feat: support http tunneled rtsp (#419)

* enhancement: supporting http tunneled rtsp * refactor: simplify HTTP tunnel support per review feedback - Extract streamCandidate() for nmap port classification - Add isCommonHTTPPort() for masscan and nmap fallback - Move URL building to Stream.String() and Stream.URL() - Pass Stream directly to attack methods instead of individual args - Add TLS config for HTTPS tunnel support - Make auth detection non-fatal for tunneled streams - Rename HTTPTunnel to UseHTTPTunnel * - Testing the auth workflow for the tunneled streams is not blocking the rest of the pipeline since I changed the return values to Auth unknown and nil - added extra ports in the test according to suggestions * fixing some lint errors * removing the unused buildrtspurl * delayed the urlstream call for clarity removed error messages refactored the test that used the deprecated buildTRSPurl to use stream.URL and stream.String() methods * extracting iscommonHTTP port to pkg/ports (package ports) switching on u.scheme to create proper schemes for http and https * refactor: replace HTTP tunnel bool with scheme-based detection; enable TLS only for HTTPS-tunneled streams * chore: simnplify InferTunnelScheme and newRTSPClient * fix: remove rendundant check in streamCandidate * fix: typo in parseScheme * tests: coverage for new schemes * fix: use RTSP and not RTSPS for HTTPS URLs * fix: tunneled RTSP scheme handling and auth detection fallback * ui: render empty credentials as none in summary and TUI * chore: ignore duplicate-string warning for none literal * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix: rtsps probe headers --------- Co-authored-by: Brendan Le Glaunec <brendan@glaulabs.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-03-18 01:41:20 -04:00
parent 14dcb74e89
commit 8531c006d4
15 changed files with 626 additions and 136 deletions
@@ -291,33 +291,26 @@ func (a Attacker) attackRoutesForStream(ctx context.Context, target cameradar.St
 }

 func (a Attacker) routeAttack(stream cameradar.Stream, route string) (bool, error) {
-	u, urlStr, err := buildRTSPURL(stream, route, stream.Username, stream.Password)
+	stream.Routes = []string{route}
+	code, err := a.describeStatus(stream)
 	if err != nil {
-		return false, fmt.Errorf("building rtsp url: %w", err)
+		return false, fmt.Errorf("performing describe request at %q: %w", stream, err)
 	}

-	code, err := a.describeStatus(u)
-	if err != nil {
-		return false, fmt.Errorf("performing describe request at %q: %w", urlStr, err)
-	}
-
-	a.reporter.Debug(cameradar.StepAttackRoutes, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d", urlStr, code))
+	a.reporter.Debug(cameradar.StepAttackRoutes, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d", stream, code))
 	access := code == base.StatusOK || code == base.StatusUnauthorized || code == base.StatusForbidden
 	return access, nil
 }

 func (a Attacker) credAttack(stream cameradar.Stream, username, password string) (bool, error) {
-	u, urlStr, err := buildRTSPURL(stream, stream.Route(), username, password)
+	stream.Username = username
+	stream.Password = password
+	code, err := a.describeStatus(stream)
 	if err != nil {
-		return false, fmt.Errorf("building rtsp url: %w", err)
+		return false, fmt.Errorf("performing describe request at %q: %w", stream, err)
 	}

-	code, err := a.describeStatus(u)
-	if err != nil {
-		return false, fmt.Errorf("performing describe request at %q: %w", urlStr, err)
-	}
-
-	a.reporter.Debug(cameradar.StepAttackCredentials, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d", urlStr, code))
+	a.reporter.Debug(cameradar.StepAttackCredentials, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d", stream, code))
 	return code == base.StatusOK || code == base.StatusNotFound, nil
 }

@@ -330,32 +323,27 @@ func (a Attacker) validateStream(ctx context.Context, stream cameradar.Stream, e
 		return stream, ctx.Err()
 	}

-	u, urlStr, err := buildRTSPURL(stream, stream.Route(), stream.Username, stream.Password)
-	if err != nil {
-		return stream, fmt.Errorf("building rtsp url: %w", err)
-	}
-
-	client, err := a.newRTSPClient(u)
+	client, err := a.newRTSPClient(stream)
 	if err != nil {
 		return stream, fmt.Errorf("starting rtsp client: %w", err)
 	}
 	defer client.Close()

