Cameradar: Hack RTSP CCTV Cameras!

I stumbled upon this tool when trying to find more Docker security projects – Cameradar. You can use this tool post exploitation just for the fun, or use it in your own network and check for unauthorized CCTV installations. You can also use it to test the security of your existing camera setup.


What is Cameradar?

Cameradar is an open source Real Time Streaming Protocol (RTSP) surveillance camera access multi-tool. It allows you to:

  • Detect open RTSP hosts on any accessible subnetwork
  • Get their public info (hostname, port, camera model, etc.)
  • Bruteforce your way into them to get their stream route (for example /live.sdp)
  • Bruteforce your way into them to get the username and password of the cameras.
  • Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content.
  • Try to create a GStreamer pipeline to check if they are properly encoded. GStreamer is a library for constructing graphs of media-handling components.
  • Print a summary of all the information Cameradar could retrieve.

It scans for open RTSP CCTV cameras by scanning on the following ports – 554 (default RTSP port) and 8554 (default emulated RTSP port). If no ports are passed to the application, it will scan every port of every host found on the subnetworks and try to detect RTSP sessions.

You can either install Cameradar as a docker image, or simply as a standard installation. When installing as a docker image, the only dependencies are docker, docker-tools, git and make. Otherwise, it needs cmake, git, gstreamer1.x (or libgstreamer1.0-dev), ffmpeg, boost (libboost-all-dev) and libcurl (libcurl4-openssl-dev). You can even link it up to a MySQL database. Installation is pretty simple – clone the Git repository, make, install and then:

./cameradar -s the_subnet_you_want_to_scan

What’s more is that the developers are planning to convert this whole project into a library so that you can freely use it in your projects. This is planned for version 2.0.0. When that happens, Cameradar will become the name of the library and Cameraccess will be the name of the binary that uses the library to hack the cameras. Support for the following RTSP routes is also in the works: /video.h264, /11, /12, /ch1-s1, /live3.sdp, /onvif-media/media.amp, /axis-media/media.amp, /axis-media/media.amp?videocodec=h264, /mpeg4/media.amp, /stream, /cam/realmonitor, /live, /video.pro2, /videoMain, /VideoInput/1/mpeg4/1, /VideoInput/1/h264/1, /video.pro3, /video.pro1, /video.mjpg, /h264_vga.sdp, /media.amp, /media, /ONVIF/MediaInput, /nphMpeg4/g726-640×48, /MediaInput/mpeg4, /MediaInput/h264, /Streaming/Channels/1, /ch0_0.h264, /rtsph2641080p, /live/av0, /cam1/onvif-h264, /ucast/11, /LowResolutionVideo, /1, /live/ch00_0, /medias2. The project itself is quiet fast. On a 2.8GHz dual-core Intel Core i7 with 8GB of 1600MHz DDR3L onboard memory, it takes about 3 minutes for the discovery and directory attack phase.

Download Cameradar:

The latest version of Cameradar v1.1.4 (cameradar_1.1.4_Release_Linux.tar.gz) can be downloaded here.