Camera not requiring authentication message about cameradar HOT 16 CLOSED

When I use the -v option I get this output :
sudo docker run ullaakut/cameradar:latest -p 554,8554 -t My Target IP -v -T 10000ms
Loading credentials...ok
Loading routes...ok
Scanning the network...ok
Attacking routes of 1 streams...* Expire in 0 ms for 6 (transfer 0x7fad68da9190)

• Expire in 10000 ms for 8 (transfer 0x7fad68da9190)
• Trying My Target IP...
• TCP_NODELAY set
• Expire in 200 ms for 4 (transfer 0x7fad68da9190)
• Connected to My Target IP (My Target IP) port 554 (#0)
  > DESCRIBE rtsp://:@my Target IP:554//0x8b6c42 RTSP/1.0
  CSeq: 1
  Accept: application/sdp

< RTSP/1.0 200 OK
< Server: H264DVR 1.0
< Cseq: 1
< WWW-Authenticate: Digest realm="23daeb6cb133f8d9", nonce="mNiB804d6UK398ir8OyLnag
<

• Connection #0 to host My Target IP left intact
• Expire in 0 ms for 6 (transfer 0x7fad68d98200)
• Expire in 10000 ms for 8 (transfer 0x7fad68d98200)
• Trying My Target IP...
• TCP_NODELAY set
  ok
  Attempting to detect authentication methods of 1 streams...* Expire in 200 ms for 4 (transfer 0x7fad68d98200)
• Connected to My Target IP (My Target IP) port 554 (#0)
  > DESCRIBE rtsp://My Target IP:554// RTSP/1.0
  CSeq: 1
  Accept: application/sdp

ok
Attacking credentials of 1 streams...< RTSP/1.0 200 OK
< Server: H264DVR 1.0
< Cseq: 1
< WWW-Authenticate: Digest realm="23daeb6cb133f8d9", nonce="mNiB804d6UK398ir8OyLnag
<

• Connection #0 to host My Target IP left intact
• Expire in 0 ms for 6 (transfer 0x7fad68d4a240)
• Expire in 10000 ms for 8 (transfer 0x7fad68d4a240)
• Trying My Target IP...
• TCP_NODELAY set
• Expire in 200 ms for 4 (transfer 0x7fad68d4a240)
• Connected to My Target IP (My Target IP) port 554 (#0)
  > DESCRIBE rtsp://:@my Target IP:554// RTSP/1.0
  CSeq: 1
  Accept: application/sdp

< RTSP/1.0 200 OK
< Server: H264DVR 1.0
< Cseq: 1
< WWW-Authenticate: Digest realm="23daeb6cb133f8d9", nonce="mNiB804d6UK398ir8OyLnag
<

• Connection #0 to host My Target IP left intact

• Expire in 0 ms for 6 (transfer 0x7fad68d33290)

• Expire in 10000 ms for 8 (transfer 0x7fad68d33290)
  ok
  Validating that streams are accessible...* Trying My Target IP...

• TCP_NODELAY set

• Expire in 200 ms for 4 (transfer 0x7fad68d33290)

• Connected to My Target IP (My Target IP) port 554 (#0)
  > SETUP rtsp://:@my Target IP:554// RTSP/1.0
  CSeq: 1
  Transport: RTP/AVP;unicast;client_port=33332-33333

• Operation timed out after 10000 milliseconds with 0 bytes received

• The CSeq of this request 1 did not match the response 0

• Closing connection 0
  ok
  Second round of attacks... > Perform failed for "rtsp://:@my Target IP:554//" (auth 0): curl: Timeout was reached

• Expire in 0 ms for 6 (transfer 0x7fad68d312c0)

• Expire in 10000 ms for 8 (transfer 0x7fad68d312c0)

• Trying My Target IP...

• TCP_NODELAY set

• Expire in 200 ms for 4 (transfer 0x7fad68d312c0)

• Connected to My Target IP (My Target IP) port 554 (#0)
  > DESCRIBE rtsp://:@my Target IP:554//0x8b6c42 RTSP/1.0
  CSeq: 1
  Accept: application/sdp

< RTSP/1.0 200 OK
< Server: H264DVR 1.0
< Cseq: 1
< WWW-Authenticate: Digest realm="23daeb6cb133f8d9", nonce="z16aOT0l1bqr3rNgXEtQ42b
<

• Connection #0 to host My Target IP left intact
  ok
  Validating that streams are accessible...* Expire in 0 ms for 6 (transfer 0x7fad68d1aa90)

• Expire in 10000 ms for 8 (transfer 0x7fad68d1aa90)

• Trying My Target IP...

