Ullaakut / cameradar

Cameradar hacks its way into RTSP videosurveillance cameras
MIT License
4.11k stars 517 forks source link

Implement digest authentication #199

Closed rikosintie closed 5 years ago

rikosintie commented 5 years ago

First, make sure that none of the open and closed issues is about the same issue as you are describing, and make sure to check the frequently asked questions in the README file. Then, replace the parts of this template that are between with the data relative to your issue.

If you're reporting a bug, use the template below. Otherwise, delete this template and write your issue normally.

Context

Please select one:

Please select one:

Environment

My operating system:

OS version: Ubuntu 18.04 OS architecture: 64bit Intel

Issue

401 Unauthorized from the camera

What was expected?

Successful connection

What happened?

Hello, I love this project! I am trying to figure out why it isn't working against an Aiphone camera. Below are the logs. The camera is at default with user/pass of aiphone/aiphone.

I read the FAQ and a previous issue titled "can't detect camera feed". Both were very useful but I still can't figure out what I am doing wrong. Can you give me some tips to help troubleshoot? Thanks!

If I copy this line from the logs and put it in vlc I get the stream: rtsp://aiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264

Here is the command I used to run Docker. docker run -t -v /home/mhubbard/Dropbox/03_Tools:/tmp/dictionaries ullaakut/cameradar -r "/tmp/dictionaries/rtsp.txt" -c "/tmp/dictionaries/my_credentials.json" -t 192.168.1.12 -l

Here are the files in /home/mhubbard/Dropbox/03_Tools

rtsp.txt

udp/unicast/aiphone_H264

my_credentials.json

{
  "usernames": [
    "",
    "aiphone",
    "admin"
  ],
  "passwords" : [
    "",
    "aiphone",
    "V3ct0r88"
  ]
}

Logs

If your issue is with Cameradar's binary or docker image, please run it with -l to print logs, and paste them here:

->docker run -t -v /home/mhubbard/Dropbox/03_Tools:/tmp/dictionaries ullaakut/cameradar -r "/tmp/dictionaries/rtsp.txt" -c "/tmp/dictionaries/my_credentials.json"  -t 192.168.1.12 -l
* Expire in 0 ms for 6 (transfer 0xd90300)
* Expire in 2000 ms for 8 (transfer 0xd90300)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xd90300)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
> DESCRIBE rtsp://:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNDk3Mzk6NzQ3NTQ0OTk5"
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xd9d060)
* Expire in 2000 ms for 8 (transfer 0xd9d060)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xd9d060)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
> DESCRIBE rtsp://:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTExMjg6MTk5OTQ0OTk="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xda9bc0)
* Expire in 2000 ms for 8 (transfer 0xda9bc0)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xda9bc0)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user ''
> DESCRIBE rtsp://:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic OmFpcGhvbmU=

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTE3NDg6MTI3NTc3ODU0Mw=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xdb6760)
* Expire in 2000 ms for 8 (transfer 0xdb6760)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xdb6760)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user ''
> DESCRIBE rtsp://:V3ct0r88@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic OlYzY3Qwcjg4

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTI0NDI6MTUyMDY5MDU1OA=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xdc3300)
* Expire in 2000 ms for 8 (transfer 0xdc3300)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xdc3300)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'aiphone'
> DESCRIBE rtsp://aiphone:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWlwaG9uZTo=

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTMwNDg6MTkyMTI5MTY="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xdcfea0)
* Expire in 2000 ms for 8 (transfer 0xdcfea0)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xdcfea0)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'aiphone'
> DESCRIBE rtsp://aiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWlwaG9uZTphaXBob25l

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTM2Mzk6NTQ1OTExMzQz"
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xddca80)
* Expire in 2000 ms for 8 (transfer 0xddca80)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xddca80)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'aiphone'
> DESCRIBE rtsp://aiphone:V3ct0r88@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWlwaG9uZTpWM2N0MHI4OA==

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTQzNTE6MTY1ODg2MDUwOQ=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xde9660)
* Expire in 2000 ms for 8 (transfer 0xde9660)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xde9660)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'admin'
> DESCRIBE rtsp://admin:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWRtaW46

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTQ5NTU6MTk3MjEyMzA1Ng=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xdf6200)
* Expire in 2000 ms for 8 (transfer 0xdf6200)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xdf6200)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'admin'
> DESCRIBE rtsp://admin:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWRtaW46YWlwaG9uZQ==

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTU1MzU6MTc4NDM2MDIyNg=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xe02de0)
* Expire in 2000 ms for 8 (transfer 0xe02de0)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xe02de0)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'admin'
> DESCRIBE rtsp://admin:V3ct0r88@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWRtaW46VjNjdDByODg=

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTYwODk6MzI4MDMxMDQ1"
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xe0f9c0)
* Expire in 2000 ms for 8 (transfer 0xe0f9c0)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xe0f9c0)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
> DESCRIBE rtsp://:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTY4NjY6MTc2NDgyNDU2OQ=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xd8a920)
* Expire in 2000 ms for 8 (transfer 0xd8a920)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xd8a920)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
> SETUP rtsp://:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Transport: RTP/AVP;unicast;client_port=33332-33333

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTc0NjE6MTA1MDcxOTk0Nw=="
< 
* Connection #0 to host 192.168.1.12 left intact
✖   Admin panel URL:    http://192.168.1.12/ You can use this URL to try attacking the camera's admin panel instead.
    Device model:       

    Available:      ✖
    IP address:     192.168.1.12
    RTSP port:      554
    Username:       not found
    Password:       not found
    RTSP route:     /udp/unicast/aiphone_H264

✖ Streams were found but none were accessed. They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the cameras.
Ullaakut commented 5 years ago

Hi @rikosintie ! Thanks for the really detailed issue :)

By reading your logs, it seems like everything should be working, yes. As you can see in the logs with the -l option, Cameradar attempts to connect to the correct URL: rtsp://aiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264 but gets a 401 answer. I'm not familiar with aiphone cameras but it's possible that VLC gets the same answer but uses a workaround to connect to it anyway.

Could you run VLC in your command line with the -vv option and send me the logs that it outputs until the stream is displaying? I might be able to figure out what's going on :)

rikosintie commented 5 years ago

Hello, thanks for the quick response! I can't believe I didn't run vlc with logging. It was right in your FAQ!

I am out of town until Friday, As soon as I get home I will do it and post the results.

Thanks again for such a great project!

Ullaakut commented 5 years ago

Thanks and no worries, there's no rush :) We'll figure it out!

rikosintie commented 5 years ago

Hello Ullaakut, I ran VLC from the command line with the -vv option until it started playing. Thanks for that tip, I didn't know about that and it seems very useful! It looks likes the aiphone responds with 401 Unauthorized once but vlc tries a second time and then gets the 200.

