ullaakut / cameradar Goto Github PK
View Code? Open in Web Editor NEWCameradar hacks its way into RTSP videosurveillance cameras
License: MIT License
Cameradar hacks its way into RTSP videosurveillance cameras
License: MIT License
Hello folks,
After following the steps, and installing all the dependencies I stayed in step 6
1- git clone https://github.com/EtixLabs/cameradar.git
2- cd cameradar
3- mkdir build
4- cd build
5- cmake ..
6- make
root@kali:~/Programas/cameradar/build# cmake ..
-- retrieve current git revision SHA1 of cameradar
-- current cameradar git revision SHA1 is b61fe521615d64e234e892b6e739ca965b470500
-- current cameradar build version will be 20170512004743
-- Configuring deps.jsoncpp
-- Configuring deps.mysqlconnector
-- Configuring done
-- Generating done
-- Build files have been written to: /root/Programas/cameradar/build
root@kali:~/Programas/cameradar/build# make
[ 18%] Built target deps.jsoncpp
[ 20%] Performing configure step for 'deps.mysql_connector'
CMake Error at /root/Programas/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure-.cmake:16 (message):
Command failed: 1
'/usr/bin/cmake' '-DBOOST_ROOT=/root/Programas/cameradar/deps/boost/src/deps.boost' '-DCMAKE_INSTALL_PREFIX=/root/Programas/cameradar/deps/mysql-connector' '-DBUILD_TYPE=Release' '-DMYSQL_CXXFLAGS=-fexceptions' '/root/Programas/cameradar/deps/mysql-connector/src/deps.mysql_connector'
See also
/root/Programas/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure-*.log
deps/CMakeFiles/deps.mysql_connector.dir/build.make:106: recipe for target '../deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure' failed
make[2]: *** [../deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure] Error 1
CMakeFiles/Makefile2:124: recipe for target 'deps/CMakeFiles/deps.mysql_connector.dir/all' failed
make[1]: *** [deps/CMakeFiles/deps.mysql_connector.dir/all] Error 2
Makefile:149: recipe for target 'all' failed
make: *** [all] Error 2
See the error:
root@kali:~/Programas/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp# cat deps.mysql_connector-configure-err.log
CMake Error at FindMySQL.cmake:556 (message):
Could not find "mysql.h" from searching "/usr/include/mysql
/usr/local/include/mysql /opt/mysql/mysql/include
/opt/mysql/mysql/include/mysql /usr/local/mysql/include
/usr/local/mysql/include/mysql /MySQL/*/include /MySQL/*/include"
Call Stack (most recent call first):
CMakeLists.txt:217 (INCLUDE)
Any ideia to fix the error?
Thanks in advance.
The tester did not catch it, but here is the problematic line : Unable to deserialize result file: invalid character '{' after array element
Currently if the program takes a long time to scan / attack cameras, the user has no clue that it's not stuck somewhere. It might be good to show a kind of spinner and a temporary log explaining what the program is currently doing.
