up by setting less conservative timing limits. An updated nmap command line would be: nmap -PS5001 -S5 -n -iL targets -p5001 -oG results
Dominik
Sorry, just made a typo. It should read -T5 and not -S5
br4inmatic
nmap -PS5001 -S5 -n -iL targets -p5001 -oG results yeah.. that really makes it much faster.
Adrian Pastor
@LordDoskias - I agree that security through obscurity is not the way to go. However, we all are in a comfort zone, and that is highly reflected in public security research. btw, I will check out "Silver needle in the skype" :-) Nice nmap tips guys! I was familiar with the timing -T flags, but not the -PS flag.
maze
Anyone got an idea on how the auth works? I'm trying to get a brute forcer going...
Adrian Pastor
@maze - Just run Wireshark while you try to authenticate with SlingPlayer. You can use the following filter on Wireshark: ip.dst==targetIPaddress
sean
Very interesting article. However, how do you handle the password part? I understand you can designate a Slingbox by its IP address, but how would you hack the password? Thanks
NerdBert
I used a Slingbox for a while but ended up ditching it. Nowadays internet speeds are so fast that I can access TV via the internet. I'm in Europe, so I use a VPN service to connect to either the US or UK (VPN gives me a local IP address, thus working around the "US/UK" country blocking). Three of the best sites are Hulu, SeeSaw and BBC iPlayer. Here is a good updated list of the US/UK TV networks with free internet streaming http://www.vpntelevision.com Good luck in your quest for TV online! Uncle Abe