->vlc -vv rtsp://aiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264 VLC media player 3.0.6 Vetinari (revision 3.0.6-0-g5803e85) [00000000014f33b0] main libvlc debug: VLC media player - 3.0.6 Vetinari [00000000014f33b0] main libvlc debug: Copyright © 1996-2018 the VideoLAN team [00000000014f33b0] main libvlc debug: revision 3.0.6-0-g5803e85 [00000000014f33b0] main libvlc debug: configured with ./configure '--prefix=/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr' '--disable-wayland' '--enable-merge-ffmpeg' 'CFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'LDFLAGS= -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/lib -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/lib/x86_64-linux-gnu -L/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/lib/x86_64-linux-gnu' 'CPPFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'CXXFLAGS= -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/include -I/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/include' 'PKG_CONFIG_PATH=:/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/parts/vlc/install/usr/share/pkgconfig:/home/jenkins/workspace/vlc-release/linux/vlc-release-snap/extras/package/snap/stage/usr/share/pkgconfig' [00000000014f33b0] main libvlc debug: searching plug-in modules [00000000014f33b0] main libvlc debug: loading plugins cache file /snap/vlc/770/usr/lib/vlc/plugins/plugins.dat [00000000014f33b0] main libvlc debug: recursively browsing /snap/vlc/770/usr/lib/vlc/plugins' [00000000014f33b0] main libvlc debug: plug-ins loaded: 517 modules [00000000014f33b0] main libvlc debug: opening config file (/home/mhubbard/snap/vlc/common/vlcrc) [00000000014f36f0] main logger debug: looking for logger module matching "any": 3 candidates [00000000014f36f0] main logger debug: using logger module "console" [00000000014f33b0] main libvlc debug: translation test: code is "C" [00000000014f4890] main keystore debug: looking for keystore module matching "memory": 4 candidates [00000000014f4890] main keystore debug: using keystore module "memory" [00000000014f33b0] main libvlc debug: CPU has capabilities MMX MMXEXT SSE SSE2 SSE3 SSSE3 SSE4.1 SSE4.2 AVX AVX2 FPU [000000000158b9c0] main input debug: Creating an input for 'Media Library' [000000000158b9c0] main input debug: Input is a meta file: disabling unneeded options [000000000158b9c0] main input debug: using timeshift granularity of 50 MiB [000000000158b9c0] main input debug: using default timeshift path [000000000158b9c0] main input debug:file/directory:///home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf' gives access file' demuxdirectory' path /home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf' [0000000001595830] main input source debug: creating demux: access='file' demux='directory' location='/home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf' file='/home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf' [0000000001595970] main demux debug: looking for access_demux module matching "file": 21 candidates [0000000001595970] main demux debug: no access_demux modules matched [00000000015ae580] main stream debug: creating access: file:///home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf [00000000015ae580] main stream debug: (path: /home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf) [00000000015ae580] main stream debug: looking for access module matching "file": 26 candidates [00000000015ae580] main stream debug: using access module "filesystem" [00000000015af320] main stream debug: looking for stream_filter module matching "prefetch,cache_read": 26 candidates [00000000015af320] cache_read stream debug: Using stream method for AStream* [00000000015af320] cache_read stream debug: starting pre-buffering [00000000015af320] cache_read stream debug: received first data after 0 ms [00000000015af320] cache_read stream debug: pre-buffering done 296 bytes in 0s - 3659 KiB/s [00000000015af320] main stream debug: using stream_filter module "cache_read" [00000000015b04a0] main stream debug: looking for stream_filter module matching "any": 26 candidates [00000000015b04a0] playlist stream debug: using XSPF playlist reader [00000000015b04a0] main stream debug: using stream_filter module "playlist" [00000000015b04a0] main stream debug: stream filter added to 0x15af320 [00000000015b38c0] main stream debug: looking for stream_filter module matching "any": 26 candidates [00000000015b38c0] main stream debug: no stream_filter modules matched [00000000015b38c0] main stream_directory debug: looking for stream_directory module matching "any": 1 candidates [00000000015b38c0] main stream_directory debug: no stream_directory modules matched [0000000001595830] main input source debug: attachment of directory-extractor failed for file:///home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf [00000000015b4fe0] main stream debug: looking for stream_filter module matching "record": 26 candidates [00000000015b4fe0] main stream debug: using stream_filter module "record" [0000000001595830] main input source debug: creating demux: access='file' demux='directory' location='/home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf' file='/home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf' [00000000015b57c0] main demux debug: looking for demux module matching "directory": 56 candidates [00000000015b57c0] main demux debug: using demux module "directory" [00000000015b61b0] main demux meta debug: looking for meta reader module matching "any": 2 candidates [00000000015b61b0] lua demux meta debug: Trying Lua scripts in /home/mhubbard/snap/vlc/770/.local/share/vlc/lua/meta/reader [00000000015b61b0] lua demux meta debug: Trying Lua scripts in /snap/vlc/770/usr/lib/vlc/lua/meta/reader [00000000015b61b0] lua demux meta debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/reader/filename.luac [00000000015b61b0] lua demux meta debug: Trying Lua scripts in /snap/vlc/770/usr/share/vlc/lua/meta/reader [00000000015b61b0] main demux meta debug: no meta reader modules matched [000000000158b9c0] main input debug:file/directory:///home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf' successfully opened [00000000015bfc80] main xml reader debug: looking for xml reader module matching "any": 1 candidates [00000000015bfc80] main xml reader debug: using xml reader module "xml" [000000000158b9c0] main input debug: EOF reached [00000000015b57c0] main demux debug: removing module "directory" [00000000015b4fe0] main stream debug: removing module "record" [00000000015b04a0] main stream debug: removing module "playlist" [00000000015af320] main stream debug: removing module "cache_read" [00000000015ae580] main stream debug: removing module "filesystem" [0000000001588c30] main playlist debug: creating audio output [00000000015b3400] main audio output debug: looking for audio output module matching "any": 6 candidates [00000000015b3400] vlcpulse audio output debug: using library version 8.0.0 [00000000015b3400] vlcpulse audio output debug: (compiled with version 8.0.0, protocol 30) [00000000015b3400] vlcpulse audio output debug: connected locally to unix:/run/user/1000/snap.vlc/../pulse/native as client #17 [00000000015b3400] vlcpulse audio output debug: using protocol 30, server protocol 32 [00000000015b3400] pulse audio output debug: adding sink 0: alsa_output.pci-0000_00_1f.3.analog-stereo (Built-in Audio Analog Stereo) [00000000015b3400] main audio output debug: using audio output module "pulse" [0000000001588c30] main playlist debug: keeping audio output [00000000015bf150] main interface debug: looking for interface module matching "dbus,none": 17 candidates [00000000015bf150] dbus interface debug: listening on dbus as: org.mpris.MediaPlayer2.vlc [00000000015bf150] main interface debug: using interface module "dbus" [00000000015c75a0] main interface debug: looking for interface module matching "hotkeys,none": 17 candidates [00000000015c75a0] main interface debug: using interface module "hotkeys" [00000000015c80a0] main interface debug: looking for interface module matching "globalhotkeys,none": 17 candidates [00000000015c80a0] main interface debug: using interface module "xcb_hotkeys" [00000000014f33b0] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface. [00000000015c91f0] main interface debug: looking for interface module matching "any": 17 candidates [00000000015bf150] dbus interface debug: Getting All properties [00000000015bf150] dbus interface debug: Getting All properties [00000000015bf150] dbus interface debug: Getting All properties [00000000015bf150] dbus interface debug: Getting All properties [00000000015bf150] dbus interface debug: Getting All properties Qt: Session management error: None of the authentication protocols specified are supported [00007f2ea88f0060] main generic debug: looking for extension module matching "any": 1 candidates [00007f2ea88f0060] lua generic debug: Opening Lua Extension module [00007f2ea88f0060] lua generic debug: Trying Lua scripts in /home/mhubbard/snap/vlc/770/.local/share/vlc/lua/extensions [00007f2ea88f0060] lua generic debug: Trying Lua scripts in /snap/vlc/770/usr/lib/vlc/lua/extensions [00007f2ea88f0060] lua generic debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/extensions/VLSub.luac [00007f2ea88f0060] lua generic debug: Scanning Lua script /snap/vlc/770/usr/lib/vlc/lua/extensions/VLSub.luac [00007f2ea88f0060] lua generic debug: Script /snap/vlc/770/usr/lib/vlc/lua/extensions/VLSub.luac has the following capability flags: 0x5 [00007f2ea88f0060] lua generic debug: Trying Lua scripts in /snap/vlc/770/usr/share/vlc/lua/extensions [00007f2ea88f0060] main generic debug: using extension module "lua" [00000000015c91f0] main interface debug: using interface module "qt" [0000000001588c30] main playlist debug: processing request item: null, node: Playlist, skip: 0 [0000000001588c30] main playlist debug: rebuilding array of current - root Playlist [0000000001588c30] main playlist debug: rebuild done - 1 items, index -1 [0000000001588c30] main playlist debug: starting playback of new item [0000000001588c30] main playlist debug: resyncing on rtsp://192.168.1.12:554/udp/unicast/aiphone_H264 [0000000001588c30] main playlist debug: rtsp://192.168.1.12:554/udp/unicast/aiphone_H264 is at 0 [0000000001588c30] main playlist debug: creating new input thread [00007f2e940009e0] main input debug: Creating an input for 'rtsp://192.168.1.12:554/udp/unicast/aiphone_H264' [0000000001588c30] main playlist debug: requesting art for new input thread [00007f2e940009e0] main input debug: using timeshift granularity of 50 MiB [00007f2e940009e0] main input debug: using default timeshift path [00000000015c91f0] qt interface debug: IM: Setting an input [00007f2e940009e0] main input debug: rtsp://aiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264' gives accessrtsp' demux any' pathaiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264' [00007f2e98000d50] main input source debug: creating demux: access='rtsp' demux='any' location='aiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264' file='(null)' [00007f2e98000f00] main demux debug: looking for access_demux module matching "rtsp": 21 candidates [00007f2e90000980] main meta fetcher debug: looking for meta fetcher module matching "any": 1 candidates [00007f2e90000980] lua meta fetcher debug: Trying Lua scripts in /home/mhubbard/snap/vlc/770/.local/share/vlc/lua/meta/fetcher [00007f2e90000980] lua meta fetcher debug: Trying Lua scripts in /snap/vlc/770/usr/lib/vlc/lua/meta/fetcher [00007f2e90000980] lua meta fetcher debug: Trying Lua scripts in /snap/vlc/770/usr/share/vlc/lua/meta/fetcher [00007f2e90000980] main meta fetcher debug: no meta fetcher modules matched [00007f2e90000980] main art finder debug: looking for art finder module matching "any": 2 candidates [00007f2e98000f00] live555 demux debug: version 2016.11.28 [00007f2e98000f00] main demux warning: Password in a URI is DEPRECATED [00007f2e90000980] lua art finder debug: Trying Lua scripts in /home/mhubbard/snap/vlc/770/.local/share/vlc/lua/meta/art Opening connection to [00007f2e90000980] lua art finder debug: Trying Lua scripts in /snap/vlc/770/usr/lib/vlc/lua/meta/art 192.168.1.12, port 554... [00007f2e90000980] lua art finder debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/art/00_musicbrainz.luac ...remote connection opened Sending request: OPTIONS rtsp://192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0 CSeq: 2 User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28)