(Maybe also a time estimation)
Right now the format outputed looks like :
[
{
"address" : "172.17.0.4",
"ids_found" : true,
"password" : "root",
"path_found" : true,
"port" : 8554,
"product" : "GStreamer rtspd",
"protocol" : "tcp",
"route" : "/live.sdp",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/172.17.0.4/1479896397.jpg",
"username" : "root"
}
,{
"address" : "172.17.0.5",
"ids_found" : true,
"password" : "ubnt",
"path_found" : true,
"port" : 8554,
"product" : "GStreamer rtspd",
"protocol" : "tcp",
"route" : "/cam",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/172.17.0.5/1479896397.jpg",
"username" : "Admin"
}
,{
"address" : "172.17.0.6",
"ids_found" : true,
"password" : "",
"path_found" : true,
"port" : 8554,
"product" : "GStreamer rtspd",
"protocol" : "tcp",
"route" : "/live_mpeg4.sdp",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/172.17.0.6/1479896397.jpg",
"username" : ""
}
,{
"address" : "172.17.0.7",
"ids_found" : true,
"password" : "ubnt",
"path_found" : true,
"port" : 8554,
"product" : "GStreamer rtspd",
"protocol" : "tcp",
"route" : "/cam",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/172.17.0.7/1479896397.jpg",
"username" : "Admin"
}
]
And it would be better to make it be
[
{
"address" : "172.17.0.4",
"ids_found" : true,
"password" : "root",
"path_found" : true,
"port" : 8554,
"product" : "GStreamer rtspd",
"protocol" : "tcp",
"route" : "/live.sdp",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/172.17.0.4/1479896397.jpg",
"username" : "root"
},
{
"address" : "172.17.0.5",
"ids_found" : true,
"password" : "ubnt",
"path_found" : true,
"port" : 8554,
"product" : "GStreamer rtspd",
"protocol" : "tcp",
"route" : "/cam",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/172.17.0.5/1479896397.jpg",
"username" : "Admin"
},
{
"address" : "172.17.0.6",
"ids_found" : true,
"password" : "",
"path_found" : true,
"port" : 8554,
"product" : "GStreamer rtspd",
"protocol" : "tcp",
"route" : "/live_mpeg4.sdp",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/172.17.0.6/1479896397.jpg",
"username" : ""
},
{
"address" : "172.17.0.7",
"ids_found" : true,
"password" : "ubnt",
"path_found" : true,
"port" : 8554,
"product" : "GStreamer rtspd",
"protocol" : "tcp",
"route" : "/cam",
"service_name" : "rtsp",
"state" : "open",
"thumbnail_path" : "/tmp/172.17.0.7/1479896397.jpg",
"username" : "Admin"
}
]
There must be a problem with nmap 7.4.0
, as specifying multiple targets works on my machine but not in Docker.
So far I found a few I can add :
/video.h264
/11
/12
/ch1-s1
/live3.sdp
/onvif-media/media.amp
/axis-media/media.amp
/axis-media/media.amp?videocodec=h264
/mpeg4/media.amp
/stream
/cam/realmonitor
/live
/video.pro2
/videoMain
/VideoInput/1/mpeg4/1
/VideoInput/1/h264/1
/video.pro3
/video.pro1
/video.mjpg
/h264_vga.sdp
/media.amp
/media
/ONVIF/MediaInput
/nphMpeg4/g726-640x48
/MediaInput/mpeg4
/MediaInput/h264
/Streaming/Channels/1
/ch0_0.h264
/rtsph2641080p
/live/av0
/cam1/onvif-h264
/ucast/11
/LowResolutionVideo
/1
/live/ch00_0
/medias2
I will add more to this list as I find more of them and when I think it is complete enough, I will create a PR for it.
Points to the old CONTRIBUTION.md
instead.
Either register to the proxy's registry if it uses one (would need to have a mac address and an IP address matching the pattern set in the proxy configuration) or find exploits that could be used.
The main purpose of making Cameradar a library is to make it usable by as many people as possible. Releasing a binary under Linux is not a problem since we can use Docker, but for a library, it's very important to ensure MultiOS compatibility and to maintain it at all times.
When the Cameradar library is ready, in order to keep a simple standalone application, it is important to maintain the functions of Cameradar 1.1.4 through the Cameraccess binary.
The first step will be to have a prototype, able to use the Cameradar library to discover cameras and dictionary attack them. No need to generate thumbnails or check if they are valid for GStreamer, except if it's requested by our users.
The call to the binary should be identical to the way Cameradar 1.1.4 was called :
$> cameraccess [-c /path/to/conf] [-l log_level] [-s subnets] [-p ports] [-m max_threads] [-v] [-h]
Upon success, the Cameraccess prototype should output its results in a JSON file (See #54 for the output file name).
