CamXploit: Find and Analyze IP Camera Vulnerabilities

If you’ve ever wondered whether a random IP address is hosting an open camera feed, CamXploit is here to help.

It’s not some scary hacking tool; it’s actually a pretty handy little scanner built for curious minds and responsible researchers. Think of it as your digital flashlight for spotting exposed IP cameras on the internet.

What does it do?

  • It checks the most common ports that cameras use (like 80, 554, 8080).
  • It looks for login pages, the kind that let you view live footage.
  • It tests if those cameras are actually streaming video (via RTSP, HTTP, MMS, or RTMP).
  • It figures out what brand it is (Hikvision, Dahua, Axis, Sony, Panasonic, you name it) and even flags known vulnerabilities.
  • And yes, it’ll try default passwords only if you’re testing your own devices or have permission.

How does it work?

  • Scans open ports (Common CCTV ports)
  • Checks if a camera is present
  • If a camera is found, it:
    • Searches for login pages
    • Checks default credentials
    • Identifies camera brand & vulnerabilities
    • Detects live streams (RTSP, RTMP, HTTP, MMS)
    • Provides location information with maps
    • Shows server details and authentication types
  • Provides manual search URLs for deeper investigation
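
For anyone auditing their own cameras, the "authentication types" step comes down to reading the RTSP reply: RTSP reuses HTTP-style status lines and WWW-Authenticate headers. The parser below is an added example, not CamXploit's code; the replies are constructed and the function names and labels are hypothetical.

```python
import re

# Constructed RTSP replies to a DESCRIBE request (not captured from real devices).
SAMPLES = {
    "open": "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n",
    "basic": 'RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n'
             'WWW-Authenticate: Basic realm="cam"\r\n\r\n',
    "mixed": 'RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n'
             'WWW-Authenticate: Digest realm="cam", nonce="6f1c"\r\n'
             'WWW-Authenticate: Basic realm="cam"\r\n\r\n',
    "digest": 'RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n'
              'www-authenticate: Digest realm="cam", nonce="6f1c"\r\n\r\n',
}

def parse_reply(raw):
    """Return (status code, list of offered auth schemes in lower case)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"RTSP/\d\.\d (\d{3})\b", lines[0])
    if not m:
        raise ValueError("not an RTSP status line: %r" % lines[0])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; the scheme is the first token.
        if name.strip().lower() == "www-authenticate" and value.split():
            schemes.append(value.split()[0].lower())
    return int(m.group(1)), schemes

def classify(raw):
    """Grade how the stream endpoint is protected (labels are hypothetical)."""
    status, schemes = parse_reply(raw)
    if status == 200:
        return "unauthenticated"   # stream description served to anyone
    if status == 401 and "basic" in schemes:
        return "basic-offered"     # password is only base64-encoded on the wire
    if status == 401 and schemes == ["digest"]:
        return "digest-only"
    return "review"                # anything else needs a manual look

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

A device that offers Basic alongside Digest is graded "basic-offered" because a client may still choose the weaker scheme.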

Features

1. Scans All Common CCTV Ports

  • What it does: Automatically scans a wide range of default ports used by IP cameras (e.g., 80, 443, 554, 8080, 8000, 7000, 9000, 10000).
  • Why it matters: Many cameras expose services on non-standard ports. This ensures no device is missed during discovery.
  • Use case: Rapid initial sweep across a subnet or public IP range to find active camera endpoints.

2. Detects Exposed Camera Login Pages

  • What it does: Identifies web interfaces that serve login forms for IP cameras (e.g., /login, /cgi-bin/login.cgi).
  • Why it matters: Reveals devices that are publicly accessible without proper access controls.
  • Bonus: Can flag common patterns like index.html?lang=en or login.jsp, indicating potential camera firmware.

3. Checks If the Device Is a Camera Stream

  • What it does: Uses protocol fingerprinting and content analysis to confirm whether a service is actually streaming video.
  • How: Analyzes HTTP responses, headers, MIME types, and data signatures (e.g., H.264 streams).
  • Use case: Filters out false positives from generic web servers hosting unrelated content.

4. Identifies Camera Brands & Known Vulnerabilities

  • What it does: Matches server banners, response headers, and HTML structures to known brands (Hikvision, Dahua, Axis, etc.) and cross-references them against CVE databases.
  • Why it matters: Enables targeted exploitation or patching recommendations based on brand-specific flaws (e.g., Hikvision RCE via getDevInfo).
  • Example: Detects "Dahua" → alerts user about known unauthenticated command execution vulnerabilities.

5. Tests for Default Credentials on Login Pages

  • What it does: Attempts login using widely known default credentials (e.g., admin:admin, admin:12345, root:root) on detected login pages.
  • Security Note: Only performed ethically and legally (with authorization), ideal for penetration testing.
  • Enhancement: Smart credential lists per brand, reducing noise and increasing success rate.

6. Manual Search URLs for Deeper Investigation

  • What it does: Generates ready-to-use search queries for popular cyber intelligence platforms:
    • Shodan: product:"Hikvision"
    • Censys: services.http.response.body:"Hikvision"
    • Zoomeye: app:"IP Camera" + country:"TR"
    • Google Dorks: inurl:/login.php intitle:"Dahua"
  • Why useful: Empowers users to expand findings beyond automated scanning.

7. Google Dorking Suggestions for Deeper Recon

  • What it does: Offers advanced Google search syntax to uncover hidden camera dashboards, exposed RTSP URLs, or misconfigured admin panels.
  • Examples:
    • "Login Page" inurl:login intitle:"Camera"
    • "Live View" filetype:html site:*.local
    • intext:"Dahua Video Server" "Web Interface"
  • Goal: Uncover devices not visible through port scanning alone.

8. Enhanced Camera Detection with Detailed Port Analysis & Brand Identification

  • What it does: Goes beyond simple port checks and analyzes:
    • Server software (Apache/Nginx versions)
    • Response codes
    • Custom headers (e.g., X-Device-Type: Hikvision)
    • Firmware strings
  • Result: High-confidence identification of specific models and versions (e.g., Hikvision DS-2CD3T46WD-I).

9. Live Stream Detection (RTSP, RTMP, HTTP, MMS)

  • What it does: Tests multiple streaming protocols to detect real-time video feeds:
    • RTSP: Standard for IP cameras (rtsp://ip:554/stream)
    • RTMP: Used in live broadcasting (rtmp://ip/live/stream)
    • HTTP: Embedded video via HLS/DASH
    • MMS: Legacy but still found in older systems
  • Benefit: Confirms if the device isn’t just a web interface but actively streaming.

10. Location Information with Maps

  • What it does: Pulls geolocation data from IP addresses using WHOIS and geolocation APIs.
  • Output includes:
    • Country, city, ISP
    • Latitude/longitude
    • Clickable Google Maps / Earth links
  • Use case: Visualize camera locations on maps — critical for assessing physical risk or privacy concerns.

11. Multi-threaded Port Scanning for Faster Results

  • What it does: Uses parallel threads to scan hundreds of IPs or ports simultaneously.
  • Performance boost: Reduces scan time from hours to minutes.
  • Optimized for: Large-scale assessments (e.g., scanning an entire network segment).
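
On the receiving end, a parallel sweep of the camera port list from feature 1 shows up as one source touching many of those ports on one host within seconds. The detector below is an added example, not part of CamXploit; the log format, sample lines, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Port list from the article's "common CCTV ports" feature.
CAMERA_PORTS = {80, 443, 554, 8080, 8000, 7000, 9000, 10000}

# Constructed sample log; the "<time> <src> -> <dst>:<port> <action>" format is assumed.
SAMPLE_LOG = """\
2025-01-10T12:00:00 198.51.100.7 -> 192.0.2.10:80 ALLOW
2025-01-10T12:00:01 198.51.100.7 -> 192.0.2.10:554 DENY
2025-01-10T12:00:01 198.51.100.7 -> 192.0.2.10:8080 DENY
2025-01-10T12:00:02 198.51.100.7 -> 192.0.2.10:8000 DENY
2025-01-10T12:00:02 198.51.100.7 -> 192.0.2.10:7000 DENY
2025-01-10T12:00:03 198.51.100.7 -> 192.0.2.10:9000 DENY
2025-01-10T12:00:04 203.0.113.20 -> 192.0.2.10:443 ALLOW
2025-01-10T12:00:00 203.0.113.99 -> 192.0.2.11:80 ALLOW
2025-01-10T12:05:00 203.0.113.99 -> 192.0.2.11:554 DENY
2025-01-10T12:10:00 203.0.113.99 -> 192.0.2.11:8080 DENY
2025-01-10T12:15:00 203.0.113.99 -> 192.0.2.11:8000 DENY
2025-01-10T12:20:00 203.0.113.99 -> 192.0.2.11:7000 DENY
"""

def parse(line):  # -> (timestamp, source, destination host, port)
    ts, src, _arrow, dst, _action = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port)

def find_sweeps(log, min_ports=5, window=timedelta(seconds=10)):
    """Map (src, dst) to the camera ports probed, for every source that hit
    at least min_ports distinct camera ports on one host inside window."""
    events = defaultdict(list)
    for line in filter(str.strip, log.splitlines()):
        ts, src, host, port = parse(line)
        if port in CAMERA_PORTS:
            events[(src, host)].append((ts, port))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(hits.get(key, ())):
                hits[key] = sorted(ports)
    return hits

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

The slow source in the sample (one port every five minutes) is missed by the 10-second window and only appears when the window is widened, which is the trade-off to tune against your own traffic.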

12. Enhanced Error Handling & SSL Support

  • What it does: Handles connection timeouts, SSL/TLS handshake failures, and certificate errors gracefully.
  • Supports:
    • Self-signed certificates
    • Expired certs
    • Insecure cipher suites
  • Ensures stability: Prevents crashes when encountering poorly configured or malicious devices.

Supported Brands & Devices

  • Hikvision, Dahua, Axis, Sony, Bosch, Samsung, Panasonic, Vivotek, CP Plus, and most generic DVR/NVRs
  • CP Plus DVRs (e.g., CP-UVR-0401E1-IC2) with custom ports
  • Any device exposing RTSP, HTTP, RTMP, or MMS video streams

License

  • AGPL-3.0

Resources & Downloads

  • Source-code & Downloads
GitHub - spyboy-productions/CamXploit: Find, analyze, and check for exposed IP cameras with open ports, known vulnerabilities, and weak login credentials.