Finding WEIRD Devices on the Public Internet
2024 ж. 21 Сәу.
147 958 Рет қаралды
jh.live/censys || Get started with the leading Internet Intelligence Platform for threat hunting and attack surface management -- find what is exposed out on the open Internet with Censys! jh.live/censys
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
Read The Hacker Mindset by Garret Gee: jh.live/hackermindset
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZhead ALGORITHM ➡ Like, Comment, & Subscribe!
I think those cameras on the billboards are supposed to be public. It's probably so clients can confirm their ads are being shown.
You would think they would disable the ability to interact with the camera controls AND have a restricted general account with a password.
@@omegadroidzero That's a very good point. Although, maybe the controls don't actually work.
@@drooplug The one where it had the lady working, the controls do indeed work (but you can only rotate the camera left for some reason but yea they do work or atleast that one did)
I doubt it. If you search long enough you will find there are cameras from the same vendor inside peoples houses. I doubot those are supposed to be public.
To everyone saying he didn’t hide the IPs, it’s literally on the open internet
EXACTLY
And most of these are gonna be honeypot traps. So noobs beware😂
i mean just because my house is open to the public doesn't make it any less a crime to go into my house. So him showing the IP's of the places he's gray area illegally going................
@@NOMAd_THe_HACKEr No man people are crazy whole factories have their siemens s7 public. You stop the factory youll see theyll fix it in 1 day lol
@@johndorian4078 in law there is no such thing as grey area, either its legal or its not. im not a lawyer and i cant tell about laws in other countries but i believe at least here in germany your fine as long as you make sure to only show publicaly available information. which would mean he wouldnt even need to censor anything.
Isn't it reassuring that embedded products are generally mature and secure, without firmware vulnerabilities... Oh... Wait...
At which point did we go from "i just wanna host a Buffy fansite" or "i just wanna share a couple tunes with buddies" to "anything you post publically is going to be relentlessly scraped, vulnerability scanned for profit, and used in the next LLM model whether you like it or not" ?
People have been scraping and scanning for decades. Tools like nmap have existed since 1997. Governments have most likely been on top of this way before then. The LLM stuff is debatable though.
I once found a camera system on the Internet at someone's house in the middle of nowhere...and somehow ended up moving into the house about a decade later...
I think that puts you the beginning of a horror movie or true crime podcast. I'll try to watch when you are on 48 hours or wherever you end up.
Do the owners know you moved in ?
Two sentence horror right here.
Wow
I saw that movie... did you ever cure the trolls? Or are they still rampaging around with rabies ruining everyone's vacation?
This isn't only useful to cyber security experts, but also to show people why they shouldn't easily trust anything that connects to the internet, especially things with weak authentication, and even more so with none
It may be useful for end users, but it's not nearly user friendly enough for most people to understand, so it's most useful for anyone who find and take advantage of those with weak authentication.
Lmao use shodan shit you can actually just use google to search for shit if you know the right commands
geoguessr guy needs to find them to email the people that their devices are open
This is incredibly worrying, but it's also important to show how much of your connections are available on the internet, and why securing those connections is so very necessary. Today it's a demonstration, tomorrow it's a legitimate malicious agent.
Not something you have to worry about unless you’re actively port forwarding your cctv cameras for all to see (or using upnp)
What is even more worrying is how easy it is to index them all ;) I have over 30k indexed worldwide, and it doesn't even matter if they shut the camera down. I still see everything and gave access to my GPT-4 model.
If you're old enough, you remember "IP Cam trolling" because people were lazy with securing their networked devices. Such hijinks were a thing for a while on at least one of the Chans. The main "feature" allowing the troll was that the cameras had a speaker in addition to the mic, allowing the observer to disturb the observed in some manner. KZhead took videos about those down after some TOS change in the 2010's, even the ones that were more silly than malicious. (The ones I liked is where the guy bugging people eventually tells them to put a password on it at least. So the troll served a basic lesson in network security.) Despite all that, seems some things really never changed much. The "hack" is that things are still exposed to a lot of search engines depending on how the hosting works, so it's just a matter of knowing the keywords to bring them up.