-	desc, res, err := a.describeWithRetry(ctx, client, u, urlStr)
+	desc, res, err := a.describeWithRetry(ctx, client, stream)
 	if err != nil {
-		return a.handleDescribeError(stream, urlStr, err)
+		return a.handleDescribeError(stream, err)
 	}
-	a.logDescribeResponse(urlStr, res)
+	a.logDescribeResponse(stream.String(), res)

 	if desc == nil || len(desc.Medias) == 0 {
-		return stream, fmt.Errorf("no media tracks found for %q", urlStr)
+		return stream, fmt.Errorf("no media tracks found for %q", stream)
 	}

 	res, err = client.Setup(desc.BaseURL, desc.Medias[0], 0, 0)
 	if err != nil {
-		return a.handleSetupError(stream, urlStr, err)
+		return a.handleSetupError(stream, err)
 	}
-	a.logSetupResponse(urlStr, res)
+	a.logSetupResponse(stream.String(), res)

 	stream.Available = res != nil && res.StatusCode == base.StatusOK
 	if stream.Available {
@@ -365,11 +353,15 @@ func (a Attacker) validateStream(ctx context.Context, stream cameradar.Stream, e
 	return stream, nil
 }

-func (a Attacker) describeWithRetry(ctx context.Context, client *gortsplib.Client, u *base.URL, urlStr string) (*description.Session, *base.Response, error) {
+func (a Attacker) describeWithRetry(ctx context.Context, client *gortsplib.Client, stream cameradar.Stream) (*description.Session, *base.Response, error) {
+	u, err := stream.URL()
+	if err != nil {
+		return nil, nil, fmt.Errorf("building rtsp url: %w", err)
+	}
+
 	var (
 		desc *description.Session
 		res  *base.Response
-		err  error
 	)
 	for range 5 {
 		desc, res, err = client.Describe(u)
@@ -379,7 +371,7 @@ func (a Attacker) describeWithRetry(ctx context.Context, client *gortsplib.Clien

 		var badStatus liberrors.ErrClientBadStatusCode
 		if errors.As(err, &badStatus) && badStatus.Code == base.StatusServiceUnavailable {
-			a.reporter.Debug(cameradar.StepValidateStreams, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d (retrying)", urlStr, badStatus.Code))
+			a.reporter.Debug(cameradar.StepValidateStreams, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d (retrying)", stream, badStatus.Code))
 			select {
 			case <-ctx.Done():
 				return nil, nil, ctx.Err()
@@ -391,13 +383,13 @@ func (a Attacker) describeWithRetry(ctx context.Context, client *gortsplib.Clien
 		return nil, nil, err
 	}

-	return nil, nil, fmt.Errorf("describe retries exhausted for %q: %w", urlStr, err)
+	return nil, nil, fmt.Errorf("describe retries exhausted for %q: %w", stream, err)
 }

-func (a Attacker) handleDescribeError(stream cameradar.Stream, urlStr string, err error) (cameradar.Stream, error) {
+func (a Attacker) handleDescribeError(stream cameradar.Stream, err error) (cameradar.Stream, error) {
 	var badStatus liberrors.ErrClientBadStatusCode
 	if errors.As(err, &badStatus) && badStatus.Code == base.StatusServiceUnavailable {
-		a.reporter.Debug(cameradar.StepValidateStreams, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d", urlStr, badStatus.Code))
+		a.reporter.Debug(cameradar.StepValidateStreams, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d", stream, badStatus.Code))
 		a.reporter.Progress(cameradar.StepValidateStreams, fmt.Sprintf("Stream unavailable for %s:%d (RTSP %d)",
 			stream.Address.String(),
 			stream.Port,
@@ -407,20 +399,20 @@ func (a Attacker) handleDescribeError(stream cameradar.Stream, urlStr string, er
 		return stream, nil
 	}

-	a.reporter.Debug(cameradar.StepValidateStreams, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > error: %v", urlStr, err))
+	a.reporter.Debug(cameradar.StepValidateStreams, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > error: %v", stream, err))

