The auth type in source code is

• 0 for None
• 1 for basic auth
• 2 for digest auth

But when I run cameradar (I use docker image), it's not able to identify the auth type

This is the log

 (auth -1): curl: RTSP CSeq mismatch or invalid CSe

First, make sure that none of the open and closed issues is about the same issue as you are describing, and make sure to check the frequently asked questions in the README file. Then, replace the parts of this template that are between with the data relative to your issue.

If you're reporting a bug, use the template below. Otherwise, delete this template and write your issue normally.

Context

Please select one:

• [x] I use the docker image ullaakut/cameradar
• [ ] I use my own build of the docker image
• [ ] I use the pre-compiled binary
• [ ] I use my own build of the binary
• [ ] None of the above / I don't know

Please select one:

• [ ] I use a specific version:
• [x] I use the latest commit of the master branch
• [ ] I use the latest commit of the develop branch
• [ ] I use a forked version of the repository:
• [ ] I use a specific commit:

Environment

My operating system:

• [ ] Windows
• [ ] OSX
• [x] Linux
• [ ] Other

OS version: Raspbian OS architecture: arm

Issue

I am trying to run this on a Raspberry Pi, but when I execute the command docker run --net=host -t ullaakut/cameradar -t localhost I get this error:

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm/v7) and no specific platform was requested
standard_init_linux.go:219: exec user process caused: exec format error

What was expected

Image should run

What happened

Error

Logs

If your issue is with Cameradar's binary or docker image, please run it with -v to print verbose logs, and paste them here:

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm/v7) and no specific platform was requested
standard_init_linux.go:219: exec user process caused: exec format error

Context

Both binary and docker releases

Any commit since digest authentication was added

Environment

Any OS

Issue

Making any requests with digest authentication causes the following issue:

*   Trying 127.0.0.1:8554...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8554 (#0)
* Server auth using Digest with user 'ubnt'
> DESCRIBE rtsp://ubnt:[email protected]:8554/live.sdp RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 401 Unauthorized
< CSeq: 1
< WWW-Authenticate: Digest realm="GStreamer RTSP Server", nonce="3034e78651e4e61e"
< Server: GStreamer RTSP server
< Date: Sun, 12 Jan 2020 09:36:53 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Issue another request to this URL: 'rtsp://ubnt:[email protected]:8554/live.sdp'
* Protocol "rtsp" not supported or disabled in libcurl
* Closing connection -1

* Protocol "rtsp" not supported or disabled in libcurl

While when using basic authentication or no authentication, streams are accessed without any issue, and this log never appears.

Issue from @johny77g ( https://github.com/EtixLabs/cameradar/commit/cad7d24ccf068d7d45dcf9db746140ec716ee219#commitcomment-25169225 )

Hi, I exposed my camera for a simple test with very simple setup username: admin, password: admin. Updated credentials.json and routes as below. With option -l the generated connections were following:

DESCRIBE rtsp://:@x.x.x.x:x/tcp/av0_0 RTSP/1.0 (no usr and no login)
DESCRIBE rtsp://:@x.x.x.x:x/udp/av0_0 RTSP/1.0 (no usr and no login)
DESCRIBE rtsp://admin:[email protected]:/ RTSP/1.0 (no command from routes)

BUT the right configuration was never generated. (I mean with: admin, admin, tcp/av0_0) Is it something wrong with my trial or some issue with attack.go file?

----------credentials.json----------------
{
"usernames": [
"admin"
],

"passwords" : [
"admin"
]
}
--------------routes--------------------
tcp/av0_0
udp/av0_0

When performing the attack (on my own network I get errors for the following Attacking routes of # streams...ok

Perform failed: curl: RTSP CSeq mismatch or invalid CSeq Perform failed: curl: Failure from receiving data from the peer Attempting to detect authentication of # of streams...ok Perform failed: curl: Failure from receiving data from the peer Attacking credentials of # streams ...ok Perform failed: curl: RTSP CSeq mismatch or invalid CSeq Perform failed: curl: Failure from receiving data from the peer Validating that streams are accessible...ok Perform failed: curl: Failure from receiving data from the peer

My question is are these normal error messages or did I mess up the installation?

