NMAPing IP Cameras

Author: Ethan Ace, Published on Mar 05, 2015

The Hikvision hack has increased security concerns.

Indeed, most users do not know whether they are vulnerable or not, which ports of their systems are open, and what services they may be running, leaving them potentially vulnerable.

NMAP, a common security network tool, can be used to check for some vulnerabilities, but is not used as much as it should be.

In this test, we show how it may be used to check your cameras and systems for potential security problems, as well as discovering IP cameras and finding non-standard ports being used for video transmission.

Then we run it on cameras from:

  • Arecont Vision
  • Avigilon
  • Axis
  • Bosch
  • Dahua
  • Hikvision

The test shows which cameras allow the most open ports and the greatest potential security risks.

*** ********* **** *** ********* ******** ********.

******, **** ***** ** *** **** ******* **** *** ********** or ***, ***** ***** ** ***** ******* *** ****, *** what ******** **** *** ** *******, ******* **** *********** **********.

****, * ****** ******** ******* ****, *** ** **** ** check *** **** ***************, *** ** *** **** ** **** as ** ****** **.

** **** ****, ** **** *** ** *** ** **** to ***** **** ******* *** ******* *** ********* ******** ********, as **** ** *********** ** ******* *** ******* ***-******** ***** being **** *** ***** ************.

**** ** *** ** ** ******* ****:

  • ******* ******
  • ********
  • ****
  • *****
  • *****
  • *********

*** **** ***** ***** ******* ***** *** **** **** ***** and *** ******** ********* ******** *****.

[***************]

Using ****

**** ** * **** *** **** ****** ******* **** *** network ******** *** ******** ********. *** **** ********* *** ** IP ************ ** *********** ***** ***** ** * ***** ****** are ****** *** ****. ***** *** ** *** ****** * single ****** ** ********, **** ** ****** ******.

**** ****** ** * ******* **** ******* **** **** ******* switches *** *********. *** ******* ** *** * **** **** of *** *** *****, *** *******, ***** **** ****:

**** -* *-***** -** -* -* ***.**.***.***

*******, ********* ********** *** ********* ***** ******** *** *** *** ****** scan ******* ** * ******** ****, **** ********, ***** **** ** *** ***:

**** ***** ******* *** ***** ********* ** **** ***** *** Zenmap ***.

Scan *******

*** ******* ** * **** ****, ********* ** ***** ** used, **** **** ***** * ***** **** ** **** ***** while ****** *** ********, *****-**** ******* ******* ******* ***** *** identifiers.

**** ******* ***** * ***** **** ** * ****** ****** (***** *********):

******** **** *.** ( ****://****.*** ) ** ****-**-** **:** *** Nmap **** ****** *** ***.**.***.*** **** ** ** (*.***** *******). Not *****: *** ****** ***** **** ***** ******* **/*** **** telnet **/*** **** **** ***/*** **** **** ****/*** **** ****** 5000/tcp **** **** *****/*** **** ******* *** *******: **:**:**:**:**:** (******** Dahua ********** **.) **** ****: * ** ******* (* **** up) ******* ** *.** *******

**** ******* ***** *** **** ******, **** ** ******* **** of *** *** *****. **** **** **** **** ** **** complex, ******* ******** ******* *********** **** *********, **** ** ******* and ** ********. ***** **** ********** ***** **** ************* ****** than ******* *****, ** ** **** ** **** ** ****, versus *-** *******.

******** ******* *********** *** ** **** ** *** ******* **** ** the ****** **** *****, ***** ********* "******* *******" ** *** server ** *** ** *** ******. **** **** ***********, ********* may **** ****** ****** *** **** ** ******* ***** **** ports. ******* ****** *** "******* ******* *******", *** *******, ******* **** *******, ********* ******** ************.

Common ****** *****

** ******* ** ******* **** * ****** ************* ** *** how **** ********. **** ***** *** ******* ******** ****** ******, with **** ******* **** *** ** ***** ******* ***** **** (****, HTTPS, ****), ***** ****** ****** ** ** **** *** ******* services, ********* ******, ***, ****, ******** **** *******, *** ****.