• TCP_NODELAY set

• Expire in 200 ms for 4 (transfer 0x7fad68d1aa90)

• Connected to My Target IP (My Target IP) port 554 (#0)
  > SETUP rtsp://:@my Target IP:554// RTSP/1.0
  CSeq: 1
  Transport: RTP/AVP;unicast;client_port=33332-33333

• Operation timed out after 10001 milliseconds with 0 bytes received

• The CSeq of this request 1 did not match the response 0

• Closing connection 0
  > Perform failed for "rtsp://:@my Target IP:554//" (auth 0): curl: Timeout was reached
  ok
  ✖ Admin panel URL: http://My Target IP/ You can use this URL to try attacking the camera's admin panel instead.
  Available: ✖
  Device model: H264DVR rtspd

    IP address:             My Target IP
    RTSP port:              554
    This camera does not require authentication
    Username:
    Password:
    RTSP routes:
                            //
                            //
  

✖ Streams were found but none were accessed. They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the camera

from cameradar.

Apparently the problem only occurs only when targeting a camera with Server: H264DVR 1.0. U tried it with other cameras and it works fine . Have you and idea how to access such a camera (h264 from vls)

from cameradar.

When Cameradar says the camera is accessible without authentication, it's because it's getting a 200 OK response without providing credentials.

If the actual stream is still protected but the DESCRIBE requests get answered with 200, the camera does not follow the RTSP protocol. Here since it's timing out when trying to send PERFORM requests, i'm pretty sure that is the issue. Unfortunately Cameradar follows that protocol so if cameras don't, there isn't much we can do.

I don't think it's a connection issue, since it answers immediately to some other requests.

Did you try accessing the stream yourself manually?

from cameradar.

Well the problem only occurs with cameras that use h264 server DVR. However the shodan for example seems to have screenshots of these cameras but when I try to access them with vlc using rtsp://camera_ip:port554 I get an error that it cannot connect and I don’t know why .

from cameradar.

Mhhh do you mean that you are trying to access the stream from the DVR? Or from the cameras that turn out to be using a DVR?
Do you know the model of the cameras?

from cameradar.

You can try to build a custom dictionary with some of the ones from this page https://camera-sdk.com/p_6678-how-to-connect-to-a-h-264-network-dvr-camera.html and see if that works. The timeout responses might be a way that the constructor uses to deter dictionary attacks though.

from cameradar.

No I just open vlc and select network stream option and I use the url: rtsp://ip:554. This works with other cameras that do not use this h264 DVR. .. How else would I have access to such a camera like shodan does if not with vlc? Do you have any idea ?

from cameradar.

But why can’t cameradar give me the correct url I must use ? I mean it detects that no authentication is required but how will it give me a way to access the camera ?

from cameradar.

And how does shown manages to take screenshots of such cameras ? It means that are are accessible with no credentials but I do not understand how to access them ( I mean their stream )

from cameradar.

Those cameras use port 554 so obviously they must use rtsp

from cameradar.

Those cameras use port 554 so obviously they must use rtsp

They use RTSP, but they don't follow the protocol correctly. A lot of cameras/DVRs use Chinese frameworks that don't always follow the specification. They might return the wrong code here and there, implement an endpoint differently, etc.

If you can't access it without credentials using VLC, then it's protected, but Cameradar can't figure out the password because the endpoint used for the dictionary attack (DISCOVER :/<stream_route> is not protected by credentials for this DVR.

Since it's unprotected, it makes Cameradar think that the camera is completely unprotected, but it's likely just their DISCOVER endpoint that is, because they don't follow the spec's recommendation:

Authorization R opt. all

As per page 44 of RFC 2326, ALL endpoints are supposed to require the Authorization header. It is optional to support Authorization, but if it is supported, it's supposed to affect all endpoints.

Unfortunately there's nothing Cameradar can do in this case.

from cameradar.

But I don’t really get how shodan have screenshots of those cameras ?? The stream must be somehow available .

from cameradar.

People might have bruteforced the password another way, using the list I sent you earlier. Or they might have used another protocol than RTSP, since DVRs usually also allow HTTP and expose a dashboard. The dashboard can also be bruteforced, but not with Cameradar.

from cameradar.

Yes but the dashboard would normally use the port 80 not 554. Also how exactly does shodwn work ? People just post photos if the manage to hack into the camera?

from cameradar.

Sorry but I won't do that.

1. I don't have the time to do research on this topic, I work on multiple projects in parallel and don't have much time to dedicate to open source anymore
2. It's illegal, and I don't condone of any use of Cameradar that isn't for penetration testing on hardware you own, or are authorized to access.

from cameradar.

Sorry but I won't do that.

1. I don't have the time to do research on this topic, I work on multiple projects in parallel and don't have much time to dedicate to open source anymore
2. It's illegal, and I don't condone of any use of Cameradar that isn't for penetration testing on hardware you own, or are authorized to access.

That’s unfortunate

from cameradar.