ullaakut / cameradar

Cameradar hacks its way into RTSP videosurveillance cameras

License: MIT License

Go 98.67% Dockerfile 1.33%
penetration-testing security hacking infosec rtsp cctv cameras hacking-tool pentesting security-tools

cameradar's People

Contributors

arturformella, baryy100, gaelollivier, ishanjain28, jeremyletang, jirfag, justbuchanan, mr-xn, randomrobbiebf, sliicy, supremepot, testwill, ullaakut, voroninmichael

cameradar's Issues

MultiOS Compatibility

The main purpose of making Cameradar a library is to make it usable by as many people as possible. Releasing a binary under Linux is not a problem since we can use Docker, but for a library, it's very important to ensure MultiOS compatibility and to maintain it at all times.

Fix temporary Travis dirty patch

Here is the full story about this quick&dirty fix that I used to get Travis to test Cameradar.

First, I use cmake3.5.1 on my system and it works flawlessly. Travis uses the 2.8 by default but I managed to find a PPA giving me the 3.2.3 version. However, even though the 3.5 and the 3.2 do not have relevant differences concerning the install method, it seems that on my system CPack manages to find the external shared libraries after their installation, while Travis does not.

I really tried lots of different manipulations, I've read all the documentation concerning file and install in CMake, and I still have no clue as to why they're not found. When looking for them in the system, they are properly generated and in the right place, but they are simply not added to the tarball at the end.

It results in Docker failing to create the image.

To fix this temporarily, I manually unzip the tarball, copy the shared libraries using a global expression, and zip the tarball again with the added libs. It does the trick, but the paths to the libraries are written directly in the .travis.yml file, which is disgusting.

I will keep looking for the reason for this problem later!

If you have an idea of where it could come from, you're free to look at the logs of the first 30 builds of Cameradar on Travis here: https://travis-ci.org/EtixLabs/cameradar/builds and to reply to this issue.

Find a way to automatically bypass RTSP Proxies

Either register to the proxy's registry if it uses one (would need to have a mac address and an IP address matching the pattern set in the proxy configuration) or find exploits that could be used.

IP List Functionality

Being able to feed in a list of IP addresses would potentially be a useful feature, for example where one does a "pre-scan" of a range for the open RTSP ports using something like zmap or masscan, prior to passing to this tool.

Add new RTSP routes

So far I found a few I can add:

  • /video.h264
  • /11
  • /12
  • /ch1-s1
  • /live3.sdp
  • /onvif-media/media.amp
  • /axis-media/media.amp
  • /axis-media/media.amp?videocodec=h264
  • /mpeg4/media.amp
  • /stream
  • /cam/realmonitor
  • /live
  • /video.pro2
  • /videoMain
  • /VideoInput/1/mpeg4/1
  • /VideoInput/1/h264/1
  • /video.pro3
  • /video.pro1
  • /video.mjpg
  • /h264_vga.sdp
  • /media.amp
  • /media
  • /ONVIF/MediaInput
  • /nphMpeg4/g726-640x48
  • /MediaInput/mpeg4
  • /MediaInput/h264
  • /Streaming/Channels/1
  • /ch0_0.h264
  • /rtsph2641080p
  • /live/av0
  • /cam1/onvif-h264
  • /ucast/11
  • /LowResolutionVideo
  • /1
  • /live/ch00_0
  • /medias2

I will add more to this list as I find more of them and when I think it is complete enough, I will create a PR for it.

Refactor the tester's code

The go code in it was a quick copy paste of another tool that was not very clean in the first place, and it was my first use of Golang ever, which is one of the reasons why it's so unclean at the moment. It would very much need to be done in a more elegant way.

I will do a few changes right now but I don't have the time to change all of it for now.

  • Total refactor
  • Separate service and service config
  • Remove duplicate database configuration
  • Add newlines in some part of the code to make it clearer
  • Remove error checks on the same lines as error definitions
  • Fix comments
  • Add comments to struct variables where it's needed

Improve run speed

Maybe the mapping can be improved with a different nmap command, or by changing dynamically the order of the dictionary using the bruteforcing results, or maybe you even have other ideas to improve the speed!

Any improvement would be very appreciated!

Functional testing is not 100% functional

Unable to deserialize result file: invalid character '{' after array element
Test OK in 185.780285s
All tests completed
--- Writing results... ---
Unable to deserialize test-results.xml file: EOF
--- Test summary ---
Results: 5/5 (100%)
Time: 185.780285s
-> JUnit XML report written: test-results.xml
--- Writing results done ---
Tests exited with code 0
<testsuites>
	<testsuite tests="5" failures="5" time="185.780285">
		<testcase message="" time="185.780285"></testcase>
		<testcase message="" time="185.780285"></testcase>
		<testcase message="" time="185.780285"></testcase>
		<testcase message="" time="185.780285"></testcase>
		<testcase message="" time="185.780285"></testcase>
	</testsuite>
</testsuites>stopping all cameras tests
stopping and removing 5 containers
Tests returned 0

There are several problems here:

  • Deserialization failure should terminate the test
  • If no tests were found, the results should not have been 5/5 (100%)
  • The testcases do not have failures as they should
  • The tester should not return success after all those problems
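
The four points above expressed as a pass/fail check, in an added example that is not part of the issue or of the project's tester. The `Result`, `TestCase`, `Evaluate` and `ExitCode` names are assumptions; only the JSON keys come from the result file shown on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Result holds the fields of the result file that the check needs.
type Result struct {
	Address   string `json:"address"`
	IDsFound  bool   `json:"ids_found"`
	PathFound bool   `json:"path_found"`
}

// TestCase is one report entry; Failure is empty only when the case passed.
type TestCase struct {
	Address, Failure string
}

// Evaluate compares the result file with the cameras the test started; a file that does not parse is an error.
func Evaluate(raw []byte, expected []string) ([]TestCase, error) {
	var results []Result
	if err := json.Unmarshal(raw, &results); err != nil {
		return nil, fmt.Errorf("unable to deserialize result file: %w", err)
	}
	byAddr := make(map[string]Result, len(results))
	for _, r := range results {
		byAddr[r.Address] = r
	}
	cases := make([]TestCase, 0, len(expected))
	for _, addr := range expected {
		tc := TestCase{Address: addr}
		r, found := byAddr[addr]
		switch {
		case !found:
			tc.Failure = "camera missing from result file"
		case !r.PathFound:
			tc.Failure = "route not found"
		case !r.IDsFound:
			tc.Failure = "credentials not found"
		}
		cases = append(cases, tc)
	}
	return cases, nil
}

// ExitCode is 0 only if parsing succeeded, at least one case ran, and every case passed.
func ExitCode(cases []TestCase, err error) int {
	if err != nil || len(cases) == 0 {
		return 1
	}
	for _, tc := range cases {
		if tc.Failure != "" {
			return 1
		}
	}
	return 0
}

func main() {
	// Constructed input: no comma between the two objects, as in the error quoted in the issue.
	cases, err := Evaluate([]byte(`[{"address":"172.17.0.4"}{"address":"172.17.0.5"}]`), []string{"172.17.0.4"})
	fmt.Println(err, ExitCode(cases, err))
}
```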

CMake Error at mysql-connector

CMake Error at /home/lionsec/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure.cmake:16 (message):
Command failed: 1

'/usr/bin/cmake' '-DBOOST_ROOT=/home/lionsec/cameradar/deps/boost/src/deps.boost' '-DCMAKE_INSTALL_PREFIX=/home/lionsec/cameradar/deps/mysql-connector' '-DBUILD_TYPE=Release' '-DMYSQL_CXXFLAGS=-fexceptions' '/home/lionsec/cameradar/deps/mysql-connector/src/deps.mysql_connector'

See also

/home/lionsec/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure-*.log

deps/CMakeFiles/deps.mysql_connector.dir/build.make:103: recipe for target '../deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure' failed
make[2]: *** [../deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure] Error 1
CMakeFiles/Makefile2:112: recipe for target 'deps/CMakeFiles/deps.mysql_connector.dir/all' failed
make[1]: *** [deps/CMakeFiles/deps.mysql_connector.dir/all] Error 2
Makefile:136: recipe for target 'all' failed
make: *** [all] Error 2
KO!

Any idea how to fix this?

New static analysis warnings from Codacy

  • Useless warnings that say functions declared in .h files are never used even if they are
  • Style warnings saying that in Golang, error strings should not begin with an uppercase and not end with a dot

The C++ warnings are weird and I don't really get why they happen. I decided to ignore them, because the functions are obviously used. The Golang warnings however will be fixed in a PR very soon.

Add progress indicator

Currently if the program takes a long time to scan / attack cameras, the user has no clue that it's not stuck somewhere. It might be good to show a kind of spinner and a temporary log explaining what the program is currently doing.

(Maybe also a time estimation)

Add unit testing

Right now the code is not unit tested at all, and it could be very good to have more than just functional end-to-end testing.

Error installing cameradar in Kali

Hello folks,

After following the steps and installing all the dependencies, I got stuck at step 6:

1- git clone https://github.com/EtixLabs/cameradar.git
2- cd cameradar
3- mkdir build
4- cd build
5- cmake ..
6- make

root@kali:~/Programas/cameradar/build# cmake ..
-- retrieve current git revision SHA1 of cameradar
-- current cameradar git revision SHA1 is b61fe521615d64e234e892b6e739ca965b470500
-- current cameradar build version will be 20170512004743
-- Configuring deps.jsoncpp
-- Configuring deps.mysqlconnector
-- Configuring done
-- Generating done
-- Build files have been written to: /root/Programas/cameradar/build

root@kali:~/Programas/cameradar/build# make
[ 18%] Built target deps.jsoncpp
[ 20%] Performing configure step for 'deps.mysql_connector'
CMake Error at /root/Programas/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure-.cmake:16 (message):
  Command failed: 1

   '/usr/bin/cmake' '-DBOOST_ROOT=/root/Programas/cameradar/deps/boost/src/deps.boost' '-DCMAKE_INSTALL_PREFIX=/root/Programas/cameradar/deps/mysql-connector' '-DBUILD_TYPE=Release' '-DMYSQL_CXXFLAGS=-fexceptions' '/root/Programas/cameradar/deps/mysql-connector/src/deps.mysql_connector'

  See also

    /root/Programas/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure-*.log


deps/CMakeFiles/deps.mysql_connector.dir/build.make:106: recipe for target '../deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure' failed
make[2]: *** [../deps/mysql-connector/src/deps.mysql_connector-stamp/deps.mysql_connector-configure] Error 1
CMakeFiles/Makefile2:124: recipe for target 'deps/CMakeFiles/deps.mysql_connector.dir/all' failed
make[1]: *** [deps/CMakeFiles/deps.mysql_connector.dir/all] Error 2
Makefile:149: recipe for target 'all' failed
make: *** [all] Error 2

See the error:

root@kali:~/Programas/cameradar/deps/mysql-connector/src/deps.mysql_connector-stamp# cat deps.mysql_connector-configure-err.log 
CMake Error at FindMySQL.cmake:556 (message):
  Could not find "mysql.h" from searching "/usr/include/mysql
  /usr/local/include/mysql /opt/mysql/mysql/include
  /opt/mysql/mysql/include/mysql /usr/local/mysql/include
  /usr/local/mysql/include/mysql /MySQL/*/include /MySQL/*/include"
Call Stack (most recent call first):
  CMakeLists.txt:217 (INCLUDE)

Any idea how to fix the error?

Thanks in advance.

Subnet and port CLI options

Hello,

Setting the tested subnets and ports in the configuration file might be nice when you want to repeat the same process several times, but is not ideal when you are trying around to find something incrementally.
It might be nice to have some options that would override the config file.

Refactor Cameradar into a static library

I never did this before so the first step will be to answer those questions:

How to handle scanning in the library?

System call of nmap with the required arguments followed by the use of the https://github.com/lair-framework/go-nmap library to parse the XML result.

How to use dictionaries with the library?

Are default dictionaries a good idea?
We need a loadCustomDictionnary() function.

Should the thumbnail generation, the stream checking and the output file generation be part of the library ?

For now my opinion is that it should not. The library should just be in charge of discovering and accessing the streams. A simplified use I imagine would be:

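package main

import (
	"fmt"
	"os"

	cameradar "github.com/EtixLabs/cameradar"
)

func main() {
	// Sketch of the imagined API: the type and its methods are not implemented yet.
	c := new(cameradar)

	// Load the route and credential dictionaries, then scan the subnet on port 554.
	c.loadCustomURLDictionary("/path/to/url/dict")
	c.loadCustomIDDictionary("/path/to/ids/dict")
	err := c.scan("192.168.100.0/24", "554")
	if err != nil {
		os.Exit(1)
	}
	err = c.access()
	if err != nil {
		os.Exit(1)
	}
	// range yields (index, value); only the value is needed here.
	for _, stream := range c.getValidStreams() {
		fmt.Println(stream.getIP(), "accessible at URL", stream.getURL())
	}
}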

Which would ideally produce the following output:

192.168.100.10 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.11 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.12 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.13 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.14 accessible at URL rtsp://root:[email protected]/live.sdp:554
192.168.100.15 accessible at URL rtsp://root:[email protected]/live.sdp:554

If we need more functionalities, we would then simply use the getter methods to retrieve the URL and open it with FFMPEG to generate a thumbnail. The same goes for the stream checking and the generation of output files.

For now I think we would only need libcurl, and even better is that it can be configured to be built stripped of useless parts of the library, which would make it less than 300 kB.


Here is what I consider mandatory for the 2.0.0:

  • Configuration
  • Dictionary loading
  • Network scanning
  • RTSP discovery
  • RTSP dictionary attack
  • Multithreading
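
A sketch of the scanning step described above (run nmap, then parse its XML report), added here and not the project's code. It uses Go's standard `encoding/xml` instead of go-nmap so it runs without dependencies; the `Stream` type, the `OpenRTSP` function and the sample report are assumptions constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// nmapRun maps only the parts of nmap's XML report (-oX) that are used here.
type nmapRun struct {
	Hosts []struct {
		Addresses []struct {
			Addr string `xml:"addr,attr"`
			Type string `xml:"addrtype,attr"`
		} `xml:"address"`
		Ports []struct {
			ID    int `xml:"portid,attr"`
			State struct {
				Value string `xml:"state,attr"`
			} `xml:"state"`
			Service struct {
				Name    string `xml:"name,attr"`
				Product string `xml:"product,attr"`
			} `xml:"service"`
		} `xml:"ports>port"`
	} `xml:"host"`
}

// Stream is a hypothetical record for one exposed RTSP service.
type Stream struct {
	Address, Product string
	Port             int
}

// OpenRTSP returns every open port that nmap identified as RTSP.
func OpenRTSP(report []byte) ([]Stream, error) {
	var run nmapRun
	if err := xml.Unmarshal(report, &run); err != nil {
		return nil, fmt.Errorf("parse nmap XML: %w", err)
	}
	var out []Stream
	for _, h := range run.Hosts {
		addr := ""
		for _, a := range h.Addresses {
			if a.Type != "mac" { // keep the IPv4/IPv6 entry, skip the MAC
				addr = a.Addr
				break
			}
		}
		for _, p := range h.Ports {
			if addr != "" && p.State.Value == "open" && p.Service.Name == "rtsp" {
				out = append(out, Stream{addr, p.Service.Product, p.ID})
			}
		}
	}
	return out, nil
}

// sample is a constructed report fragment: one open RTSP port, one closed, one open HTTP.
const sample = `<nmaprun><host><address addr="172.17.0.4" addrtype="ipv4"/><address addr="02:42:AC:11:00:04" addrtype="mac"/><ports>
<port protocol="tcp" portid="8554"><state state="open"/><service name="rtsp" product="GStreamer rtspd"/></port>
<port protocol="tcp" portid="554"><state state="closed"/><service name="rtsp"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host></nmaprun>`

func main() { fmt.Println(OpenRTSP([]byte(sample))) }
```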

Bruteforce Comelit Cameras

Comelit cameras don't seem to respect the RTSP RFC.

Developing a different algorithm and adding a long option like --comelit could be a nice improvement.

Legends say that they answer with 451 Parameter Not Understood instead of 200 OK when the ids and url are the good ones, but that they also can have some random behaviour sometimes.

Make output file more human-readable

Right now the outputted format looks like:

[
{
   "address" : "172.17.0.4",
   "ids_found" : true,
   "password" : "root",
   "path_found" : true,
   "port" : 8554,
   "product" : "GStreamer rtspd",
   "protocol" : "tcp",
   "route" : "/live.sdp",
   "service_name" : "rtsp",
   "state" : "open",
   "thumbnail_path" : "/tmp/172.17.0.4/1479896397.jpg",
   "username" : "root"
}
,{
   "address" : "172.17.0.5",
   "ids_found" : true,
   "password" : "ubnt",
   "path_found" : true,
   "port" : 8554,
   "product" : "GStreamer rtspd",
   "protocol" : "tcp",
   "route" : "/cam",
   "service_name" : "rtsp",
   "state" : "open",
   "thumbnail_path" : "/tmp/172.17.0.5/1479896397.jpg",
   "username" : "Admin"
}
,{
   "address" : "172.17.0.6",
   "ids_found" : true,
   "password" : "",
   "path_found" : true,
   "port" : 8554,
   "product" : "GStreamer rtspd",
   "protocol" : "tcp",
   "route" : "/live_mpeg4.sdp",
   "service_name" : "rtsp",
   "state" : "open",
   "thumbnail_path" : "/tmp/172.17.0.6/1479896397.jpg",
   "username" : ""
}
,{
   "address" : "172.17.0.7",
   "ids_found" : true,
   "password" : "ubnt",
   "path_found" : true,
   "port" : 8554,
   "product" : "GStreamer rtspd",
   "protocol" : "tcp",
   "route" : "/cam",
   "service_name" : "rtsp",
   "state" : "open",
   "thumbnail_path" : "/tmp/172.17.0.7/1479896397.jpg",
   "username" : "Admin"
}

]

And it would be better to make it be

[
{
   "address" : "172.17.0.4",
   "ids_found" : true,
   "password" : "root",
   "path_found" : true,
   "port" : 8554,
   "product" : "GStreamer rtspd",
   "protocol" : "tcp",
   "route" : "/live.sdp",
   "service_name" : "rtsp",
   "state" : "open",
   "thumbnail_path" : "/tmp/172.17.0.4/1479896397.jpg",
   "username" : "root"
},
{
   "address" : "172.17.0.5",
   "ids_found" : true,
   "password" : "ubnt",
   "path_found" : true,
   "port" : 8554,
   "product" : "GStreamer rtspd",
   "protocol" : "tcp",
   "route" : "/cam",
   "service_name" : "rtsp",
   "state" : "open",
   "thumbnail_path" : "/tmp/172.17.0.5/1479896397.jpg",
   "username" : "Admin"
},
{
   "address" : "172.17.0.6",
   "ids_found" : true,
   "password" : "",
   "path_found" : true,
   "port" : 8554,
   "product" : "GStreamer rtspd",
   "protocol" : "tcp",
   "route" : "/live_mpeg4.sdp",
   "service_name" : "rtsp",
   "state" : "open",
   "thumbnail_path" : "/tmp/172.17.0.6/1479896397.jpg",
   "username" : ""
},
{
   "address" : "172.17.0.7",
   "ids_found" : true,
   "password" : "ubnt",
   "path_found" : true,
   "port" : 8554,
   "product" : "GStreamer rtspd",
   "protocol" : "tcp",
   "route" : "/cam",
   "service_name" : "rtsp",
   "state" : "open",
   "thumbnail_path" : "/tmp/172.17.0.7/1479896397.jpg",
   "username" : "Admin"
}
]

  • Remove useless space at the end
  • Change position of the commas

Rename MySQL table

A result table could be confusing in a bigger database. Renaming it to cameradar_results will be more appropriate and avoid eventual confusion.

`result.json` file regression

The tester did not catch it, but here is the problematic line : Unable to deserialize result file: invalid character '{' after array element

Option to specify output file

Add a -o option such that ./cameraccess -o test outputs the results in the test file instead of the standard result.json. The default value of the output should be cameradar_results.json instead of the current result.json.

Update functional tests

The tests are not working anymore because the architecture of the project changed and they have not been updated since.

Add new RTSP URLs and add contribution doc

Three new URLs will be added to the base dictionary

  • /rtsp_live0
  • /rtsp_live1
  • /rtsp_live2

And I need to add some contribution documentation to list contributors and give guidelines for those who want to help.

SQLite cache manager

For someone who wants a database to keep and access the data, MySQL can be overkill, which is why SQLite seems like a neat easy solution for a simple persistent cache-manager.

Cameraccess prototype

When the Cameradar library is ready, in order to keep a simple standalone application, it is important to maintain the functions of Cameradar 1.1.4 through the Cameraccess binary.

The first step will be to have a prototype, able to use the Cameradar library to discover cameras and dictionary attack them. No need to generate thumbnails or check if they are valid for GStreamer, except if it's requested by our users.

The call to the binary should be identical to the way Cameradar 1.1.4 was called:

$> cameraccess [-c /path/to/conf] [-l log_level] [-s subnets] [-p ports] [-m max_threads] [-v] [-h]

Upon success, the Cameraccess prototype should output its results in a JSON file (See #54 for the output file name).

  • Command line parsing
  • Discovery
  • Dictionary attack
  • Output
  • Documentation

Rename contribution file

It's currently called CONTRIBUTION.md, and I just learned that calling it CONTRIBUTING.md integrates it in GitHub issue / PR interface.

Update to use RTSPATT for testing

CES became RTSPATT. The new version is way cooler and can be used with a docker image, which would avoid the ugly binary in the repo.