I never did this before so the first step will be to answer those questions :
System call of nmap with the required arguments followed by the use of the https://github.com/lair-framework/go-nmap library to parse the XML result.
Are default dictionnaries a good idea?
We need a loadCustomDictionnary() function.
For now my opinion is that it should not. The library should just be in charge of discovering and accessing the streams. A simplified use I imagine would be :
import cameradar "github.com/EtixLabs/cameradar"
func main() {
c := new(cameradar);
c.loadCustomURLDictionary("/path/to/url/dict");
c.loadCustomIDDictionary("/path/to/ids/dict");
err := c.scan("192.168.100.0/24", "554")
if err != nil {
os.exit(1);
}
err = c.access()
if err != nil {
os.exit(1);
}
for stream := range c.getValidStreams() {
fmt.Println(stream.getIP(), " accessible at URL ", stream.getURL())
}
}
Which would ideally produce the following output :
192.168.100.10 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.11 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.12 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.13 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.14 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.15 accessible at URL rtsp://root:[email protected]/live.sdp:554
If we need more functionalities, we would then simply use the getter methods to retrieve the URL and open it with FFMPEG to generate a thumbnail. The same goes for the stream checking and the generation of output files.
For now I think we would only need libcurl, and even better is that it can be configured to be built stripped of useless parts of the library, which would make it less than 300ko.
Here is what I consider mandatory for the 2.0.0 :
Right now the code is not unit tested at all, and it could be very good to have more than just functional end-to-end testing.
For someone who wants a database to keep and access the data, MySQL can be overkill, which is why SQLite seems like a neat easy solution for a simple persistent cache-manager.
Discover
commentCheck https://godoc.org/github.com/fluhus/godoc-tricks#example-Examples
Hello,
Here you can find an nmap script that can be used to find the url of RTSP streams https://nmap.org/nsedoc/scripts/rtsp-url-brute.html
It also uses a dictionary and from my quick tests, it's way faster than the actual cameradar.
.h
files are never used even if they areThe C++ warnings are weird and I don't really get why they happen. I decided to ignore them, because the functions are obviously used. The Golang warnings however will be fixed in a PR very soon.
What we do is actually not bruteforce.
Codacy or CodeClimate should do the trick.
There seems to be a cppcheck engine for CodeClimate.
Maybe the mapping can be improved with a different nmap command, or by changing dynamically the order of the dictionary using the bruteforcing results, or maybe you even have other ideas to improve the speed!
Any improvement would be very appreciated!
The tests are not working anymore because the architecture of the project changed and they have not been updated since.
Add a -o
option such as ./cameraccess -o test
outputs the results in the test file instead of the standard result.json
. The default value of the output should be cameradar_results.json
instead of the current result.json
.
A result
table could be confusing in a bigger database. Renaming it to cameradar_results
will be more appropriate and avoid eventual confusion.
It seems that libcurl uses some global variables and that using it in different threads can lead to unexpected results.
I'll be investigating this further this week.
Right now the image is 374MB, it would be very cool to make it lighter to make its use easier
CMake Error at /home/lionsec/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure.cmake:16 (message):
Command failed: 1
'/usr/bin/cmake' '-DBOOST_ROOT=/home/lionsec/cameradar/deps/boost/src/deps.boost' '-DCMAKE_INSTALL_PREFIX=/home/lionsec/cameradar/deps/mysql-connector' '-DBUILD_TYPE=Release' '-DMYSQL_CXXFLAGS=-fexceptions' '/home/lionsec/cameradar/deps/mysql-connector/src/deps.mysql_connector'
See also
/home/lionsec/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure-*.log
deps/CMakeFiles/deps.mysql_connector.dir/build.make:103: recipe for target '../deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure' failed
make[2]: *** [../deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure] Error 1
CMakeFiles/Makefile2:112: recipe for target 'deps/CMakeFiles/deps.mysql_connector.dir/all' failed
make[1]: *** [deps/CMakeFiles/deps.mysql_connector.dir/all] Error 2
Makefile:136: recipe for target 'all' failed
make: *** [all] Error 2
KO!
any idea how to fix this
Comelit cameras don't seem to respect the RTSP RFC.