Im using Cameradar from past 6 months it working fine but now i thing its having some issues with it. Im testing with RTSP IP having open port and also having default credentials which are present in dictionary Folder but it shows "Unable to attack empty list of targets " and when i open my rtsp link with default credentials in VLC it's working. so, i think there have some problem Cameradar. Please help me out.

Please select one:

• [* ] I use the docker image ullaakut/cameradar **
• [ ] I use my own build of the docker image
• [ ] I use the pre-compiled binary
• [ ] I use my own build of the binary
• [ ] None of the above / I don't know

Environment

My operating system:

• [ ] Windows
• [ ] OSX
• [* ] Linux
• [ ] Other

OS version: <ubuntu 16.04 > OS architecture: <64 bit>

hi i have setup my android phone as my camera using the app called "IP Webcam", just to make sure that the camera is running i did a nmap scan to make sure the port is open as well like below:

PORT STATE SERVICE 5554/tcp open sgi-esphttp MAC Address: 4C:77:41:43:A6:CD (Lenovo)

than i ran the command:

sudo docker run -t ullaakut/cameradar -t 192.168.1.0/24 -l and also this sudo docker run --net=host -t ullaakut/cameradar -t 0.0.0.0

both commands outputs the same: ✖ No streams were found. Please make sure that your target is on an accessible network.

my android phone is on the same network, i can access the camera through the browser, but cameradar cannot seem to find it.

any suggestions?

Hello

First of all, I wanted to thank you for working on and maintaining such an interesting project. Looking forward to further releases and updates :).

To keep it short. I recently stumbled upon cameradar while trying to build the perfect IoT pentesting environment on Android. Unfortunately however, I've faced some problems while trying to run it on my current environment. Here's my current scenario:

After setting up a chrooted Debian environment on Android (8.0 Oreo) and setting up golang and the necessary compilation build tools, the compiled binary somehow gets confused when invoking libcurl functions. Here's precisely what happens while trying to run cameradar on the above mentioned environment

https://drive.google.com/file/d/1fywQheMe10RJ0dkmQ_89Klbpr2BBbut0/view?usp=drivesdk

(You'll have to excuse me but I didn't manage to find an easier way of sharing a screenshot )

Basically, curl tries to connect to (rtsp://%user:%password:%macaddr/%route)

I already tried debugging the binary through strace thinking that it was invoking curl through execv but to no avail.

I still didn't manage to find out where the error culprit stands (libcurl invoked with erroneus parameters or simply libcurl failure)

Hopefully you'll manage to find some time and look into it.

Thanks in advance :)

-D4N

First, make sure that none of the open and closed issues is about the same issue as you are describing, and make sure to check the frequently asked questions in the README file. Then, replace the parts of this template that are between with the data relative to your issue.

If you're reporting a bug, use the template below. Otherwise, delete this template and write your issue normally.

Context

Please select one:

• [x] I use the docker image ullaakut/cameradar
• [ ] I use my own build of the docker image
• [ ] I use the pre-compiled binary
• [ ] I use my own build of the binary
• [ ] None of the above / I don't know

Please select one:

• [ ] I use a specific version:
• [x] I use the latest commit of the master branch
• [ ] I use the latest commit of the develop branch
• [ ] I use a forked version of the repository:
• [ ] I use a specific commit:

Environment

My operating system:

• [ ] Windows
• [ ] OSX
• [x] Linux
• [ ] Other

OS version: Ubuntu 18.04 OS architecture: 64bit Intel

Issue

401 Unauthorized from the camera

What was expected?

Successful connection

What happened?

Hello, I love this project! I am trying to figure out why it isn't working against an Aiphone camera. Below are the logs. The camera is at default with user/pass of aiphone/aiphone.

I read the FAQ and a previous issue titled "can't detect camera feed". Both were very useful but I still can't figure out what I am doing wrong. Can you give me some tips to help troubleshoot? Thanks!