[00007f2e90000980] lua art finder debug: skipping script (unmatched scope) /snap/vlc/770/usr/lib/vlc/lua/meta/art/00_musicbrainz.luac [00007f2e90000980] lua art finder debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/art/01_googleimage.luac [00007f2e90000980] lua art finder debug: skipping script (unmatched scope) /snap/vlc/770/usr/lib/vlc/lua/meta/art/01_googleimage.luac [00007f2e90000980] lua art finder debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/art/02_frenchtv.luac [00007f2e90000980] lua art finder debug: skipping script (unmatched scope) /snap/vlc/770/usr/lib/vlc/lua/meta/art/02_frenchtv.luac [00007f2e90000980] lua art finder debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/art/03_lastfm.luac [00007f2e90000980] lua art finder debug: skipping script (unmatched scope) /snap/vlc/770/usr/lib/vlc/lua/meta/art/03_lastfm.luac [00007f2e90000980] lua art finder debug: Trying Lua scripts in /snap/vlc/770/usr/share/vlc/lua/meta/art [00007f2e90000980] main art finder debug: no art finder modules matched [00007f2e84000980] main meta fetcher debug: looking for meta fetcher module matching "any": 1 candidates [00007f2e84000980] lua meta fetcher debug: Trying Lua scripts in /home/mhubbard/snap/vlc/770/.local/share/vlc/lua/meta/fetcher [00007f2e84000980] lua meta fetcher debug: Trying Lua scripts in /snap/vlc/770/usr/lib/vlc/lua/meta/fetcher [00007f2e84000980] lua meta fetcher debug: Trying Lua scripts in /snap/vlc/770/usr/share/vlc/lua/meta/fetcher [00007f2e84000980] main meta fetcher debug: no meta fetcher modules matched [00007f2e84000980] main art finder debug: looking for art finder module matching "any": 2 candidates [00007f2e84000980] lua art finder debug: Trying Lua scripts in /home/mhubbard/snap/vlc/770/.local/share/vlc/lua/meta/art [00007f2e84000980] lua art finder debug: Trying Lua scripts in /snap/vlc/770/usr/lib/vlc/lua/meta/art [00007f2e84000980] lua art finder debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/art/00_musicbrainz.luac Received 158 new bytes of response data. Received a complete OPTIONS response: RTSP/1.0 401 Unauthorized Server: Linux/2.6.32.17-davinci1 Ze-PRO CSeq: 2 WWW-Authenticate: Digest realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw"

Resending... Sending request: OPTIONS rtsp://192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0 CSeq: 3 Authorization: Digest username="aiphone", realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw", uri="rtsp://192.168.1.12:554/udp/unicast/aiphone_H264", response="8ed3645f174378041778f209f95d45f9" User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28)

[00007f2e84000980] lua art finder debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/art/01_googleimage.luac [00007f2e84000980] lua art finder debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/art/02_frenchtv.luac [00007f2e84000980] lua art finder debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/art/03_lastfm.luac [00007f2e84000980] lua art finder debug: Trying Lua scripts in /snap/vlc/770/usr/share/vlc/lua/meta/art [00007f2e84000980] main art finder debug: no art finder modules matched Received 134 new bytes of response data. Received a complete OPTIONS response: RTSP/1.0 200 OK Server: Linux/2.6.32.17-davinci1 Ze-PRO CSeq: 3 Public: DESCRIBE, SETUP, TEARDOWN, PLAY, OPTIONS, SET_PARAMETER

Sending request: DESCRIBE rtsp://192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0 CSeq: 4 Authorization: Digest username="aiphone", realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw", uri="rtsp://192.168.1.12:554/udp/unicast/aiphone_H264", response="034830ad6eb4e6fa30e0b119bba32aa0" User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28) Accept: application/sdp

Received 653 new bytes of response data. Received a complete DESCRIBE response: RTSP/1.0 200 OK Server: Linux/2.6.32.17-davinci1 Ze-PRO CSeq: 4 Content-Length: 467 Content-Type: application/sdp Content-Base: rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/

v=0 o=NetworkCameraOnvif 2208992188 969705160 IN IP4 0.0.0.0 s=MediaSession t=0 0 a=control:* a=range:npt=0- c=IN IP4 0.0.0.0 m=video 0 RTP/AVP 96 a=rtpmap:96 H264/90000 a=control:trackID=video a=cliprect:0,0,720,1280 a=framesize:96 1280-720 a=framerate:10 a=fmtp:96 profile-level-id=4d001f;packetization-mode=1;sprop-parameter-sets=Z00AH9oBQBbsBVIAAAMABAAAAwB4wIAA+gAAAwEZQF73wvCIRqA=,aO48gA== m=audio 0 RTP/AVP 0 a=control:trackID=audio a=recvonly

[00007f2e98000f00] live555 demux debug: RTP subsession 'video/H264' Sending request: SETUP rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/trackID=video RTSP/1.0 CSeq: 5 Authorization: Digest username="aiphone", realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw", uri="rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/", response="a39481fb9ef35323381ae714ca3b3dfb" User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28) Transport: RTP/AVP;unicast;client_port=44000-44001

Received 241 new bytes of response data. Received a complete SETUP response: RTSP/1.0 200 OK Server: Linux/2.6.32.17-davinci1 Ze-PRO CSeq: 5 Session: 0063c628;timeout=60 Cache-Control: must-revalidate Transport: RTP/AVP;unicast;client_port=44000-44001;source=192.168.1.12;server_port=32000-32001;ssrc=112110E1

[00007f2e940009e0] main input debug: selecting program id=0 [00007f2e98000f00] live555 demux debug: RTP subsession 'audio/PCMU' Sending request: SETUP rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/trackID=audio RTSP/1.0 CSeq: 6 Authorization: Digest username="aiphone", realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw", uri="rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/", response="a39481fb9ef35323381ae714ca3b3dfb" User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28) Transport: RTP/AVP;unicast;client_port=47650-47651 Session: 0063c628

Received 241 new bytes of response data. Received a complete SETUP response: RTSP/1.0 200 OK Server: Linux/2.6.32.17-davinci1 Ze-PRO CSeq: 6 Session: 0063c628;timeout=60 Cache-Control: must-revalidate Transport: RTP/AVP;unicast;client_port=47650-47651;source=192.168.1.12;server_port=22000-22001;ssrc=D647CDB8

[00007f2e98000f00] live555 demux debug: setup start: 0.000000 stop:0.000000 Sending request: PLAY rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/ RTSP/1.0 CSeq: 7 Authorization: Digest username="aiphone", realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw", uri="rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/", response="ae2b3357e2f06bd74d140d001ee2c6fa" User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28) Session: 0063c628 Range: npt=0.000-