***** ** * ********* ** ******* **** ****** *************, ******* from ******* **** ***** (**** *** ****) ** ********, ** well ** ******** ** ******* ***** ***** ***** ** ****** via *** ******'* *** *********:

******* ****** ********

******* ****** ******* **** **** **** *** **** *****. **** that **** ****** (-** ** *** ******* ****) **** ** disabled ** ***** ** **** ******* ******* ** ***, ** they ***** *** **** ** ****** *****. 

**/*** **** ****
***/*** **** ****
****/*** **** ****-*****

******** *.**-***-***

** **** *******, ********'* ******* **** **** *** **** ******* of *****, ****, *****, *** ****. 

**/*** **** ****
***/*** **** *****
***/*** **** ****

**** *****

*** *****, ** **** ** *** ***** **** ******* ** tested, *** **** ***** ****, *** ****** **** *** **** ports, ** **** ** *** (**** ** ****** ********, **** applications, ***. ** *** ******), *** ****, ******* ** **** 49152. *** *** **** *** **** ** ****** *** ** network ********.

**/*** **** ***
**/*** **** ****
***/*** **** ****
*****/*** **** ******* 

***** ***-*****

***** ******* ******* ****** ******* **** *** **** *****, ** well ** *****, ***** **** *** *** **** *******, ******, and **** ** *****. ****** *** **** *** ** ****** via *** *** *********.

**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** *****
*****/*** **** ******* 

***** ***-********

***** ******* **** *** ********* ***** ** *******. **** **** may ** ********. ***** ** ** ****** ** ***** ***** ports.

**/*** **** ******
**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

****** ****** ****

****** **** ** ** ****** ** ***** ******* ** ******** 2.400 *** **, **** ** ****** ** ****** ** ** the ******'* *** *********. ***** **** ***** ****** *********. ****** was ********** **** ** ****** ***** ******* ** * ***** scale ****** (***:****** ***** ******* ***** ******* ***** ******).

**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

********* **-*******-*

** **** ******, ******** ***** *** **** *** ******** ***** than **** *** ****. **** ***, ***** ***** ** ****** by ******* *** ****.

**/*** **** ***
**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** ****-********
****/*** **** ****-***
****/*** **** ********
*****/*** **** *******

****** ****** ****

********* **************** * ***** ********* ** ******** **** ******** *** ******** (*** **** *******). An ******* ** ******* ** **** ***** ** ***** ***** ******* a ****** ******* *.*.* ******** *** *** ******* *.*.*, **** telnet ****** (** **** ** *** *** *****, ***** *** now ******** ** *******).

********* **-********-** ***

** **** ******* ******** ********* ****, ******* ******** **** ***** in ******** ** ******* **** ********. ** ***** ** *** to ***** ***** ***** *** ********.

**/*** **** ****
****/*** **** ****-***
****/*** **** ***
****/*** **** *******
*****/*** **** *******
*****/*** **** ******* 

***** *************

**** ********, ***** ************* **** ** ****, *********, *** ***** opened **** **** *** **** ***** ** *******, **** **** also ********* **** (******** *** ********).

Other ****

***** *** *** ***** ********* **** *** **** ** ************:

** ********

**** *** **** ** **** ** **** * ****** ** see ***** ******* *** ** (********** ** ****) ** ***. These ******* *** ******* ** ******** ***** **** ** ***** ** ***************** ** *******. ***** ** ***** *******, ***** *** ****** *** ** more ******* ** ******* ****** ***** ****.

** ***** *******, **** **** *********** ******* ** ***, *********** *** ************ ** **** ****** ***** ********.

******* ***-******** *****

** **** *******, ***-******** ***** *** ** **** *** **** streams ** *****. **** ** **** ***** **** ***-**** ******, though ****** **********, ** ** ***. ***** **** ****** ***** to ********* ***** ***** *** ** *** *** ***** ********.