-	return stream, fmt.Errorf("performing describe request at %q: %w", urlStr, err)
+	return stream, fmt.Errorf("performing describe request at %q: %w", stream, err)
 }

-func (a Attacker) handleSetupError(stream cameradar.Stream, urlStr string, err error) (cameradar.Stream, error) {
+func (a Attacker) handleSetupError(stream cameradar.Stream, err error) (cameradar.Stream, error) {
 	var badStatus liberrors.ErrClientBadStatusCode
 	if errors.As(err, &badStatus) {
-		a.reporter.Debug(cameradar.StepValidateStreams, fmt.Sprintf("SETUP %s RTSP/1.0 > %d", urlStr, badStatus.Code))
+		a.reporter.Debug(cameradar.StepValidateStreams, fmt.Sprintf("SETUP %s RTSP/1.0 > %d", stream, badStatus.Code))
 		stream.Available = badStatus.Code == base.StatusOK
 		return stream, nil
 	}

-	return stream, fmt.Errorf("performing setup request at %q: %w", urlStr, err)
+	return stream, fmt.Errorf("performing setup request at %q: %w", stream, err)
 }

 func (a Attacker) logDescribeResponse(urlStr string, res *base.Response) {
@@ -41,28 +41,44 @@ func (a Attacker) detectAuthMethod(ctx context.Context, stream cameradar.Stream)
 	if ctx.Err() != nil {
 		return stream, ctx.Err()
 	}
-	u, urlStr, err := buildRTSPURL(stream, stream.Route(), "", "")
+	u, err := stream.URL()
 	if err != nil {
 		return stream, fmt.Errorf("building rtsp url: %w", err)
 	}

-	statusCode, headers, err := a.probeDescribeHeaders(ctx, u, urlStr)
+	statusCode, headers, err := a.probeDescribeHeaders(ctx, u)
 	if err != nil {
-		a.reporter.Debug(cameradar.StepDetectAuth, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > error: %v", urlStr, err))
+		a.reporter.Debug(cameradar.StepDetectAuth, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > error: %v", u, err))
+		if stream.Scheme == schemeHTTP || stream.Scheme == schemeHTTPS {
+			statusCode, statusErr := a.describeStatus(stream)
+			if statusErr == nil {
+				a.reporter.Debug(cameradar.StepDetectAuth, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d (fallback)", u, statusCode))
+				stream.AuthenticationType = authTypeFromStatus(statusCode, nil)
+				return stream, nil
+			}
+
+			stream.AuthenticationType = cameradar.AuthUnknown
+			return stream, nil
+		}
+
 		stream.AuthenticationType = cameradar.AuthUnknown
-		return stream, fmt.Errorf("performing describe request at %q: %w", urlStr, err)
+		return stream, fmt.Errorf("performing describe request at %q: %w", u, err)
 	}

-	a.reporter.Debug(cameradar.StepDetectAuth, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d", urlStr, statusCode))
+	a.reporter.Debug(cameradar.StepDetectAuth, fmt.Sprintf("DESCRIBE %s RTSP/1.0 > %d", u, statusCode))
 	values := headerValues(headers, "WWW-Authenticate")
-	switch statusCode {
-	case base.StatusOK:
-		stream.AuthenticationType = cameradar.AuthNone
-	case base.StatusUnauthorized:
-		stream.AuthenticationType = authTypeFromHeaders(values)
-	default:
-		stream.AuthenticationType = cameradar.AuthUnknown
-	}
+	stream.AuthenticationType = authTypeFromStatus(statusCode, values)

 	return stream, nil
 }
+
+func authTypeFromStatus(statusCode base.StatusCode, wwwAuthenticate base.HeaderValue) cameradar.AuthType {
+	switch statusCode {
+	case base.StatusOK:
+		return cameradar.AuthNone
+	case base.StatusUnauthorized:
+		return authTypeFromHeaders(wwwAuthenticate)
+	default:
+		return cameradar.AuthUnknown
+	}
+}
@@ -2,7 +2,13 @@ package attack

 import (
 	"bufio"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"math/big"
 	"net"
 	"net/netip"
 	"strings"
@@ -78,6 +84,49 @@ func TestAuthTypeFromHeaders(t *testing.T) {
 	}
 }

