diff --git a/CHANGELOG.md b/CHANGELOG.md index fa54449..ab87735 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -76,7 +76,7 @@ This file lists all versions of the repository and precises all changes. #### Major changes : * There are more command line options * Port can now be overridden in the command line - * target can now be overridden in the command line + * Target can now be overridden in the command line * Bruteforce is now multithreaded and will use as many threads as there are discovered cameras * Thumbnail generation is now multithreaded and will use as many threads as there are discovered cameras * There are now default configuration values in order to make cameradar easier to use @@ -84,7 +84,7 @@ This file lists all versions of the repository and precises all changes. #### Minor changes : * The algorithms take external input into account (so that a 3rd party can change the DB to help Cameradar in real-time) and thus check the persistent data at each iteration * The default log level is now DEBUG instead of INFO -* The bruteforce logs are now INFO instead of DEBUG +* The attack logs are now INFO instead of DEBUG * The thumbnail generation logs are now INFO instead of DEBUG #### Bugs fixed @@ -140,7 +140,7 @@ This file lists all versions of the repository and precises all changes. ## v0.2.2 -After doing some testing on a weirdly configured camera network in a far away Datacenter, I discovered that some Cameras needed a few tweaks to the Cameradar bruteforcing method in order to be accessed. +After doing some testing on a weirdly configured camera network in a far away Datacenter, I discovered that some Cameras needed a few tweaks to the Cameradar attack method in order to be accessed. #### Major changes : diff --git a/README.md b/README.md index 13a4c76..6b02aa6 100644 --- a/README.md +++ b/README.md @@ -13,8 +13,8 @@ * **Detect open RTSP hosts** on any accessible target * Get their public info (hostname, port, camera model, etc.) -* Bruteforce your way into them to get their **stream route** (for example /live.sdp) -* Bruteforce your way into them to get the **username and password** of the cameras +* Launch automated dictionary attacks to get their **stream route** (for example /live.sdp) +* Launch automated dictionary attacks to get the **username and password** of the cameras * **Generate thumbnails** from them to check if the streams are valid and to have a quick preview of their content * Try to create a Gstreamer pipeline to check if they are **properly encoded** * Print a summary of all the informations Cameradar could get @@ -192,7 +192,7 @@ The targets should be passed separated by commas only, and their target format s The **RTSP ports for most cameras are 554**, so you should probably specify 554 as one of the ports you scan. Not giving any ports in the configuration will scan every port of every host found on the target. -You **can use your own files for the ids and routes dictionaries** used to bruteforce the cameras, but the Cameradar repository already gives you a good base that works with most cameras. +You **can use your own files for the ids and routes dictionaries** used to attack the cameras, but the Cameradar repository already gives you a good base that works with most cameras. The thumbnail storage path should be a **valid and accessible directory** in which the thumbnails will be stored. @@ -249,7 +249,7 @@ If you're still in your console however, you can go even faster by using **vlc i * **"-l 6"** : Log level CRITICAL * _Doesn't print anything since Cameradar can't have critical failures right now, however you can use this level to debug your own code easily or if you add new critical layers_ * **"-d"** : Launch the discovery tool -* **"-b"** : Launch the bruteforce tool on all discovered devices +* **"-b"** : Launch the dictionary attack tool on all discovered devices * Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present * **"-t"** : Generate thumbnails from detected cameras * Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present @@ -257,7 +257,7 @@ If you're still in your console however, you can go even faster by using **vlc i * Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present * **"-v"** : Display Cameradar's version * **"-h"** : Display this help -* **"--gst-rtsp-server"** : Use this option if the bruteforce does not seem to work (only detects the username but not the path, or the opposite). This option will switch the order of the bruteforce to prioritize path over credentials, which is the way priority is handled for cameras that use GStreamer's RTSP server. +* **"--gst-rtsp-server"** : Use this option if the attack does not seem to work (only detects the username but not the path, or the opposite). This option will switch the order of the attacks to prioritize path over credentials, which is the way priority is handled for cameras that use GStreamer's RTSP server. ## Contribution diff --git a/cameradar_standalone/include/dispatcher.h b/cameradar_standalone/include/dispatcher.h index 44d6d6e..af54667 100644 --- a/cameradar_standalone/include/dispatcher.h +++ b/cameradar_standalone/include/dispatcher.h @@ -26,8 +26,8 @@ // All the tasks managed by the dispatcher #include #include -#include -#include +#include +#include #include #include #include @@ -40,8 +40,8 @@ enum class task { preparation, mapping, parsing, - brutepath, - bruteforce, + path_attack, + creds_attack, thumb_generation, print, finished diff --git a/cameradar_standalone/include/tasks/brutelogs.h b/cameradar_standalone/include/tasks/creds_attack.h similarity index 83% rename from cameradar_standalone/include/tasks/brutelogs.h rename to cameradar_standalone/include/tasks/creds_attack.h index 69c2d1a..f9247c0 100644 --- a/cameradar_standalone/include/tasks/brutelogs.h +++ b/cameradar_standalone/include/tasks/creds_attack.h @@ -24,25 +24,25 @@ namespace etix { namespace cameradar { -class brutelogs : public etix::cameradar::cameradar_task { +class creds_attack : public etix::cameradar::cameradar_task { const configuration& conf; std::shared_ptr cache; std::string nmap_output; public: - brutelogs() = delete; - brutelogs(std::shared_ptr cache, + creds_attack() = delete; + creds_attack(std::shared_ptr cache, const configuration& conf, std::string nmap_output) : conf(conf), cache(cache), nmap_output(nmap_output) {} - brutelogs(const brutelogs& ref) = delete; + creds_attack(const creds_attack& ref) = delete; virtual bool run() const; bool test_ids(const etix::cameradar::stream_model& cit, const std::string& pit, const std::string& uit) const; - bool bruteforce_camera(const stream_model& stream) const; + bool attack_camera_creds(const stream_model& stream) const; }; } } diff --git a/cameradar_standalone/include/tasks/brutepath.h b/cameradar_standalone/include/tasks/path_attack.h similarity index 84% rename from cameradar_standalone/include/tasks/brutepath.h rename to cameradar_standalone/include/tasks/path_attack.h index 935e88a..9961737 100644 --- a/cameradar_standalone/include/tasks/brutepath.h +++ b/cameradar_standalone/include/tasks/path_attack.h @@ -27,23 +27,23 @@ namespace etix { namespace cameradar { -class brutepath : public etix::cameradar::cameradar_task { +class path_attack : public etix::cameradar::cameradar_task { const configuration& conf; std::shared_ptr cache; std::string nmap_output; public: - brutepath() = delete; - brutepath(std::shared_ptr cache, + path_attack() = delete; + path_attack(std::shared_ptr cache, const configuration& conf, std::string nmap_output) : conf(conf), cache(cache), nmap_output(nmap_output) {} - brutepath(const brutepath& ref) = delete; + path_attack(const path_attack& ref) = delete; virtual bool run() const; bool test_path(const etix::cameradar::stream_model& cit, const std::string& it) const; - bool bruteforce_camera(const stream_model& stream) const; + bool attack_camera_path(const stream_model& stream) const; }; } } diff --git a/cameradar_standalone/src/describe.cpp b/cameradar_standalone/src/describe.cpp index ae9fb89..9f2005f 100644 --- a/cameradar_standalone/src/describe.cpp +++ b/cameradar_standalone/src/describe.cpp @@ -95,7 +95,7 @@ curl_describe(const std::string& path, bool logs) { // Some cameras timeout and then curl considers the status as 0 // GST-RTSP-SERVER returns 404 instead of 401, then 401 instead of 404. if (rc != 401 && rc != 400 && rc && pos == std::string::npos) - LOG_INFO_("Unprotected camera discovered.", "brutelogs"); + LOG_INFO_("Unprotected camera discovered.", "creds_attack"); return ((res == CURLE_OK) && rc != 401 && rc != 400 && rc); } return ((res == CURLE_OK) && rc != 404 && rc != 400 && rc); diff --git a/cameradar_standalone/src/dispatcher.cpp b/cameradar_standalone/src/dispatcher.cpp index b8cc3aa..b6c315c 100644 --- a/cameradar_standalone/src/dispatcher.cpp +++ b/cameradar_standalone/src/dispatcher.cpp @@ -64,11 +64,11 @@ dispatcher::do_stuff() { } if (opts.second.exist("-b")) { if (opts.second.exist("--gst-rtsp-server")) { - queue.push_back(new etix::cameradar::brutepath(cache, conf, nmap_output)); - queue.push_back(new etix::cameradar::brutelogs(cache, conf, nmap_output)); + queue.push_back(new etix::cameradar::path_attack(cache, conf, nmap_output)); + queue.push_back(new etix::cameradar::creds_attack(cache, conf, nmap_output)); } else { - queue.push_back(new etix::cameradar::brutelogs(cache, conf, nmap_output)); - queue.push_back(new etix::cameradar::brutepath(cache, conf, nmap_output)); + queue.push_back(new etix::cameradar::creds_attack(cache, conf, nmap_output)); + queue.push_back(new etix::cameradar::path_attack(cache, conf, nmap_output)); } } if (opts.second.exist("-t")) { @@ -82,11 +82,11 @@ dispatcher::do_stuff() { queue.push_back(new etix::cameradar::mapping(cache, conf, nmap_output)); queue.push_back(new etix::cameradar::parsing(cache, conf, nmap_output)); if (opts.second.exist("--gst-rtsp-server")) { - queue.push_back(new etix::cameradar::brutepath(cache, conf, nmap_output)); - queue.push_back(new etix::cameradar::brutelogs(cache, conf, nmap_output)); + queue.push_back(new etix::cameradar::path_attack(cache, conf, nmap_output)); + queue.push_back(new etix::cameradar::creds_attack(cache, conf, nmap_output)); } else { - queue.push_back(new etix::cameradar::brutelogs(cache, conf, nmap_output)); - queue.push_back(new etix::cameradar::brutepath(cache, conf, nmap_output)); + queue.push_back(new etix::cameradar::creds_attack(cache, conf, nmap_output)); + queue.push_back(new etix::cameradar::path_attack(cache, conf, nmap_output)); } queue.push_back(new etix::cameradar::thumbnail(cache, conf, nmap_output)); queue.push_back(new etix::cameradar::stream_check(cache, conf, nmap_output)); diff --git a/cameradar_standalone/src/main.cpp b/cameradar_standalone/src/main.cpp index f8f616e..bdde7e8 100644 --- a/cameradar_standalone/src/main.cpp +++ b/cameradar_standalone/src/main.cpp @@ -33,14 +33,14 @@ parse_cmdline(int argc, char* argv[]) { opt_parse.optional("-c", "Path to the configuration file (-c /path/to/conf)", true); opt_parse.optional("-l", "Set log level (-l 4 will only show warnings and errors)", true); opt_parse.optional("-d", "Launch the discovery tool on the given target", false); - opt_parse.optional("-b", "Launch the bruteforce tool on all discovered devices", false); + opt_parse.optional("-b", "Launch the dictionary attack tool on all discovered devices", false); opt_parse.optional("-t", "Generate thumbnails from detected cameras", false); opt_parse.optional("-g", "Check if the stream can be opened with GStreamer", false); opt_parse.optional("-v", "Display Cameradar's version", false); opt_parse.optional("-h", "Display this help", false); opt_parse.optional( "--gst-rtsp-server", - "Change the order of the bruteforce to match GST RTSP Server's implementation of " + "Change the order of the attack to match GST RTSP Server's implementation of " "RTSP. Some cameras and RTSP servers will use this standard instead of the more " "standard one. For more information, see the README.md file.", false); diff --git a/cameradar_standalone/src/tasks/brutelogs.cpp b/cameradar_standalone/src/tasks/creds_attack.cpp similarity index 