*** *******, ***** ******* **** **, *** ******* ****** **** our***** ***-**** ******** **** *** ******* ** *** ***. **** *******, *** ****** ******* typical ***** *** ****, ****, *** ******, *** *** ******* ones: **** *** ****. ******* * ****** **** ** **** these ***** ***** ** **** **** **** ** **** *** running ****, *** ******** **** ** *****.

****      *****  *******
****/*** ****    ****    ***** **** *.*

****** *** ****** ***** ***** *** **** ****, ** ************ connects ** *****.

Comments (10)

**** ** * ***** *******. ***** ***.

**** ** * ***** *******. * *** *** ***** ** this ****. ***** *** *** *******.

**** ******* **** * ***** *******, ******.

*** ***** ****'* **** ******* ** ** ** ***** ******* Hikvision *********** ********.. * *** *** ******* **** ****** **** are ******** ***** ********* ******* *** **** *************** *** ** present. ***** ******* **** **** **** ********* **** ***** "******."

** *********'* ********* **** **** **** **** ** ***** **** vulnerabilities ** ***** *******. **** **** ***** *** ******* ********, and ****** ***** *********, *** ******** *** ****** ******** ** that **** ** ******* ****** *** ******* ****** ******** ******. In *** **** ********* **** **** ***** ***** *** ********--**** discussing ******* *********, ******, *** ******** ******. (*'* ******* ***** this *********: *****://****-*******.**.*********.***/*******/****/****/**********************************************.*** )

** ******, ******* *********, **** *********, *** ****** (******* ** exposes ********* ** *** *****) ***** *** ** **** ** gain **** ** ***** ***** ****** ** * ******. *** in **** ***** **** ************* *** ** ** ******* **** due ** *** ********** **** ** ******* **** *********** ** order ** ******* ******* *** ******/*******. *.*, "*** *** *** in *** ****** *** ********** ** ** ******, *** ****."

*** *** ***** *********** *********** ****** ********* ******** **** ***** their **** ** ********** *** *** **** ****** ******** ***** (wired *******: ****://***.*****.***/****/**/*********/ , ************ *******: ****://***.************.***/********-***************-*****-*********-***-******* ). *** **** appear ** ** ******* * ***** (/***/********). *** *** ******** are ***** ** ******* "**** *******" ** *** ******.

* ** **** ******** **** *** ******* *'** ****** **** that ****/**** *** *** **** **** **** ********** ** * surveillance *******. **** **** ** ** **** ******** *******, ******* hold *** *** ***** (** ********** ***** ** **** *******), tend ** *** * ****** ***** (** *******) ******* *** if *** ******* * **** ********* ** *** **** *** at ******* **** ** *******, ******* **** **** ******** *************** for **************** *** ***********, *** *** ** ***** ** * commodity ******** ******** ****** **** *** **** ****** **** **** in **** *******.

**** *** *** ***** *******, *** *** ****** ** ******* than *******. * ******* ****'* *** ********** ** ** *** doghouse *****.

** ****, ***** *** *** **** **** ******* *******. *** those ******* ***** ** *** ***** **** ** ******* ********** ports, ** *** ***** ****** ***** ** *** ********, ** block ***** ** *** ******* *** ***'*, ***** ** ** adequate ********? ***** ***.

** **** ****** ** ****** * *** ******, ****, ****, pretty **** ***** **** ******, ***** *******'* ** *** ******* considerations ****** ** ******* ****** ** ******* **** *** ******** at ***** - ***** **** ***** ** ********* **** *** WAN ********* ** *** *******' *** *********. ***** ***'* **** to *******, ******, **** **** **** ** *** ** ********* to ******* ** *** ***.

