Relkci / NightOwlSP-WNIP2-Vulns

NightOwlSP-WNIP2-Vulns

I found a solution to this that provides full ONVIF for all the cameras that operate “behind” the secure-enclave wireless WNVR (WNIP2). I’ll be writing up something shortly. It’s nothing insignificant and involves packet captures. That said, I’m working with NightOwl to provide them responsible disclosure since I believe it to be a security-related oversight.

Regardless, the result is the cameras working with BlueIris/Hubitat/HomeAssistant with or without the WNIP2 WNVR recorder.

I’m open to working with another owner of a WNIP2 to produce the same results, to confirm that each WNIP2 uses a dedicated, non-similar wireless PSK. If anyone would like to be part of that research, let me know.

After penetration into the WNIP2’s (secure enclave) wireless network, it is possible to interact with the wireless cameras directly on the broadcast network. The profiles of the cameras themselves (at least the WNIP-2LTA-BS models) are /ch0_0.264 and /ch1_0.264 respectively. RTSP is port 554 and ONVIF discovery is port 8089. Model loads as “generic ONVIF” “*RSP H.264/H.265/MPJG/MPEG4” in Blue Iris auto-discovery. Doing the above also allows the opportunity to remove the WNIP2 camera’s internet requirement that otherwise relies on a generated P2P tunnel between the camera WLAN network and the camera manufacturer’s P2P tunnel service.

WNIP-2LTA-BS differs from WNIP-2LTA-BS-U which is the stand-alone camera that can be arbitrarily added to an existing wireless network and is not dependent on the WNIP2 WNVR for provisioning. WNIP-2LTA-BS is locked to its paired WNVR (WNIP2) that it was bundled with, and, without penetrating its secure network, cannot be modified to work on other wireless networks directly.

Regarding capturing the camera feeds from the LAN side of the WNIP2, I did not find a method. It appears that the WNIP2 service relies on the P2P tunnels generated by the applications to generate the feeds. I was able to identify the methods necessary to arbitrarily re-create the P2P tunnel and create a dedicated camera feed over the P2P tunnel, re-serving it as a typical RTSP service. This is effectively exactly what the Night Owl Protect CMS application does. To that end, the re-serving of the RTSP services via Night Owl Protect are also served to the localhost, thus it is possible to log in to Night Owl Protect CMS and import the re-serviced RTSP service into BlueIris/HomeAssistant, etc. Unfortunately the reliance on the P2P tunnel seems to cause the feeds to disconnect at least once every couple of days. The Night Owl CMS application’s re-served RTSP service uses the following URIs:

rtsp://admin:@127.0.0.1:10080/ch0_1.264
rtsp://admin:@127.0.0.1:10080/ch1_1.264
rtsp://admin:@127.0.0.1:10080/ch2_1.264
etc…

Again, this will only work on the local host where Night Owl Protect CMS is running. To test, log in to Night Owl Protect CMS, open the live view, and finally open VLC and connect to the URI.
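An added example, not part of the original write-up or of Night Owl's software: a small Python check that an owner can run on the machine where Night Owl Protect CMS is running, to see whether the re-served feed on 127.0.0.1:10080 is still up and whether it answers an RTSP DESCRIBE without an authentication challenge. The function names are hypothetical; only the URIs come from the text above.

```python
import socket
from urllib.parse import urlsplit

def build_describe(url, cseq=1):
    """Build an RTSP DESCRIBE request; credentials are left out of the request URI."""
    u = urlsplit(url)
    host = u.hostname + (f":{u.port}" if u.port else "")
    return (f"DESCRIBE rtsp://{host}{u.path} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n\r\n").encode()

def parse_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def classify(status, headers):
    """Turn a DESCRIBE status into a finding about the stream's exposure."""
    if status == 200:
        return "stream described without an authentication challenge"
    if status == 401:
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0] or "unknown"
        return f"authentication required ({scheme})"
    return f"unexpected status {status}"

def check_stream(url, timeout=3.0):
    """Send one DESCRIBE to the URL's host and port and classify the reply."""
    u = urlsplit(url)
    try:
        with socket.create_connection((u.hostname, u.port or 554), timeout=timeout) as s:
            s.sendall(build_describe(url))
            return classify(*parse_response(s.recv(4096)))
    except OSError as exc:  # refused or timed out, e.g. the P2P-backed feed dropped
        return f"unreachable ({exc.__class__.__name__})"
    except ValueError:
        return "listener did not speak RTSP"

if __name__ == "__main__":
    for ch in range(3):  # the three URIs listed above
        url = f"rtsp://admin:@127.0.0.1:10080/ch{ch}_1.264"
        print(url, "->", check_stream(url))
```

Run on a schedule, an "unreachable" result flags the periodic feed drops described above before the recording software notices them.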

--

01272022 - No one has time for this. Written up methodology here: https://github.com/Relkci/NightOwl-WifiCamera-Config-wnip2/