Open bugeja1989 opened 2 years ago
Hi @bugeja1989 !
Why do you need Cameradar to use masscan over nmap?
Nmap should be able to discover RTSP hosts with no problem, just as well as masscan.
The repository you linked is a heavily inspired implementation of masscan bindings based on my nmap package, which is fine but I don't see why using it would improve Cameradar.
Sure this would work 👍
Cameradar is not intended to be a tool used to discover exploitable IP cameras on the internet; it is intended to be a penetration testing tool, precisely aimed at small, specific targets.
There could be cases where masscan might be relevant, but they could easily tend towards the illegal, which is why I will not integrate masscan over nmap for Cameradar.
Unless you have another argument than scanning the whole internet, which is not the intended purpose of this tool, I do not think I'll change my mind 😄
@phr34k0 I'm curious about your use case then, because if it is a valid one I'd be willing to offer the choice between using masscan and nmap during the discovery phase in Cameradar.
How many subnetworks do you usually need to scan in parallel? Do you work for a company with thousands of active sites with CCTV coverage? Do you then usually know the exact IPs of the cameras, or at least the IP ranges at which they are available, or do you have to guess and scan the whole network?
If it's not the case with your clients/company, note that surveillance cameras should always be on a separate network, isolated from the rest of the infrastructure, for multiple reasons:
That said, I could see a case where if you work for a large company and they ask you for a threat assessment of all of their networks without telling you where exactly IP cameras might or might not be available, that could take considerable time with Cameradar. It seems to me like quite an edge-case though 😬
The thing is, it's going to get misused anyway 😄 I could see a valid case for having a private version of the repo with a masscan alternative, specifically accessible to people that I can be pretty sure will make good use of it though, if you are interested.
Disclaimer though, I do not have as much free time these days as I did when I wrote the tool so it could take some time.
Can you change or customise the use between masscan and nmap?
Something like: https://github.com/zan8in/masscan