***** ***** ** * ******* ** **** ******* ***** **** to *** ***** *** **** **********, ********* **** ******* *** routers *** **** ******* ** *******. ** ************* **** **** option ******** ***-**-***-*** ** ***** ******** ********* * *** ** the *******, ** ** ***** **** **** ******** ****** ** the ******** ** ********* ** ****** ****** ****, ** ******* those ***** ********, ** **** **** ****** ** *** ***/***/******* possible.

** ******, ** ** ******* *** ****** ****** ** **** LAN, ****... *** **** ****** ****** ** ***** ***** **** whether **** *** ***** ** **** ********* ******.

****, **** ** * ***** *******. * ***** *** *** warning ** **. ** *** *** ** **** **** ** a ******* **** ***** ** *******, *** ******* **** ****** 2010, ** ** ******** **** **** ******* ***** ** *******. This ******'* ****** **** ****, *****, ********* ** **** ******* for *******, *** ** ***** **** ******* ***-**** *********. *'** written ***** **** ***** ** ** *********** *&* ******, ** the *********** **** **** **** ********** ** "*********". ** *** case, ******* ** ** ** * ********** ********* ** ****, over *** ******* ******* **** ***** ******* **** ** ** tech *** ** **** ****. **** *** * ********** **** in ****. **** **** *** *** *******. ****** *** ** be **** *** ** *** ****** ********* ** ******** ******* their *****. *** * *** ***. * ***** ***** ** again * ****** ** ***** ***** **** * ****** **** took ** ****** ******* ** ** ******* *******, *** ** required **** **** **** ***** ******* ** *** **** **** on (* ***'* **** *** ********* *******).

******* ** **** ** ***** ***** ** *** * ******** the ** *********** ** ************ **** *** ******* ** ***** network, *** *** ***** **** ******* ** ****** *** ** addresses ** *** ******* ** *** ** *** **** ****.

********** **** ** **** **** *** * ****** **** - whether ** *** *** ******* **** ** ********* ** * larger ********* ******* - ****** ** * ******** **** ****** finalizing *** ******* ****** **********.

* **** *** ********** ***** **** ** **** **** ***'* need ** ** ****, ******* ***** ******* *** ** * physically *********** *******. *******, *** **** ** ********** **** *** isolated ******* ****** ***** ****** ** *** ******. ************, *** deployments **** ***** ******* **** *** ********** ** **** ***, you **** ** ******** **** **** ** * ******** *************, becasue ********* ******* ****** ** *** ***** ******* ***'* **** a ******** ** ******* ****** ** **** *** ******* ****. They *** **** *** *** ******* ****.

* ******* **** *** ************* ******** ** ***** ********* **** since ******** *** ******** *** ***** ******* ** ********* **** vulnerabilty ** ***** ** ** * *********** *****. *** ** is ****** *** ******** ******* *** ** *** ***** ******** upgraded **** ********** ** ******* ****.

********** ***** ******** ***** **** ** **** ******* ******** ** place, ********** ** *** *** ** *** *******, ** **** traffic **** ***-******** ******* (**** ** ** ********'* ******) ***'* flood *** *******.

****. ***** **** ***** ** ******'* '********* *****'.

***, **** ***** ** **** ** *** **** ** ******** co-workers' ** ******** **** *** **' "**** ** *****". **** *****!

** *'** **** ******** *** ***** **** **** ** *********... still ****'* ***** ********, ********* ** ***** ** *** ***'* laptop ** *** **** *****, *** **'* **** *% **** the *** ****. **** ****, **** *********. *'** **** ***** Advanced ** ******* (**** ***.******.***) *** * **** **** *** will ******** ***** ** **** *** ******* ***** ******* *******, like **** ** ******* ****** *****'* **** ** ** *** DHCP ******, *** **** ** ********** ******* ***** ** ** toolbox *** ***** ***** ********* ******* ** ******.

