Ullaakut / cameradar

Cameradar hacks its way into RTSP videosurveillance cameras
MIT License

Brute force on found streams #263

Open analyserdmz opened 4 years ago

analyserdmz commented 4 years ago

Just a thought, as an enhancement. It would be super useful when a stream is found and successfully accessed, to automatically brute force channel IDs for other streams on the same IP.

For example, the stream URL rtsp://666666:666666@192.168.1.5:554/cam/realmonitor could be brute forced like this: cam/realmonitor?channel=1 and cam/realmonitor?channel=2 etc. until all available streams are exposed.

Another example, the URL rtsp://admin:111111@192.168.1.5:554/StreamingSetting?version=1.0&action=getRTSPStream&ChannelID=1&ChannelName=Channel1 and its ChannelID parameter could be brute forced as well.

Unfortunately it's hard for me to contribute practically but in theory, this could be done with routes that have "brute force positions". For example ChannelID={} instead of ChannelID=1.

Do you think it's useful?

Ullaakut commented 4 years ago

Hi @analyserdmz !

That's a great suggestion, and shouldn't be too difficult to implement :) I'd have it optionally enabled though, as most users mainly want to know the user/password and can usually use those to find all of the routes through the admin panel of the camera using the credentials.

I'll take a look into this today actually, but I don't have any cameras with multiple concurrent routes at home at the moment, so it might not be easy to test it out and I might need some help. If I were to make a prototype with this feature, would you be able to test it out on your own cameras? :)

analyserdmz commented 4 years ago

> Hi @analyserdmz !
>
> That's a great suggestion, and shouldn't be too difficult to implement :) I'd have it optionally enabled though, as most users mainly want to know the user/password and can usually use those to find all of the routes through the admin panel of the camera using the credentials.
>
> I'll take a look into this today actually, but I don't have any cameras with multiple concurrent routes at home at the moment, so it might not be easy to test it out and I might need some help. If I were to make a prototype with this feature, would you be able to test it out on your own cameras? :)

Are you kidding me? Count me in!!! hehe! Just a suggestion. When a stream is found, the rest of the channels should be brute forced just with found credentials. No need to try the whole list of user/pass combinations for each channel! ;)

Ullaakut commented 4 years ago

Of course :)

In the meantime I released the v5 of Cameradar with a similar feature, which is that Cameradar no longer stops after finding one route, it tries all of the routes from the dictionary.

This makes your suggestion even more convenient to implement, as we now just need to be able to identify the routes that are incremental (channel1 for example, where we can try channel2 if channel1 is successful), and continue to increment the number until the server responds negatively.

I'll let you know when a proof of concept is ready for testing, thanks again! :)))

analyserdmz commented 4 years ago

That may help on future routes updates ;)

Ullaakut commented 4 years ago

Goddamn, if I had known they had an XML file containing all of the sources, haha. I've been scraping their website to build my dictionaries the whole time for nothing :p Thanks for the tip!

analyserdmz commented 4 years ago

The problem is the user/pass lists, which do require scraping... unfortunately. But having all of these routes in one place helps in automating the process of "what credentials am I looking for, to add them to my list".

If this project was written in Python I could actively help but... I can't even code a "hello world" in Go haha
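
From the defender's side, the incrementing probe discussed in this thread leaves a recognisable trace in RTSP access logs: one client walking consecutive channel numbers on the same route until the server answers negatively. The sketch below is an added example, not part of the thread or of Cameradar's code; the log format, the client addresses and the `min_run` threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format (hypothetical): "<time> <client> <method> <url> <status>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (rtsp://\S+) (\d{3})$")
# Numeric channel values such as channel=2, ChannelID=3 or Channel4
CHANNEL = re.compile(r"(?i)(channel(?:id)?=?)(\d+)")

# Constructed sample: 10.0.0.7 walks channels 1..5, 10.0.0.20 is a recorder
SAMPLE_LOG = """\
12:00:01 10.0.0.20 DESCRIBE rtsp://192.168.1.5:554/cam/realmonitor?channel=1 200
12:00:02 10.0.0.7 DESCRIBE rtsp://192.168.1.5:554/cam/realmonitor?channel=1 200
12:00:02 10.0.0.7 DESCRIBE rtsp://192.168.1.5:554/cam/realmonitor?channel=2 200
12:00:03 10.0.0.7 DESCRIBE rtsp://192.168.1.5:554/cam/realmonitor?channel=3 200
12:00:03 10.0.0.7 DESCRIBE rtsp://192.168.1.5:554/cam/realmonitor?channel=4 200
12:00:04 10.0.0.7 DESCRIBE rtsp://192.168.1.5:554/cam/realmonitor?channel=5 404
12:05:00 10.0.0.20 DESCRIBE rtsp://192.168.1.5:554/cam/realmonitor?channel=1 200
12:05:01 10.0.0.20 DESCRIBE rtsp://192.168.1.5:554/cam/realmonitor?channel=2 200
"""

def to_template(url):
    """Replace channel numbers with {} and return (template, first channel)."""
    found = CHANNEL.findall(url)
    if not found:
        return url, None
    return CHANNEL.sub(r"\g<1>{}", url), int(found[0][1])

def longest_run(nums):
    """Longest run of consecutive integers in a sorted list."""
    best, cur = [], []
    for n in nums:
        cur = cur + [n] if cur and n == cur[-1] + 1 else [n]
        if len(cur) > len(best):
            best = cur
    return best

def find_channel_sweeps(log_text, min_run=3):
    """Flag clients that requested >= min_run consecutive channels on one route."""
    seen = defaultdict(set)  # (client, route template) -> channels requested
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        template, channel = to_template(m.group(4))
        if channel is not None:
            seen[(m.group(2), template)].add(channel)
    alerts = []
    for (client, template), chans in sorted(seen.items()):
        run = longest_run(sorted(chans))
        if len(run) >= min_run:
            alerts.append((client, template, run))
    return alerts
```

A recorder that legitimately pulls several channels will also match, so in practice known recorder addresses would be allow-listed and `min_run` tuned to the number of channels the camera really has.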