Closed Ullaakut closed 6 years ago
So, I will need a bit more information from you @johny77g :
ullaakut/cameradar
-l
option enabled please?From what you tell me, it looks like either the credentials or the routes you specified are not right, as Cameradar does not detect any change in the behavior of the camera with them.
Usually what happens is that the camera tries accessing the camera without giving any route or credentials and the camera replies either
wrong route
,wrong password
orok
. If the camera answerswrong password
orok
instead ofwrong route
when we are trying to guess the route, we assume that we found the correct route. If the camera answerswrong route
orok
instead ofwrong password
when we are trying to guess the passwords, we assume we have the right password.
Keep me updated on this, I would really like to help you solve your issue.
Hi, Thanks a lot for your quick reply. Please find enclosed related answers.
Looking forward to your reply. Regards, Janusz
first I installed Go (go version go1.7.4 linux/amd64)
then ran go get github.com github.com/EtixLabs/cameradar
cd $GOPATH/src/github.com/EtixLabs/cameradar
glide install
cd cameradar
go install
Latest v2.0.0 (installed just yesterday)
Linux DEBIAN 9
cameradar -t xxx.xxx.xx.xx -p 50554 -l
Starting Nmap 7.40 ( nmap.org nmap.org ) at 2017-10-25 08:24 CEST
Nmap scan report for xxx.xxx.xx.xx
Host is up (0.032s latency).
PORT STATE SERVICE VERSION 50554/tcp open rtsp
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest:
| RTSP/1.0 551 Option not supported
|_ Cseq: 0 1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at nmap.org nmap.org : SF-Port50554-TCP:V=7.40%I=7%D= SF:GenericLines,2E,"RTSP/1\.0\ SF::\x200\r\n\r\n")%r(GetReque SF:supported\r\nCseq:\x200\r\n SF:551\x20Option\x20not\x20sup
Service detection performed. Please report any incorrect results at nmap.org nmap.org .
Nmap done: 1 IP address (1 host up) scanned in 69.59 seconds
* Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0)
DESCRIBE rtsp://:@xxx.xxx.xx.xx:50554/t RTSP/1.0
CSeq: 1 Accept: application/sdp
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0
ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.
* Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0) >
DESCRIBE rtsp://:@xxx.xxx.xx.xx:50554/u RTSP/1.0
CSeq: 1 Accept: application/sdp
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0 ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.
* Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0)
* Server auth using Basic with user 'admin' >
DESCRIBE rtsp://admin: admin@xxx.xxx.xx.xx :50554/ RTSP/1.0
CSeq: 1 Accept: application/sdp Authorization: Basic YWRtaW46YWRtaW4=
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0
ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.
* Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0) >
DESCRIBE rtsp://:@xxx.xxx.xx.xx:50554/t RTSP/1.0
CSeq: 1 Accept: application/sdp
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0 ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network.
* Trying xxx.xxx.xx.xx...
* TCP_NODELAY set
* Connected to xxx.xxx.xx.xx (xxx.xxx.xx.xx) port 50554 (#0) >
DESCRIBE rtsp://:@xxx.xxx.xx.xx:50554/u RTSP/1.0
CSeq: 1 Accept: application/sdp
* Operation timed out after 2001 milliseconds with 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* The CSeq of this request 1 did not match the response 0
* Closing connection 0
ERROR: curl timeout on camera 'xxx.xxx.xx.xx' reached after 2s. consider increasing the timeout (-T, --timeout parameter) to at least 5000ms if scanning an unstable network. ?
Admin panel URL: xxx.xxx.xx.xx xxx.xxx.xx.xx
You can use this URL to try attacking the camera's admin panel instead.
Device model:
IP address: xxx.xxx.xx.xx
RTSP port: � 50554
Username: � not found
Password: � not found
RTSP route: not found ?
Streams were found but none were accessed.
They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the cameras.
Okay so I edited your comment to add newlines and make it more readable, I hope you don't mind, and I think I see what the problem is.
Look at what nmap says:
Nmap scan report for xxx.xxx.xx.xx
Host is up (0.032s latency).
PORT STATE SERVICE VERSION 50554/tcp open rtsp
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest:
| RTSP/1.0 551 Option not supported
|_ Cseq: 0 1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at nmap.org nmap.org : SF-Port50554-TCP:V=7.40%I=7%D= SF:GenericLines,2E,"RTSP/1\.0\ SF::\x200\r\n\r\n")%r(GetReque SF:supported\r\nCseq:\x200\r\n SF:551\x20Option\x20not\x20sup
This looks like this device says it's streaming RTSP but does not actually implement the RTSP RFC (https://www.ietf.org/rfc/rfc2326.txt).
This is really interesting:
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest:
I looked quickly on nmap's website and found this:
On the other hand, it is likely that results returned from a Probe such as RTSPRequest might match a regular expression crafted for GetRequest because the two protocols being tested for are closely related.
(Source: https://nmap.org/book/vscan-technique.html)
So it seems (to be confirmed though) that your device is not streaming RTSP on the port 50554, or at least that it is not compliant with the RFC.