If I copy this line from the logs and put it in vlc I get the stream: rtsp://aiphone:[email protected]:554/udp/unicast/aiphone_H264

Here is the command I used to run Docker. docker run -t -v /home/mhubbard/Dropbox/03_Tools:/tmp/dictionaries ullaakut/cameradar -r "/tmp/dictionaries/rtsp.txt" -c "/tmp/dictionaries/my_credentials.json" -t 192.168.1.12 -l

Here are the files in /home/mhubbard/Dropbox/03_Tools

rtsp.txt

udp/unicast/aiphone_H264

my_credentials.json

{
  "usernames": [
    "",
    "aiphone",
    "admin"
  ],
  "passwords" : [
    "",
    "aiphone",
    "V3ct0r88"
  ]
}

Logs

If your issue is with Cameradar's binary or docker image, please run it with -l to print logs, and paste them here:

->docker run -t -v /home/mhubbard/Dropbox/03_Tools:/tmp/dictionaries ullaakut/cameradar -r "/tmp/dictionaries/rtsp.txt" -c "/tmp/dictionaries/my_credentials.json"  -t 192.168.1.12 -l
* Expire in 0 ms for 6 (transfer 0xd90300)
* Expire in 2000 ms for 8 (transfer 0xd90300)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xd90300)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
> DESCRIBE rtsp://:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNDk3Mzk6NzQ3NTQ0OTk5"
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xd9d060)
* Expire in 2000 ms for 8 (transfer 0xd9d060)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xd9d060)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
> DESCRIBE rtsp://:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTExMjg6MTk5OTQ0OTk="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xda9bc0)
* Expire in 2000 ms for 8 (transfer 0xda9bc0)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xda9bc0)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user ''
> DESCRIBE rtsp://:[email protected]:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic OmFpcGhvbmU=

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTE3NDg6MTI3NTc3ODU0Mw=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xdb6760)
* Expire in 2000 ms for 8 (transfer 0xdb6760)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xdb6760)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user ''
> DESCRIBE rtsp://:[email protected]:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic OlYzY3Qwcjg4

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTI0NDI6MTUyMDY5MDU1OA=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xdc3300)
* Expire in 2000 ms for 8 (transfer 0xdc3300)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xdc3300)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'aiphone'
> DESCRIBE rtsp://aiphone:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWlwaG9uZTo=

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTMwNDg6MTkyMTI5MTY="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xdcfea0)
* Expire in 2000 ms for 8 (transfer 0xdcfea0)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xdcfea0)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'aiphone'
> DESCRIBE rtsp://aiphone:[email protected]:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWlwaG9uZTphaXBob25l

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTM2Mzk6NTQ1OTExMzQz"
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xddca80)
* Expire in 2000 ms for 8 (transfer 0xddca80)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xddca80)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'aiphone'
> DESCRIBE rtsp://aiphone:[email protected]:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWlwaG9uZTpWM2N0MHI4OA==

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTQzNTE6MTY1ODg2MDUwOQ=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xde9660)
* Expire in 2000 ms for 8 (transfer 0xde9660)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xde9660)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'admin'
> DESCRIBE rtsp://admin:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWRtaW46

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTQ5NTU6MTk3MjEyMzA1Ng=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xdf6200)
* Expire in 2000 ms for 8 (transfer 0xdf6200)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xdf6200)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'admin'
> DESCRIBE rtsp://admin:[email protected]:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWRtaW46YWlwaG9uZQ==

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTU1MzU6MTc4NDM2MDIyNg=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xe02de0)
* Expire in 2000 ms for 8 (transfer 0xe02de0)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xe02de0)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
* Server auth using Basic with user 'admin'
> DESCRIBE rtsp://admin:[email protected]:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp
Authorization: Basic YWRtaW46VjNjdDByODg=

