Cameradar V2.1.0 - Hacks Its Mode Into Rtsp Videosurveillance Cameras

  
An RTSP flow access tool that comes alongside its library

Cameradar allows you lot to
  • Detect opened upward RTSP hosts on whatever accessible target host
  • Detect which device model is streaming
  • Launch automated dictionary attacks to larn their stream route (e.g.: /live.sdp)
  • Launch automated lexicon attacks to larn the username in addition to password of the cameras
  • Retrieve a consummate in addition to user-friendly study of the results

Docker Image for Cameradar
Install docker on your machine, in addition to run the next command:
docker run -t ullaakut/cameradar -t <target> <other command-line options>
See command-line options.
e.g.: docker run -t ullaakut/cameradar -t 192.168.100.0/24 -l volition scan the ports 554 in addition to 8554 of hosts on the 192.168.100.0/24 subnetwork in addition to laid on the discovered RTSP streams in addition to volition output debug logs.
  • YOUR_TARGET tin hold out a subnet (e.g.: 172.16.100.0/24), an IP (e.g.: 172.16.100.10), or a attain of IPs (e.g.: 172.16.100.10-20).
  • If you lot desire to larn the precise results of the nmap scan inwards the shape of an XML file, you lot tin add together -v /your/path:/tmp/cameradar_scan.xml to the docker run command, earlier ullaakut/cameradar.
  • If you lot exercise the -r in addition to -c options to specify your custom dictionaries, brand for sure to also exercise a majority to add together them to the docker container. Example: docker run -t -v /path/to/dictionaries/:/tmp/ ullaakut/cameradar -r /tmp/myroutes -c /tmp/mycredentials.json -t mytarget

Installing the binary on your machine
Only exercise this solution if for exactly about argue using docker is non an pick for you lot or if you lot desire to locally build Cameradar on your machine.

Dependencies
  • go
  • dep

Installing dep
  • OSX: brew install dep in addition to brew upgrade dep
  • Others: Download the unloose bundle for your OS here

Steps to install
Make for sure you lot installed the dependencies mentionned above.
  1. go larn github.com/Ullaakut/cameradar
  2. cd $GOPATH/src/github.com/Ullaakut/cameradar
  3. dep ensure
  4. cd cameradar
  5. go install
The cameradar binary is similar a shot inwards your $GOPATH/bin cook to hold out used. See command line options here.

Library

Dependencies of the library
  • curl-dev / libcurl (depending on your OS)
  • nmap
  • github.com/pkg/errors
  • gopkg.in/go-playground/validator.v9
  • github.com/andelf/go-curl

Installing the library
go larn github.com/Ullaakut/cameradar
After this command, the cameradar library is cook to use. Its source volition hold out in:
$GOPATH/src/pkg/github.com/Ullaakut/cameradar
You tin exercise go larn -u to update the package.
Here is an overview of the exposed functions of this library:

Discovery
You tin exercise the cameradar library for uncomplicated discovery purposes if you lot don't shout out for to access the cameras but exactly to hold out aware of their existence.


This describes the nmap fourth dimension presets. You tin overstep a value betwixt 1 in addition to five equally described inwards this table, to the NmapRun function.
Attack
If you lot already know which hosts in addition to ports you lot desire to attack, you lot tin also skip the uncovering constituent in addition to exercise straight the laid on functions. The laid on functions also accept a timeout value equally a parameter.

Data models
Here are the dissimilar information models useful to exercise the exposed functions of the cameradar library.


Dictionary loaders
The cameradar library also provides 2 functions that accept file paths equally inputs in addition to render the appropriate information models filled.

Configuration
The RTSP port used for most cameras is 554, thus you lot should in all probability specify 554 equally 1 of the ports you lot scan. Not specifying whatever ports to the cameradar application volition scan the 554 in addition to 8554 ports.
docker run -t --net=host ullaakut/cameradar -p "18554,19000-19010" -t localhost volition scan the ports 18554, in addition to the attain of ports betwixt 19000 in addition to 19010 on localhost.
You can exercise your ain files for the ids in addition to routes dictionaries used to laid on the cameras, but the Cameradar repository already gives you lot a practiced base of operations that plant alongside most cameras, inwards the /dictionaries folder.
docker run -t -v /my/folder/with/dictionaries:/tmp/dictionaries \            ullaakut/cameradar \            -r "/tmp/dictionaries/my_routes" \            -c "/tmp/dictionaries/my_credentials.json" \            -t 172.19.124.0/24
This volition position the contents of your folder containing dictionaries inwards the docker icon in addition to volition exercise it for the lexicon laid on instead of the default dictionaries provided inwards the cameradar repo.