I could help better if I knew what device/model/firmware it is/has, but I would understand if this is sensitive information.
Hi, I use the Vstarcam C51s camera with the firmware 48.67.200.73. RTSP port on camera is 10554 and forwarded to external network as 50554. I was using cameradar from external virtual Debian server so with port 50554. what is puzzeling me is why cameradar is not trying at all following configurations: > DESCRIBE rtsp://admin:admin@xxx.xxx.xx. RTSP/1.0 > DESCRIBE rtsp://admin: admin@xxx.xxx.xx.xx :50554/tcp/av00 RTSP/1.0 if it do that probably it would be succesfull Janusz Dnia 25 października 2017 09:05 Brendan LE GLAUNEC <notifications@github.com> napisał(a): Okay so I edited your comment to add newlines and make it more readable, I hope you don't mind, and I think I see what the problem is. Look at what nmap says: Nmap scan report for xxx.xxx.xx.xx Host is up (0.032s latency). PORT STATE SERVICE VERSION 50554/tcp open rtsp | fingerprint-strings: | FourOhFourRequest, GenericLines, GetRequest: | RTSP/1.0 551 Option not supported | Cseq: 0 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at nmap.org nmap.org : SF-Port50554-TCP:V=7.40%I=7%D= SF:GenericLines,2E,"RTSP/1 SF::\x200\r\n\r\n")%r(GetR SF:supported\r\nCseq:\x200\r\n SF:551\x20Option\x20not\x20sup This looks like this device says it's streaming RTSP but does not actually implement the RTSP RFC ( www.ietf.org www.ietf.org ). This is really interesting: | fingerprint-strings: | FourOhFourRequest, GenericLines, GetRequest: I looked quickly on nmap's website and found this: On the other hand, it is likely that results returned from a Probe such as RTSPRequest might match a regular expression crafted for GetRequest because the two protocols being tested for are closely related. (Source: nmap.org nmap.org ) So it seems (to be confirmed though) that your device is not streaming RTSP on the port 50554, or at least that it is not compliant with the RFC. I could help better if I knew what device/model/firmware it is/has, but I would understand if this is sensitive information. — You are receiving this because you were mentioned. Reply to this email directly, github.com view it on GitHub , or github.com mute the thread .
Hi, And one more info to the mail sent just before for camera details.
When I use RTSP from external network with ffmpeg:
ffplay.exe -rtsp_transport tcp -i rtsp://admin:admin@xxx.xxx.xxx.xxx:xxx/tcp/av0_0 -probesize 32 -analyzeduration 0
or android TinyCam rtsp://admin:admin@xxx.xxx.xxx.xxx:xxx/tcp/av0_2
it works very well with no issue.
Janusz
Mh that's interesting.
Can you send me the logs of the following command (that adds -loglevel 32
): ffplay.exe -loglevel 32 -rtsp_transport tcp -i rtsp://admin:admin@xxx.xxx.xxx.xxx:xxx/tcp/av0_0 -probesize 32 -analyzeduration 0
?
And/or vlc -vvv rtsp://admin:admin@xxx.xxx.xxx.xxx:xxx/tcp/av0_0
? (VLC might take like 15-20s as it will first try using UDP and if that doesn't work it will fallback to TCP)
Hi, Please find enclosed the screenshot: (not sure if it's what you want, if some other logs please let me know)
Hey, unfortunately when you answer on GitHub by email, attached documents are not working.
Could you come to the issue link (https://github.com/EtixLabs/cameradar/issues/142) on your web browser and answer using your account to post the screenshots?
Thanks! We'll figure this out :p
My current guess is that the device that forwards the RTSP port does it in a weird way that nmap and cameradar can't currently work with. If that's the case, I will need to order one of those cameras that you have, as well as the device that forwards it, and make tests.
the screenshot of ffmpeg
Additionally when I make the nmap of my router from external network I can see the port like: 50554/tcp open unknown I have 2 C51s cameras and the external ports are visible for each of them.
I have as well the C7815WIP from Vstarcam and the external port is not visible by nmap. But when I connect with ffplay or with android tinycam there is no issue and works well.
Did you add -loglevel 32
in the command when running ffplay
?
The fact that nmap says unknown for you is normal, if you run it with -A
it should show that it serves RTSP :-)
Yes the exact ffplay command was:
ffplay.exe -loglevel 32 -rtsp_transport tcp -i "rtsp://xxxx:xxxxg@xx.xx.xx.xx:xxx/tcp/av0_0" -probesize 32 -analyzeduration 0
For the nmap with -A I have:
SF-Port50554-TCP:V=7.40%I=7%D=10/25%Time=59F08A44%P=x86_64-pc-linux-gnu%r( SF:GenericLines,2E,"RTSP/1.0\x20551\x20Option\x20not\x20supported\r\nCseq SF::\x200\r\n\r\n")%r(GetRequest,2E,"RTSP/1.0\x20551\x20Option\x20not\x20 SF:supported\r\nCseq:\x200\r\n\r\n")%r(FourOhFourRequest,2E,"RTSP/1.0\x20 SF:551\x20Option\x20not\x20supported\r\nCseq:\x200\r\n\r\n");
Mh. Interesting that ffplay
gives almost no logs!