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTYwODk6MzI4MDMxMDQ1"
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xe0f9c0)
* Expire in 2000 ms for 8 (transfer 0xe0f9c0)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xe0f9c0)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
> DESCRIBE rtsp://:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTY4NjY6MTc2NDgyNDU2OQ=="
< 
* Connection #0 to host 192.168.1.12 left intact
* Expire in 0 ms for 6 (transfer 0xd8a920)
* Expire in 2000 ms for 8 (transfer 0xd8a920)
*   Trying 192.168.1.12...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xd8a920)
* Connected to 192.168.1.12 (192.168.1.12) port 554 (#0)
> SETUP rtsp://:@192.168.1.12:554/udp/unicast/aiphone_H264 RTSP/1.0
CSeq: 1
Transport: RTP/AVP;unicast;client_port=33332-33333

< RTSP/1.0 401 Unauthorized
< Server: Linux/2.6.32.17-davinci1 Ze-PRO
< CSeq: 1
< WWW-Authenticate: Digest realm="Secret", nonce="ODQ4MDguNTc0NjE6MTA1MDcxOTk0Nw=="
< 
* Connection #0 to host 192.168.1.12 left intact
✖	Admin panel URL:	http://192.168.1.12/ You can use this URL to try attacking the camera's admin panel instead.
	Device model:		

	Available:		✖
	IP address:		192.168.1.12
	RTSP port:		554
	Username:		not found
	Password:		not found
	RTSP route:		/udp/unicast/aiphone_H264


✖ Streams were found but none were accessed. They are most likely configured with secure credentials and routes. You can try adding entries to the dictionary or generating your own in order to attempt a bruteforce attack on the cameras.

When running:

go get github.com/Ullaakut/cameradar

I get

# pkg-config --cflags libcurl
Package libcurl was not found in the pkg-config search path.
Perhaps you should add the directory containing `libcurl.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libcurl' found
pkg-config: exit status 1

Should I install libcurl ? If so, which one ? :/ Is it one related to GO language ?

sudo apt-cache search libcurl

libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
libcurl4-doc - documentation for libcurl
libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
libcurl4-nss-dev - development files and documentation for libcurl (NSS flavour)
libcurl4-openssl-dev - development files and documentation for libcurl (OpenSSL flavour)
libstrongswan-extra-plugins - strongSwan utility and crypto library (extra plugins)
python-pycurl - Python bindings to libcurl
python-pycurl-dbg - Python bindings to libcurl (debug extension)
python-pycurl-doc - Python bindings to libcurl (documentation)
python3-pycurl - Python bindings to libcurl (Python 3)
python3-pycurl-dbg - Python bindings to libcurl (debug extension, Python 3)
libcurl4 - easy-to-use client-side URL transfer library (OpenSSL flavour)
fp-units-net - Free Pascal - networking units dependency package
fp-units-net-3.0.4 - Free Pascal - networking units
libcupt4-2-downloadmethod-curl - flexible package manager -- libcurl download method
libcurl-ocaml - OCaml curl bindings (Runtime Library)
libcurlpp-dev - c++ wrapper for libcurl (development files)
libcurlpp0 - c++ wrapper for libcurl
libghc-curl-dev - GHC libraries for the libcurl Haskell bindings
libghc-curl-doc - Documentation for the libcurl Haskell bindings; documentation
libghc-curl-prof - Profiling libraries for the libcurl Haskell bindings; profiling libraries
libghc-hxt-curl-dev - LibCurl interface for HXT
libghc-hxt-curl-doc - LibCurl interface for HXT; documentation
libghc-hxt-curl-prof - LibCurl interface for HXT; profiling libraries
libjsonrpccpp-client0 - library implementing json-rpc C++ clients
libjsonrpccpp-client0-dbg - debugging symbols for libjsonrpccpp-client0
libresource-retriever-dev - Robot OS resource_retriever library - development files
libresource-retriever0d - Robot OS resource_retriever library
libulfius-dev - Web Framework for REST Applications in - development
libwww-curl-perl - Perl bindings to libcurl
lua-curl - libcURL bindings for the Lua language
lua-curl-dev - libcURL development files for the Lua language
python-resource-retriever - Robot OS resource_retriever library - Python
ruby-curb - Ruby libcurl bindings
ruby-ethon - libcurl wrapper using ffi
ruby-typhoeus - parallel HTTP library on top of ethon
tclcurl - Tcl bindings to libcurl
wmget - Background download manager in a Window Maker dock app
libcurl-ocaml-dev - OCaml libcurl bindings (Development package)
libcurl-openssl1.0-dev - development files and documentation for libcurl (OpenSSL 1.0 flavour)
libcurl3 - easy-to-use client-side URL transfer library (OpenSSL flavour)
libulfius2.2 - Web Framework for REST Applications in C
r-cran-crul - simple HTTP Client for GNU R