Received 182 new bytes of response data. Received a complete PLAY response: RTSP/1.0 200 OK Server: Linux/2.6.32.17-davinci1 Ze-PRO CSeq: 7 Session: 0063c628 RTP-Info: url=trackID=video;seq=26890;rtptime=33629,url=trackID=audio;seq=34249;rtptime=1465

[00007f2e98000f00] live555 demux debug: We have a timeout of 60 seconds [00007f2e98000f00] live555 demux debug: play start: 0.000000 stop:0.000000 [00007f2e98000f00] main demux debug: using access_demux module "live555" [00007f2e98088380] main packetizer debug: looking for packetizer module matching "any": 25 candidates [00007f2e98088380] h264 packetizer debug: found NAL_SPS (sps_id=0) [00007f2e98088380] h264 packetizer debug: found NAL_PPS (pps_id=0 sps_id=0) [00007f2e98088380] main packetizer debug: using packetizer module "h264" [00007f2e98087af0] main decoder debug: looking for video decoder module matching "any": 18 candidates [00007f2e98087af0] avcodec decoder debug: using ffmpeg Lavc58.6.103 [00007f2e98087af0] avcodec decoder debug: CPU flags: 0x000fd3db [00007f2e98087af0] avcodec decoder debug: allowing 6 thread(s) for decoding [00007f2e98087af0] avcodec decoder debug: codec (h264) started [00007f2e98087af0] avcodec decoder debug: using frame thread mode with 6 threads [00007f2e98087af0] main decoder debug: using video decoder module "avcodec" [00007f2e9817e940] main decoder debug: looking for audio decoder module matching "any": 21 candidates [00007f2e9817e940] g711 decoder debug: samplerate:8000Hz channels:1 [00007f2e9817e940] main decoder debug: using audio decoder module "g711" [00007f2e98181850] main demux meta debug: looking for meta reader module matching "any": 2 candidates [00007f2e98181850] lua demux meta debug: Trying Lua scripts in /home/mhubbard/snap/vlc/770/.local/share/vlc/lua/meta/reader [00007f2e98181850] lua demux meta debug: Trying Lua scripts in /snap/vlc/770/usr/lib/vlc/lua/meta/reader [00007f2e98181850] lua demux meta debug: Trying Lua playlist script /snap/vlc/770/usr/lib/vlc/lua/meta/reader/filename.luac [00007f2e98181850] lua demux meta debug: Trying Lua scripts in /snap/vlc/770/usr/share/vlc/lua/meta/reader [00007f2e98181850] main demux meta debug: no meta reader modules matched [00007f2e940009e0] main input debug: rtsp://aiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264' successfully opened [00007f2e940009e0] main input debug: Buffering 0% [0000000001588c30] main playlist debug: reusing audio output [00000000015b3400] pulse audio output debug: using mono channel map [00007f2e98000f00] live555 demux debug: tk->rtpSource->hasBeenSynchronizedUsingRTCP() [00007f2e940009e0] main input debug: ES_OUT_RESET_PCR called [00007f2e940009e0] main input debug: Buffering 0% [00000000015b3400] pulse audio output debug: changed buffer metrics: maxlength=4194304, tlength=1920, prebuf=0, minreq=640 [00000000015b3400] pulse audio output debug: connected to sink alsa_output.pci-0000_00_1f.3.analog-stereo [00000000015b3400] main audio output debug: output 's16l' 8000 Hz Mono frame=1 samples/2 bytes [00007f2e90002a50] main volume debug: looking for audio volume module matching "any": 2 candidates [00007f2e90002a50] main volume debug: using audio volume module "integer_mixer" [00000000015b3400] main audio output debug: input 's16l' 8000 Hz Mono frame=1 samples/2 bytes [00007f2e90003750] main audio filter debug: looking for audio filter module matching "scaletempo": 16 candidates [00007f2e90003750] scaletempo audio filter debug: format: 8000 rate, 1 nch, 4 bps, fl32 [00007f2e90003750] scaletempo audio filter debug: params: 30 stride, 0.200 overlap, 14 search [00007f2e90003750] scaletempo audio filter debug: 1.000 scale, 240.000 stride_in, 240 stride_out, 192 standing, 48 overlap, 112 search, 400 queue, fl32 mode [00007f2e90003750] main audio filter debug: using audio filter module "scaletempo" [00000000015b3400] main audio output debug: conversion: 's16l'->'f32l' 8000 Hz->8000 Hz Mono->Mono [00007f2e90004f00] main audio converter debug: looking for audio converter module matching "any": 8 candidates [00000000015b3400] pulse audio output debug: changing sink 0: alsa_output.pci-0000_00_1f.3.analog-stereo (Built-in Audio Analog Stereo) [00007f2e90004f00] audio_format audio converter debug: s16l->f32l, bits per sample: 16->32 [00007f2e90004f00] main audio converter debug: using audio converter module "audio_format" [00000000015b3400] main audio output debug: conversion pipeline complete [00000000015b3400] main audio output debug: conversion: 'f32l'->'s16l' 8000 Hz->8000 Hz Mono->Mono [00007f2e90007bd0] main audio converter debug: looking for audio converter module matching "any": 8 candidates [00007f2e90007bd0] audio_format audio converter debug: f32l->s16l, bits per sample: 32->16 [00007f2e90007bd0] main audio converter debug: using audio converter module "audio_format" [00000000015b3400] main audio output debug: conversion pipeline complete [00007f2e90007f40] main audio resampler debug: looking for audio resampler module matching "any": 3 candidates [00007f2e90007f40] main audio resampler debug: using audio resampler module "ugly" [00007f2e940009e0] main input debug: Buffering 26% [00007f2e940009e0] main input debug: Buffering 28% [00007f2e98000f00] live555 demux debug: tk->rtpSource->hasBeenSynchronizedUsingRTCP() [00007f2e940009e0] main input debug: ES_OUT_RESET_PCR called [00007f2e940009e0] main input debug: Buffering 0% [00007f2e98087af0] main decoder debug: restarting module due to input format change [00007f2e98087af0] main decoder debug: removing module "avcodec" [00007f2e98087af0] main decoder debug: looking for video decoder module matching "any": 18 candidates [00007f2e98087af0] avcodec decoder debug: using ffmpeg Lavc58.6.103 [00007f2e98087af0] avcodec decoder debug: CPU flags: 0x000fd3db [00007f2e98087af0] avcodec decoder debug: allowing 6 thread(s) for decoding [00007f2e98087af0] avcodec decoder debug: codec (h264) started [00007f2e98087af0] avcodec decoder debug: using frame thread mode with 6 threads [00007f2e98087af0] main decoder debug: using video decoder module "avcodec" [00007f2e98087af0] avcodec decoder debug: available hardware decoder output format 100 (vdpau) [00007f2e98087af0] avcodec decoder debug: available hardware decoder output format 119 (cuda) [00007f2e98087af0] avcodec decoder debug: available hardware decoder output format 46 (vaapi_vld) [00007f2e98087af0] avcodec decoder debug: available software decoder output format 12 (yuvj420p) [00007f2e98087af0] avcodec decoder debug: trying format vdpau [00007f2e84091830] main spu text debug: looking for text renderer module matching "any": 3 candidates [00007f2e84091830] freetype spu text debug: Building font databases. [00007f2e84091830] freetype spu text debug: Took -29349 microseconds [00007f2e84091830] main spu text debug: using text renderer module "freetype" [00007f2e840be010] main scale debug: looking for video converter module matching "any": 23 candidates [00007f2e840be010] swscale scale debug: 32x32 (32x32) chroma: YUVA -> 16x16 (16x16) chroma: RGBA with scaling using Bicubic (good quality) [00007f2e840be010] main scale debug: using video converter module "swscale" [00007f2e840e3230] main scale debug: looking for video converter module matching "any": 23 candidates [00007f2e840e3230] yuvp scale debug: YUVP to YUVA converter [00007f2e840e3230] main scale debug: using video converter module "yuvp" [00007f2e8408dfc0] main video output debug: Deinterlacing available [00007f2e8408dfc0] main video output debug: deinterlace -1, mode auto, is_needed 0 [00007f2e840e9c80] main window debug: looking for vout window module matching "qt,any": 4 candidates [00007f2e840e9c80] qt window debug: requesting video window... [00007f2e840e9c80] main window debug: using vout window module "qt" [00007f2e840e9dd0] main inhibit debug: looking for inhibit module matching "any": 2 candidates [00007f2e840e9c80] main window debug: resized to 1280x720 [00007f2e840e9dd0] dbus_screensaver inhibit debug: found service org.freedesktop.ScreenSaver [00007f2e840e9dd0] main inhibit debug: using inhibit module "dbus_screensaver" [00007f2e840e9c80] main window debug: resized to 1920x934 [00007f2e8408dfc0] main video output debug: Opening vout display wrapper [00007f2e74001060] main vout display debug: looking for vout display module matching "xcb_x11": 10 candidates [00007f2e74001060] main vout display debug: VoutDisplayEvent 'resize' 1920x934 [00007f2e74001060] xcb vout display debug: connected to X11.0 server [00007f2e74001060] xcb vout display debug: vendor : The X.Org Foundation [00007f2e74001060] xcb vout display debug: version: 11906000 [00007f2e74001060] xcb vout display debug: using screen 0x12c [00007f2e74001060] xcb_x11 vout display debug: using X11 visual ID 0x20 [00007f2e74001060] xcb_x11 vout display debug: 24 bits depth [00007f2e74001060] xcb_x11 vout display debug: 32 bits per pixel [00007f2e74001060] xcb_x11 vout display debug: 32 bits line pad [00007f2e74001060] xcb_x11 vout display debug: using X11 window 05e00000 [00007f2e74001060] xcb_x11 vout display debug: using X11 graphic context 05e00001 [00007f2e74001060] main vout display debug: using vout display module "xcb_x11" [00007f2e74001060] main vout display debug: A filter to adapt decoder VDV0 to display RV32 is needed [00007f2e74002fb0] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e74002fb0] chain filter debug: Trying to use chroma I420 as middle man [00007f2e74009850] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e74009850] main filter debug: using video converter module "vdpau_chroma" [00007f2e74002fb0] main filter debug: Filter 'VDPAU' (0x7f2e74009850) appended to chain [00007f2e74009d30] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e74009d30] swscale filter debug: 1280x720 (1280x720) chroma: I420 -> 1280x720 (1280x720) chroma: RV32 with scaling using Bicubic (good quality) [00007f2e74009d30] main filter debug: using video converter module "swscale" [00007f2e74002fb0] main filter debug: Filter 'Swscale' (0x7f2e74009d30) appended to chain [00007f2e74002fb0] main filter debug: using video converter module "chain" [00007f2e74001060] main vout display debug: Filter 'chain' (0x7f2e74002fb0) appended to chain [00007f2e8408dfc0] main video output debug: original format sz 1280x720, of (0,0), vsz 1280x720, 4cc VDV0, sar 1:1, msk r0x0 g0x0 b0x0 [00007f2e74001060] main vout display warning: VoutDisplayEvent 'pictures invalid' [00007f2e74001060] main vout display warning: VoutDisplayEvent 'pictures invalid' [00007f2e74001060] main vout display warning: VoutDisplayEvent 'pictures invalid' [00007f2e84091830] main spu text debug: removing module "freetype" [00007f2e74002fb0] main filter debug: removing module "chain" [00007f2e74009850] main filter debug: removing module "vdpau_chroma" [00007f2e74002fb0] main filter debug: Filter 0x7f2e74009850 removed from chain [00007f2e74009d30] main filter debug: removing module "swscale" [00007f2e74002fb0] main filter debug: Filter 0x7f2e74009d30 removed from chain [00007f2e74001060] main vout display debug: Filter 0x7f2e74002fb0 removed from chain [00007f2e74001060] main vout display debug: A filter to adapt decoder VDV0 to display RV32 is needed [00007f2e74002d20] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e74002d20] chain filter debug: Trying to build resize+chroma [00007f2e740097e0] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e84091830] main spu text debug: looking for text renderer module matching "any": 3 candidates [00007f2e84091830] freetype spu text debug: Building font databases. [00007f2e740097e0] main filter debug: no video converter modules matched [00007f2e74002d20] main filter