RTSP/CCTV Hacking

Camera Logo

TLDR;

With Xmas just a few weeks away, we thought we would focus on some of the smart gadgets within the home. Whether it be a baby monitor, security system, pet monitor, or some new gagdet with a camera installed. You might already have some of these devices in your home, or you could have a device under and Xmas tree.

Today, we take a look at how easy it is to extract/view RTSP streams from electronic devices.

RTSP and VLC

RTSP

The Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between endpoints. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording).

https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol

VLC and RTP/RTSP

Its as easy as:

File
Open Network

When accessing RTSP streams in VLC you are often given a URL in the format of:

rtsp://«ip>:«port»/«stream»

rtsp://10.1.1.1/stream1

VLC is usually clever enough to figure out how to output the streaming data.

Seeking out RTSP

RTSP normally resides on the following TCP ports:

554
5554
8554

A simple portscan can reveal whether these ports are open and accessible.

Manually Confirming RTSP

A simple cURL one-liner:

curl -i -X OPTIONS rtsp://10.1.1.1:554/stream1 RTSP/1.1

A valid RTSP service should respond along the following lines:

RTSP/1.0 200 OK
CSeq: 1
Date: Tue, Dec 08 2020 09:56:12 GMT
Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, GET_PARAMETER, SET_PARAMETER

RTSP Hacking made easy

Cameradar is a Go-based tool to hack RTSP Video Surveillance CCTV Cameras, it can detect open RTSP hosts, detect device models and launch automated attacks.

https://github.com/Ullaakut/cameradar

Cameradar allows you to

Detect open RTSP hosts on any accessible target host
Detect which device model is streaming
Launch automated dictionary attacks to get their stream route (e.g.: /live.sdp)
Launch automated dictionary attacks to get the username and password of the cameras
Retrieve a complete and user-friendly report of the results

Examples to Hack RTSP Camera

Running cameradar on your own machine to scan for default ports

docker run --net=host -t ullaakut/cameradar -t localhost

Running cameradar with an input file, logs enabled on port 8554

docker run -v /tmp:/tmp --net=host -t ullaakut/cameradar -t /tmp/test.txt -p 8554

Running cameradar on a subnetwork with custom dictionaries, on ports 554, 5554 and 8554

docker run -v /tmp:/tmp --net=host -t ullaakut/cameradar -t 192.168.0.0/24 --custom-credentials="/tmp/dictionaries/credentials.json" --custom-routes="/tmp/dictionaries/routes" -p 554,5554,8554

Example in action

Cameradar in action

Accessing the Stream using VLC we can see a picture from the security camera:

security camera footage

Share on: