Skip to content

cctv toolkit

Jump to bottom
7h30th3r0n3 edited this page Aug 17, 2025 · 1 revision

📹 CCTV Toolkit

A pentest toolkit for Discover, fingerprint, and sanity-check IP cameras (HTTP/HTTPS, RTSP, ONVIF, RTMP).

🚀 Workflow

Targets (LAN / Single IP / File)
           │
           ▼
[1] Port Scan → 80/443/8080–8099/8443 · 554/8554 · 1935–1939 · 3702
           │
           ▼
[2] Camera Heuristics → HTTP Server/body + RTSP Server/Public
           │
           ▼
[3] Brand Fingerprint → Hikvision / Dahua / Axis / CP Plus / Generic
           │
           ▼
[4] CVE Hints (internal DB) → NVD links in serial logs
           │
           ▼
[5] Login Pages → common paths (/, /login, /admin, …)
           │
           ▼
[6] Default Creds → only where auth is required (401/403/WWW-Auth)
           │
           ▼
[7] Streams → RTSP DESCRIBE (SDP), HTTP MJPEG/snapshots, RTMP hint
           │
           ▼
[8] Report → /evil/CCTV/CCTV_scan.txt (SD)

📦 Modules

1) Scan Local (LAN)

  • ARP sweep → full pipeline per host.
  • Output: TFT status + per-host summary in CCTV_scan.txt.
  • Use: quick mapping of camera services on a flat LAN.

2) Scan Unique IP (online or LAN)

  • Target: one IPv4 (public or private).
  • Public IP → adds GeoIP info via ipinfo.
  • Runs full pipeline like LAN mode.

3) Scan from FILE

  • Reads targets from /evil/CCTV/CCTV_IP.txt (one IP per line).
  • Batch mode → pipeline for each entry.
  • Pass trough all the IP and report on SD.

4) MJPEG Live Viewer

  • Plays MJPEG feeds from CCTV_live.txt: 
    Name | http://ip:port/mjpg/video.mjpg
  • Detected endpoint /mjpg/video.mjpg is logged when found on scan:
  • Top bar: stream name, resolution, compression, FPS.
  • Controls:
    • , / / → prev/next stream
    • r → toggle resolution
    • ; / . → compression ±
    • Backspace → exit viewer

5) Spycam Detector (Wi-Fi)

  • Passive scan for SSIDs (IPCAM, IPC-, PV-, P2P_, HDCAM, …) and OUIs (Bilian, AI-Link, High-Flying…)
  • RSSI heuristic → “NEAR” if strong (≥ −40 dBm).
  • Beep + LED blink on probable hits.

📁 SD Card Layout

/evil/CCTV/
  CCTV_scan.txt          ← cumulative reports
  CCTV_IP.txt            ← input list (IPs)
  CCTV_credentials.txt   ← default creds (user:pass)
  CCTV_live.txt          ← MJPEG feeds for viewer

⌨️ Keyboard Shortcuts

Context Keys Action
Global Backspace Abort / return
Menus ; / . Up / Down
Menus Enter Select
MJPEG Viewer , / / Prev / Next stream
MJPEG Viewer r Toggle resolution
MJPEG Viewer ; / . Compression ±
Spycam Enter / Backspace Stop scanning

📑 Example Report

----------------------------------------------------------------
Target: 192.168.1.23
Geo: City, CC
Ports: 80,443,554,8554,8080
Brand: Hikvision
Known CVEs: 12
[SERVER] HTTP 192.168.1.23:80 App-Webs/1.0
[RTSP] service: 192.168.1.23:554
rtsp://192.168.1.23:554/Streaming/Channels/101 -> 200
Login pages: 2
Default creds: FOUND
  http://192.168.1.23:80/login  admin:12345
RTSP accessible paths:
  - rtsp://192.168.1.23:554/Streaming/Channels/101
RTSP protected (auth required):
  - rtsp://192.168.1.23:554/Streaming/Channels/1  [401]

⚖️ Disclaimer

Use strictly for authorized audits.
Short timeouts + auth-gated default-cred checks reduce noise.
Segmented or TLS-only networks will naturally limit results.

Clone this wiki locally