+func TestAuthTypeFromStatus(t *testing.T) {
+	tests := []struct {
+		name         string
+		statusCode   base.StatusCode
+		headers      base.HeaderValue
+		wantAuthType cameradar.AuthType
+	}{
+		{
+			name:         "status ok means no auth",
+			statusCode:   base.StatusOK,
+			wantAuthType: cameradar.AuthNone,
+		},
+		{
+			name:         "status unauthorized with basic",
+			statusCode:   base.StatusUnauthorized,
+			headers:      headers.Authenticate{Method: headers.AuthMethodBasic, Realm: "cam"}.Marshal(),
+			wantAuthType: cameradar.AuthBasic,
+		},
+		{
+			name:         "status unauthorized with digest",
+			statusCode:   base.StatusUnauthorized,
+			headers:      headers.Authenticate{Method: headers.AuthMethodDigest, Realm: "cam", Nonce: "nonce"}.Marshal(),
+			wantAuthType: cameradar.AuthDigest,
+		},
+		{
+			name:         "status unauthorized without auth headers",
+			statusCode:   base.StatusUnauthorized,
+			wantAuthType: cameradar.AuthUnknown,
+		},
+		{
+			name:         "status not found is unknown",
+			statusCode:   base.StatusNotFound,
+			wantAuthType: cameradar.AuthUnknown,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			assert.Equal(t, test.wantAuthType, authTypeFromStatus(test.statusCode, test.headers))
+		})
+	}
+}
+
 func TestDetectAuthMethod(t *testing.T) {
 	tests := []struct {
 		name       string
@@ -142,6 +191,52 @@ func TestDetectAuthMethod(t *testing.T) {
 	}
 }

+func TestDetectAuthMethod_HTTPTunnel_NonFatal(t *testing.T) {
+	tests := []struct {
+		name   string
+		scheme string
+	}{
+		{name: "http tunnel", scheme: "http"},
+		{name: "https tunnel", scheme: "https"},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			attacker, err := New(testDictionary{}, 0, time.Second, ui.NopReporter{})
+			require.NoError(t, err)
+
+			stream := cameradar.Stream{
+				Address: netip.MustParseAddr("127.0.0.1"),
+				Port:    1,
+				Scheme:  test.scheme,
+			}
+
+			got, err := attacker.detectAuthMethod(t.Context(), stream)
+			require.NoError(t, err)
+			assert.Equal(t, cameradar.AuthUnknown, got.AuthenticationType)
+		})
+	}
+}
+
+func TestDetectAuthMethod_RTSPS(t *testing.T) {
+	addr, port := startRTSPTLSProbeServer(t, base.StatusUnauthorized, base.Header{
+		"WWW-Authenticate": headers.Authenticate{Method: headers.AuthMethodBasic, Realm: "cam"}.Marshal(),
+	})
+
+	attacker, err := New(testDictionary{}, 0, time.Second, ui.NopReporter{})
+	require.NoError(t, err)
+
+	stream := cameradar.Stream{
+		Address: addr,
+		Port:    port,
+		Scheme:  "rtsps",
+	}
+
+	got, err := attacker.detectAuthMethod(t.Context(), stream)
+	require.NoError(t, err)
+	assert.Equal(t, cameradar.AuthBasic, got.AuthenticationType)
+}
+
 func startRTSPProbeServer(t *testing.T, statusCode base.StatusCode, headers base.Header) (netip.Addr, uint16) {
 	t.Helper()

@@ -193,6 +288,83 @@ func startRTSPProbeServer(t *testing.T, statusCode base.StatusCode, headers base
 	return netip.MustParseAddr("127.0.0.1"), uint16(tcpAddr.Port)
 }

+func startRTSPTLSProbeServer(t *testing.T, statusCode base.StatusCode, headers base.Header) (netip.Addr, uint16) {
+	t.Helper()
+
+	listener, err := tls.Listen("tcp", "127.0.0.1:0", testTLSConfig(t))
+	require.NoError(t, err)
+
+	t.Cleanup(func() {
+		_ = listener.Close()
+	})
+
+	go func() {
+		conn, err := listener.Accept()
+		if err != nil {
+			return
+		}
+		defer conn.Close()
+
+		_ = conn.SetDeadline(time.Now().Add(time.Second))
+
+		reader := bufio.NewReader(conn)
+		for {
+			line, err := reader.ReadString('\n')
+			if err != nil {
+				return
+			}
+			if strings.TrimSpace(line) == "" {
+				break
+			}
+		}
+
+		statusText := statusTextFromCode(statusCode)
+
+		var builder strings.Builder
+		_, _ = fmt.Fprintf(&builder, "RTSP/1.0 %d %s\r\n", statusCode, statusText)
+		builder.WriteString("CSeq: 1\r\n")
+		for key, values := range headers {
+			for _, value := range values {
+				_, _ = fmt.Fprintf(&builder, "%s: %s\r\n", key, value)
+			}
+		}
+		builder.WriteString("Content-Length: 0\r\n\r\n")
+
+		_, _ = conn.Write([]byte(builder.String()))
+	}()
+
+	tcpAddr, ok := listener.Addr().(*net.TCPAddr)
+	require.True(t, ok)
+
+	return netip.MustParseAddr("127.0.0.1"), uint16(tcpAddr.Port)
+}
+
+func testTLSConfig(t *testing.T) *tls.Config {
+	t.Helper()
+
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		NotBefore:    time.Now().Add(-time.Hour),
+		NotAfter:     time.Now().Add(time.Hour),
+		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
+	}
+
+	der, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	require.NoError(t, err)
+
+	return &tls.Config{
+		Certificates: []tls.Certificate{{
+			Certificate: [][]byte{der},
+			PrivateKey:  key,
+		}},
+	}
+}
+
 func statusTextFromCode(code base.StatusCode) string {
 	switch code {
 	case base.StatusOK:
@@ -3,11 +3,11 @@ package attack
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"net"
 	"net/textproto"
-	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -19,15 +19,46 @@ import (
 	"github.com/bluenviron/gortsplib/v5/pkg/liberrors"
 )

-func (a Attacker) newRTSPClient(u *base.URL) (*gortsplib.Client, error) {
+const (
+	schemeRTSP  = "rtsp"
+	schemeRTSPS = "rtsps"
+	schemeHTTP  = "http"
+	schemeHTTPS = "https"
+)
+
+func (a Attacker) newRTSPClient(stream cameradar.Stream) (*gortsplib.Client, error) {
+	u, err := stream.URL()
+	if err != nil {
+		return nil, fmt.Errorf("building rtsp url: %w", err)
+	}
+	if u.Scheme != schemeRTSP && u.Scheme != schemeRTSPS {
+		return nil, fmt.Errorf("unsupported rtsp url scheme: %q", u.Scheme)
+	}
+
 	client := &gortsplib.Client{
 		ReadTimeout:  a.timeout,
 		WriteTimeout: a.timeout,
+		Scheme:       u.Scheme,
+		Host:         u.Host,
 	}
-	client.Scheme = u.Scheme
-	client.Host = u.Host

-	err := client.Start()
+	switch stream.Scheme {
+	case "":
+		// No explicit transport was requested. Use plain RTSP/RTSPS from the URL.
+	case schemeRTSP, schemeRTSPS:
+		// Nothing to do.
+	case schemeHTTP:
+		client.Scheme = schemeRTSP
+		client.Tunnel = gortsplib.TunnelHTTP
+	case schemeHTTPS:
+		client.Scheme = schemeRTSPS
+		client.Tunnel = gortsplib.TunnelHTTP
+		client.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+	default:
+		return nil, fmt.Errorf("unsupported stream transport scheme: %q", stream.Scheme)
+	}
+
+	err = client.Start()
 	if err != nil {
 		return nil, err
 	}
@@ -35,8 +66,13 @@ func (a Attacker) newRTSPClient(u *base.URL) (*gortsplib.Client, error) {
 	return client, nil
 }

