search

Ullaakut / cameradar

Cameradar hacks its way into RTSP videosurveillance cameras
MIT License
4.09k stars 517 forks source link

Perform failed for <rtsp url here> curl: Timeout was reached #275

Closed aldabrada closed 2 years ago

aldabrada commented 3 years ago

Context

Please select one:

Please select one:

Environment

My operating system:

OS version: Linux ubuntu 5.4.0-40-generic #44-Ubuntu SMP Tue Jun 23 00:01:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux OS architecture:

Issue

Getting Timeout was reached and only the first username:password combination is used - moreover I see that it's saying that "This camera does not require authentication" even if it clearly does

What was expected

Find or at least try all the routes and user:pass combination on that IP not only the first 2 occurrences (joe for the user and firstpass for the password). Also, even if I manually added some cutom routes in the /tmp/routes.json file I don't see anything that resembles what I have on the first line of this file (/tmp/routes.json) which is "/hlbenefits"

What happened

I guess the issue was because of the timeout and even when tried to increase the timeout to -T 100000ms the issue still persisted

Logs

If your issue is with Cameradar's binary or docker image, please run it with -v to print verbose logs, and paste them here:

root@ubuntu:~# docker run -t -v /tmp:/tmp ullaakut/cameradar -c "/tmp/mycredentials.json" -r /tmp/routes.json -t 192.168.1.52 -T 10000ms -d
Loading credentials...ok
  > Loading credentials dictionary from path "/tmp/mycredentials.json"
  > Loaded 15 usernames and 39 passwords
Loading routes...ok
  > Loading routes dictionary from path "/tmp/routes.json"
  > Loaded 195 routes
Scanning the network...ok
  > Found 1 RTSP streams
Attacking routes of 1 streams...ok
  > DESCRIBE rtsp://:@192.168.1.52:554//0x8b6c42 RTSP/1.0 > 200
Attempting to detect authentication methods of 1 streams...ok
  > DESCRIBE rtsp://192.168.1.52:554// RTSP/1.0 > 0
  > Stream rtsp://:@192.168.1.52:554// uses no authentication method
Attacking credentials of 1 streams...ok
  > DESCRIBE rtsp://joe:firstpass@192.168.1.52:554// RTSP/1.0 > 200
Validating that streams are accessible...ok
  > Perform failed for "rtsp://joe:firstpass@192.168.1.52:554//" (auth 0): curl: Timeout was reached
Second round of attacks...ok
  > DESCRIBE rtsp://joe:firstpass@192.168.1.52:554//0x8b6c42 RTSP/1.0 > 200
Validating that streams are accessible...ok
  > Perform failed for "rtsp://joe:firstpass@192.168.1.52:554//" (auth 0): curl: Timeout was reached
βœ–   Admin panel URL:    http://192.168.1.52/ You can use this URL to try attacking the camera's admin panel instead.
    Available:      βœ–
    Device model:       H264DVR rtspd

    IP address:     192.168.1.52
    RTSP port:      554
    This camera does not require authentication
    Username:       joe
    Password:       firstpass
    RTSP routes:
                //
                //

βœ– Streams were found but none were accessed. They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the cameras.
Ullaakut commented 3 years ago

Hi @aldabrada! Thanks for reporting this issue. This is strange indeed. It might be related to the use of custom credentials, but I'm not sure. I'll have to give it a look when I have some time. Also from your logs, it seems like it considered that the streams were accessible despite getting a timeout.

I think the timeout issue comes from trying to reach the camera at // and might be related to the camera's firmware, but I'd need to confirm it by testing on my own.

I'll let you know as soon as I know more :) Thanks again!

Ullaakut commented 3 years ago

I have not been able to reproduce this issue on my end. I suspect that this is specific to the camera that you were using. Have you been able to reproduce this issue with other cameras? What model of camera are you using, if you don't mind me asking?

Thanks

DMLON commented 2 years ago

Hello! Having the exact same issue, i already have the user and password combination, only need to try all the routes. I think the camera is kinda unstable, tried setting timeout to 100 seconds and got the same result.

In my case i'm using a Gadnic CM200W camera, seems to have chinese firmware and i'm unable to connect via RTSP. NMAP reports it as AltoBeam

Ullaakut commented 2 years ago

Hi @DMLON !

Could you share your logs in verbose mode? Do you use docker or a manually built binary? What OS do you use?

DMLON commented 2 years ago

I think it was an issue with the camera's firmware, after upgrading it i was able to run the script correctly!

For future cases, i had a camera that the only way of seeing the stream was using internet explorer running an ActiveX plugin called NETSurveillance. I could see the stream with chrome with IE Tab. After the upgrade, chrome was able to see the stream without that plugin and the RTSP stream worked like a charm!

Sorry i don't have the logs anymore, running the script after the firmware upgrade passes all tasks. I was using docker with the already built image on Ubuntu 20.04

Ullaakut commented 2 years ago

Thanks @DMLON ! That's alright, it's also what I suspected:

I think the timeout issue comes from trying to reach the camera at // and might be related to the camera's firmware, but I'd need to confirm it by testing on my own.

I guess this solves the mystery :) Hopefully future users that encounter this issue will be able to solve their issue thanks to you !

Have a nice day πŸ˜„