error: Failed to create video converter [00007f2e74002d20] chain filter debug: Trying to build chroma+resize [00007f2e74009c90] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e74009c90] chain filter debug: Trying to use chroma I420 as middle man [00007f2e7402e490] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e7402e490] main filter debug: using video converter module "vdpau_chroma" [00007f2e74009c90] main filter debug: Filter 'VDPAU' (0x7f2e7402e490) appended to chain [00007f2e7401d400] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e7401d400] swscale filter debug: 1280x720 (1280x720) chroma: I420 -> 1280x720 (1280x720) chroma: RV32 with scaling using Bicubic (good quality) [00007f2e7401d400] main filter debug: using video converter module "swscale" [00007f2e74009c90] main filter debug: Filter 'Swscale' (0x7f2e7401d400) appended to chain [00007f2e74009c90] main filter debug: using video converter module "chain" [00007f2e74002d20] main filter debug: Filter 'chain' (0x7f2e74009c90) appended to chain [00007f2e7402cb60] main filter debug: looking for video converter module matching "any": 23 candidates [00007f2e7402cb60] swscale filter debug: 1280x720 (1280x720) chroma: RV32 -> 1660x934 (1660x934) chroma: RV32 with scaling using Bicubic (good quality) [00007f2e7402cb60] main filter debug: using video converter module "swscale" [00007f2e74002d20] main filter debug: Filter 'Swscale' (0x7f2e7402cb60) appended to chain [00007f2e74002d20] main filter debug: using video converter module "chain" [00007f2e74001060] main vout display debug: Filter 'chain' (0x7f2e74002d20) appended to chain [00007f2e940009e0] main input debug: Buffering 26% [00007f2e84091830] freetype spu text debug: Took -30034 microseconds [00007f2e84091830] main spu text debug: using text renderer module "freetype" [00007f2e84097950] main generic debug: looking for hw decoder module matching "any": 3 candidates Failed to open VDPAU backend libvdpau_va_gl.so: cannot open shared object file: No such file or directory [00007f2e84097950] main generic debug: no hw decoder modules matched [h264 @ 0x7f2e8c010640] Reinit context to 1280x720, pix_fmt: yuvj420p [00007f2e74002d20] main filter debug: removing module "chain" [00007f2e74009c90] main filter debug: removing module "chain" [00007f2e7402e490] main filter debug: removing module "vdpau_chroma" [00007f2e74009c90] main filter debug: Filter 0x7f2e7402e490 removed from chain [00007f2e7401d400] main filter debug: removing module "swscale" [00007f2e74009c90] main filter debug: Filter 0x7f2e7401d400 removed from chain [00007f2e74002d20] main filter debug: Filter 0x7f2e74009c90 removed from chain [00007f2e7402cb60] main filter debug: removing module "swscale" [00007f2e74002d20] main filter debug: Filter 0x7f2e7402cb60 removed from chain [00007f2e74001060] main vout display debug: Filter 0x7f2e74002d20 removed from chain [00007f2e74001060] main vout display debug: removing module "xcb_x11" [00007f2e8408dfc0] main video output debug: deinterlace -1, mode auto, is_needed 0 [00007f2e8408dfc0] main video output debug: Opening vout display wrapper [00007f2e7401df20] main vout display debug: looking for vout display module matching "xcb_x11": 10 candidates [00007f2e7401df20] main vout display debug: VoutDisplayEvent 'resize' 1920x934 [00007f2e7401df20] xcb vout display debug: connected to X11.0 server [00007f2e7401df20] xcb vout display debug: vendor : The X.Org Foundation [00007f2e7401df20] xcb vout display debug: version: 11906000 [00007f2e7401df20] xcb vout display debug: using screen 0x12c [00007f2e7401df20] xcb_x11 vout display debug: using X11 visual ID 0x20 [00007f2e7401df20] xcb_x11 vout display debug: 24 bits depth [00007f2e7401df20] xcb_x11 vout display debug: 32 bits per pixel [00007f2e7401df20] xcb_x11 vout display debug: 32 bits line pad [00007f2e7401df20] xcb_x11 vout display debug: using X11 window 05e00000 [00007f2e7401df20] xcb_x11 vout display debug: using X11 graphic context 05e00001 [00007f2e7401df20] main vout display debug: using vout display module "xcb_x11" [00007f2e7401df20] main vout display debug: A filter to adapt decoder J420 to display RV32 is needed [00007f2e74009770] main filter debug: looking for video converter module matching "any": 23 candidates [swscaler @ 0x7f2e74009c00] deprecated pixel format used, make sure you did set range correctly [00007f2e74009770] swscale filter debug: 1280x720 (1280x738) chroma: J420 -> 1280x720 (1280x738) chroma: RV32 with scaling using Bicubic (good quality) [00007f2e74009770] main filter debug: using video converter module "swscale" [00007f2e7401df20] main vout display debug: Filter 'Swscale' (0x7f2e74009770) appended to chain [00007f2e8408dfc0] main video output debug: original format sz 1280x738, of (0,0), vsz 1280x720, 4cc J420, sar 1:1, msk r0x0 g0x0 b0x0 [00007f2e8408dfc0] qt video output debug: Qt: Fullscreen state changed [0000000001588c30] main playlist debug: reusing provided vout [00007f2e7401df20] main vout display warning: VoutDisplayEvent 'pictures invalid' [00007f2e7401df20] main vout display warning: VoutDisplayEvent 'pictures invalid' [00007f2e7401df20] main vout display warning: VoutDisplayEvent 'pictures invalid' [00007f2e74009770] main filter debug: removing module "swscale" [00007f2e7401df20] main vout display debug: Filter 0x7f2e74009770 removed from chain [00007f2e7401df20] main vout display debug: A filter to adapt decoder J420 to display RV32 is needed [00007f2e74009770] main filter debug: looking for video converter module matching "any": 23 candidates [swscaler @ 0x7f2e74009c00] deprecated pixel format used, make sure you did set range correctly [00007f2e940009e0] main input debug: Buffering 36% [00007f2e74009770] swscale filter debug: 1280x720 (1280x738) chroma: J420 -> 1660x934 (1660x957) chroma: RV32 with scaling using Bicubic (good quality) [00007f2e74009770] main filter debug: using video converter module "swscale" [00007f2e7401df20] main vout display debug: Filter 'Swscale' (0x7f2e74009770) appended to chain [00007f2e940009e0] main input debug: Buffering 46% [00007f2e940009e0] main input debug: Buffering 56% [00007f2e940009e0] main input debug: Buffering 66% [00007f2e98087af0] main decoder debug: Received first picture [00007f2e740268b0] main blend debug: looking for video blending module matching "any": 1 candidates [00007f2e740268b0] main blend debug: using video blending module "blend" [00007f2e7401df20] xcb vout display debug: display is visible [00007f2e940009e0] main input debug: Buffering 76% [00007f2e940009e0] main input debug: Buffering 86% [00007f2e940009e0] main input debug: Buffering 96% [00007f2e940009e0] main input debug: Stream buffering done (1060 ms in 1066 ms) [00007f2e940009e0] main input debug: Decoder wait done in 0 ms [00007f2e9817e940] main decoder error: Timestamp conversion failed (delay 1000000, buffering 100000, bound 3000000) [00007f2e9817e940] main decoder error: Could not convert timestamp 1558330604205404 for g711 [00007f2e9817e940] main decoder debug: discarded audio buffer [00000000015b3400] vlcpulse audio output debug: write index corrupt [00000000015b3400] pulse audio output debug: cannot synchronize start [00000000015b3400] pulse audio output debug: deferring start (279402 us) [00000000015b3400] vlcpulse audio output debug: write index corrupt [00000000015b3400] pulse audio output debug: cannot synchronize start [00000000015b3400] pulse audio output debug: deferring start (279015 us) [00000000015b3400] vlcpulse audio output debug: write index corrupt [00000000015b3400] pulse audio output debug: cannot synchronize start [00000000015b3400] pulse audio output debug: deferring start (278735 us) [00000000015b3400] vlcpulse audio output debug: write index corrupt [00000000015b3400] pulse audio output debug: cannot synchronize start [00000000015b3400] pulse audio output debug: deferring start (278485 us) [00000000015b3400] vlcpulse audio output debug: write index corrupt [00000000015b3400] pulse audio output debug: cannot synchronize start [00000000015b3400] pulse audio output debug: deferring start (278194 us) [00000000015b3400] vlcpulse audio output debug: write index corrupt [00000000015b3400] pulse audio output debug: cannot synchronize start [00000000015b3400] pulse audio output debug: deferring start (277923 us) [00000000015b3400] pulse audio output debug: deferring start (177858 us) [00000000015b3400] pulse audio output debug: deferring start (177797 us) [00000000015b3400] pulse audio output debug: deferring start (177734 us) [00000000015b3400] pulse audio output debug: deferring start (177673 us) [00000000015b3400] pulse audio output debug: deferring start (177565 us) [00000000015b3400] pulse audio output debug: deferring start (177507 us) [00000000015b3400] pulse audio output debug: deferring start (177457 us) [00000000015b3400] pulse audio output debug: deferring start (177293 us) [00000000015b3400] pulse audio output debug: deferring start (157141 us) [00000000015b3400] pulse audio output debug: deferring start (156992 us) [00000000015b3400] pulse audio output debug: deferring start (136816 us) [00000000015b3400] pulse audio output debug: deferring start (116289 us) [00000000015b3400] pulse audio output debug: deferring start (95950 us) [00000000015b3400] pulse audio output debug: deferring start (75627 us) [00000000015b3400] pulse audio output debug: deferring start (55448 us) [00000000015b3400] pulse audio output debug: deferring start (35156 us) [00000000015b3400] pulse audio output debug: deferring start (14865 us) [00000000015b3400] pulse audio output warning: starting late (-5409 us) [00000000015b3400] main audio output warning: playback way too early (-202218): playing silence [00000000015b3400] main audio output debug: inserting 1617 zeroes [00000000015b3400] pulse audio output debug: changing sink 0: alsa_output.pci-0000_00_1f.3.analog-stereo (Built-in Audio Analog Stereo) [00000000015b3400] pulse audio output debug: started [00000000014f33b0] main libvlc debug: exiting [00000000014f33b0] main libvlc debug: exiting [00000000014f33b0] main libvlc debug: removing all interfaces [00000000015c91f0] main interface debug: removing module "qt" [0000000001588c30] main playlist debug: deactivating the playlist [0000000001588c30] main playlist debug: incoming request - stopping current input [00007f2e98087af0] main decoder debug: killing decoder fourcch264' [00007f2e98087af0] main decoder debug: removing module "avcodec" [0000000001588c30] main playlist debug: saving a free vout [0000000001588c30] main playlist debug: reusing provided vout [00007f2e98088380] main packetizer debug: removing module "h264" [00007f2e9817e940] main decoder debug: killing decoder fourcc `mlaw' [00007f2e9817e940] main decoder debug: removing module "g711" [00007f2e90007f40] main audio resampler debug: removing module "ugly" [00007f2e90004f00] main audio converter debug: removing module "audio_format" [00007f2e90003750] main audio filter debug: removing module "scaletempo" [00007f2e90007bd0] main audio converter debug: removing module "audio_format" [00007f2e90002a50] main volume debug: removing module "integer_mixer" [0000000001588c30] main playlist debug: keeping audio output [00007f2e98000f00] main demux debug: removing module "live555" Sending request: TEARDOWN rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/ RTSP/1.0 CSeq: 8 Authorization: Digest username="aiphone", realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw", uri="rtsp://192.168.1.12:554/udp/unicast/aiphone_H264/", response="010951d6e195684b96a0b7e8568e8975" User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28) Session: 0063c628

