Welcome back, my aspiring IP camera hackers!
As most of you know, we have played a key role in the defense of Ukraine. Among our many activities in defense of Ukraine is the hacking of IP cameras throughout the country. In this way, we can spy on Russian activities and war crimes. We did this at the request of the Ukraine Army starting in April 2022.
To hack these cameras we used multiple methods and techniques. In hacking, we often need to explore multiple methods to be successful. Persistence is a key hacker characteristic.
As hackers, of course, it is important to take a strategic approach to any target. Always use the simplest methods first before progressing to more advanced and time-consuming attack methods.
In our first step, we identified the unprotected cameras using such sites as Shodan, Google, and Censys. Next, we tried default credentials. These default credentials vary by camera and manufacturer, so make certain to check our list of default credentials for nearly every camera and manufacturer. That technique yielded a few cameras.
Next, we tried to hack the cameras with weak passwords. This yielded significant results! The primary tool we used in that effort was cameradar.
In this tutorial, I will show you how to use this tool for IP camera hacking just like we did in the Ukraine war!
RTSP
Before we begin to hack IP cameras, you need a bit of background in RTSP. RTSP is the protocol that most of these IP cameras use. Not all of the cameras use RTSP, but the vast majority do. Before we go any farther, we need to say that those cameras using proprietary or other protocols will not be exploitable by cameradar.
RTSP is an application-layer protocol used for commanding streaming media servers via pause and play capabilities. It thereby facilitates real-time control of the streaming media by communicating with the server — without actually transmitting the data itself.
Rather, RTSP servers often leverage the Real-Time Transport Protocol (RTP) in conjunction with the Real-Time Control Protocol (RTCP) to move the actual streaming data.
Most IP camera use the Real-Time Streaming Protocol (RTSP) to establish and control video and audio streams. The content is delivered using Real-time Transport Protocol (RTP). RSTP does not provide any configuration of the device. That must be done using the URI and IP address. Any configuration changes must be done via the web interface.
Most systems support RTSP as a fallback even if they are using a different protocol such a PSIA or ONVIF
When a user initiates a video stream from an IP camera using RTSP, the device sends an RTSP request to the streaming server. This jump starts the setup process.
Subsequently, the video and audio data can then be transmitted using RTP.
You can think of RTSP in terms of a television remote control for media streaming, with RTP acting as the broadcast itself.
While similar in some ways to HTTP, RTSP defines control sequences useful in controlling multimedia playback.
While HTTP is stateless, RTSP has state; an identifier is used when needed to track concurrent sessions
Like HTTP, RTSP uses TCP to maintain an end-to-end connection and, while most RTSP control messages are sent by the client to the server, some commands travel in the other direction (i.e. from server to client).
RTSP uses the following commands, typically sent from the client to the server,
when negotiating and controlling media transmissions:
Options: This request determines what other types of requests the media server will accept.
Describe: A describe request identifies the URL and type of data.
Announce: The announce method describes the presentation when sent from the client to the server and updates the description when sent from server to client.
Setup: Setup requests specify how a media stream must be transported before a play request is sent.
Play: A play request starts the media transmission by telling the server to start sending the data.
Pause: Pause requests temporarily halt the stream delivery.
Record: A record request initiates a media recording.
Teardown: This request terminates the session entirely and stops all media streams.
Redirect: Redirect requests inform the client that it must connect to another server by providing a new URL for the client to issue requests to.
Other types of RTSP requests include ‘get parameter,’ ‘set parameter,’ and ’embedded (interleaved) binary data,’
Now that you have a little background in RTSP, you are ready to start cracking IP camera credentials!
Step #1: Download and Install cameradar
Although cameradar can be run natively in Linux, I find that it works best in a docker container.
First, install docker.
kali > sudo apt install docker
Next, start docker with the systemctl command;
kali > sudo systemctl start docker
Now, download cameradar.
kali> sudo git clone https://github.com/Ullaakut/cameradar
Now, you are ready to begin to brute-force IP cameras!
Step #2: Run the RTSP Credential Brute-forcer
Now that you have docker and cameradar installed, you only need to point cameradar at the IP address of the camera that you want to brute-force!
For instance, to brute force a camera at 192.168.1.101 (obviously, not an IP address of a real camera), we would simply enter;
kali > sudo docker run ullaakut/cameradar -t 192.168.1.101
cameradar will now attempt to find a RTSP stream at one of the default RTSP ports namely 554, 5554 and 8554. If you suspect there may be other ports with RTSP streams (you may want to run an nmap scan first), you can add them with the -p switch, such as
kali > sudo docker run ullaakut/cameradar -t 192.168.1.101 -p 9554
Step #3: Using Custom Username and Password Lists
By default, cameradar uses a small username and password list of the most common usernames and passwords. It's good strategy to use these first but if they are unsuccessful, it's time to bring out the big guns!
In this context, big guns means larger and more appropriate username and password lists. From my experience hacking cameras in Ukraine and Russia, the usernames usually are simple such as admin, root, admin1, admin3, etc. This means that you can probably use the default username list but passwords vary quite a bit. That's why you should use a good password list that is appropriate for your environment (for instance, using a Spanish list in a Spanish speaking nation).
First, the password list must be json format. There are several websites that can covert your text file to json such as https://anyconv.com/txt-to-json-converter/. Your .txt file will then be appended with a json extension. So, if we were using the seclist's password list;
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt,
I would first convert it to json format and then use that file with cameradar. It will then appear as 10-million-password-list-top-1000000.json.
Now to use that password list with cameradar, you can run the following command;
kali> sudo docker run ullaakut/cameradar -t
-v /usr/share/seclists/Passwords/Common-Credentials:/tmp/dictionaries
-c "tmp/dictionaries/10-million-password-list-top-1000000.json"
-t 192.168.1.101
Summary
Password Cracking of IP camera credentials is very similar to other remote password cracking once you become familiar with the RTSP protocol. In fact, in many ways it is easier, as it is rare to find a lockout (limiting how many attempts you can make) on the RTSP protocol. By using a tool like cameradar, we were able to successfully access a large percentage of IP cameras with weak passwords.
