Hijack Chromecasts with CATT to Display Images, Messages, Videos, Sites & More

In the following lesson of the Gray Hat Hacker class we will walk through a "fun hack" scenario: a hijacking attack against a Chromecast device.

Note: I am demonstrating this on my own Chromecast setup for training purposes. Don't go casting to random devices, or it may backfire on you.

First we install CATT from GitHub following the Null Byte guide reproduced below (if you can't get it installed, see the instructions in the LMS; there is a better than 50% chance it won't run as-is).

In the LMS lesson I will go into more detail; to be honest, following Null Byte's instructions it didn't run for me either 🙂

Once installed, run catt help to see the usage, then scan the network for Chromecast casts with catt scan, as shown in the following video.

We see one cast named Ututleo1, so let's try pushing the lesson video on installing Backtrack in place of the toy-car video the kids are watching. Since it is pushed remotely, the kids start yelling because they still have the remote and the tablet in their hands 🙂

Then try casting the website hackermuxam.edu.vn, a video with subtitles, or an image from the local machine; all of them work.

I tested this on a Kali Linux 2019 VM.

Null Byte demo… https://www.youtube.com/watch?v=-9V9229B16I

Giving up your Wi-Fi password can be giving up more control than you think. Because of the way Chromecast and other IoT devices communicate, anyone on the same Wi-Fi network as your device can often make it do whatever they want. With a script called “Cast All the Things,” we can hijack a Chromecast to play nearly any kind of media with a single command in terminal.

IoT (Internet of Things) devices are notorious for making compromises on security for the sake of convenience, rendering them particularly easy to attack. A perfect example is the Chromecast, which can be effectively hijacked by any device on the same local network that knows how to talk to it.

Media devices like a Chromecast are controlled by simple application programming interfaces (APIs) designed to be controlled by messages from a user’s smartphone. These are usually sent to the Chromecast as the user operates a mobile application with an interface for controlling the device. In most cases, these messages don’t require any kind of password to execute, so the Chromecast will react exactly the same if you send it commands directly — without involving the official app.

IoT Devices Use Vulnerable Messaging to Communicate

Internet of Things devices are everywhere, and many of them use lightweight messaging standards like MQTT to communicate over Wi-Fi. This standard is kind of like Twitter for Wi-Fi: short, simple, pre-formatted messages that can easily be passed between devices in a mesh network. A mesh network allows groups of IoT devices to pass messages between each other so that all devices have a connection to the internet if even one device in the cluster has a connection back to a Wi-Fi network.

While this standard of communication is useful, security is often neglected to make the devices easier to configure. More serious problems, like hard-coded passwords that can't be changed (making botnets a real threat), shortcuts in setting up message authentication, and a lack of planning for using devices in shared network environments, have made IoT security a real problem.

Image by Kody

Cast All the Things for Command Line Control

For everyone wanting a scriptable, easy-to-install, easy-to-work-with way to control Chromecast devices, the community has an answer. Cast All The Things provides command line access to the Chromecast API, putting you between the front-end mobile application and the device it's controlling. Designed to extend the functionality of the Chromecast far past what Google felt comfortable officially supporting, the project runs on Python and works on nearly every operating system.

CATT’s use to a hacker lies in how easy it is to use and how scalable it is. It’s not possible to command every Chromecast on a huge network to play a video at the same time using the normal application, because this is not behavior that Google would want to support.

With CATT, a single hacker with a laptop connected to the same network at a large office could order hundreds of Chromecasts to download and play a distracting video at maximum volume simultaneously, causing chaos and confusion at a key moment.

CATT can also act as an “out of band,” or difficult to trace, way to communicate with another person by using the Chromecast as a way to transmit messages. These can either be overt, like in the subtitles, or covert, like changing the programming repeatedly to certain topics.

What You’ll Need

To follow this guide, you'll need a computer with Python installed. In addition, you'll need to be on the same network as the device you are targeting. This can be a Wi-Fi network or an Ethernet network. This will not work on a guest network if the guest network doesn't allow you to scan or communicate with other hosts, like on a Starbucks Wi-Fi network.

You’ll also need a Chromecast device to try to control, such as a Chromecast Ultra or Chromecast (3rd Generation). This will work against all models of Chromecast, as they use the same basic API calls. Once you have a Chromecast device connected to the same network as your computer, you can download CATT and any dependencies.

Step 1 Install CATT

Installing CATT is incredibly easy, provided you have Python installed. If you do, then simply run the following command in a terminal window. While you don’t need to, you should also take some time to check out the GitHub page if you want to learn more about how the tool works.

pip install catt

Pip will install all dependencies and configure CATT for you. After it's done installing, you can type catt --help to get a list of all the command line tools to better understand what the script can do. Sadly, there is no manual entry for CATT, so the amusing "man catt" command currently goes nowhere.

catt --help
Usage: catt [OPTIONS] COMMAND [ARGS]...

  --delete-cache     Empty the Chromecast discovery cache.
  -d, --device NAME  Select Chromecast device.
  --help             Show this message and exit.

  add           Add a video to the queue.
  cast          Send a video to a Chromecast for playing.
  cast_site     Cast any website to a Chromecast.
  ffwd          Fastforward a video by TIME duration.
  info          Show complete information about the currently-playing video.
  pause         Pause a video.
  play          Resume a video after it has been paused.
  restore       Return Chromecast to saved state.
  rewind        Rewind a video by TIME duration.
  save          Save the current state of the Chromecast for later use.
  scan          Scan the local network and show all Chromecasts and their IPs.
  seek          Seek the video to TIME position.
  skip          Skip to next video in queue (if any).
  status        Show some information about the currently-playing video.
  stop          Stop playing.
  volume        Set the volume to LVL [0-100].
  volumedown    Turn down volume by a DELTA increment.
  volumeup      Turn up volume by a DELTA increment.
  write_config  Write the name of default Chromecast device to config file.

Step 2 Scan the Network for Chromecasts

CATT makes things immediately easy for us by being able to scan the network on its own. While it’s possible to do an Nmap scan against the network, the scan feature of CATT is already tuned to detect Chromecast devices on the local network.

Without using CATT, you’ll need to calculate the network range of the network you’re on, scan for devices with port 8008 open, and then tease out details about what type of device it is. All of these things are integrated into CATT, so to discover all nearby Chromecasts, you can type the following command.

catt scan
Scanning Chromecasts... - Probe Team CIC - Google Inc. Chromecast Ultra

Here, CATT has found a device and shown us its IP address, network name, and the type of device it is. We can use this IP address, or the name of the device, to specify which device we want to command if there are more than one.

Because there is only one on this network, we don’t need to specify it in the following commands, because CATT will send to it by default.

Step 3 Send an Image to the Screen

Images like GIFs are extremely easy to display on a Chromecast display. To display most common formats of images, including animated GIFs (which will play in a loop), you can run the following command.

catt cast ./mygif.gif

Step 4 Cast a Remote YouTube Video to the Screen

To cast a video hosted on a YouTube-like website, you can run the following command.

catt cast "https://www.youtube.com/watch?v=dQw4w9WgXcQ"

This tool supports many, many websites besides YouTube that have video content, and there is a list of popular video sites that this tool can support. See the full list of websites (several of which are quite nasty).

With this ability, you can either host your own videos you want to play on YouTube and play them with the script or you can actually stream a file directly from your computer.

Step 5 Play a Local Video with Subtitles

Now, let’s overlay a message onto media we’re casting from our laptop. This means we’ll be able to communicate on two layers, with the content of the video we are playing, and with subtitles played very visibly over the video as it plays.

To do this, we’ll need to make an SRT file, which we can do in nano. In a terminal window, type the following to create a subtitles file.

nano Demo.srt

Then paste the following into the text file. You can modify the text, but the point is seeing how the format works. On the top, you have a 0 for where everything starts. Then you have a number for each block of text, a time code for how long the text is displayed, and then the text to display under it.

When you’re done creating your text file, type Ctrl-x and then y to save and close the file.

Now, we should have a Demo.srt file to cast along with a local video. It's easy to cast a local video; simply specify the file path after typing catt cast and you should see the video begin to play. To specify that we want subtitles, we'll add the -s flag. In the format below, substitute "./yourvideo.mp4" with the location of your video file.

catt cast -s ./Demo.srt ./yourvideo.mp4

Just like that, you should see your video and subtitle message begin to play! I changed my example text a bit before it played.

Image by Kody/Null Byte
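The SubRip format described in Step 5 is easy to get subtly wrong (comma before the milliseconds, strict HH:MM:SS,mmm fields, no overlapping cues). The following is an added example, not code from the original post or from the CATT project: it builds the Demo.srt text from a constructed list of cues, validates the timings, and parses the result back to confirm it round-trips. The cue texts, and the helper names fmt_time, parse_time, build_srt and parse_srt, are this example's own.

```python
import re

# Added example, not from the post or CATT. Constructed sample cues for Demo.srt:
# (start seconds, end seconds, subtitle text).
DEMO_CUES = [
    (0.0, 4.0, "Hello from the Gray Hat Hacker class"),
    (4.5, 9.0, "This subtitle was cast with CATT"),
    (3600.25, 3605.0, "A cue an hour in, to exercise the hours field"),
]

_TIMECODE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}),(\d{3})$")

def fmt_time(seconds):
    """Seconds -> SubRip 'HH:MM:SS,mmm' (SRT separates milliseconds with a comma)."""
    ms = round(seconds * 1000)
    hours, ms = divmod(ms, 3_600_000)
    minutes, ms = divmod(ms, 60_000)
    secs, ms = divmod(ms, 1000)
    return f"{hours:02d}:{minutes:02d}:{secs:02d},{ms:03d}"

def parse_time(stamp):
    """SubRip timecode -> seconds; rejects a malformed stamp instead of guessing."""
    m = _TIMECODE.match(stamp)
    if not m:
        raise ValueError(f"bad SRT timecode: {stamp!r}")
    h, mi, s, ms = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s + ms / 1000

def build_srt(cues):
    """Render cues as SRT blocks: index, 'start --> end', text, blank line.
    Overlapping or empty cues are rejected here; players tend to drop them silently."""
    blocks, prev_end = [], 0.0
    for idx, (start, end, text) in enumerate(cues, start=1):
        if end <= start or start < prev_end:
            raise ValueError(f"cue {idx}: timing {start}-{end} overlaps or is empty")
        prev_end = end
        blocks.append(f"{idx}\n{fmt_time(start)} --> {fmt_time(end)}\n{text}\n")
    return "\n".join(blocks)

def parse_srt(text):
    """Inverse of build_srt, used to confirm the generated file round-trips."""
    cues = []
    for block in text.strip().split("\n\n"):
        _idx, timing, *lines = block.split("\n")
        start, end = (parse_time(t.strip()) for t in timing.split("-->"))
        cues.append((start, end, "\n".join(lines)))
    return cues
```

Write the string returned by build_srt(DEMO_CUES) to Demo.srt and pass it with -s exactly as in the catt cast command above.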

If you want to spend less time specifying different Chromecast devices, you can also set up aliases and add a configuration file. You can create a configuration file by creating a “catt.cfg” file at the following location.

nano ~/.config/catt/catt.cfg

You can add devices to this configuration in the following format. Under “options,” you can add the default device you wish to use if you don’t specify a device otherwise when running Catt.

Under “aliases,” you can make nicknames for the devices you want to use so that you can use that name for them when running the script.

[options]
device = chromecast_one

[aliases]
one = chromecast_one
two = chromecast_two

Step 6 Cast a Website to the Screen

Lastly, we can cast any website directly to the screen. The Chromecast will grab websites with a resolution of 1280 x 720 pixels and display them on the screen. While this is useful for casting existing websites, we can also use it to design our own content, put it in a web interface, and then just cast that to the screen!

Sometimes we might want to create something totally fake and splash it on the screen, and by putting up a web URL, we can even host a web server on our own laptop and cast whatever we choose to display on it directly to the interface.

The command to do this, with this example being the Null Byte home page, is as follows.

catt cast_site https://www.hackermuxam.edu.vn
Casting https://www.hackermuxam.edu.vn on "Probe Team CIC"...

CATT Can Make Almost Anything Appear on the Screen

This tool is useful for a hacker looking to control Chromecast devices they don’t own, but it’s obviously extremely useful to anyone who does own a Chromecast as well. Thanks to the simplicity of controlling Chromecast devices over Wi-Fi, you can set custom triggers to cause actions on any displays you want using CATT.