Hey @Ullaakut :)

So I was testing some cameras around my neighbourhood and noticed something weird. Cameradar bases it's results on the response it gets from a RTSP DESCRIBE request and so far so good, it works and everything. The problem IMO Is that cameradar never checks to make sure the stream is actually available. This time I'm proposing a detection mechanism enhancement by issuing a second RTSP SETUP request and, thus validating that the credentials and route are actually accessible. Consider the following scenario

cameradar -t xxx.xxx.xxx.xxx -T 5000 -l Output

root@localhost:~# cameradar -t 192.168.100.64 -T 5000 -l
command: nmap -T4 -A -p 554,8554 -oX /tmp/cameradar_scan.xml 192.168.100.6
4

Starting Nmap 7.40 ( https://nmap.org ) at 2018-07-06 08:30 CEST
Nmap scan report for 192.168.100.64
Host is up (0.014s latency).
PORT     STATE  SERVICE  VERSION
554/tcp  open   rtsp
| fingerprint-strings:
|   FourOhFourRequest:
|     RTSP/1.0 505 RTSP Version Not Supported
|     Server: ALi feng/2.1.0_rc1
|     Date: Week 4, 1 Mon0 0070 22:12:16 GMT
|   GetRequest:
|     RTSP/1.0 505 RTSP Version Not Supported
|     Server: ALi feng/2.1.0_rc1
|     Date: Week 4, 1 Mon0 0070 22:12:01 GMT
|   HTTPOptions:
|     RTSP/1.0 505 RTSP Version Not Supported
|     Server: ALi feng/2.1.0_rc1
|     Date: Week 4, 1 Mon0 0070 22:12:11 GMT
|   RTSPRequest:
|     RTSP/1.0 400 Bad Request
|     Server: ALi feng/2.1.0_rc1
|     Date: Week 4, 1 Mon0 0070 22:12:06 GMT
|   SIPOptions:
|     RTSP/1.0 505 RTSP Version Not Supported
|     Server: ALi feng/2.1.0_rc1
|_    Date: Week 4, 1 Mon0 0070 22:12:21 GMT
|_rtsp-methods: OPTIONS,DESCRIBE,SETUP,PLAY,PAUSE,TEARDOWN
8554/tcp closed rtsp-alt
1 service unrecognized despite returning data. If you know the service/ver
sion, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port554-TCP:V=7.40%I=7%D=7/6%Time=5B3F0C99%P=aarch64-unknown-linux-gnu%
SF:r(GetRequest,6F,"RTSP/1\.0\x20505\x20RTSP\x20Version\x20Not\x20Supporte
SF:d\r\nServer:\x20ALi\x20feng/2\.1\.0_rc1\r\nDate:\x20Week\x204,\x201\x20
SF:Mon0\x200070\x2022:12:01\x20GMT\r\n\r\n")%r(RTSPRequest,60,"RTSP/1\.0\x
SF:20400\x20Bad\x20Request\r\nServer:\x20ALi\x20feng/2\.1\.0_rc1\r\nDate:\
SF:x20Week\x204,\x201\x20Mon0\x200070\x2022:12:06\x20GMT\r\n\r\n")%r(HTTPO
SF:ptions,6F,"RTSP/1\.0\x20505\x20RTSP\x20Version\x20Not\x20Supported\r\nS
SF:erver:\x20ALi\x20feng/2\.1\.0_rc1\r\nDate:\x20Week\x204,\x201\x20Mon0\x
SF:200070\x2022:12:11\x20GMT\r\n\r\n")%r(FourOhFourRequest,6F,"RTSP/1\.0\x
SF:20505\x20RTSP\x20Version\x20Not\x20Supported\r\nServer:\x20ALi\x20feng/
SF:2\.1\.0_rc1\r\nDate:\x20Week\x204,\x201\x20Mon0\x200070\x2022:12:16\x20
SF:GMT\r\n\r\n")%r(SIPOptions,6F,"RTSP/1\.0\x20505\x20RTSP\x20Version\x20N
SF:ot\x20Supported\r\nServer:\x20ALi\x20feng/2\.1\.0_rc1\r\nDate:\x20Week\
SF:x204,\x201\x20Mon0\x200070\x2022:12:21\x20GMT\r\n\r\n");
MAC Address: 50:00:07:00:32:84 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see ht
tps://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.40%E=4%D=7/6%OT=554%CT=8554%CU=33778%PV=Y%DS=1%DC=D%G=Y%M=5000
0
OS:7%TM=5B3F0CBE%P=aarch64-unknown-linux-gnu)SEQ(SP=27%GCD=1%ISR=5F%TI=I%C
I
OS:=I%TS=U)SEQ(SP=1C%GCD=1%ISR=5F%TI=I%CI=I%II=RI%SS=S%TS=U)SEQ(SP=0%GCD=1
7
OS:F%ISR=5F%TI=I%TS=U)OPS(O1=M5B4NW4NNS%O2=M5B4NW4NNS%O3=M5B4NW4NNS%O4=M5B
4
OS:NW4NNS%O5=M5B4NW4NNS%O6=M5B4NW4NNS)WIN(W1=FFF%W2=FFF%W3=FFF%W4=FFF%W5=F
F
OS:F%W6=FFFF)ECN(R=Y%DF=N%T=FF%W=FFF%O=M5B4NW4NNS%CC=N%Q=)T1(R=Y%DF=N%T=FF
%
OS:S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%T=FF%W=FFF%S=O%A=S+%F=AS%O=M5B
4
OS:NW4NNS%RD=0%Q=)T4(R=Y%DF=N%T=FF%W=FFF%S=A%A=S%F=AR%O=%RD=0%Q=)T5(R=Y%DF
=
OS:N%T=FF%W=FFF%S=A%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=FF%W=FFF%S=A%A=S%F=
A
OS:R%O=%RD=0%Q=)T7(R=Y%DF=N%T=FF%W=FFF%S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
N
OS:%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%C
D
OS:=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   13.58 ms 192.168.100.64