-func (a Attacker) describeStatus(u *base.URL) (base.StatusCode, error) {
-	client, err := a.newRTSPClient(u)
+func (a Attacker) describeStatus(stream cameradar.Stream) (base.StatusCode, error) {
+	u, err := stream.URL()
+	if err != nil {
+		return 0, fmt.Errorf("building rtsp url: %w", err)
+	}
+
+	client, err := a.newRTSPClient(stream)
 	if err != nil {
 		return 0, err
 	}
@@ -61,9 +97,25 @@ func (a Attacker) describeStatus(u *base.URL) (base.StatusCode, error) {
 //
 // NOTE: We do not use gortsplib here because it does not expose response headers when the status code is 401 Unauthorized,
 // which is exactly what we need in order to detect authentication methods.
-func (a Attacker) probeDescribeHeaders(ctx context.Context, u *base.URL, urlStr string) (base.StatusCode, base.Header, error) {
+func (a Attacker) probeDescribeHeaders(ctx context.Context, u *base.URL) (base.StatusCode, base.Header, error) {
 	dialer := &net.Dialer{Timeout: a.timeout}
-	conn, err := dialer.DialContext(ctx, "tcp", u.Host)
+
+	var (
+		conn net.Conn
+		err  error
+	)
+	switch u.Scheme {
+	case schemeRTSP:
+		conn, err = dialer.DialContext(ctx, "tcp", u.Host)
+	case schemeRTSPS:
+		tlsDialer := &tls.Dialer{
+			NetDialer: dialer,
+			Config:    &tls.Config{InsecureSkipVerify: true},
+		}
+		conn, err = tlsDialer.DialContext(ctx, "tcp", u.Host)
+	default:
+		return 0, nil, fmt.Errorf("unsupported rtsp url scheme: %q", u.Scheme)
+	}
 	if err != nil {
 		return 0, nil, err
 	}
@@ -81,7 +133,7 @@ func (a Attacker) probeDescribeHeaders(ctx context.Context, u *base.URL, urlStr

 	request := fmt.Sprintf(
 		"DESCRIBE %s RTSP/1.0\r\nCSeq: 1\r\nUser-Agent: cameradar\r\nAccept: application/sdp\r\nHost: %s\r\n\r\n",
-		urlStr,
+		u,
 		u.Host,
 	)
 	_, err = conn.Write([]byte(request))
@@ -163,25 +215,3 @@ func headerValues(header base.Header, name string) base.HeaderValue {
 	}
 	return nil
 }
-
-func buildRTSPURL(stream cameradar.Stream, route, username, password string) (*base.URL, string, error) {
-	host := net.JoinHostPort(stream.Address.String(), strconv.Itoa(int(stream.Port)))
-	path := "/" + strings.TrimLeft(strings.TrimSpace(route), "/") // Ensure path starts with a single "/"
-
-	u := &url.URL{
-		Scheme: "rtsp",
-		Host:   host,
-		Path:   path,
-	}
-	if username != "" || password != "" {
-		u.User = url.UserPassword(username, password)
-	}
-
-	urlStr := u.String()
-	parsed, err := base.ParseURL(urlStr)
-	if err != nil {
-		return nil, "", err
-	}
-
-	return parsed, urlStr, nil
-}
@@ -2,85 +2,163 @@ package attack

 import (
 	"net/netip"
+	"net/url"
 	"testing"

 	"github.com/Ullaakut/cameradar/v6"
 	"github.com/stretchr/testify/require"
 )