Fully expected John to be using Shodan lmao
Same lol, but it's cool to see a search engine of that sort that I hadn't heard of
@@revenevan11 You can scan the whole internet(every ipv4 adress) in 6-12 minutes. You only need a 10-20gbit internet speed. So in theory every person could know all device that are connected and interact with them. It is the whole purpose of this system.
Why? This dude is a joke
Me too
@@mapache2185 it would seem you find that joke funny
I haven't done this for years! I found a freaky lobby cam once that I never saw anyone enter or exit. It was like one of those creepy alternate world things people talk about. "An Empty World, A Time Traveler, Another Dimension" 🤣
Makes sense. Most of the more popular hotels, etc have higher security on their security systems. They wouldn't be publicly accessible online, so if it was a hotel or something else, probably was lower class. From what I can tell, the high class ones run on their own private networks, not just openly online.
@@ValiantNomad You think too highly of them, they will just hire cheapest company to do it for them, it's then their decision how they going to set it up and my friend for most of them "it works" is just good enough.
@@767corp ⬆ THIS! Lowest bidder. Third party contractors. I've been mortified by what pen testers have found in "secure office buildings" and hotels. There's a security flaw in "millions of hotel-room doors" right now that I'm not seeing get fixed too fast.
You mean like the back rooms? Liminal spaces with a webcam, cool!
@@stevengill1736 Exactly, it's very strange to see a camera inside a building at an entrance but never see movement. Not knowing where the camera was located only adds to the mystery.
I really like the fact that viewers can SEE the code (and terminal) that you discuss in your videos! I can always see your code clearly and thanks so much for doing this! Most content creators that I see on KZhead post their code in small size font where I can hardly see it.
I remember finding something similar back in like 08. There was a site that you could browse public IP's for various cameras in your geographic location. There was a map and you could increase or decrease the range. It was interesting some of the cameras you could access. A few of the colleges in the area were wide open.
0:06 that's a public webcam of the city of Stützerbach in Austria.
Ohh don't mention the names bro ;)
It says it at the top of the image ;)
@@Cypherx444 9:01 is Edmonton, Alberta. Recognized the area code and business lol
@@leaaon460 yes, it is lmao. 780 is the area code for edmonton, alberta. I live here. I think I know the area code and the dentist I go to
It's not, the camera would be upside down if it were Australia 🙃
I have never watched your channel before but I understand why you have 1.45 million subs, great booming voice coupled with some amazing oration skills added to some great video work, scripting and editing makes you really awesome at what you do. Great video and thank you for the information.
Brilliant! love the way you present with such energy! Cheers!
Way to represent, Melbourne! First St Vinnies, then billboard monitoring.
Thanks for sharing! I can see how easily you can go down the rabbit hole to find Alice.
There's a bunch of cameras that come out with open ports, there was a whole series of HIKvision cameras that are exposed if you only know the IP address in the correct port number
Baby monitors, nanny cams, webcams, security cams, ect... Only way to stop it is to practice safe networking
23:00 Blick vom Schlossberg - View from the castle on the hill. (down to the village, somewhere in Thuringia, Germany)
somewhere, to be more accurate: around a city called "Ilmenau". It is also located on the Mountain Range called "Rennsteig".
I'm more curious on the shirt/cloth John is wearing. It looks so shiny and cool looking.
What a fabulous video! I'm going to consider Censys for further analysis and exploration. It seems fun, interesting and helpful-thanks a lot! ❤
Remember looking at all this kind of stuff back before GUI, just using command line or crude level text and being blown away at how much was on the open internet.
This seems very similar to Shodan. These sites are always very shady because I bet a lot of these people had no idea these devices were on the internet
Correct they didn't. Shady though? Nope. Just service scanning
Well every device that is connected to the internet is public space. If you do not close the door it is like a starbucks store, people can walk in and out and should see what service is being offered today.
@@maktiki Except Starbucks chose to give access to customers. This is more like going into a random person's home because they left the door ajar.
@@iuse9646 in some countries port scanning is illegal. Its likes nooping around someones house looking for an open window.
@@NorthLaker If there is no authentication protocol there is no door, and the autonomous system/server/iot device etc is just part of or an extension of public space.
I was surprised to see after looking into Censys that they're physically located in Ann Arbor. I lived in Ann Arbor for years :-O
VNC Resolver is something very similar to this which posts random snapshots on fedi
Love your content! And question what keyboard you are using?😂
I literally did this today with Finn. The synchronicity is real
a lot of stuff i looked up actually had a login page after the 200 so... kudos to them.