[00007f2e940009e0] main input debug: Program doesn't contain anymore ES [0000000001588c30] main playlist debug: dead input [0000000001588c30] main playlist debug: nothing to play [00007f2e8408dfc0] main video output debug: destroying useless vout [00000000015c91f0] qt interface debug: IM: Deleting the input [00007f2e740268b0] main blend debug: removing module "blend" [00007f2e74009770] main filter debug: removing module "swscale" [00007f2e7401df20] main vout display debug: Filter 0x7f2e74009770 removed from chain [00007f2e7401df20] main vout display debug: removing module "xcb_x11" [00007f2e840e9dd0] dbus_screensaver inhibit debug: got cookie 1289838957 [00007f2e840e9dd0] main inhibit debug: removing module "dbus_screensaver" [00007f2e840e9c80] qt window debug: releasing video... [00000000015b3400] pulse audio output debug: changing sink 0: alsa_output.pci-0000_00_1f.3.analog-stereo (Built-in Audio Analog Stereo) [00000000015c91f0] qt interface debug: Video is not needed anymore [00007f2e84091830] main spu text debug: removing module "freetype" [00007f2e840e3230] main scale debug: removing module "yuvp" [00007f2e840be010] main scale debug: removing module "swscale" [00000000015b3400] main audio output debug: removing module "pulse" [00000000015c91f0] qt interface debug: requesting exit... [00000000015c91f0] qt interface debug: waiting for UI thread... [00000000015c91f0] qt interface debug: QApp exec() finished [00000000015c91f0] qt interface debug: Video is not needed anymore [00000000015c91f0] qt interface debug: Killing extension dialog provider [00000000015c91f0] qt interface debug: ExtensionsDialogProvider is quitting... [00007f2ea88f0060] main generic debug: removing module "lua" [00000000015c80a0] main interface debug: removing module "xcb_hotkeys" [00000000015c75a0] main interface debug: removing module "hotkeys" [00000000015bf150] main interface debug: removing module "dbus" [0000000001588c30] main playlist debug: destroying [00000000015c4660] main playlist export debug: saving media library to file /home/mhubbard/snap/vlc/770/.local/share/vlc/ml.xspf.tmp13754 [00000000015c4660] main playlist export debug: looking for playlist export module matching "export-xspf": 4 candidates [00000000015c4660] main playlist export debug: using playlist export module "export" [00000000015c4660] main playlist export debug: removing module "export" [0000000001588c30] main playlist debug: deleting item Media Library' [0000000001588c30] main playlist debug: deleting itemrtsp://192.168.1.12:554/udp/unicast/aiphone_H264' [0000000001588c30] main playlist debug: deleting item `Playlist' [00000000014f4890] main keystore debug: removing module "memory" QObject::~QObject: Timers cannot be stopped from another thread