Check photographic telly camera access
If you lot stimulate got VLC Media Player, you lot should hold out able to exercise the GUI or the command-line to connect to the RTSP flow using this format : rtsp://username:password@address:port/route
With the higher upward result, the RTSP URL would hold out rtsp://admin:12345@173.16.100.45:554/live.sdp

Command delineate of piece of occupation options
  • "-t, --target": Set target. Required. Target tin hold out a file (see instructions on how to format the file), an IP, an IP range, a subnetwork, or a combination of those.
  • "-p, --ports": (Default: 554,8554) Set custom ports.
  • "-s, --speed": (Default: 4) Set custom nmap uncovering presets to amend speed or accuracy. It's recommended to lower it if you lot are attempting to scan an unstable in addition to tedious network, or to increase it if on a rattling performant in addition to reliable network. See this for to a greater extent than information on the nmap timing templates.
  • "-T, --timeout": (Default: 2000) Set custom timeout value inwards miliseconds subsequently which an laid on endeavor without an respond should give up. It's recommended to increase it when attempting to scan unstable in addition to tedious networks or to decrease it on rattling performant in addition to reliable networks.
  • "-r, --custom-routes": (Default: <CAMERADAR_GOPATH>/dictionaries/routes) Set custom lexicon path for routes
  • "-c, --custom-credentials": (Default: <CAMERADAR_GOPATH>/dictionaries/credentials.json) Set custom lexicon path for credentials
  • "-o, --nmap-output": (Default: /tmp/cameradar_scan.xml) Set custom nmap output path
  • "-l, --log": Enable debug logs (nmap requests, curlicue depict requests, etc.)
  • "-h" : Display the usage information

Format input file
The file tin incorporate IPs, hostnames, IP ranges in addition to subnetwork, separated yesteryear newlines. Example:
0.0.0.0 localhost 192.17.0.0/16 192.168.1.140-255 192.168.2-3.0-255

Environment Variables

CAMERADAR_TARGET
This variable is mandatory in addition to specifies the target that cameradar should scan in addition to endeavor to access RTSP streams on.
Examples:
  • 172.16.100.0/24
  • 192.168.1.1
  • localhost
  • 192.168.1.140-255
  • 192.168.2-3.0-255

CAMERADAR_PORTS
This variable is optional in addition to allows you lot to specify the ports on which to run the scans.
Default value: 554,8554
It is recommended non to modify these except if you lot are for sure that cameras stimulate got been configured to flow RTSP over a dissimilar port. 99.9% of cameras are streaming on these ports.

CAMERADAR_NMAP_OUTPUT_FILE
This variable is optional in addition to allows you lot to specify on which file nmap volition write its output.
Default value: /tmp/cameradar_scan.xml
This tin hold out useful alone if you lot desire to read the files yourself, if you lot don't desire it to write inwards your /tmp folder, or if you lot desire to exercise alone the RunNmap constituent inwards cameradar, in addition to do its parsing manually.

CAMERADAR_CUSTOM_ROUTES, CAMERADAR_CUSTOM_CREDENTIALS
These variables are optional, allowing to supplant the default dictionaries alongside custom ones, for the lexicon attack.
Default values: <CAMERADAR_GOPATH>/dictionaries/routes in addition to <CAMERADAR_GOPATH>/dictionaries/credentials.json

CAMERADAR_SPEED
This optional variable allows you lot to laid custom nmap uncovering presets to amend speed or accuracy. It's recommended to lower it if you lot are attempting to scan an unstable in addition to tedious network, or to increase it if on a rattling performant in addition to reliable network. See this for to a greater extent than information on the nmap timing templates.
Default value: 4

CAMERADAR_TIMEOUT
This optional variable allows you lot to laid custom timeout value inwards miliseconds subsequently which an laid on endeavor without an respond should give up. It's recommended to increase it when attempting to scan unstable in addition to tedious networks or to decrease it on rattling performant in addition to reliable networks.
Default value: 2000

CAMERADAR_LOGS
This optional variable allows you lot to enable a to a greater extent than verbose output to stimulate got to a greater extent than information virtually what is going on.
It volition output nmap results, cURL requests, etc.
Default: false

Contribution

Build

Docker build
To build the docker image, exactly run docker build -t . cameradar inwards the root of the project.
Your icon volition hold out called cameradar in addition to NOT ullaakut/cameradar.