OS and Service detection performed. Please report any incorrect results at
 https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.88 seconds
*   Trying 192.168.100.64...
* TCP_NODELAY set
* Connected to 192.168.100.64 (192.168.100.64) port 554 (#0)
> DESCRIBE rtsp://:@192.168.100.64:554/ RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 400 Bad Request
< CSeq: 1
< Server: ALi feng/2.1.0_rc1
< Date: Week 4, 1 Mon0 0070 22:12:43 GMT
<
* Curl_http_done: called premature == 0
* Connection #0 to host 192.168.100.64 left intact
*   Trying 192.168.100.64...
* TCP_NODELAY set
* Connected to 192.168.100.64 (192.168.100.64) port 554 (#0)
> DESCRIBE rtsp://:@192.168.100.64:554/1.AMP RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 200 OK
< CSeq: 1
< Server: ALi feng/2.1.0_rc1
< Content-Type: application/sdp
< Content-Base: rtsp://:@192.168.100.64:554/1.AMP/
< Date: Week 4, 1 Mon0 0070 22:12:43 GMT
< Content-Length: 226
<
v=0
o=- 2209068544 2209068544 IN IP4
s=RTSP Session
i=1.AMP
c=IN IP4 0.0.0.0
t=0 0
a=type:broadcast
a=tool:ALi feng 2.1.0_rc1 Streaming Server
a=control:*
a=range:npt=0-
m=video 0 RTP/AVP 33
a=control:TrackID=0