Developing a different algorithm and adding a long option like --comelit
could be a nice improvement.
Legends say that they answer with 451 Parameter Not Understood instead of 200 OK when the ids and url are the good ones, but that they also can have some random behaviour sometimes.
Hello,
Setting the tested subnets and ports in the configuration file might be nice when you want to repeat the same process several time, but is not ideal when you are trying around to find something incrementally.
It might be nice to have some options that would override the config file.
Here is the full story about this quick&dirty fix
that I used to get Travis to test Cameradar.
First, I use cmake3.5.1 on my system and it works flawlessly. Travis uses the 2.8 by default but I managed to find a PPA giving me the 3.2.3 version. However, even though the 3.5 and the 3.2 do not have relevant differences concerning the install
method, it seems that on my system CPack manages to find the external shared libraries after their installation, while Travis does not.
I really tried lots of different manipulations, I've read all the documentation concerning file
and install
in CMake, and I still have no clue to why they're not found. When looking for them in the system, they are properly generated and in the right place, but they are simply not added to the tarball at the end.
It results in Docker failing to create the image.
To fix this temporarily, I manually unzip the tarball, copy the shared libraries using a global expression, and zip the tarball again with the added libs. It does the trick, but the paths to the libraries is written directly in the .travis.yml
file, which is disgusting.
I will keep looking for the reason of this problem later!
If you have an idea of where it could come from, you're free to look at the logs of the 30 first builds of Cameradar on Travis, here : https://travis-ci.org/EtixLabs/cameradar/builds and to answer to this issue.
Three new URLs will be added to the base dictionary
/rtsp_live0
/rtsp_live1
/rtsp_live2
And I need to add some contribution documentation to list contributors and give guidelines for those who want to help.
Unable to deserialize result file: invalid character '{' after array element
Test OK in 185.780285s
All tests completed
--- Writing results... ---
Unable to deserialize test-results.xml file: EOF
--- Test summary ---
Results: 5/5 (100%)
Time: 185.780285s
-> JUnit XML report written: test-results.xml
--- Writing results done ---
Tests exited with code 0
<testsuites>
<testsuite tests="5" failures="5" time="185.780285">
<testcase message="" time="185.780285"></testcase>
<testcase message="" time="185.780285"></testcase>
<testcase message="" time="185.780285"></testcase>
<testcase message="" time="185.780285"></testcase>
<testcase message="" time="185.780285"></testcase>
</testsuite>
</testsuites>stopping all cameras tests
stopping and removing 5 containers
Tests returned 0
There are several problems here :
5/5 (100%)
Being able to feed in a list of IP addresses would be potentially a useful feature, for example, for where one does a "pre-scan" of a range for the open RSTP ports using something like zmap or masscan, prior to passing to this tool.
I don't know if it would be easy to do with Cameradar considering the network aspect, but it would be super cool to give users a chance to try it in their browser and play with it as they want.
-fsanitize=undefined
-fstack-protector-strong
Those flags will detect when the code does undefined behaviour, and is sufficiently lightweight to always ship releases with this permanently turned on.
CES became RTSPATT. The new version is way cooler and can be used with a docker image, which would avoid the ugly binary in the repo.
Right now it only tests the build
The go code in it was a quick copy paste of another tool that was not very clean in the first place, and it was my first use of Golang ever, which is one of the reasons why it's so unclean at the moment. It would very much need to be done in a more elegant way.
I will do a few changes right now but I don't have the time to change all of it for now.
It's currently called CONTRIBUTION.md
, and I just learned that calling it CONTRIBUTNG.md
integrates it in GitHub issue / PR interface.
Right now the Cameradar output is always in a JSON file, it would be cool to have a command-line argument to export in an Excel file or even other formats.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.