NMAPing IP Cameras

Author: Ethan Ace, Published on Mar 05, 2015

The Hikvision hack has increased security concerns.

Indeed, most users do not know whether they are vulnerable or not, which ports of their systems are open, and what services they may be running, leaving them potentially vulnerable.

Nmap, a common network security tool, can be used to check for some vulnerabilities, but is not used as much as it should be.

In this test, we show how it may be used to check your cameras and systems for potential security problems, as well as to discover IP cameras and find non-standard ports being used for video transmission.

Then we run it on cameras from:

  • Arecont Vision
  • Avigilon
  • Axis
  • Bosch
  • Dahua
  • Hikvision

The test shows which cameras allow the most open ports and the greatest potential security risks.