85% rename from cameradar_standalone/src/tasks/brutelogs.cpp rename to cameradar_standalone/src/tasks/creds_attack.cpp index 19c3585..f712ff3 100644 --- a/cameradar_standalone/src/tasks/brutelogs.cpp +++ b/cameradar_standalone/src/tasks/creds_attack.cpp @@ -13,7 +13,7 @@ // limitations under the License. #include -#include +#include namespace etix { namespace cameradar { @@ -23,23 +23,23 @@ static const std::string no_ids_warning_ = "cameras. Either " "they have custom ids, or your ids.json file does not contain enough " "default routes. " - "Path bruteforce is impossible without the IDs."; + "Path dictionary attack is impossible without the credentials."; // Tries to match the detected combination of Username / Password // with the camera stream. Creates a resource in the DB upon // valid discovery bool -brutelogs::test_ids(const etix::cameradar::stream_model& stream, +creds_attack::test_ids(const etix::cameradar::stream_model& stream, const std::string& password, const std::string& username) const { bool found = false; std::string path = stream.service_name + "://"; if (username != "" || password != "") { path += username + ":" + password + "@"; } path += stream.address + ":" + std::to_string(stream.port) + stream.route; - LOG_INFO_("Testing ids : " + path, "brutelogs"); + LOG_INFO_("Testing ids : " + path, "creds_attack"); try { if (curl_describe(path, true)) { - LOG_INFO_("[FOUND IDS] : " + path, "brutelogs"); + LOG_INFO_("[FOUND IDS] : " + path, "creds_attack"); found = true; stream_model newstream{ stream.address, stream.port, username, password, @@ -57,7 +57,7 @@ brutelogs::test_ids(const etix::cameradar::stream_model& stream, (*cache)->update_stream(newstream); } } catch (const std::runtime_error& e) { - LOG_DEBUG_("Ids already tested : " + std::string(e.what()), "brutelogs"); + LOG_DEBUG_("Ids already tested : " + std::string(e.what()), "creds_attack"); } return found; } @@ -71,7 +71,7 @@ ids_already_found(std::vector streams, stream_model stream) { } bool -brutelogs::bruteforce_camera(const stream_model& stream) const { +creds_attack::attack_camera_creds(const stream_model& stream) const { for (const auto& username : conf.usernames) { if (signal_handler::instance().should_stop() != etix::cameradar::stop_priority::running) break; @@ -88,15 +88,15 @@ brutelogs::bruteforce_camera(const stream_model& stream) const { // Tries to discover the right IDs on all RTSP streams in DB // Uses the ids.json file to try different combinations bool -brutelogs::run() const { +creds_attack::run() const { std::vector> futures; LOG_INFO_( - "Beginning bruteforce of the usernames and passwords task, it may " + "Beginning attack of the credentials , it may " "take a while.", - "brutelogs"); + "creds_attack"); std::vector streams = (*cache)->get_streams(); - LOG_DEBUG_("Found " + std::to_string(streams.size()) + " streams in the cache", "brutelogs"); + LOG_DEBUG_("Found " + std::to_string(streams.size()) + " streams in the cache", "creds_attack"); size_t found = 0; for (const auto& stream : streams) { if (signal_handler::instance().should_stop() != etix::cameradar::stop_priority::running) @@ -106,23 +106,23 @@ brutelogs::run() const { " : This camera's ids were already discovered in " "the database. Skipping to " "the next camera.", - "brutelogs"); + "creds_attack"); ++found; } else { futures.push_back( - std::async(std::launch::async, &brutelogs::bruteforce_camera, this, stream)); + std::async(std::launch::async, &creds_attack::attack_camera_creds, this, stream)); } } for (auto& fit : futures) { if (fit.get()) { ++found; } } if (!found) { - LOG_WARN_(no_ids_warning_, "brutelogs"); + LOG_WARN_(no_ids_warning_, "creds_attack"); return false; } else LOG_INFO_("Found " + std::to_string(found) + " ids for " + std::to_string(streams.size()) + " cameras", - "brutelogs"); + "creds_attack"); return true; } } diff --git a/cameradar_standalone/src/tasks/parsing.cpp b/cameradar_standalone/src/tasks/parsing.cpp index 6e08098..844eaa0 100644 --- a/cameradar_standalone/src/tasks/parsing.cpp +++ b/cameradar_standalone/src/tasks/parsing.cpp @@ -114,7 +114,7 @@ parsing::run() const { if (data.size() == 0) { LOG_WARN_("No cameras were discovered", "parsing"); } return print_detected_cameras(data); } catch (const std::exception& e) { - LOG_ERR_("Error during parsing. brutepath aborted : " + std::string(e.what()), "parsing"); + LOG_ERR_("Error during parsing. path_attack aborted : " + std::string(e.what()), "parsing"); return false; } } diff --git a/cameradar_standalone/src/tasks/brutepath.cpp b/cameradar_standalone/src/tasks/path_attack.cpp similarity index 86% rename from cameradar_standalone/src/tasks/brutepath.cpp rename to cameradar_standalone/src/tasks/path_attack.cpp index 686713a..b92373f 100644 --- a/cameradar_standalone/src/tasks/brutepath.cpp +++ b/cameradar_standalone/src/tasks/path_attack.cpp @@ -7,7 +7,7 @@ // strictly forbidden unless // prior written permission is obtained from Etix Labs. -#include +#include namespace etix { namespace cameradar { @@ -23,18 +23,18 @@ static const std::string no_route_found_ = // with a route for the camera stream. Creates a resource in the DB upon // valid discovery bool -brutepath::test_path(const stream_model& stream, const std::string& route) const { +path_attack::test_path(const stream_model& stream, const std::string& route) const { bool found = false; std::string path = stream.service_name + "://" + stream.username + ":" + stream.password + "@" + stream.address + ":" + std::to_string(stream.port); if (route.front() != '/') { path += "/"; } path += route; - LOG_INFO_("Testing path : " + path, "brutepath"); + LOG_INFO_("Testing path : " + path, "path_attack"); try { if (curl_describe(path, false)) { // insert in DB and go to the next port, print a cool message found = true; - LOG_INFO_("Discovered a valid path : [" + path + "]", "brutepath"); + LOG_INFO_("Discovered a valid path : [" + path + "]", "path_attack"); stream_model newstream{ stream.address, stream.port, stream.username, stream.password, route, stream.service_name, stream.product, stream.protocol, stream.state, true, @@ -51,7 +51,7 @@ brutepath::test_path(const stream_model& stream, const std::string& route) const if ((*cache)->has_changed(stream)) return true; (*cache)->update_stream(newstream); } - } catch (const std::runtime_error& e) { LOG_INFO_(e.what(), "brutepath"); } + } catch (const std::runtime_error& e) { LOG_INFO_(e.what(), "path_attack"); } return found; } @@ -65,7 +65,7 @@ path_already_found(std::vector streams, stream_model model) { } bool -brutepath::bruteforce_camera(const stream_model& stream) const { +path_attack::attack_camera_path(const stream_model& stream) const { for (const auto& route : conf.paths) { if (signal_handler::instance().should_stop() != etix::cameradar::stop_priority::running) break; @@ -78,10 +78,10 @@ brutepath::bruteforce_camera(const stream_model& stream) const { // Tries to discover a route on all RTSP streams in DB // Uses the url.json file to try different routes bool -brutepath::run() const { +path_attack::run() const { std::vector> futures; - LOG_INFO_("Beginning bruteforce of the camera paths task, it may take a while.", "bruteforce"); + LOG_INFO_("Beginning attack of the camera paths, it may take a while.", "path_attack"); std::vector streams = (*cache)->get_streams(); int found = 0; for (const auto& stream : streams) { @@ -91,23 +91,23 @@ brutepath::run() const { LOG_INFO_(stream.address + " : This camera's path was already discovered in the database. Skipping " "to the next camera.", - "brutepath"); + "path_attack"); ++found; } else { futures.push_back( - std::async(std::launch::async, &brutepath::bruteforce_camera, this, stream)); + std::async(std::launch::async, &path_attack::attack_camera_path, this, stream)); } } for (auto& fit : futures) { if (fit.get()) { ++found; } } if (!found) { - LOG_WARN_(no_route_found_, "brutepath"); + LOG_WARN_(no_route_found_, "path_attack"); } else LOG_INFO_("Found " + std::to_string(found) + " routes for " + std::to_string(streams.size()) + " cameras", - "brutepath"); + "path_attack"); return true; } }