* Curl_http_done: called premature == 0
* Connection #0 to host 192.168.100.64 left intact
*   Trying 192.168.100.64...
* TCP_NODELAY set
* Connected to 192.168.100.64 (192.168.100.64) port 554 (#0)
> DESCRIBE rtsp://:@192.168.100.64:554/1.AMP RTSP/1.0
CSeq: 1
Accept: application/sdp

< RTSP/1.0 200 OK
< CSeq: 1
< Server: ALi feng/2.1.0_rc1
< Content-Type: application/sdp
< Content-Base: rtsp://:@192.168.100.64:554/1.AMP/
< Date: Week 4, 1 Mon0 0070 22:12:43 GMT
< Content-Length: 226
<
v=0
o=- 2209068544 2209068544 IN IP4
s=RTSP Session
i=1.AMP
c=IN IP4 0.0.0.0
t=0 0
a=type:broadcast
a=tool:ALi feng 2.1.0_rc1 Streaming Server
a=control:*
a=range:npt=0-
m=video 0 RTP/AVP 33
a=control:TrackID=0

* Curl_http_done: called premature == 0
* Connection #0 to host 192.168.100.64 left intact
▶       Device RTSP URL:        rtsp://:@192.168.100.64:554/1.AMP
        Device model:

        IP address:             192.168.100.64
        RTSP port:              554
        Username:
        Password:
        RTSP route:             /1.AMP


root@localhost:~#

Here cameradar correctly outputs that a stream has been found and it's accessible due to the 200 response. However when you try to connect to the stream, this happens

testRTSPClient rtsp://:@xxx.xxx.xxx.xxx:ppp/streamexample

root@localhost:~# testRTSPClient rtsp://:@192.168.100.64:554/1.AMP
Opening connection to 192.168.100.64, port 554...
...remote connection opened
Sending request: DESCRIBE rtsp://:@192.168.100.64:554/1.AMP RTSP/1.0
CSeq: 2
User-Agent: testRTSPClient (LIVE555 Streaming Media v2016.11.28)
Accept: application/sdp


Received 424 new bytes of response data.
Received a complete DESCRIBE response:
RTSP/1.0 200 OK
CSeq: 2
Server: ALi feng/2.1.0_rc1
Content-Type: application/sdp
Content-Base: rtsp://:@192.168.100.64:554/1.AMP/
Date: Week 4, 1 Mon0 0070 22:30:07 GMT
Content-Length: 226

v=0
o=- 2209069568 2209069568 IN IP4
s=RTSP Session
i=1.AMP
c=IN IP4 0.0.0.0
t=0 0
a=type:broadcast
a=tool:ALi feng 2.1.0_rc1 Streaming Server
a=control:*
a=range:npt=0-
m=video 0 RTP/AVP 33
a=control:TrackID=0


[URL:"rtsp://:@192.168.100.64:554/1.AMP/"]: Got a SDP description:
v=0
o=- 2209069568 2209069568 IN IP4
s=RTSP Session
i=1.AMP
c=IN IP4 0.0.0.0
t=0 0
a=type:broadcast
a=tool:ALi feng 2.1.0_rc1 Streaming Server
a=control:*
a=range:npt=0-
m=video 0 RTP/AVP 33
a=control:TrackID=0


[URL:"rtsp://:@192.168.100.64:554/1.AMP/"]: Initiated the "video/MP2T" sub
session (client ports 33332-33333)
Sending request: SETUP rtsp://:@192.168.100.64:554/1.AMP/TrackID=0 RTSP/1.
0
CSeq: 3
User-Agent: testRTSPClient (LIVE555 Streaming Media v2016.11.28)
Transport: RTP/AVP;unicast;client_port=33332-33333


Received 113 new bytes of response data.
Received a complete SETUP response:
RTSP/1.0 503 Service Unavailable
CSeq: 3
Server: ALi feng/2.1.0_rc1
Date: Week 4, 1 Mon0 0070 22:30:07 GMT


[URL:"rtsp://:@192.168.100.64:554/1.AMP/"]: Failed to set up the "video/MP
2T" subsession: 503 Service Unavailable
[URL:"rtsp://:@192.168.100.64:554/1.AMP/"]: Failed to start playing sessio
n: No RTSP session is currently in progress

[URL:"rtsp://:@192.168.100.64:554/1.AMP/"]: Closing the stream.
root@localhost:~#

Here you can see that after issuing a DESCRIBE request, testRTSPClient issues a second SETUP request and fails due to the 503 Service Unavailable response.