Once saw one of these videos of an old guy asleep on his sofa, think the camera was inside a TV. You're better off covering anything thats got a camera if you don't want others being able to see you. I have tape covering the camera on my laptop for the same reason. If you've got any webcams also unplug them when not using them. There are thousands of links online and through google that give access to all these cameras.
John just found something, that my grandpa showed me as a kid (no joke) LMAO. The funniest thing is that most of these cameras actually are publicly available. Like not only because of this site, but rather they are intended to be public.
hammond : bowling mask...what is that... bowling mask : 😸
@ 4:08 Hold Ctrl then scroll your mouse wheel up or down to quickly zoom the page in or out. -
Ive found multiple cameras from inside home with people just doing their thing on shodan, creepy af, also found controllable cameras through out some landmarks in rome.
Glad to of seen this and find out my ip is all good and no open service, port exposed to the public
Well, that is something that is left there forever.
It is
3:01 Interesting queries, hope there aren't any Internet exposed industrial systems.
spoilers, there are
there are alot some even let you change settings
Install exe -> Default --> Next --> Next --> Next --> Finish 😃👍
@@dcquence And many SCADA systems (especially older ones) have hard coded usernames and passwords for administration, or they don't allow changing the one that was chosen on first install. Sucks if any such system controls vital infrastructure and use known hard coded login details...
This site was part of a question in my CEH cert exam.
Have you taken the masters ?
there are a lot of publicly accessable webcames in germany that just sit on houses and show you the enviornment
What a useful tool!
Thanks Mr.Jhon that's great scammer hacker ❤
I giggled when I saw the "Try one of these examples" and the first example shown was "Russian hosts running RDP or FTP". 🤣
this is cool. like the overpass turbo of the Internet. awesome
25:53 gute Preise, gute Besserung 😂 (That's the slogan from the company ratiopharm)
This makes me feel like a genius just for having at least put a password on my TightVNC from the start 😅 (The port for it is no longer open/forwarded to the wild wide open internet since some time ago, instead I set up a VPN so I can connect into the home network and only *then* connect to the VNC; because I found out that TightVNC doesn't encrypt any of the session keystrokes or other traffic *except* for the password... meaning that the actual windows user account password I'd authenticate after connecting using the VNC server password would be sent as plaintext to the computer lol. Now it's at least encrypted until it's through to my VPN at home!)
I use it to check traffic, but the public cameras are pretty slow since everybody is using it
I'm actually surprised these devices let you use their app without setting a password
i remember yt vids of ipcam trolling. good times.
One of those billboards is literally 5 minutes from my house. What are the chances.
Searches are limited to 10 per day unless you create a login.
Also you find the camera via streetview, then contact the company. Then they remove the camera and few days later they make it public again :facepalm
Oui John!!
So, that’s why I see that going on my website 1 times every week, it’s just scanning for changes!
"I feel a little bit odd doing just the United States , I'll pivot to Canada" LMAO
the best part is when you can move them :)
Oh man.... The "S" in IOT stands for "Security"
Takes me back 20-30 years ago 😊😊
John Hammond is the Barney of cybersecurity.
lol this tickled me_no Diddy tho🤣
You're his biggest fan
Dude , he isn't at all
Barney, like the dinosaur? Can’t tell what you’re getting at.
Imagine looking at active cameras and randomly seeing someone through their webcam.. that would.. not be good.
Ive watch many of these stream years ago with a little the same pictures.
How is the legal situation with such a search engine? Are they allowed to scan the whole internet over and over again? I thought I remembered that at least in my country (Germany) port scanning is illegal. But I might be wrong.
when its a camera filming public spaces i doubt any city anywhere has any desire to spend even a single cent making it not publicly accessible, especially if all you can do is view the feed and not actually mess with the system. with private people and buisneses however i assume most
It's crazy what you can find on the internet.
Big Tech meets Big Ick - I love it!!
When i was taking my course in CEH, our instructor (big dude, with a big beard, and full sleeves) poked some Chinese routers that were open to the Internet. Illegal? I dunno. Funny. Hell yes
Great video today
The webcam from ~ 22:56 is a public, the one from the roof
And this is why kids you must watch/listen Security Now podcast
You should connect to new refrigerators and see what food people have.
