Welcome back, my aspiring IP camera hackers!
As most of you know, we have played a key role in the defense of Ukraine. Among our many activities in defense of Ukraine is the hacking of IP cameras throughout the country. In this way, we can spy on Russian activities and war crimes. We did this at the request of the Ukraine Army starting in April 2022.
For more on Hackers-Arise activities in Ukraine check out this post.
For more information on our IP camera hacking to support Ukraine, check out this post.
As hackers, of course, it is important to take a strategic approach to any target. Always use the simplest methods first before progressing to more advanced and time-consuming attack methods.
Next, we tried to hack the cameras with weak passwords. This yielded significant results! The primary tool we used in that effort was cameradar.
In this tutorial, I will show you how to use this tool for IP camera hacking just like we did in the Ukraine war!
RTSP
Before we begin to hack IP cameras, you need a bit of background in RTSP. RTSP is the protocol that most of these IP cameras use. Not all of the cameras use RTSP, but the vast majority do. Before we go any further, we need to say that cameras using proprietary or other protocols will not be exploitable by cameradar.
RTSP is an application-layer protocol used for commanding streaming media servers via pause and play capabilities. It thereby facilitates real-time control of the streaming media by communicating with the server — without actually transmitting the data itself.
Rather, RTSP servers often leverage the Real-Time Transport Protocol (RTP) in conjunction with the Real-Time Control Protocol (RTCP) to move the actual streaming data.
Most IP cameras use the Real-Time Streaming Protocol (RTSP) to establish and control video and audio streams. The content is delivered using the Real-time Transport Protocol (RTP). RTSP does not provide any configuration of the device; the stream is simply addressed by its URI and the camera's IP address, and any configuration changes must be made via the web interface.
Most systems support RTSP as a fallback even if they are using a different protocol such as PSIA or ONVIF.
When a user initiates a video stream from an IP camera using RTSP, the device sends an RTSP request to the streaming server. This jump-starts the setup process.
Subsequently, the video and audio data can then be transmitted using RTP.
You can think of RTSP in terms of a television remote control for media streaming, with RTP acting as the broadcast itself.
While similar in some ways to HTTP, RTSP defines control sequences useful in controlling multimedia playback.
While HTTP is stateless, RTSP has state; a session identifier is used when needed to track concurrent sessions.
Like HTTP, RTSP uses TCP to maintain an end-to-end connection and, while most RTSP control messages are sent by the client to the server, some commands travel in the other direction (i.e. from server to client).
Options: This request determines what other types of requests the media server will accept.
Describe: A describe request identifies the URL and type of data.
Announce: The announce method describes the presentation when sent from the client to the server and updates the description when sent from server to client.
Setup: Setup requests specify how a media stream must be transported before a play request is sent.
Play: A play request starts the media transmission by telling the server to start sending the data.
Pause: Pause requests temporarily halt the stream delivery.
Record: A record request initiates a media recording.
Teardown: This request terminates the session entirely and stops all media streams.
Redirect: Redirect requests inform the client that it must connect to another server by providing a new URL for the client to issue requests to.
Other types of RTSP requests include 'get parameter', 'set parameter', and 'embedded (interleaved) binary data'.
Now that you have a little background in RTSP, you are ready to start cracking IP camera credentials!
Step #1: Download and Install cameradar
Although cameradar can be run natively in Linux, I find that it works best in a docker container.
First, install docker.
kali > sudo apt install docker.io
(On Kali and other Debian-based systems the Docker engine package is named docker.io; the package named docker is not the container engine.)
Next, start docker with the systemctl command:
kali > sudo systemctl start docker
Now, download cameradar.
kali > sudo git clone https://github.com/Ullaakut/cameradar
Now, you are ready to begin to brute-force IP cameras!
Step #2: Run the RTSP Credential Brute-forcer
Now that you have docker and cameradar installed, you only need to point cameradar at the IP address of the camera that you want to brute-force!
For instance, to brute-force a camera at 192.168.1.101 (obviously, not an IP address of a real camera), we would simply enter:
kali > sudo docker run ullaakut/cameradar -t 192.168.1.101
If the camera's RTSP service listens on a port other than the default 554, specify it with -p (here 9554):
kali > sudo docker run ullaakut/cameradar -t 192.168.1.101 -p 9554
Step #3: Using Custom Username and Password Lists
By default, cameradar uses a small username and password list of the most common usernames and passwords. It's a good strategy to use these first, but if they are unsuccessful, it's time to bring out the big guns!
In this context, big guns means larger and more appropriate username and password lists. From my experience hacking cameras in Ukraine and Russia, the usernames usually are simple such as admin, root, admin1, admin3, etc. This means that you can probably use the default username list but passwords vary quite a bit. That’s why you should use a good password list that is appropriate for your environment (for instance, using a Spanish list in a Spanish speaking nation).
First, the password list must be in JSON format. There are several websites that can convert your text file to JSON, such as https://anyconv.com/txt-to-json-converter/. Your .txt file will then be saved with a .json extension. So, if we were using the SecLists password list
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt,
I would first convert it to json format and then use that file with cameradar. It will then appear as 10-million-password-list-top-1000000.json.
Now, to use that password list with cameradar, you can run the following command. Note that -v is a docker option, so it must come before the image name (otherwise docker passes it to cameradar, which does not understand it), and the path given to -c is the path inside the container, so it needs the leading slash:
kali > sudo docker run -v /usr/share/seclists/Passwords/Common-Credentials:/tmp/dictionaries ullaakut/cameradar -c "/tmp/dictionaries/10-million-password-list-top-1000000.json" -t 192.168.1.101
Before running it, check that the converted file is a JSON object with "usernames" and "passwords" arrays, which is the layout of cameradar's own dictionaries/credentials.json; a plain array of strings will not be read as a credential list.
Summary
Password cracking of IP camera credentials is very similar to other remote password cracking once you become familiar with the RTSP protocol. In fact, in many ways it is easier, as it is rare to find a lockout (limiting how many attempts you can make) on the RTSP protocol. By using a tool like cameradar, we were able to successfully access a large percentage of IP cameras with weak passwords.
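The RTSP message format described above, and the absence of lockouts noted in the summary, are what a defender has to work with. The following is an added example (not code from this post or from the cameradar project): it parses RTSP request and response messages and flags a client that collects many 401 Unauthorized responses in a short window, the trail a credential-guessing run leaves on the camera side. All addresses and timestamps are constructed; the window and threshold are assumed values to tune for your environment.

```python
# Added example, not the post's or cameradar's code: parse RTSP and flag a 401 flood.
import re

RTSP_METHODS = ("OPTIONS", "DESCRIBE", "ANNOUNCE", "SETUP", "PLAY", "PAUSE",
                "RECORD", "TEARDOWN", "REDIRECT", "GET_PARAMETER", "SET_PARAMETER")
REQUEST_LINE = re.compile(r"^(%s) (\S+) RTSP/1\.0$" % "|".join(RTSP_METHODS))
STATUS_LINE = re.compile(r"^RTSP/1\.0 (\d{3}) (.*)$")

def parse_rtsp(raw):
    """Parse one RTSP message: CRLF start line and headers, blank line, optional body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    msg = {"headers": {}, "body": body}
    if m := REQUEST_LINE.match(start):
        msg.update(kind="request", method=m.group(1), url=m.group(2))
    elif m := STATUS_LINE.match(start):
        msg.update(kind="response", status=int(m.group(1)), reason=m.group(2))
    else:
        raise ValueError("not an RTSP start line: %r" % start)
    for line in header_lines:
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    return msg

def flag_brute_force(events, window_s=60, threshold=10):
    """events: (epoch_seconds, client_ip, raw_server_response) tuples.
    Returns {ip: peak 401s in any window_s-second window} for clients at/over threshold."""
    failures = {}
    for ts, ip, raw in events:
        msg = parse_rtsp(raw)
        if msg["kind"] == "response" and msg["status"] == 401:
            failures.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, ts in enumerate(stamps):  # sliding window over the sorted timestamps
            while ts - stamps[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed traffic: 203.0.113.5 keeps retrying DESCRIBE against a Digest challenge; 192.0.2.50 fails once, then succeeds.
UNAUTH = ("RTSP/1.0 401 Unauthorized\r\nCSeq: %d\r\n"
          'WWW-Authenticate: Digest realm="IPCam", nonce="c0ffee"\r\n\r\n')
OK = "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
SAMPLE_EVENTS = [(1700000000 + 2 * i, "203.0.113.5", UNAUTH % (i + 1)) for i in range(12)]
SAMPLE_EVENTS += [(1700000001, "192.0.2.50", UNAUTH % 1), (1700000003, "192.0.2.50", OK)]
```

Running flag_brute_force(SAMPLE_EVENTS) reports only 203.0.113.5; feeding real camera access logs or pcap-extracted RTSP responses into it is the practical use, and a camera or gateway that cannot rate-limit itself can at least be alerted on this way.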