Ullaakut commented 5 years ago

Hi @rikosintie! 👋

Ah awesome, thanks, those logs perfectly highlight the issue. Let's go through those few lines:

Sending request: OPTIONS rtsp://192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 2
User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28)

Received 158 new bytes of response data.
Received a complete OPTIONS response:
RTSP/1.0 401 Unauthorized
Server: Linux/2.6.32.17-davinci1 Ze-PRO
CSeq: 2
WWW-Authenticate: Digest realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw"

Resending...
Sending request: OPTIONS rtsp://192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 3
Authorization: Digest username="aiphone", realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw", uri="rtsp://192.168.1.12:554/udp/unicast/aiphone_H264", response="8ed3645f174378041778f209f95d45f9"
User-Agent: LibVLC/3.0.6 (LIVE555 Streaming Media v2016.11.28)

Received 134 new bytes of response data.
Received a complete OPTIONS response:
RTSP/1.0 200 OK
Server: Linux/2.6.32.17-davinci1 Ze-PRO
CSeq: 3
Public: DESCRIBE, SETUP, TEARDOWN, PLAY, OPTIONS, SET_PARAMETER

As you can see, VLC first tries to make a request without specifying the username and password you provided. This is because VLC doesn't know what authentication method to use (both basic and digest are supported by the RTSP protocol).

The server then answers WWW-Authenticate: Digest realm="Secret", nonce="MzM4OC4yMTAxOToxMjc5Njk4MDEw", letting VLC know that it should pass the credentials using digest access authentication, and giving it the nonce and realm values to specify.

VLC then properly adds the necessary authentication headers and gets a 200 OK.

Now the reason why this doesn't work in Cameradar is simply because Cameradar currently doesn't support digest authentication. As far as I know, most (I'm guessing at least 90%) IP cameras stream over RTSP servers using basic authentication.

However, those 10 other hypothetical percents fully deserve to be cameradared, so I'll update this issue to reflect the feature that's needed for this to work, and I'll get to implementing it as soon as I have some time!

Thanks again for opening this issue with so many helpful details and precision and for going through the trouble of troubleshooting with me, I hope I'll manage to fix this ASAP and that you'll enjoy using Cameradar. 🙂

Have a good day!

rikosintie commented 5 years ago

I'm so glad I found your project! I had never really used VLC before and I can see it's a very useful tool. The aiphone device is part of a door access control system my company just started selling - https://www.aiphone.com/home/products/ix-dv. It doesn't belong to me but I have if for another couple weeks for development and testing.

I can run any tests you need or help any way I can, just let me know.

Thanks again for your quick responses and education!

Ullaakut commented 5 years ago

Ha, funny story, I worked for a company manufacturing access control devices (among other things) too, when I developed Cameradar!

I'm getting started on the feature now, I'll let you know when a test branch is ready.

Ullaakut commented 5 years ago

The feature is done and working pretty well, and I also made a few other improvements along the way so I guess I'll make a new release with this feature as the main shiny new thing hehe.

Here's how it looks like when accessing a basic auth protected camera (emulated using RTSPAllTheThings:

Screenshot 2019-05-21 at 10 29 15 AM Screenshot 2019-05-21 at 10 38 38 AM

And with a camera with digest auth:

Screenshot 2019-05-21 at 10 29 33 AM Screenshot 2019-05-21 at 10 38 16 AM

As you can see, the authentication type is recognized automatically and it's also been added in the summary :)

You can try it out yourself right now by using cameradar by specifying the tag :digest-auth when running the command, like so docker run [...] ullaakut/cameradar:digest-auth [...] and let me know if it works for you!

Again, thanks for the issue, that was a fun one to work on 🙂

rikosintie commented 5 years ago

Etixlabs looks interesting!

I tried the new version after I got over the shock of how fast you implemented the digest authentication!

I think it worked, the results show the correct username, password, and route. It does have a red x and says streams couldn't be accessed

->docker run -t -v /home/mhubbard/Dropbox/03_Tools:/tmp/dictionaries ullaakut/cameradar:digest-auth -r "/tmp/dictionaries/rtsp.txt" -c "/tmp/dictionaries/my_credentials.json" -t 192.168.1.12 -l

< RTSP/1.0 401 Unauthorized < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 1 < WWW-Authenticate: Digest realm="Secret", nonce="ODk5NTYuMzk0Njg6NTE5OTUwOTgx" <

< RTSP/1.0 401 Unauthorized < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 1 < WWW-Authenticate: Digest realm="Secret", nonce="ODk5NTYuMzk4OTQ6MTU3MDU1ODI3Nw==" <

< RTSP/1.0 401 Unauthorized < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 1 < WWW-Authenticate: Digest realm="Secret", nonce="ODk5NTYuNDAzMjI6MzY3NDI1MzIw" <

< RTSP/1.0 403 Forbidden < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 2 <

< RTSP/1.0 401 Unauthorized < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 1 < WWW-Authenticate: Digest realm="Secret", nonce="ODk5NTYuNDE1NTk6MTQ0OTI5NTQzNQ==" <

< RTSP/1.0 403 Forbidden < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 2 <

< RTSP/1.0 401 Unauthorized < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 1 < WWW-Authenticate: Digest realm="Secret", nonce="ODk5NTYuNDI4MjA6MTQwNzQ4OTAwNA==" <

< RTSP/1.0 403 Forbidden < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 2 <

< RTSP/1.0 401 Unauthorized < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 1 < WWW-Authenticate: Digest realm="Secret", nonce="ODk5NTYuNDQwNDg6MTkyOTA4NjQ=" <

< RTSP/1.0 403 Forbidden < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 2 <

< RTSP/1.0 401 Unauthorized < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 1 < WWW-Authenticate: Digest realm="Secret", nonce="ODk5NTYuNDUyNzU6MTY2NTk0NzYxNQ==" <

< RTSP/1.0 200 OK < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 2 < Content-Length: 468 < Content-Type: application/sdp < Content-Base: rtsp://aiphone:aiphone@192.168.1.12:554/udp/unicast/aiphone_H264/ < v=0 o=NetworkCameraOnvif 2209078756 1982493151 IN IP4 0.0.0.0 s=MediaSession t=0 0 a=control:* a=range:npt=0- c=IN IP4 0.0.0.0 m=video 0 RTP/AVP 96 a=rtpmap:96 H264/90000 a=control:trackID=video a=cliprect:0,0,720,1280 a=framesize:96 1280-720 a=framerate:10 a=fmtp:96 profile-level-id=4d001f;packetization-mode=1;sprop-parameter-sets=Z00AH9oBQBbsBVIAAAMABAAAAwB4wIAA+gAAAwEZQF73wvCIRqA=,aO48gA== m=audio 0 RTP/AVP 0 a=control:trackID=audio a=recvonly

< RTSP/1.0 403 Forbidden < Server: Linux/2.6.32.17-davinci1 Ze-PRO < CSeq: 2 <

✖ Streams were found but none were accessed. They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the cameras.