**** ******* *******.

***'* *** **** **** **** *******, **** ***** ** ******* (factory ********) ***'* ******* ***********....** .... *** *** ***** ***** the *******, *** *** *** *** **** ****** ***** ******* passwords **** ***. ** *** *** *** *** ******** **** inside, **** * ******** ************ ******* **** ****.. *****!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on ONVIF

H.265 / HEVC Codec Tutorial 2017 on May 25, 2017
Since 2013, video surveillance professionals have talked about the potential for H.265. Now, in 2017, H.265 is starting to gain mainstream...
Camera Course Summer 2017 on May 25, 2017
Learn video surveillance and get certified. IPVM provides live online classes, recorded videos, personal help, cutting edge education and...
48MP 180 Camera (Digital Watchdog) Test on May 10, 2017
Camera resolution continues to advance, with Digital Watchdog offering the MegaPIX PANO 48MP 180° camera, the highest resolution mainstream camera...
Aqueti 100MP Mantis Camera Profile on Apr 14, 2017
One of the original gigapixel camera startups, Aqueti, which we first covered in 2012, is back. This time, they have partnered with NVIDIA,...
Best and Worst - ISC West 2017 Show Report on Apr 10, 2017
IPVM went to Las Vegas, examining what vendors are showcasing and what is new. Attendance was up, according to the show, and was certainly well...
TVI 4.0 Doubles HD Analog Bandwidth on Mar 05, 2017
HD analog's move up market continues. Starting a few years ago at just 720p, HD analog is now poised for 4K and beyond. Techpoint, the company...
Uniview NVR Tested on Mar 02, 2017
Uniview, China's self proclaimed #3 video surveillance manufacturer behind Hikvision and Dahua, is ramping up its international sales efforts. In...
20 Manufacturer Favorability Ranked on Feb 28, 2017
20 security industry organizations' favorability was ranked based on direct feedback from over 100 integrators. In-depth comments revealed insights...
Artificial Intelligence Robot Assistant (ACTi) on Feb 23, 2017
Has artificial intelligence come to the video surveillance industry? ACTi has released 'SARA' which it bills as an 'AI assistant that brings...
Axis Favorability Results on Feb 03, 2017
For many years, Axis sold the most IP cameras but, with the rise of Hikvision and Dahua, that has changed. How would that impact Axis...

Most Recent Industry Reports

Anti-Hack Access Card Shields Tested on May 26, 2017
Keeping your access control card information secure is becoming a big priority, especially since cheaper copiers can hack details easily. Multiple...
H.265 / HEVC Codec Tutorial 2017 on May 25, 2017
Since 2013, video surveillance professionals have talked about the potential for H.265. Now, in 2017, H.265 is starting to gain mainstream...
Camera Course Summer 2017 on May 25, 2017
Learn video surveillance and get certified. IPVM provides live online classes, recorded videos, personal help, cutting edge education and...
Most Respected Manufacturer Competitors on May 25, 2017
Manufacturers told IPVM what competitor they most respected. In terms of total revenue, Hikvision, Dahua and Axis are certainly tops but would...
CyPhy 'Unlimited' Flight Time Security Drone Examined on May 25, 2017
Drones face several issues as commercial security platforms - legal restrictions (e.g., in the US, the FAA), costs, and limited flight durations...
Milestone Entry Level Mobile Password Vulnerability Disclosed on May 24, 2017
While many manufacturers have only addressed cybersecurity vulnerabilities after public disclosures were made (or threatened), Milestone has...
How Integrators Use IPVM on May 24, 2017
150 integrators explained how they use IPVM and how it helps them stay informed and improve their business.  The 4 main uses integrators cited for...
Alarm Supervision Guide on May 24, 2017
Burglar alarms can constantly monitor the health of attached circuits, sensors, and devices to ensure that they remain operational. This is known...
Arlo Go Cellular Cloud Camera Tested on May 23, 2017
Totally wireless surveillance cameras are growing but almost all typically depend on a hub and local Internet access. However, many outdoor...
Avigilon New COO James Henderson Profile on May 23, 2017
It has been nearly 2 years since the infamous Bryan Schmode 'resigned' as Avigilon COO. Now, Avigilon once again has a COO, promoting James...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact