Ullaakut / cameradar

Cameradar hacks its way into RTSP videosurveillance cameras
MIT License
4.08k stars 514 forks

Can't access camera with custom route #142

Closed Ullaakut closed 6 years ago

Ullaakut commented 6 years ago

Issue from @johny77g ( https://github.com/EtixLabs/cameradar/commit/cad7d24ccf068d7d45dcf9db746140ec716ee219#commitcomment-25169225 )

Hi, I exposed my camera for a simple test with very simple setup username: admin, password: admin. Updated credentials.json and routes as below. With option -l the generated connections were following:

DESCRIBE rtsp://:@x.x.x.x:x/tcp/av0_0 RTSP/1.0 (no usr and no login)
DESCRIBE rtsp://:@x.x.x.x:x/udp/av0_0 RTSP/1.0 (no usr and no login)
DESCRIBE rtsp://admin:admin@x.x.x.x:/ RTSP/1.0 (no command from routes)

BUT the right configuration was never generated. (I mean with: admin, admin, tcp/av0_0) Is it something wrong with my trial or some issue with attack.go file?

----------credentials.json----------------
{
"usernames": [
"admin"
],

"passwords" : [
"admin"
]
}
--------------routes--------------------
tcp/av0_0
udp/av0_0

Ullaakut commented 6 years ago

So, I will need a bit more information from you @johny77g :

How did you use cameradar?

Which version did you use?

What is your operating system?

Can you send me the full logs with the -l option enabled please?

From what you tell me, it looks like either the credentials or the routes you specified are not right, as Cameradar does not detect any change in the behavior of the camera with them.

Usually what happens is that the camera tries accessing the camera without giving any route or credentials and the camera replies either wrong route, wrong password or ok. If the camera answers wrong password or ok instead of wrong route when we are trying to guess the route, we assume that we found the correct route. If the camera answers wrong route or ok instead of wrong password when we are trying to guess the passwords, we assume we have the right password.

Keep me updated on this, I would really like to help you solve your issue.
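
The decision rule described in the comment above, written out as an added example (not Cameradar's own code and not part of the original thread). It assumes the three replies correspond to RTSP status codes 404 (wrong route), 401 (wrong password) and 200 (ok); the function names and the sample replies are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Assumed RTSP status codes for the three replies named in the comment.
const (
	statusOK         = 200 // "ok"
	statusWrongCreds = 401 // "wrong password" (Unauthorized)
	statusWrongRoute = 404 // "wrong route" (Not Found)
)

// StatusCode returns the reply's status code, or 0 if it is empty or not RTSP.
func StatusCode(raw string) int {
	fields := strings.Fields(strings.SplitN(raw, "\n", 2)[0])
	if len(fields) < 2 || !strings.HasPrefix(fields[0], "RTSP/") {
		return 0
	}
	code, err := strconv.Atoi(fields[1])
	if err != nil {
		return 0
	}
	return code
}

// judge reports a guess as wrong when the reply equals badGuess, right when
// it is one of the other two expected replies, and unknown otherwise.
func judge(raw string, badGuess int) string {
	switch StatusCode(raw) {
	case badGuess:
		return "not found"
	case statusOK, statusWrongCreds, statusWrongRoute:
		return "found"
	default: // timeout, 551, or any other reply the rule does not cover
		return "inconclusive"
	}
}

// RouteVerdict judges a route guess, CredentialVerdict a credential guess.
func RouteVerdict(raw string) string      { return judge(raw, statusWrongRoute) }
func CredentialVerdict(raw string) string { return judge(raw, statusWrongCreds) }

func main() {
	// Constructed sample replies; "" stands for a request that timed out.
	for _, raw := range []string{"",
		"RTSP/1.0 404 Not Found\r\nCSeq: 1\r\n\r\n",
		"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n\r\n",
		"RTSP/1.0 551 Option not supported\r\nCseq: 0\r\n\r\n"} {
		fmt.Printf("%3d route=%-12s creds=%s\n", StatusCode(raw), RouteVerdict(raw), CredentialVerdict(raw))
	}
}
```

A request that times out, or a reply outside the three expected ones, gives the rule nothing to compare, so the guess is reported as inconclusive rather than wrong.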

johny77g commented 6 years ago

Hi, Thanks a lot for your quick reply. Please find enclosed related answers.

Looking forward to your reply. Regards, Janusz

How did you use cameradar?

First I installed Go (go version go1.7.4 linux/amd64), then ran:

go get github.com/EtixLabs/cameradar
cd $GOPATH/src/github.com/EtixLabs/cameradar
glide install
cd cameradar
go install

Which version did you use?

Latest v2.0.0 (installed just yesterday)

What is your operating system?

Linux DEBIAN 9

Can you send me the full logs with the -l option enabled, please?


cameradar -t xxx.xxx.xx.xx -p 50554 -l  
Starting Nmap 7.40 ( nmap.org ) at 2017-10-25 08:24 CEST
Nmap scan report for xxx.xxx.xx.xx
Host is up (0.032s latency).
PORT      STATE SERVICE VERSION
50554/tcp open  rtsp
| fingerprint-strings:
|   FourOhFourRequest, GenericLines, GetRequest:
|     RTSP/1.0 551 Option not supported
|_    Cseq: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at nmap.org :
SF-Port50554-TCP:V=7.40%I=7%D=
SF:GenericLines,2E,"RTSP/1\.0\
SF::\x200\r\n\r\n")%r(GetReque
SF:supported\r\nCseq:\x200\r\n
SF:551\x20Option\x20not\x20sup
Service detection performed. Please report any incorrect results at nmap.org .
Nmap done: 1 IP address (1 host up) scanned in 69.59 seconds

*   Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0)
DESCRIBE rtsp://:@xxx.xxx.xx.xx:50554/t RTSP/1.0
CSeq: 1
Accept: application/sdp
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0
ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.

*   Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0)
> DESCRIBE rtsp://:@xxx.xxx.xx.xx:50554/u RTSP/1.0
CSeq: 1
Accept: application/sdp
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0
ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.

*   Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0)
* Server auth using Basic with user 'admin'
> DESCRIBE rtsp://admin:admin@xxx.xxx.xx.xx:50554/ RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWRtaW46YWRtaW4=
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0
ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.

*   Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0)
> DESCRIBE rtsp://:@xxx.xxx.xx.xx:50554/t RTSP/1.0
CSeq: 1
Accept: application/sdp
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0
ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.

*   Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0)
> DESCRIBE rtsp://:@xxx.xxx.xx.xx:50554/u RTSP/1.0
CSeq: 1
Accept: application/sdp
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0
ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.

Admin panel URL:        xxx.xxx.xx.xx
You can use this URL to try attacking the camera's admin panel instead.
Device model:
IP address:             xxx.xxx.xx.xx
RTSP port:              50554
Username:               not found
Password:               not found
RTSP route:             not found

Streams were found but none were accessed.
They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the cameras.

Ullaakut commented 6 years ago

Okay so I edited your comment to add newlines and make it more readable, I hope you don't mind, and I think I see what the problem is.

Look at what nmap says:

Nmap scan report for xxx.xxx.xx.xx
Host is up (0.032s latency).
PORT      STATE SERVICE VERSION
50554/tcp open  rtsp
| fingerprint-strings:
|   FourOhFourRequest, GenericLines, GetRequest:
|     RTSP/1.0 551 Option not supported
|_    Cseq: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at nmap.org :
SF-Port50554-TCP:V=7.40%I=7%D=
SF:GenericLines,2E,"RTSP/1\.0\
SF::\x200\r\n\r\n")%r(GetReque
SF:supported\r\nCseq:\x200\r\n
SF:551\x20Option\x20not\x20sup

This looks like this device says it's streaming RTSP but does not actually implement the RTSP RFC (https://www.ietf.org/rfc/rfc2326.txt).

This is really interesting:

| fingerprint-strings:
|   FourOhFourRequest, GenericLines, GetRequest:

I looked quickly on nmap's website and found this:

On the other hand, it is likely that results returned from a Probe such as RTSPRequest might match a regular expression crafted for GetRequest because the two protocols being tested for are closely related.

(Source: https://nmap.org/book/vscan-technique.html)

So it seems (to be confirmed though) that your device is not streaming RTSP on the port 50554, or at least that it is not compliant with the RFC.

I could help better if I knew what device/model/firmware it is/has, but I would understand if this is sensitive information.

johny77g commented 6 years ago

Hi, I use the Vstarcam C51s camera with the firmware 48.67.200.73. RTSP port on camera is 10554 and forwarded to external network as 50554. I was using cameradar from external virtual Debian server so with port 50554. What is puzzling me is why cameradar is not trying at all the following configurations:

> DESCRIBE rtsp://admin:admin@xxx.xxx.xx. RTSP/1.0
> DESCRIBE rtsp://admin:admin@xxx.xxx.xx.xx:50554/tcp/av00 RTSP/1.0

If it did that, it would probably be successful.

Janusz

johny77g commented 6 years ago

Hi, And one more info to the mail sent just before for camera details.

When I use RTSP from external network with ffmpeg:

ffplay.exe -rtsp_transport tcp -i rtsp://admin:admin@xxx.xxx.xxx.xxx:xxx/tcp/av0_0 -probesize 32 -analyzeduration 0

or android TinyCam

rtsp://admin:admin@xxx.xxx.xxx.xxx:xxx/tcp/av0_2

it works very well with no issue.

Janusz

Ullaakut commented 6 years ago

Mh that's interesting.

Can you send me the logs of the following command (that adds -loglevel 32): ffplay.exe -loglevel 32 -rtsp_transport tcp -i rtsp://admin:admin@xxx.xxx.xxx.xxx:xxx/tcp/av0_0 -probesize 32 -analyzeduration 0 ?

And/or vlc -vvv rtsp://admin:admin@xxx.xxx.xxx.xxx:xxx/tcp/av0_0 ? (VLC might take like 15-20s as it will first try using UDP and if that doesn't work it will fallback to TCP)

johny77g commented 6 years ago

Hi, Please find enclosed the screenshot: (not sure if it's what you want, if some other logs please let me know)

Ullaakut commented 6 years ago

Hey, unfortunately when you answer on GitHub by email, attached documents are not working.

Could you come to the issue link (https://github.com/EtixLabs/cameradar/issues/142) on your web browser and answer using your account to post the screenshots?

Thanks! We'll figure this out :p

Ullaakut commented 6 years ago

My current guess is that the device that forwards the RTSP port does it in a weird way that nmap and cameradar can't currently work with. If that's the case, I will need to order one of those cameras that you have, as well as the device that forwards it, and make tests.

johny77g commented 6 years ago

the screenshot of ffmpeg ffplay

Additionally when I make the nmap of my router from external network I can see the port like:

50554/tcp open unknown

I have 2 C51s cameras and the external ports are visible for each of them.

I have as well the C7815WIP from Vstarcam and the external port is not visible by nmap. But when I connect with ffplay or with android tinycam there is no issue and works well.

Ullaakut commented 6 years ago

Did you add -loglevel 32 in the command when running ffplay?

The fact that nmap says unknown for you is normal, if you run it with -A it should show that it serves RTSP :-)

johny77g commented 6 years ago

Yes the exact ffplay command was:

ffplay.exe -loglevel 32 -rtsp_transport tcp -i "rtsp://xxxx:xxxxg@xx.xx.xx.xx:xxx/tcp/av0_0" -probesize 32 -analyzeduration 0

For the nmap with -A I have:

SF-Port50554-TCP:V=7.40%I=7%D=10/25%Time=59F08A44%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,2E,"RTSP/1.0\x20551\x20Option\x20not\x20supported\r\nCseq
SF::\x200\r\n\r\n")%r(GetRequest,2E,"RTSP/1.0\x20551\x20Option\x20not\x20
SF:supported\r\nCseq:\x200\r\n\r\n")%r(FourOhFourRequest,2E,"RTSP/1.0\x20
SF:551\x20Option\x20not\x20supported\r\nCseq:\x200\r\n\r\n");

Ullaakut commented 6 years ago

Mh. Interesting that ffplay gives almost no logs!

Well if you can, logs from VLC with the -vvv flag (or a GStreamer pipeline with GST_DEBUG set to 4) would help more.

Here in ffplay except the decoding for stream0 failed everything seems in order. And the decoding issue has no link at all with Cameradar so that shouldn't be a problem...

johny77g commented 6 years ago

Run on DEBIAN vlc -vvv "rtsp://xxxx:xxxxx@xxx.x.x.x:xxx/tcp/av0_0" (video has started after some time)

With the following results below, just a small cut from the many data scrolling on the screen:


[xxxxxxxx] core art finder debug: no art finder modules matched
[xxxxxxxxxx] core libvlc debug: art not found for rtsp://xxx.xxx.xxx.xxx:xxx/tcp/av0_0
Received 152 new bytes of response data.
Received a complete OPTIONS response:
RTSP/1.0 200 OK
Cseq: 2
Date: Wed, Oct 25 2017 15:22:20 GMT
Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER

Sending request: DESCRIBE rtsp://xxx.xxx.xxx.xxx:xxx/tcp/av0_0 RTSP/1.0
CSeq: 3
User-Agent: LibVLC/2.2.6 (LIVE555 Streaming Media v2017.04.26)
Accept: application/sdp

Received 119 new bytes of response data.
Received a complete DESCRIBE response:
RTSP/1.0 401 Unauthorized
Cseq: 3
WWW-Authenticate: Digest realm="RTSPD",nonce="xxxxxxxxxxxxxxx"

Resending...
Sending request: DESCRIBE rtsp://xxx.xxx.xxx.xxx:xxx/tcp/av0_0 RTSP/1.0
CSeq: 4
Authorization: Digest username="admin", realm="RTSPD", nonce="xxxxxxxxxxx", uri="rtsp://xxx.xxx.xxx.xxx:xxx/tcp/av0_0", response="xxxxxxxxxxxxxxxxx"
User-Agent: LibVLC/2.2.6 (LIVE555 Streaming Media v2017.04.26)
Accept: application/sdp

Received 500 new bytes of response data.
Received a complete DESCRIBE response:
RTSP/1.0 200 OK
Cseq: 4
Date: Wed, Oct 25 2017 15:22:20 GMT
Content-Type: application/sdp
Content-Length: 383

v=0
o=VSTC xxxxxxx xxxxxxx IN IP4 192.168.xxx.xxx
s=streamed by the VSTARCAM RTSP server
e=NONE
c=IN IP4 0.0.0.0
t=0 0
m=video 0 RTP/AVP 96
b=AS:1536
a=control:track0
a=rtpmap:96 H264/90000
a=fmtp:96 packetization-mode=1;profile-level-id=42001F;sprop-parameter-sets=xxxxxx==,xxxxx==
m=audio 0 RTP/AVP 8
b=AS:48
a=control:track1
a=rtpmap:8 PCMA/8000/1

Ullaakut commented 6 years ago

Mh so yeah here everything looks perfectly normal. The RTSP server seems to respond correctly to requests!

I don't really know what to do to help you here to be honest, it seems like an issue from nmap and the libcurl. I'll investigate this and come back to you when I know more!

Thanks for all the logs and the patience!

johny77g commented 6 years ago

Thanks a lot for your involvement as well. There is one positive thing - maybe it will be a little bit more difficult to attack my camera. (but from time to time I can see with netstat on my camera some IPs trying to connect) If you would like to perform some tests on my camera in the future please feel free to contact me.

Ullaakut commented 6 years ago

Hi!

I'm on holidays for a week and I'll be working on Cameradar a bit, so if you want to give me remote access to your camera I can try running a few tests using Cameradar, VLC, ffmpeg, ffplay, nmap and cURL! :-)

johny77g commented 6 years ago

Hi, please send me an e-mail on which I can send you some temporary connection data. (not to allow every one to check my camera :-).

johny77g commented 6 years ago

Hi, I have one general question for RTSP access. For my camera when using HTTP with wget "http://xxxx:xx/system.ini?loginuse&loginpas" every one can get login and password. Therefore I do not expose my HTTP connection. I am trying to use only RTSP for external access with fixed IP. I noticed however with nmap (on camera telnet) that I have some RTSP protocols established with some external IPs. Is there a way for RTSP to connect to the stream without password or to get password with similar command like for HTTP?

Ullaakut commented 6 years ago

Hi Johny!

If you set credentials for access on your RTSP stream, no, there is no way to access your stream except by bruteforcing/guessing your credentials or the sessionID and hijacking the RTSP session.

If you use a strong combination of username/password, your RTSP stream will be safe, except if there is an exploit on the firmware that your camera uses.