16:42 his task bar briefly appears. Showing proton vpn, brave as well as the time 11:57 lol.
Brave 🤢
@@Bromon655 What? Brave's the jam!
@@gamingbud926 brave used to leak tor logs.
@@gamingbud926 It's Chromium based
Your background is cool
What are some other Shodan like services out there?
There's a pretty cool song to play through the ip cameras: The Police - Every Breath You Take. It's the ultimate stalker's theme. Edit: Remember John, do not feed the monkeys.
No when they sleep start moaning, when they wake up stop and repeat every night.
SauSarge and CharlieTheJanitor had classic content that did exactly that. Others pranks that were funny were also the smoke detector beep and getting some dog to randomly start barking. Eventually they lost their KZhead channels for that content after a TOS change, although I think one resumed on another differently named channel that is now notorious for making fun of gaming exploits. Now if you think they were entirely bad guys, they often ended the joking around by telling people to change the login and password. Often those cameras were completely open to the public. I wonder if anyone out there still managed to archive that content? I miss the garage webcam with "Let It Snow" playing, or the Rick Roll of a U of S.C. classroom. Those kind of had a mood, and the outcomes were good-natured at least.
@@pauljs75 Dwight? ;) I've liked the video from the automated house, in which the guy had the control over not only the cameras, but also the a/c system, the garage's door and other stuff. The heating system being turned on in the middle of the summer was the evilest thing I could imagine to see.
@@januzi2 Was that the one where they spammed the "nuclear launch alert" soundboard thing?
@@pauljs75 The automated house? It was quiet, except for the owner that was being loud about getting "free sauna" treatment.
To anyone looking for a side hustle. Correct me if I'm wrong but couldn't you find these open Access things call up who owns them. If you can find the information and then say you'll fix the issue for a hundred bucks? Do a couple of those a day. You know what you're doing, it would be like bug bounties
No people wont pay for this, also it can be quite alot of work to find the exact location. Because a server can be in a different city so youll have do photo research. Then you call the company they are schocked and will fix it. Then some weeks later youll find the camera again lol.
Imagine finding out you have been the main character of a tv show in another country because you forgot to secure your home cameras 😮
Whats the difference between Censys and Shodan?
"Weird, wild, wacky stuff!" It's just cars, buildings, and streets. This dude's easily amused, I guess. Maybe an Amy Schumer fan.
This much information available for anyone to see yet our government is focused on tiktok. Another great example of how out of touch and useless our government truly is
We use to have to type to code line into Google search bar then use the links that appears to pick from 👨🏻💻
Most people buy things and then never change the login info...... so its wide open.
"Know your attack surface and plug the holes" Change passwords.
Would be cool if they have api and also return the websites technologies and versions like php version Id make use if that with some python
More plz
Is there a way to look at your own ip incase anything is leaked?
Look up your up ip.
unless you open ports youre gucci basically
21:36 It would be fun if we can look for it if there are cameras in Area 51
In this video : the phrase "drill down"
Should we be using a VPN when using this search engine?
‘Dystopia’ or 1984 don’t even begin to describe it. Why are these devices not strongly encrypted by default? Even if someone like me who doesn’t know about IT stuff changes their password, any password can be cracked. Let’s hope that the links to critical infrastructure are just honeypots. I am becoming a luddite. It’s disgusting.
There are websites with open cam links
Ton of public cams on EarthCam but the other stuff….
Fully expected to see some sort of ASI interface... It was supposed to be a Person of Interest reference...
Its like shodan right? Just gratis?
Its not free
Commenting on this just to make sure that if anything gets hacked in Edmonton, Alberta - IT WAS NOT ME, OFFICER. Seriously. Also, Hi from Edmonton!
I am not sure but isn’t this something like shodan?
Inst it very similar to Shodan ?
But John, why not Shodan?
Don’t they deliver films to theaters digitally now-a-days 😅
They called me crazy but i knew i had to install a cctv and not a crappy smart camera
I am an ethical hacker and I don't search for no auth TTY interfaces because HOW DO YOU RESIST NOT TOUCHING IT :D
ctrl c and ctrl v exist btw you dont need to right click :D