Showing posts with label Apache.

Cameradar - An RTSP Surveillance Camera Access Multitool


Cameradar hacks its way into RTSP CCTV cameras

Cameradar allows you to:
  • Detect open RTSP hosts on any accessible target
  • Get their public info (hostname, port, camera model, etc.)
  • Launch automated dictionary attacks to get their stream route (for example /live.sdp)
  • Launch automated dictionary attacks to get the username and password of the cameras
  • Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
  • Try to create a Gstreamer pipeline to check if they are properly encoded
  • Print a summary of all the information Cameradar could get

And all of this in a single command line.
Of course, you can also run individual tasks if you plug a database into Cameradar, for example by using the MySQL cache manager. You can create your own cache manager by following the simple example of the dumb cache manager.

Quick install
The quick install uses docker to build Cameradar without polluting your machine with dependencies and makes it easy to deploy Cameradar in a few commands. However, it may require networking knowledge, as your docker containers will need access to the cameras' subnetwork.

Dependencies
The only dependencies are docker, docker-tools, git and make.

Five-step guide
  1. git clone https://github.com/EtixLabs/cameradar.git
  2. cd cameradar/deployment
  3. Tweak the conf/cameradar.conf.json as you need (see the configuration guide here for more information)
  4. docker-compose build ; docker-compose up
By default, the version of the package in the deployment should be the last stable release.
If you want to scan a different target or different ports, change the values CAMERAS_TARGET and CAMERAS_PORTS in the docker-compose.yml file.
The generated thumbnails will be in the cameradar_thumbnails folder after Cameradar has finished executing.
If you want to deploy your custom version of Cameradar using the same method, you should check the advanced docker deployment tutorial here.

Manual installation
The manual installation is recommended if you want to tweak Cameradar and quickly test it, building with CMake and running Cameradar from the command line. If you just want to use Cameradar, the quick install is recommended instead.

Dependencies
To install Cameradar you will need these packages:
  • cmake (cmake)
  • git (git)
  • gstreamer1.x (libgstreamer1.0-dev)
  • ffmpeg (ffmpeg)
  • boost (libboost-all-dev)
  • libcurl (libcurl4-openssl-dev)

Steps
The simplest way is to follow these steps:
  1. git clone https://github.com/EtixLabs/cameradar.git
  2. cd cameradar
  3. mkdir build
  4. cd build
  5. cmake ..
  6. make
  7. cd cameradar_standalone
  8. ./cameradar -s the_target_you_want_to_scan

Output
For each camera, Cameradar will output a JSON object like this one:
    {
        "address" : "173.16.100.45",
        "ids_found" : true,
        "password" : "123456",
        "path_found" : true,
        "port" : 554,
        "product" : "Vivotek FD9381-HTV",
        "protocol" : "tcp",
        "route" : "/live.sdp",
        "service_name" : "rtsp",
        "state" : "open",
        "thumbnail_path" : "/tmp/127.0.0.1/1463735257.jpg",
        "username" : "admin"
    }

Check camera access
If you have VLC Media Player, you should be able to use the GUI to connect to the RTSP stream using this format: rtsp://username:password@address:port/route
With the above result, the RTSP URL would be rtsp://admin:123456@173.16.100.45:554/live.sdp
If you're still in your console, however, you can go even faster by using vlc from the command line: just run vlc rtsp://username:password@address:port/route with the camera's info in place of the placeholders.

Command line options
  • "-c" : Set a custom path to the configuration file (-c /path/to/conf)
  • "-s" : Set custom target subnets (overrides configuration). You can use this argument in many ways: a subnet (e.g. 172.16.100.0/24), a single IP (e.g. 172.16.100.10), a range of IPs (e.g. 172.16.100.10-172.16.100.20) or a mix of all those (e.g. 172.17.100.0/24,172.16.100.10-172.16.100.20,0.0.0.0).
  • "-p" : Set custom ports (overrides configuration)
  • "-m" : Set number of threads (default value: 1)
  • "-l" : Set log level
    • "-l 1" : Log level DEBUG
      • Will print everything including debugging logs
    • "-l 2" : Log level INFO
      • Prints every normal information
    • "-l 4" : Log level WARNING
      • Only prints warning and errors
    • "-l 5" : Log level ERROR
      • Only prints errors
    • "-l 6" : Log level CRITICAL
      • Doesn't print anything since Cameradar can't have critical failures right now, however you can use this level to debug your own code easily or if you add new critical layers
  • "-d" : Launch the discovery tool
  • "-b" : Launch the dictionary attack tool on all discovered devices
    • Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
  • "-t" : Generate thumbnails from detected cameras
    • Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
  • "-g" : Check if the stream can be opened with GStreamer
    • Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
  • "-v" : Display Cameradar's version
  • "-h" : Display this help
  • "--gst-rtsp-server" : Use this option if the attack does not seem to work (only detects the username but not the path, or the opposite). This option will switch the order of the attacks to prioritize path over credentials, which is the way priority is handled for cameras that use GStreamer's RTSP server.

scanless - Public Port Scan Scrapper


Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.

scanless (adj): lacking respectable morals. That girl is scanless!

Public Port Scanners

Usage
Requires the requests and bs4 libraries to run, install with pip.
$ python scanless.py --help
usage: scanless.py [-h] [-t TARGET] [-s SCANNER] [-l] [-a]

scanless, public port scan scrapper

optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
ip or domain to scan
-s SCANNER, --scanner SCANNER
scanner to use (default: yougetsignal)
-l, --list list scanners
-a, --all use all the scanners

$ python scanless.py --list
Scanner Name | Website
---------------|------------------------------
yougetsignal | http://www.yougetsignal.com
viewdns | http://viewdns.info
hackertarget | https://hackertarget.com
ipfingerprints | http://www.ipfingerprints.com
pingeu | http://ping.eu

$ python scanless.py -s viewdns -t scanme.nmap.org
Running scanless...

------- viewdns -------
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed dns
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios
143/tcp closed imap
443/tcp closed https
445/tcp closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------

$ python scanless.py -a -t scanme.nmap.org
Running scanless...

------- yougetsignal -------
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed dns
80/tcp open http
110/tcp closed pop3
115/tcp closed sftp
135/tcp closed msrpc
139/tcp closed netbios
143/tcp closed imap
194/tcp closed irc
443/tcp closed https
445/tcp closed smb
1433/tcp closed mssql
3306/tcp closed mysql
3389/tcp closed rdp
5632/tcp closed pcanywhere
5900/tcp closed vnc
6112/tcp closed wc3
----------------------------

------- viewdns -------
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed dns
80/tcp open http
110/tcp closed pop3
139/tcp closed netbios
143/tcp closed imap
443/tcp closed https
445/tcp closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------

------- hackertarget -------
Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.065s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
445/tcp closed microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds
----------------------------

------- ipfingerprints -------
Host is up (0.16s latency).
Not shown: 484 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp filtered rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 10 hops
------------------------------

------- pingeu -------
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp closed smtp
53/tcp closed dns
80/tcp open http
139/tcp closed netbios
443/tcp closed https
445/tcp closed smb
3389/tcp closed rdp
----------------------
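The multi-scanner output above is easier to act on once it is reconciled: the services probe different port lists and name states differently, so a single table can hide coverage gaps. As an added example that is not part of scanless, this Python parses the per-scanner sections (skipping the nmap-style header, report and version text) and reports, per port, which scanners saw it open, whether their states conflict, and which never probed it; the sample input is a constructed, shortened excerpt in the same shape as the run shown above.

```python
# Added example, not part of scanless: parse its per-scanner output and report
# where the scanners agree, disagree or never probed a port on your own hosts.
import re
from collections import defaultdict
SECTION_RE = re.compile(r"^-+\s+(\S+)\s+-+$")              # "------- viewdns -------"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")  # tolerates nmap's VERSION column

# Constructed, shortened excerpt in the shape of the scanless output shown above.
SAMPLE = """------- yougetsignal -------
22/tcp open ssh
445/tcp closed smb
5900/tcp closed vnc
----------------------------
------- hackertarget -------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8
445/tcp closed microsoft-ds
----------------------------
------- ipfingerprints -------
22/tcp open ssh
445/tcp filtered microsoft-ds
------------------------------
"""

def parse_scanless(text):
    """Return {scanner: {"port/proto": (state, service)}}; other lines are skipped."""
    results, scanner = defaultdict(dict), None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            scanner = header.group(1)
            continue
        row = PORT_RE.match(line.strip())
        if row and scanner:                      # ignore rows before the first header
            port, proto, state, service = row.groups()
            results[scanner][f"{port}/{proto}"] = (state, service)
    return dict(results)

def reconcile(results):
    """Per port: who saw it open, whether reported states conflict, who never probed it."""
    scanners, report = set(results), {}
    for port in set().union(*results.values()):
        states = {s: results[s][port][0] for s in scanners if port in results[s]}
        report[port] = {
            "open_by": sorted(s for s, st in states.items() if st == "open"),
            "disagree": len(set(states.values())) > 1,     # e.g. closed vs filtered
            "not_probed": sorted(scanners - set(states)),  # coverage gaps, not safety
        }
    return report
```

A port listed under "not_probed" by most scanners, like 5900/tcp here, tells you nothing about its exposure and needs a direct check.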


Inspeckage - (Android Package Inspector) Dynamic Analysis With Api Hooks, Start Unexported Activities And More


Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.

Features
With Inspeckage, we can get a good amount of information about the application's behavior:

Information gathering
  • Requested Permissions;
  • App Permissions;
  • Shared Libraries;
  • Exported and Non-exported Activities, Content Providers, Broadcast Receivers and Services;
  • Check if the app is debuggable or not;
  • Version, UID and GIDs;
  • etc.

Hooks (so far)
With the hooks, we can see what the application is doing in real time:
  • Shared Preferences (log and file);
  • Serialization;
  • Crypto;
  • Hashes;
  • SQLite;
  • HTTP (an HTTP proxy tool is still the best alternative);
  • File System;
  • Miscellaneous (Clipboard, URL.Parse());
  • WebView;
  • IPC;
  • + Hooks (add new hooks dynamically)

Actions
With Xposed it's possible to perform actions such as starting an unexported activity and much more:
  • Start any activity (exported and unexported);
  • Call any provider (exported and unexported);
  • Disable FLAG_SECURE;
  • SSL uncheck (bypass certificate pinning - JSSE, Apache and okhttp3);
  • Start, stop and restart the application;
  • Replace params and return value (+Hooks tab).

Extras
  • APK Download;
  • View the app's directory tree;
  • Download the app's files;
  • Download the output generated by hooks in text file format;
  • Take a screen capture;
  • Send text to android clipboard.

Configuration
Even though our tool has some hooks to the HTTP libraries, using an external proxy tool is still the best option to analyze the app's traffic. With Inspeckage, you can:
  • Add a proxy to the target app;
  • Enable and disable proxy;
  • Add entries in the arp table.

Logcat
Logcat.html page: an experimental page that uses a websocket to show some information from the logcat.

Installation
Requirements: Xposed Framework

Xposed Installer
  1. Go to Xposed Installer, select "Download"
  2. Refresh and search for "Inspeckage"
  3. Download the latest version and install
  4. Enable it in Xposed
  5. Reboot and enjoy!

Xposed Repository
Get it from Xposed repo: http://repo.xposed.info/module/mobi.acpm.inspeckage
    adb install mobi.acpm.inspeckage.apk
  1. Enable it in Xposed
  2. Reboot and enjoy!

From Source
Feel free to download the source!

How to uninstall
    adb uninstall mobi.acpm.inspeckage
And reboot!


Struts2Shell - Interactive Shell Command to Exploit Apache Struts CVE-2017-5638


Makes it easier to craft and send commands to the vulnerable Apache Struts server from an interactive shell.

Usage:
python Struts2Shell.py

strutszeiro - Telegram Bot to manage botnets created with struts vulnerability (CVE-2017-5638)


Telegram Bot to manage botnets created with the Struts vulnerability (CVE-2017-5638)

Dependencies
pip install -r requeriments.txt

Config
Create a telegram bot, save the API token in config/token.conf
Create a telegram group, save the group id in config/group.conf

Start
python strutszeiro.py

Telegram Usage
/add url - test vulnerability and add the new server
/exploit url *cmd - execute commands in a specific server (you need to use the * character)
/botnet cmd - execute commands in all servers
/list - show all servers in botnet
/total - show total of servers in botnet
Thanks to @btamburi


struts-pwn - An exploit for Apache Struts CVE-2017-5638


An exploit for Apache Struts CVE-2017-5638

Usage

Testing a single URL.
python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'

Testing a list of URLs.
python struts-pwn.py --list 'urls.txt' -c 'id'

Checking if the vulnerability exists against a single URL.
python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'

Checking if the vulnerability exists against a list of URLs.
python struts-pwn.py --check --list 'urls.txt'

Requirements
  • Python2 or Python3
  • requests

Legal Disclaimer
This project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Author
Mazin Ahmed

[OWASP HTTP Post Tool] DoS Apache Webserver Attack


This tutorial shows how you can easily take out an Apache web server with one HTTP POST tool over a standard slow DSL connection.

This is NO Slowloris Attack!
Limitations of HTTP GET DDOS attack:

- Does not work on IIS web servers or web servers with timeout limits for HTTP headers.

- Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris.

- Anti-DDOS systems may use "delayed binding"/"TCP Splicing" to defend against HTTP GET attacks.

Why HTTP POST DDOS attack works

- This attack can evade Layer 4 detection techniques as there is no malformed TCP, just like Slowloris.

- Unlike Slowloris, there is no delay in sending the HTTP header, hence nullifying the IIS built-in defense, making IIS vulnerable too.

- Size, character sets and time intervals can be randomised to foil any recognition of Layer 7 traffic patterns by DDOS protection systems.

- Difficult to differentiate from legit connections which are slow.

Download OWASP HTTP Post Tool