Go build
To build the projection without docker:
  1. Install dep
    • OSX: brew install dep in addition to brew upgrade dep
    • Others: Download the unloose bundle for your OS here
  2. dep ensure
  3. go build to build the library
  4. cd cameradar && larn build to build the binary
The cameradar binary is similar a shot inwards the root of the directory.
See the contribution document to larn started.

Frequently Asked Questions
Cameradar does non regain whatever camera!
That way that either your cameras are non streaming inwards RTSP or that they are non on the target you lot are scanning. In most cases, CCTV cameras volition hold out on a someone subnetwork, isolated from the internet. Use the -t pick to specify your target.
Cameradar detects my cameras, but does non create do to access them at all!
Maybe your cameras stimulate got been configured in addition to the credentials / URL stimulate got been changed. Cameradar alone guesses using default constructor values if a custom lexicon is non provided. You tin exercise your ain dictionaries inwards which you lot exactly stimulate got to add together your credentials in addition to RTSP routes. To do that, come across how the configuration works. Also, perhaps your camera's credentials are non yet known, inwards which instance if you lot regain them it would hold out rattling overnice to add together them to the Cameradar dictionaries to assistance other people inwards the future.
What happened to the C++ version?
You tin soundless regain it nether the 1.1.4 tag on this repo, nevertheless it was less performant in addition to stable than the electrical flow version written inwards Golang.
How to exercise the Cameradar library for my ain project?
See the instance inwards /cameradar. You exactly shout out for to run go larn github.com/Ullaakut/cameradar in addition to to exercise the cmrdr bundle inwards your code. You tin regain the documentation on godoc.
I desire to scan my ain localhost for exactly about argue in addition to it does non work! What's going on?
Use the --net=host flag when launching the cameradar image, or exercise the binary yesteryear running go run cameradar/cameradar.go or installing it
I don't come across a colored output :(
You forgot the -t flag earlier ullaakut/cameradar inwards your command-line. This tells docker to allocate a pseudo-tty for cameradar, which makes it able to exercise colors.
I don't stimulate got a photographic telly camera but I'd similar to seek Cameradar!
Simply run docker run -p 8554:8554 -e RTSP_USERNAME=admin -e RTSP_PASSWORD=12345 -e RTSP_PORT=8554 ullaakut/rtspatt in addition to thus run cameradar in addition to it should gauge that the username is admin in addition to the password is 12345. You tin seek this alongside whatever default constructor credentials (they tin hold out flora here)

Examples
Running cameradar on your ain machine to scan for default ports
docker run --net=host -t ullaakut/cameradar -t localhost
Running cameradar alongside an input file, logs enabled on port 8554
docker run -v /tmp:/tmp --net=host -t ullaakut/cameradar -t /tmp/test.txt -p 8554 -l


Popular posts from this blog

Kerbrute - A Tool To Perform Kerberos Pre-Auth Bruteforcing

Image
Influenza A virus subtype H5N1 tool to speedily bruteforce together with enumerate valid Active Directory accounts through Kerberos Pre-Authentication Grab the latest binaries from the releases page to acquire started. Background This tool grew out of approximately bash scripts I wrote a few years agone to perform bruteforcing using the Heimdal Kerberos customer from Linux. I wanted something that didn't demand privileges to install a Kerberos client, together with when I works life the amazing pure Go implementation of Kerberos gokrb5 , I decided to lastly acquire Go together with write this. Bruteforcing Windows passwords amongst Kerberos is much faster than whatever other approach I know of, together with potentially stealthier since pre-authentication failures produce non trigger that "traditional" An job organisation human relationship failed to log on final result 4625. With Kerberos, y'all tin validate a username or exam a login past times s
Read more

Efiguard - Disable Patchguard Together With Dse At Kicking Time

Image
EfiGuard is a portable x64 UEFI bootkit that patches the Windows kicking manager, kicking loader too center at kicking fourth dimension inward club to disable PatchGuard too Driver Signature Enforcement (DSE). Features Currently supports all EFI-compatible versions of Windows x64 e'er released, from Vista SP1 to Server 2019. Easy to use: tin live on booted from a USB stick via a loader application that automatically finds too boots Windows. The driver tin also live on loaded too configured manually using either the UEFI rhythm out or the loader. Makes extensive utilization of the Zydis disassembler library for fast runtime pedagogy decoding to back upwardly to a greater extent than robust analysis than what is possible amongst signature matching, which oftentimes requires changes amongst novel OS updates. Works passively: the driver does non charge or start the Windows kicking manager. Instead it acts on a charge of bootmgfw.efi yesteryear the firmware kicking
Read more