Ullaakut commented 5 years ago

Mh, that's interesting 🤔 I'm not able to reproduce this and the RTSP protocol's RFC stipulates that a SETUP request's only responses should be:

But it also specifies the following paragraph:

Persistently suspicious behavior: RTSP servers SHOULD return error code 403 (Forbidden) upon receiving a single instance of behavior which is deemed a security risk. RTSP servers SHOULD also be aware of attempts to probe the server for weaknesses and entry points and MAY arbitrarily disconnect and ignore further requests clients which are deemed to be in violation of local security policy.

So my guess is that due to the many requests that Cameradar sent before, it blocks the SETUP request (which makes the camera launch a stream if it's not already consumed). Which is kind of weird because I've never seen a camera's RTSP framework implement this part of the RFC before, and if there was suspicious behavior to block, I guess it should be blocking the attempts at credentials dictionary attacks instead 😅

Also I will add the default credentials and route for aiphone cameras to the default list of credentials, didn't know about them before :)

Thanks for the issue and I'll keep you updated if I find a solution to this mysterious behavior.

See you around!

rikosintie commented 5 years ago

Thanks for the update! I am beginning to think that Aiphone is a cut above on security as I have run a lot of directory traversal and other common pen test tools and nothing much to report. Tonight I will create a credentials.json file with just aiphone and a route file with just the correct one and see what happens.

If you need anything more from me just let me know.

rikosintie commented 5 years ago

We have some Hanwha iPolis cameras also. They used to be called Samsung. I ran Cameradar with and without the digest. The Hanwha's needed the digest auth also.

docker run -t -v /home/mhubbard/Dropbox/03_Tools:/tmp/dictionaries ullaakut/cameradar -r "/tmp/dictionaries/rtsp.txt" -c "/tmp/dictionaries/my_credentials.json" -t 10.132.250.29 -l

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:10 GMT < Expires: Thu, 23 May 2019 02:55:10 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="2CB39FCBBE5843DA3430129B4EA1414C" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:10 GMT < Expires: Thu, 23 May 2019 02:55:10 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="0C30BE908BBAA58D2339B10DD8D36154" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:10 GMT < Expires: Thu, 23 May 2019 02:55:10 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="1D4B229F0F9D5122C3C586986478A8CA" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="872E3E49FEF01BEB37EF98DA0BEC7582" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="824543F097C5DEE5033B36E729B0631D" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="A08CD6152BF1801CB152A68895A06023" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="38F489B153A7327B3D503CBA0C0044FD" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="C5F18D798F423EB35B69D803D1B5181A" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="5F7F22EEE67310E2DF563D033CDD0173" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="5EFFEDAFB13FD8F0CBB8DA4DF9F24B12" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="9C62DB32146A3A3345A8F2CA401BD3C4" <

< RTSP/1.0 459 Aggregate operation not allowed < CSeq: 0 < Date: Thu, 23 May 2019 02:55:11 GMT < Expires: Thu, 23 May 2019 02:55:11 GMT < Cache-Control: must-revalidate <

✖ Streams were found but none were accessed. They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the cameras.


->docker run -t -v /home/mhubbard/Dropbox/03_Tools:/tmp/dictionaries ullaakut/cameradar:digest-auth -r "/tmp/dictionaries/rtsp.txt" -c "/tmp/dictionaries/my_credentials.json" -t 10.132.250.29 -l

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:00 GMT < Expires: Thu, 23 May 2019 02:57:00 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="C07A627722612980E92775A23258566C" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:00 GMT < Expires: Thu, 23 May 2019 02:57:00 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="9E4A8E21B02C4F336D1DC54461EE0588" <

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:00 GMT < Expires: Thu, 23 May 2019 02:57:00 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="BA2BBD4E602A4CD5E08ACC0896D1234E" <

< RTSP/1.0 401 Unauthorized < CSeq: 2 < Date: Thu, 23 May 2019 02:57:00 GMT < Expires: Thu, 23 May 2019 02:57:00 GMT < Cache-Control: must-revalidate

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:00 GMT < Expires: Thu, 23 May 2019 02:57:00 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="AA498D6516A134BFB8DA1AAC1DDD1C3C" <

< RTSP/1.0 401 Unauthorized < CSeq: 2 < Date: Thu, 23 May 2019 02:57:00 GMT < Expires: Thu, 23 May 2019 02:57:00 GMT < Cache-Control: must-revalidate

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="8BCCB3A21FEDA5B484062F43E4CB9C03" <

< RTSP/1.0 401 Unauthorized < CSeq: 2 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="17599541F45B1F2F3C4774AE13CAA2DA" <

< RTSP/1.0 401 Unauthorized < CSeq: 2 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="48D67F2B41AAF4EE77BF8A60895D276D" <

< RTSP/1.0 401 Unauthorized < CSeq: 2 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="AB017E962F8421EA8420A40AF33101B7" <

< RTSP/1.0 401 Unauthorized < CSeq: 2 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="3E6D6092539213F251271B0E14136E17" <

< RTSP/1.0 401 Unauthorized < CSeq: 2 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="F5ADB0FDA2C93CACBB5145E296AC801D" <

< RTSP/1.0 401 Unauthorized < CSeq: 2 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate

< RTSP/1.0 401 Unauthorized < CSeq: 1 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate < WWW-Authenticate: Digest realm="iPOLiS", nonce="F88391474D3051542646F47D2EC0CF87" <

< RTSP/1.0 200 OK < CSeq: 2 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate < Content-Base: rtsp://admin:SuperSecret@10.132.250.29:554/profile2/media.smp < Content-Type: application/sdp < Content-Length: 676 < x-Accept-Retransmit: our-retransmit < x-Accept-Dynamic-Rate: 1 < v=0 o=- 0 0 IN IP4 10.56.30.17 s=Media Presentation i=samsung c=IN IP4 0.0.0.0 b=AS:2632 t=0 0 a=control:rtsp://admin:SuperSecret@10.132.250.29:554/profile2/media.smp a=range:npt=now- m=video 40024 RTP/AVP 98 b=AS:2560 a=rtpmap:98 H264/90000 a=control:rtsp://admin:SuperSecret@10.132.250.29:554/profile2/media.smp/trackID=v a=cliprect:0,0,1080,1920 a=framesize:98 1920-1080 a=framerate:30.0 a=fmtp:98 packetization-mode=1;profile-level-id=640028;sprop-parameter-sets=Z2QAKKy0A8ARPyo=,aO4Bniw= m=application 40028 RTP/AVP 107 b=AS:8 a=rtpmap:107 vnd.onvif.metadata/90000 a=control:rtsp://admin:SuperSecret@10.132.250.29:554/profile2/media.smp/trackID=m a=recvonly

< RTSP/1.0 459 Aggregate operation not allowed < CSeq: 0 < Date: Thu, 23 May 2019 02:57:01 GMT < Expires: Thu, 23 May 2019 02:57:01 GMT < Cache-Control: must-revalidate <

✖ Streams were found but none were accessed. They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the cameras.

Ullaakut commented 5 years ago

Interesting indeed that they show the same behavior. If you want to secure your cameras, anyway, the only way is to change the credentials/ports.

Also you might want to try to run camerattack against your cameras if you want to check their resistance to thousands of requests per second :)

Ullaakut commented 5 years ago

Hey @rikosintie! Just a heads up that I put you in the Thanks section of the Cameradar v4 release, since the major feature is digest auth support. Let me know if you don't want to be included in the release notes 👍