I think it would be awesome if cameradar automated such process, without having the user actually debug what's going on using third party tools.

Anyway this was just an enhancement idea I had. Hopefully you'll consider implementing such functionality in the near future.

All the best

-D4N

Given a list of IPs

12.125.12.5
12.125.12.4
12.125.12.2
12.125.12.87

and command: docker run -v "$(pwd):/data" --net=host -t ullaakut/cameradar -t /data/ips.txt -d -p 554

nmap reports

> [Nmap Warning] Failed to resolve "149.165.246.187
".> [Nmap Warning] Failed to resolve "149.165.246.187
etc...

and only the last IP in the list is actually scanned.

The file is a UTF-8 plaintext file:

I'm running docker desktop on Windows with the provided example commands

Hi again) Can`t compile now for arm64. For amd64 everything ok, but if i try: env GOOS=android GOARCH=arm64 go build -o radar2

Getting this:

github.com/Ullaakut/cameradar/v5 ../../attack.go:202:15: undefined: curl.OPT_URL ../../attack.go:204:15: undefined: curl.OPT_RTSP_STREAM_URI ../../attack.go:205:15: undefined: curl.OPT_RTSP_REQUEST ../../attack.go:214:29: undefined: curl.INFO_HTTPAUTH_AVAIL ../../attack.go:242:15: undefined: curl.OPT_HTTPAUTH ../../attack.go:243:15: undefined: curl.OPT_USERPWD ../../attack.go:246:15: undefined: curl.OPT_URL ../../attack.go:248:15: undefined: curl.OPT_RTSP_STREAM_URI ../../curl.go:12:15: undefined: curl.CurlInfo ../../curl.go:19:2: undefined: curl.CURL ../../attack.go:248:15: too many errors

Any solutions?

Hi, I used your tool on my network and it seems to works great ! But I had a question, is this possible to scan a list of ip (mass scan) with a txt file ? I searched for answers on forums, but I found nothing ... Thanks for your answer :)

Udocker can be installed on Android in Termux.

Is it possible to run Cameradar using Udocker on Android 10 without rooting a smartphone? https://github.com/indigo-dc/udocker

documentation: https://indigo-dc.github.io/udocker/

Or maybe you know another way?

gives my list of factory logins and passwords that I could find on the Internet, including wifi spy cameras supporting RTSP using android lookcampro and hdsmartIPC applications { "usernames": [ "", "666666", "888888", "Admin", "admin", "admin1", "administrator", "Administrator", "aiphone", "Dinion", "guest", "root", "service", "supervisor", "ubnt", "user" ], "passwords": [ "", "0000", "000000", "1111", "111111", "1111111", "11111111", "1234", "12341234", "12345", "123456", "1234567", "12345678", "123456789", "1234567890", "4321", "6666", "666666", "6fJjMKYx", "8888", "888888", "9999", "999999", "999988", "99999999", "ADMIN", "Admin", "hi3518", "jvbzd", "JVC", "Karnet", "Meins", "admin", "administrator", "aiphone", "camera", "fliradmin", "GRwvcj8j", "guest", "hikadmin", "hikvision", "ikwd", "jvc", "kj3TqCWv", "klv123", "meinsm", "none", "novus", "pass", "password", "password123", "reolink", "root", "service", "supervisor", "system", "tlJwpbo6", "toor", "tp-link", "ubnt", "user", "wbox123", "xc3511", "xmhdipc", "Y5eIMz3C" ] }