Cameradar: a scanning and brute-force tool for CCTV cameras

Date: 2024-01-25 20:37:55


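0x01 Features
    
        Overview: Cameradar is a Docker-based tool for accessing RTSP streams. It brute-forces usernames and passwords through RTSP authentication and can be used to penetration-test common CCTV cameras. It ships with a credentials dictionary and a dictionary of stream routes.
        Features in detail:
  • Detects any reachable target device and finds hosts with RTSP open.
  • Detects the model of the device that is streaming surveillance data.
  • Uses the built-in dictionaries to brute-force credentials and stream routes automatically.
        Advantages:
  • Makes it easy to check camera devices for weak passwords in bulk.
  • The credentials dictionary and the stream-route dictionary can be customized, so the dictionaries can be changed to suit the camera devices being tested.
        GitHub source: https://github.com/Ullaakut/cameradar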
 
0x02 Environment setup
 
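        The system used here is CentOS 7. For installing Docker, the official recommendation is a kernel of 3.8 or later. The CentOS kernel here is version 3.10, which meets the requirement.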
 
[root@localhost docker_test]# uname -a
Linux bogon 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost docker_test]#
 
 1. Use the yum package manager to upgrade packages to the latest versions.
[root@localhost docker_test]# yum update
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
* base: mirrors.huaweicloud.com
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.huaweicloud.com
base                                                     | 3.6 kB     00:00     
extras                                                   | 2.9 kB     00:00     
updates                                                  | 2.9 kB     00:00     
(1/4): base/7/x86_64/group_gz                              | 165 kB   00:00     
(2/4): extras/7/x86_64/primary_db                          | 153 kB   00:00     
(3/4): updates/7/x86_64/primary_db                         | 2.8 MB   00:01     
(4/4): base/7/x86_64/primary_db                            | 6.0 MB   00:02
2. Install the required dependencies. (They were already installed here.)
[root@localhost docker_test]# yum install -y yum-utils device-mapper-persistent-data lvm2
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.huaweicloud.com
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.huaweicloud.com
Package yum-utils-1.1.31-52.el7.noarch already installed and latest version
Package device-mapper-persistent-data-0.8.5-1.el7.x86_64 already installed and latest version
Package 7:lvm2-2.02.185-2.el7_7.2.x86_64 already installed and latest version
Nothing to do
3. Add the Docker yum repository.
        Docker Community Edition (the free edition) is installed here.
[root@localhost docker_test]# yum install docker-ce
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.huaweicloud.com
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.huaweicloud.com
No package docker-ce available.
Error: Nothing to do
[root@localhost docker_test]#

The default repositories on CentOS 7.0 do not provide Docker packages. (The epel-release repository I installed does not have them either.)

[root@localhost yum.repos.d]# pwd
/etc/yum.repos.d
[root@localhost yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo
CentOS-CR.repo         CentOS-Media.repo      epel.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo    epel-testing.repo

Add the Docker repository. (After adding it, a new yum repository file, docker-ce.repo, appears.)

[root@localhost yum.repos.d]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
Loaded plugins: fastestmirror, langpacks
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@localhost yum.repos.d]# ls
CentOS-Base.repo       CentOS-fasttrack.repo  CentOS-Vault.repo  epel-testing.repo
CentOS-CR.repo         CentOS-Media.repo      docker-ce.repo
CentOS-Debuginfo.repo  CentOS-Sources.repo    epel.repo
[root@localhost yum.repos.d]#

List all Docker versions available in the repository.

[root@localhost yum.repos.d]# yum list docker-ce --showduplicates | sort -r
* updates: mirrors.huaweicloud.com
Loading mirror speeds from cached hostfile
Loaded plugins: fastestmirror, langpacks
* extras: mirrors.tuna.tsinghua.edu.cn
* epel: mirrors.tuna.tsinghua.edu.cn
docker-ce.x86_64            3:19.03.4-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.3-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.2-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.1-3.el7                     docker-ce-stable
.
.
.

Install Docker Community Edition.

[root@localhost yum.repos.d]# yum install docker-ce
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.huaweicloud.com
* epel: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.huaweicloud.com
Resolving Dependencies
--> Running transaction check
---> Package docker-ce.x86_64 3:19.03.4-3.el7 will be installed
--> Processing Dependency: container-selinux >= 2:2.74 for package: 3:docker-ce-19.03.4-3.el7.x86_64
--> Processing Dependency: containerd.io >= 1.2.2-3 for package: 3:docker-ce-19.03.4-3.el7.x86_64
--> Processing Dependency: docker-ce-cli for package: 3:docker-ce-19.03.4-3.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.107-3.el7 will be installed
---> Package containerd.io.x86_64 0:1.2.10-3.2.el7 will be installed
---> Package docker-ce-cli.x86_64 1:19.03.4-3.el7 will be installed
--> Finished Dependency Resolution


Dependencies Resolved


=======================================================================================
Package                Arch        Version                Repository             Size
=======================================================================================
Installing:
docker-ce              x86_64      3:19.03.4-3.el7        docker-ce-stable       24 M
Installing for dependencies:
container-selinux      noarch      2:2.107-3.el7          extras                 39 k
containerd.io          x86_64      1.2.10-3.2.el7         docker-ce-stable       23 M
docker-ce-cli          x86_64      1:19.03.4-3.el7        docker-ce-stable       39 M


Transaction Summary
=======================================================================================
Install  1 Package (+3 Dependent packages)


Total download size: 87 M
Installed size: 362 M

Check the Docker version, then start Docker.

[root@localhost yum.repos.d]# docker version
Client: Docker Engine - Community
Version:           19.03.4
API version:       1.40
Go version:        go1.12.10
Git commit:        9013bf583a
Built:             Fri Oct 18 15:52:22 2019
OS/Arch:           linux/amd64
Experimental:      false
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Start Docker.

[root@localhost yum.repos.d]# systemctl start docker
[root@localhost yum.repos.d]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-11-08 03:31:55 EST; 32s ago
     Docs: https://docs.docker.com
Main PID: 1188 (dockerd)
    Tasks: 8
   Memory: 99.4M
   CGroup: /system.slice/docker.service
           └─1188 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock


Nov 08 03:31:54 bogon dockerd[1188]: time="2019-11-08T03:31:54.384116486-05:00" level=info msg="ccResolverWrapper: s...e=grpc
Nov 08 03:31:54 bogon dockerd[1188]: time="2019-11-08T03:31:54.384130527-05:00" level=info msg="ClientConn switching...e=grpc
Nov 08 03:31:54 bogon dockerd[1188]: time="2019-11-08T03:31:54.416778226-05:00" level=info msg="[graphdriver] using ...rlay2"
Nov 08 03:31:54 bogon dockerd[1188]: time="2019-11-08T03:31:54.420853788-05:00" level=info msg="Loading containers: start."
Nov 08 03:31:55 bogon dockerd[1188]: time="2019-11-08T03:31:55.048703993-05:00" level=info msg="Default bridge (dock...dress"
Nov 08 03:31:55 bogon dockerd[1188]: time="2019-11-08T03:31:55.312303083-05:00" level=info msg="Loading containers: done."
Nov 08 03:31:55 bogon dockerd[1188]: time="2019-11-08T03:31:55.357432633-05:00" level=info msg="Docker daemon" commi...9.03.4
Nov 08 03:31:55 bogon dockerd[1188]: time="2019-11-08T03:31:55.357497299-05:00" level=info msg="Daemon has completed...ation"
Nov 08 03:31:55 bogon dockerd[1188]: time="2019-11-08T03:31:55.394993466-05:00" level=info msg="API listen on /var/r....sock"
Nov 08 03:31:55 bogon systemd[1]: Started Docker Application Container Engine.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost yum.repos.d]#
 
 0x03 Using the tool
 
Pull the Docker image.
[root@localhost yum.repos.d]# docker pull ullaakut/cameradar
Using default tag: latest
latest: Pulling from ullaakut/cameradar
9d48c3bd43c5: Pull complete
cc7766bf8751: Pull complete
a497a345880d: Pull complete
919b21ac9ea0: Pull complete
3f9aebbc778b: Pull complete
Digest: sha256:04bbc19c486584ccc12d8bca2bd07e24bb859b63c44e07c0c17e940ec8badc75
Status: Downloaded newer image for ullaakut/cameradar:latest
List the images downloaded locally.
[root@localhost yum.repos.d]# docker images
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
ullaakut/cameradar   latest              fe268aaf499c        5 weeks ago         68.8MB
hello-world          latest              fce289e99eb9        10 months ago       1.84kB
[root@localhost yum.repos.d]#

 Usage in detail

1. Scan a single camera device:
    docker run ullaakut/cameradar --targets="ip"
 
2. Scan custom ports:
    docker run ullaakut/cameradar --targets="ip" --ports="554,5554,8554"
 
3. Use custom credentials and route dictionaries for the scan.
Usage:
docker run -t -v /my/folder/with/dictionaries:/tmp/dictionaries \
           ullaakut/cameradar \
           -r "/tmp/dictionaries/my_routes" \
           -c "/tmp/dictionaries/my_credentials.json" \
           -t 172.19.124.0/24
  By default, the tool loads the credentials and route dictionaries built into the Docker container.
[root@localhost ~]# docker run  ullaakut/cameradar -t192.168.64.128
Loading credentials...ok
  > Loading credentials dictionary from path "/app/dictionaries/credentials.json"
  > Loaded 14 usernames and 32 passwords
Loading routes...ok
  > Loading routes dictionary from path "/app/dictionaries/routes"
  > Loaded 182 routes
Scanning the network...ok
  > Found 0 RTSP streams
✖ unable to attack empty list of targets

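   Looking at the tool's source files, we can see that the credentials dictionary contains only 14 usernames and 32 passwords, and the route dictionary contains 182 routes.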

[root@localhost cameradar]# ls
attack.go       cmd           Dockerfile  helpers.go         LICENSE          README.md        scan_test.go
attack_test.go  curl.go       examples    helpers_test.go    loaders.go       scan.go          summary.go
cameradar.go    curl_test.go  go.mod      images             loaders_test.go  scanner.go       summary_test.go
CHANGELOG.md    dictionaries  go.sum      ISSUE_TEMPLATE.md  models.go        scanner_test.go  tools
[root@localhost cameradar]# cd dictionaries/
[root@localhost dictionaries]# ls
credentials.json  routes
[root@localhost dictionaries]# head credentials.json
{
  "usernames": [
    "",
    "666666",
    "888888",
    "Admin",
    "admin",
    "admin1",
    "administrator",
    "Administrator",
[root@localhost dictionaries]# head routes


/live/ch01_0
0/1:1/main
0/usrnm:pwd/main
0/video1
1
1.AMP
1/h264major
1/stream1
11
   Create our own credentials file on the local host (the credentials dictionary is stored as arrays).
[root@localhost tools]# ls
my_credentials.json  my_routes
[root@localhost tools]# vim my_credentials.json
{
  "usernames": [
    "",
    "666666",
    "888888",
    "Admin",
    "admin",
    "admin1",
    "administrator",
    "Administrator",
    "aiphone",
    "Dinion",
    "root",
    "service",
    "supervisor",
    "ubnt",
    "test",
    "ciby",
    "hello"
  ],
  "passwords": [
    "",
    "111111",
    "1111111",
    "1234",
    "12345",
    "123456",
    "12345678",
    "4321",
    "666666",
    "888888",
    "9999",
    "admin",
    "administrator",
    "aiphone",
    "camera",
    "fliradmin",
    "hikvision",
    "hikadmin",
    "ikwd",
    "jvc",
    "meinsm",
    "pass",
    "password",
    "reolink",
    "root",
    "service",
    "supervisor",
    "system",
    "toor",
    "tp-link",
    "ubnt",
    "wbox123",
    "test.com",
    "test1.com",
    "123.com"
  ]
}
[root@localhost tools]# head my_routes

/live/ch01_0
0/1:1/main
0/usrnm:pwd/main
0/video1
1
1.AMP
1/h264major
1/stream1
11

   Mount the local dictionaries into the container, then use the -c and -r options to load the custom dictionaries.

[root@localhost tools]# docker run -t -v /home/docker_test/tools:/tmp ullaakut/cameradar -c "/tmp/my_credentials.json" -r "/tmp/my_routes" -t 192.168.64.128
Loading credentials...ok
  > Loading credentials dictionary from path "/tmp/my_credentials.json"
  > Loaded 17 usernames and 35 passwords
Loading routes...ok
  > Loading routes dictionary from path "/tmp/my_routes"
  > Loaded 182 routes
Scanning the network...ok
  > Found 0 RTSP streams
✖ unable to attack empty list of targets
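
The same dictionary format can be turned around for a defensive check. The following is an added example, not code from the original post or from the Cameradar project: it audits an inventory of your own cameras against a dictionary in the credentials.json layout shown above. The shortened dictionary, the inventory and the function names are constructed for illustration, and the check assumes the tool pairs every username with every password.

```python
import json

# Constructed, shortened dictionary in the credentials.json layout shown above.
SAMPLE_DICTIONARY = """
{
  "usernames": ["", "admin", "Admin", "root", "service"],
  "passwords": ["", "12345", "admin", "hikvision", "password"]
}
"""

# Constructed inventory of our own cameras: (device, username, password).
SAMPLE_INVENTORY = [
    ("lobby-cam", "admin", "12345"),
    ("dock-cam", "admin", "T7#pq-long-unique-secret"),
    ("lab-cam", "", ""),
    ("gate-cam", "operator", "password"),
]


def load_dictionary(text):
    """Parse a credentials dictionary and validate that both arrays hold strings."""
    data = json.loads(text)
    for key in ("usernames", "passwords"):
        values = data.get(key) if isinstance(data, dict) else None
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f'"{key}" must be an array of strings')
    return set(data["usernames"]), set(data["passwords"])


def audit(inventory, usernames, passwords):
    """Flag devices whose configured credentials the dictionary would cover.

    Assumption: every username is paired with every password, so a device is
    exposed when both halves of its login appear in the dictionary.
    """
    findings = []
    for device, user, pwd in inventory:
        if user == "" and pwd == "" and "" in usernames and "" in passwords:
            findings.append((device, "no authentication configured"))
        elif user in usernames and pwd in passwords:
            findings.append((device, "login is in the dictionary"))
        elif pwd in passwords:
            findings.append((device, "password is in the dictionary"))
    return findings


if __name__ == "__main__":
    names, words = load_dictionary(SAMPLE_DICTIONARY)
    for device, reason in audit(SAMPLE_INVENTORY, names, words):
        print(f"{device}: {reason}")
```

Devices flagged by the audit should get a unique, long password and have anonymous RTSP access disabled before they are reachable from untrusted networks.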
 4. Scan target IPs listed in a file in bulk (the IPs can be in several formats).
[root@localhost tools]# docker run -t -v /home/docker_test/tools:/tmp ullaakut/cameradar -c "/tmp/my_credentials.json" -r "/tmp/my_routes" -t "/home/docker_test/tools/target.txt"
Loading credentials...ok
  > Loading credentials dictionary from path "/tmp/my_credentials.json"
  > Loaded 17 usernames and 35 passwords
Loading routes...ok
  > Loading routes dictionary from path "/tmp/my_routes"
  > Loaded 182 routes
Scanning the network...ko
✖ error while scanning network: Unable to split netmask from target expression: "/home/docker_test/tools/target.txt"
WARNING: No targets were specified, so 0 hosts scanned

 (This produced an error: unable to split the netmask. I don't know Go, so it is unresolved for now.)

    A /24 (class C) range can be scanned:
[root@localhost tools]# docker run -t -v /home/docker_test/tools:/tmp ullaakut/cameradar -c "/tmp/my_credentials.json" -r "/tmp/my_routes" -t 192.168.64.0/24
Loading credentials...ok
  > Loading credentials dictionary from path "/tmp/my_credentials.json"
  > Loaded 17 usernames and 35 passwords
Loading routes...ok
  > Loading routes dictionary from path "/tmp/my_routes"
  > Loaded 182 routes
Scanning the network...

 5. Other options

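* "-h": show usage information
* "-T, --timeout": (default: 2000ms) Set a custom timeout after which an attack attempt that receives no answer is abandoned. Increase it when scanning unstable, slow networks; decrease it on fast, reliable networks.
* "-d, --debug": enable debug logs
* "-v, --verbose": enable verbose curl logs (not recommended for most use cases)
* "-s, --scan-speed": (default: 4) Set a custom nmap discovery preset to improve speed or accuracy. Lower it when scanning unstable, slow networks; raise it on performant, reliable networks. You may also want to keep it low to keep discovery stealthy.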