-func TestBuildRTSPURL(t *testing.T) {
-	stream := cameradar.Stream{
-		Address: netip.MustParseAddr("192.168.0.10"),
-		Port:    554,
-	}
-
+func TestStreamURL(t *testing.T) {
 	tests := []struct {
-		name     string
-		route    string
-		username string
-		password string
-		wantURL  string
+		name             string
+		stream           cameradar.Stream
+		wantURL          string
+		wantParsedScheme string
 	}{
 		{
-			name:    "empty route",
+			name: "empty route",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+			},
 			wantURL: "rtsp://192.168.0.10:554/",
 		},
 		{
-			name:    "root route",
-			route:   "/",
+			name: "root route",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"/"},
+			},
 			wantURL: "rtsp://192.168.0.10:554/",
 		},
 		{
-			name:    "multiple leading slashes",
-			route:   "////",
+			name: "multiple leading slashes",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"////"},
+			},
 			wantURL: "rtsp://192.168.0.10:554/",
 		},
 		{
-			name:    "route with no leading slash",
-			route:   "stream",
+			name: "route with no leading slash",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"stream"},
+			},
 			wantURL: "rtsp://192.168.0.10:554/stream",
 		},
 		{
-			name:    "route with leading slash",
-			route:   "/stream",
+			name: "route with leading slash",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"/stream"},
+			},
 			wantURL: "rtsp://192.168.0.10:554/stream",
 		},
 		{
-			name:    "route with trailing slash",
-			route:   "stream/",
+			name: "route with trailing slash",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"stream/"},
+			},
 			wantURL: "rtsp://192.168.0.10:554/stream/",
 		},
 		{
-			name:    "route with spaces",
-			route:   "  /stream  ",
+			name: "route with spaces",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"  /stream  "},
+			},
 			wantURL: "rtsp://192.168.0.10:554/stream",
 		},
 		{
-			name:     "username and password",
-			route:    "stream",
-			username: "admin",
-			password: "admin123",
-			wantURL:  "rtsp://admin:admin123@192.168.0.10:554/stream",
+			name: "username and password",
+			stream: cameradar.Stream{
+				Address:  netip.MustParseAddr("192.168.0.10"),
+				Port:     554,
+				Routes:   []string{"stream"},
+				Username: "admin",
+				Password: "admin123",
+			},
+			wantURL: "rtsp://admin:admin123@192.168.0.10:554/stream",
 		},
 		{
-			name:     "empty username with password",
-			route:    "stream",
-			password: "pass",
-			wantURL:  "rtsp://:pass@192.168.0.10:554/stream",
+			name: "empty username with password",
+			stream: cameradar.Stream{
+				Address:  netip.MustParseAddr("192.168.0.10"),
+				Port:     554,
+				Routes:   []string{"stream"},
+				Password: "pass",
+			},
+			wantURL: "rtsp://:pass@192.168.0.10:554/stream",
 		},
 		{
-			name:     "username only",
-			route:    "stream",
-			username: "user",
-			wantURL:  "rtsp://user:@192.168.0.10:554/stream",
+			name: "username only",
+			stream: cameradar.Stream{
+				Address:  netip.MustParseAddr("192.168.0.10"),
+				Port:     554,
+				Routes:   []string{"stream"},
+				Username: "user",
+			},
+			wantURL: "rtsp://user:@192.168.0.10:554/stream",
+		},
+		{
+			name: "http scheme",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"stream"},
+				Scheme:  "http",
+			},
+			wantURL:          "http://192.168.0.10:554/stream",
+			wantParsedScheme: "rtsp",
+		},
+		{
+			name: "https scheme",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"stream"},
+				Scheme:  "https",
+			},
+			wantURL:          "https://192.168.0.10:554/stream",
+			wantParsedScheme: "rtsps",
+		},
+		{
+			name: "rtsps scheme",
+			stream: cameradar.Stream{
+				Address: netip.MustParseAddr("192.168.0.10"),
+				Port:    554,
+				Routes:  []string{"stream"},
+				Scheme:  "rtsps",
+			},
+			wantURL:          "rtsps://192.168.0.10:554/stream",
+			wantParsedScheme: "rtsps",
 		},
 	}

 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			_, gotURL, err := buildRTSPURL(stream, test.route, test.username, test.password)
-			require.NoError(t, err)
+			gotURL := test.stream.String()
 			require.Equal(t, test.wantURL, gotURL)
+
+			parsedURL, err := test.stream.URL()
+			require.NoError(t, err)
+
+			expectedURL, err := url.Parse(test.wantURL)
+			require.NoError(t, err)
+			wantParsedScheme := test.wantParsedScheme
+			if wantParsedScheme == "" {
+				wantParsedScheme = expectedURL.Scheme
+			}
+			require.Equal(t, wantParsedScheme, parsedURL.Scheme)
 		})
 	}
 }