Well if you can, logs from VLC with the -vvv
flag (or a GStreamer pipeline with GST_DEBUG set to 4) would help more.
Here in ffplay except the decoding for stream0 failed
everything seems in order. And the decoding issue has no link at all with Cameradar so that shouldn't be a problem...
Run on DEBIAN vlc -vvv "rtsp://xxxx:xxxxx@xxx.x.x.x:xxx/tcp/av0_0" (video has started after some time)
With following results belowe, just small cut from many data scrolling on the screen
[xxxxxxxx] core art finder debug: no art finder modules matched [xxxxxxxxxx] core libvlc debug: art not found for rtsp://xxx.xxx.xxx.xxx:xxx/tcp/av0_0 Received 152 new bytes of response data. Received a complete OPTIONS response: RTSP/1.0 200 OK Cseq: 2 Date: Wed, Oct 25 2017 15:22:20 GMT Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER
Sending request: DESCRIBE rtsp://xxx.xxx.xxx.xxx:xxx/tcp/av0_0 RTSP/1.0 CSeq: 3 User-Agent: LibVLC/2.2.6 (LIVE555 Streaming Media v2017.04.26) Accept: application/sdp
Received 119 new bytes of response data. Received a complete DESCRIBE response: RTSP/1.0 401 Unauthorized Cseq: 3 WWW-Authenticate: Digest realm="RTSPD",nonce="xxxxxxxxxxxxxxx"
Resending... Sending request: DESCRIBE rtsp://xxx.xxx.xxx.xxx:xxx/tcp/av0_0 RTSP/1.0 CSeq: 4 Authorization: Digest username="admin", realm="RTSPD", nonce="xxxxxxxxxxx", uri="rtsp://xxx.xxx.xxx.xxx:xxx/tcp/av0_0", response="xxxxxxxxxxxxxxxxx" User-Agent: LibVLC/2.2.6 (LIVE555 Streaming Media v2017.04.26) Accept: application/sdp
Received 500 new bytes of response data. Received a complete DESCRIBE response: RTSP/1.0 200 OK Cseq: 4 Date: Wed, Oct 25 2017 15:22:20 GMT Content-Type: application/sdp Content-Length: 383
v=0
o=VSTC xxxxxxx xxxxxxx IN IP4 192.168.xxx.xxx
s=streamed by the VSTARCAM RTSP server
e=NONE
c=IN IP4 0.0.0.0
t=0 0
m=video 0 RTP/AVP 96
b=AS:1536
a=control:track0
a=rtpmap:96 H264/90000
a=fmtp:96 packetization-mode=1;profile-level-id=42001F;sprop-parameter-sets=xxxxxx==,xxxxx==
m=audio 0 RTP/AVP 8
b=AS:48
a=control:track1
a=rtpmap:8 PCMA/8000/1
Mh so yeah here everything looks perfectly normal. The RTSP server seems to respond correctly to requests!
I don't really know what to do to help you here to be honest, it seems like an issue form nmap and the libcurl. I'll investigate this and come back to you when I know more!
Thanks for all the logs and the patience!
Thanks a lot for your involvement as well. There is one positive thing - maybe it will be a little bit more difficult to attack my camera. (but from time to time I can see with netstat on my camera some IPs trying to connect) If you would like to perform some tests on my camera in the future please feel free to contact me.
Hi!
I'm on holidays for a week and I'll be working on Cameradar a bit, so if you want to give me remote access to your camera I can try running a few tests using Cameradar, VLC, ffmpeg, ffplay, nmap and cURL! :-)
Hi, please send me an e-mail on which I can send you some temporary connection data. (not to allow every one to check my camera :-).
Hi, I have one general question for RTSP access. For my camera when using HTTP with wget "http://xxxx:xx/system.ini?loginuse&loginpas" every one can get login and password. Therefore I do not expose my HTTP connection. I am trying to use only RTSP for external access with fixed IP. I noticed however with nmap (on camera telnet) that I have some RTSP protocols established with some external IPs. Is there a way for RTSP to connect to the stream without password or to get passwrd with similar command like for HTTP?
Hi Johny!
If you set credentials for access on your RTSP stream, no, there is no way to access your stream except by bruteforcing/guessing your credentials or the sessionID and hijacking the RTSP session.
If you use a strong combination of username/password, your RTSP stream will be safe, except if there is an exploit on the firmware that your camera uses.
Issue from @johny77g ( https://github.com/EtixLabs/cameradar/commit/cad7d24ccf068d7d45dcf9db746140ec716ee219#commitcomment-25169225 )
Hi, I exposed my camera for a simple test with very simple setup
username: admin
,password: admin
. Updatedcredentials.json
and routes as below. With option-l
the generated connections were following:BUT the right configuration was never generated. (I mean with:
admin
,admin
,tcp/av0_0
) Is it something wrong with my trial or some issue withattack.go
file?