The title is just a joke; please don't imitate it. The aim of this article is to get people to take the security of Internet-connected devices seriously.

First you need to get onto the neighbour's WiFi. As for how to crack WiFi, here are three methods:

  1. Run the PIN with reaver. But the wireless routers that ISPs hand out with broadband plans these days can't be cracked this way any more, so the success rate isn't high.
  2. WiFi万能钥匙 (WiFi Master Key). For neighbours who lack basic network-security awareness this works very well. Once a rooted phone is connected to the WiFi, open the data/misc/wifi/wpa_supplicant.conf file in a file manager; the ssid and the psk next to it are the WiFi name and password.
  3. Capture a handshake. A normally configured PC does reasonably well at cracking weak passwords, or you can pay someone on Taobao to run it. But I have no patience for this kind of luck-dependent work with no progress bar.
  4. Ask the neighbour. Seriously, if you're a cute boy, the easiest way is to ask for the password when you drop by the neighbour's for a meal.

Once you have the password, the computer can connect. Of course, everything below can also be done on an Android phone; see my article on installing a Linux environment on a phone.

First check the IP that DHCP assigned you, then scan the /24 (C class) with nmap, for example: nmap -sP -T5 192.168.1.1/24

Devices that show up as Unknown can be checked on a MAC-address vendor lookup site. For example, for my target this time nmap reported the MAC vendor as unknown, and only after a lookup did I learn it was a Skyworth (创维) TV.

Then scan the TV's IP:

nmap -A -Pn -T5 192.168.1.3
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-18 01:15 中国标准时间
Nmap scan report for 192.168.1.3
Host is up (0.0029s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE         VERSION
2010/tcp open  search?
7100/tcp open  font-service?
8087/tcp open  http            Pcounter httpd
|_http-title: Site doesn't have a title (text/plain).
8200/tcp open  trivnet1?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, WMSRequest, X11Probe:
|     HTTP/1.1 200 OK
|_    Content-Type:text/html;charset:GBK
8888/tcp open  sun-answerbook?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 500 Internal Server Error
|     Access-Control-Allow-Headers: Content-Type,Accept,Origin,No-Cache
|     Access-Control-Allow-Origin: *
|     Access-Control-Allow-Credentials: true
|     Date: Sat, 17 Nov 2018 17:15:25 GMT+00:00
|     Server: CMCC Http Server
|     Content-Length: 0
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 17 Nov 2018 17:15:31 GMT+00:00
|     Server: CMCC Http Server
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Access-Control-Allow-Headers: Content-Type,Accept,Origin,No-Cache
|     Access-Control-Allow-Origin: *
|     Access-Control-Allow-Credentials: true
|     Date: Sat, 17 Nov 2018 17:15:25 GMT+00:00
|     Server: CMCC Http Server
|     Content-Length: 212
|     Content-Type: text/html; charset=UTF-8
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <title>手机遥控器</title>
|     <script>
|     window.location.href="./remote/index.html";
|     </script>
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Access-Control-Allow-Headers: Content-Type,Accept,Origin,No-Cache
|     Access-Control-Allow-Origin: *
|     Access-Control-Allow-Credentials: true
|     Date: Sat, 17 Nov 2018 17:15:25 GMT+00:00
|     Server: CMCC Http Server
|     Content-Length: 0
|   LSCP:
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 17 Nov 2018 17:15:31 GMT+00:00
|     Server: CMCC Http Server
|     Content-Length: 35
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|_    valid protocol version: INFO
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: C8[masked out by the author]59 (Unknown)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   2.93 ms 192.168.1.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.76 seconds

Port 8888 turned out to be an odd service, and its response contains this piece of code:

|     <script>
|     window.location.href="./remote/index.html";
|     </script>

Open http://192.168.1.3/ in a browser and it automatically redirects to http://192.168.1.3/remote/index.html (see the screenshot).

\"\"

It was actually a remote control, and it didn't ask for any authentication at all. I replayed requests with Burp Suite and saw the responses change, which shows the remote control really works. In other words, I could now control my neighbour's TV. Scary.
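As an added example (not the post's own code), here is an offline audit that parses a captured HTTP response like the one nmap printed above and flags the issues a home-network audit should report to the vendor; both sample responses are constructed, the first rebuilt from the port 8888 banner on this page and the second a hypothetical hardened reply.

```python
"""Offline audit of an HTTP response captured from a LAN device, flagging what this
post found on the TV's port 8888.  Added example, not code from the original post."""
import re

# Constructed sample: rebuilt from the GetRequest banner in the nmap output above.
CAPTURED_TV_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    '<html><head><script>window.location.href="./remote/index.html";'
    "</script></head><body></body></html>"
)
# Constructed sample: what a device that demands authentication would send instead.
HARDENED_RESPONSE = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Bearer realm="tv-remote"\r\n'
    "Access-Control-Allow-Origin: https://app.example\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers, body

def audit_response(raw):
    """Return (finding_id, detail) pairs for the weaknesses visible in the response itself."""
    status, h, body = parse_response(raw)
    findings = []
    if status == 200 and "www-authenticate" not in h and "set-cookie" not in h:
        findings.append(("no-auth-challenge", "200 OK without any authentication challenge"))
    origin = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if origin == "*" and creds:
        # Browsers ignore '*' for credentialed requests, but the pair shows nobody restricted origins.
        findings.append(("cors-wildcard-credentials", "ACAO: * together with ACAC: true"))
    elif origin == "*":
        findings.append(("cors-wildcard", "any web origin may read the responses"))
    redirect = re.search(r'window\.location\.href\s*=\s*"([^"]+)"', body)
    if redirect:
        findings.append(("client-redirect", redirect.group(1)))
    return findings
```

Running `audit_response` over a response saved from your own devices lists which web UIs answer without any credentials; a device that passes should return no findings, like the hardened sample.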

Then I found a surveillance device on another network, probably the CCTV in the hallway. I've found a vulnerability so far but haven't found a working exploit for it yet.

That is the end of the scanning and exploitation. The real purpose of this article starts here.

There are now a lot of smart-home devices, but ordinary users have no way of knowing how secure they are. Users trust the vendor and buy its products, while the vendor has no intention of taking responsibility for what it sold, pays no attention to security, and leaves customers' privacy exposed in broad daylight.

Many friends around me insist on buying these Internet devices that come with no security guarantees, and my advice falls on deaf ears. I hope this article can get people to take this seriously.
