NMAPing IP Cameras

Author: Ethan Ace, Published on Mar 05, 2015

The Hikvision hack has increased security concerns.

Indeed, most users do not know whether they are vulnerable or not, which ports of their systems are open, and what services they may be running, leaving them potentially vulnerable.

NMAP, a common security network tool, can be used to check for some vulnerabilities, but is not used as much as it should be.

In this test, we show how it may be used to check your cameras and systems for potential security problems, as well as discovering IP cameras and finding non-standard ports being used for video transmission.

Then we run it on cameras from:

  • Arecont Vision
  • Avigilon
  • Axis
  • Bosch
  • Dahua
  • Hikvision

The test shows which cameras allow the most open ports and the greatest potential security risks.

*** ********* **** *** ********* ******** ********.

******, **** ***** ** *** **** ******* **** *** ********** or ***, ***** ***** ** ***** ******* *** ****, *** what ******** **** *** ** *******, ******* **** *********** **********.

****, * ****** ******** ******* ****, *** ** **** ** check *** **** ***************, *** ** *** **** ** **** as ** ****** **.

** **** ****, ** **** *** ** *** ** **** to ***** **** ******* *** ******* *** ********* ******** ********, as **** ** *********** ** ******* *** ******* ***-******** ***** being **** *** ***** ************.

**** ** *** ** ** ******* ****:

  • ******* ******
  • ********
  • ****
  • *****
  • *****
  • *********

*** **** ***** ***** ******* ***** *** **** **** ***** and *** ******** ********* ******** *****.

[***************]

Using ****

**** ** * **** *** **** ****** ******* **** *** network ******** *** ******** ********. *** **** ********* *** ** IP ************ ** *********** ***** ***** ** * ***** ****** are ****** *** ****. ***** *** ** *** ****** * single ****** ** ********, **** ** ****** ******.

**** ****** ** * ******* **** ******* **** **** ******* switches *** *********. *** ******* ** *** * **** **** of *** *** *****, *** *******, ***** **** ****:

**** -* *-***** -** -* -* ***.**.***.***

*******, ********* ********** *** ********* ***** ******** *** *** *** ****** scan ******* ** * ******** ****, **** ********, ***** **** ** *** ***:

**** ***** ******* *** ***** ********* ** **** ***** *** Zenmap ***.

Scan *******

*** ******* ** * **** ****, ********* ** ***** ** used, **** **** ***** * ***** **** ** **** ***** while ****** *** ********, *****-**** ******* ******* ******* ***** *** identifiers.

**** ******* ***** * ***** **** ** * ****** ****** (***** *********):

******** **** *.** ( ****://****.*** ) ** ****-**-** **:** *** Nmap **** ****** *** ***.**.***.*** **** ** ** (*.***** *******). Not *****: *** ****** ***** **** ***** ******* **/*** **** telnet **/*** **** **** ***/*** **** **** ****/*** **** ****** 5000/tcp **** **** *****/*** **** ******* *** *******: **:**:**:**:**:** (******** Dahua ********** **.) **** ****: * ** ******* (* **** up) ******* ** *.** *******

**** ******* ***** *** **** ******, **** ** ******* **** of *** *** *****. **** **** **** **** ** **** complex, ******* ******** ******* *********** **** *********, **** ** ******* and ** ********. ***** **** ********** ***** **** ************* ****** than ******* *****, ** ** **** ** **** ** ****, versus *-** *******.

******** ******* *********** *** ** **** ** *** ******* **** ** the ****** **** *****, ***** ********* "******* *******" ** *** server ** *** ** *** ******. **** **** ***********, ********* may **** ****** ****** *** **** ** ******* ***** **** ports. ******* ****** *** "******* ******* *******", *** *******, ******* **** *******, ********* ******** ************.

Common ****** *****

** ******* ** ******* **** * ****** ************* ** *** how **** ********. **** ***** *** ******* ******** ****** ******, with **** ******* **** *** ** ***** ******* ***** **** (****, HTTPS, ****), ***** ****** ****** ** ** **** *** ******* services, ********* ******, ***, ****, ******** **** *******, *** ****.

***** ** * ********* ** ******* **** ****** *************, ******* from ******* **** ***** (**** *** ****) ** ********, ** well ** ******** ** ******* ***** ***** ***** ** ****** via *** ******'* *** *********:

******* ****** ********

******* ****** ******* **** **** **** *** **** *****. **** that **** ****** (-** ** *** ******* ****) **** ** disabled ** ***** ** **** ******* ******* ** ***, ** they ***** *** **** ** ****** *****. 

**/*** **** ****
***/*** **** ****
****/*** **** ****-*****

******** *.**-***-***

** **** *******, ********'* ******* **** **** *** **** ******* of *****, ****, *****, *** ****. 

**/*** **** ****
***/*** **** *****
***/*** **** ****

**** *****

*** *****, ** **** ** *** ***** **** ******* ** tested, *** **** ***** ****, *** ****** **** *** **** ports, ** **** ** *** (**** ** ****** ********, **** applications, ***. ** *** ******), *** ****, ******* ** **** 49152. *** *** **** *** **** ** ****** *** ** network ********.

**/*** **** ***
**/*** **** ****
***/*** **** ****
*****/*** **** ******* 

***** ***-*****

***** ******* ******* ****** ******* **** *** **** *****, ** well ** *****, ***** **** *** *** **** *******, ******, and **** ** *****. ****** *** **** *** ** ****** via *** *** *********.

**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** *****
*****/*** **** ******* 

***** ***-********

***** ******* **** *** ********* ***** ** *******. **** **** may ** ********. ***** ** ** ****** ** ***** ***** ports.

**/*** **** ******
**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

****** ****** ****

****** **** ** ** ****** ** ***** ******* ** ******** 2.400 *** **, **** ** ****** ** ****** ** ** the ******'* *** *********. ***** **** ***** ****** *********. ****** was ********** **** ** ****** ***** ******* ** * ***** scale ****** (***:****** ***** ******* ***** ******* ***** ******).

**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

********* **-*******-*

** **** ******, ******** ***** *** **** *** ******** ***** than **** *** ****. **** ***, ***** ***** ** ****** by ******* *** ****.

**/*** **** ***
**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** ****-********
****/*** **** ****-***
****/*** **** ********
*****/*** **** *******

****** ****** ****

********* **************** * ***** ********* ** ******** **** ******** *** ******** (*** **** *******). An ******* ** ******* ** **** ***** ** ***** ***** ******* a ****** ******* *.*.* ******** *** *** ******* *.*.*, **** telnet ****** (** **** ** *** *** *****, ***** *** now ******** ** *******).

********* **-********-** ***

** **** ******* ******** ********* ****, ******* ******** **** ***** in ******** ** ******* **** ********. ** ***** ** *** to ***** ***** ***** *** ********.

**/*** **** ****
****/*** **** ****-***
****/*** **** ***
****/*** **** *******
*****/*** **** *******
*****/*** **** ******* 

***** *************

**** ********, ***** ************* **** ** ****, *********, *** ***** opened **** **** *** **** ***** ** *******, **** **** also ********* **** (******** *** ********).

Other ****

***** *** *** ***** ********* **** *** **** ** ************:

** ********

**** *** **** ** **** ** **** * ****** ** see ***** ******* *** ** (********** ** ****) ** ***. These ******* *** ******* ** ******** ***** **** ** ***** ** ***************** ** *******. ***** ** ***** *******, ***** *** ****** *** ** more ******* ** ******* ****** ***** ****.

** ***** *******, **** **** *********** ******* ** ***, *********** *** ************ ** **** ****** ***** ********.

******* ***-******** *****

** **** *******, ***-******** ***** *** ** **** *** **** streams ** *****. **** ** **** ***** **** ***-**** ******, though ****** **********, ** ** ***. ***** **** ****** ***** to ********* ***** ***** *** ** *** *** ***** ********.

*** *******, ***** ******* **** **, *** ******* ****** **** our***** ***-**** ******** **** *** ******* ** *** ***. **** *******, *** ****** ******* typical ***** *** ****, ****, *** ******, *** *** ******* ones: **** *** ****. ******* * ****** **** ** **** these ***** ***** ** **** **** **** ** **** *** running ****, *** ******** **** ** *****.

****      *****  *******
****/*** ****    ****    ***** **** *.*

****** *** ****** ***** ***** *** **** ****, ** ************ connects ** *****.

Comments (10)

Eric Taylor

03/05/15 04:24pm

**** ** * ***** *******. ***** ***.

Pat Villerot

03/05/15 05:02pm

**** ** * ***** *******. * *** *** ***** ** this ****. ***** *** *** *******.

Steve Mitchell

03/05/15 07:03pm

**** ******* **** * ***** *******, ******.

*** ***** ****'* **** ******* ** ** ** ***** ******* Hikvision *********** ********.. * *** *** ******* **** ****** **** are ******** ***** ********* ******* *** **** *************** *** ** present. ***** ******* **** **** **** ********* **** ***** "******."

** *********'* ********* **** **** **** **** ** ***** **** vulnerabilities ** ***** *******. **** **** ***** *** ******* ********, and ****** ***** *********, *** ******** *** ****** ******** ** that **** ** ******* ****** *** ******* ****** ******** ******. In *** **** ********* **** **** ***** ***** *** ********--**** discussing ******* *********, ******, *** ******** ******. (*'* ******* ***** this *********: *****://****-*******.**.*********.***/*******/****/****/**********************************************.*** )

** ******, ******* *********, **** *********, *** ****** (******* ** exposes ********* ** *** *****) ***** *** ** **** ** gain **** ** ***** ***** ****** ** * ******. *** in **** ***** **** ************* *** ** ** ******* **** due ** *** ********** **** ** ******* **** *********** ** order ** ******* ******* *** ******/*******. *.*, "*** *** *** in *** ****** *** ********** ** ** ******, *** ****."

*** *** ***** *********** *********** ****** ********* ******** **** ***** their **** ** ********** *** *** **** ****** ******** ***** (wired *******: ****://***.*****.***/****/**/*********/ , ************ *******: ****://***.************.***/********-***************-*****-*********-***-******* ). *** **** appear ** ** ******* * ***** (/***/********). *** *** ******** are ***** ** ******* "**** *******" ** *** ******.

* ** **** ******** **** *** ******* *'** ****** **** that ****/**** *** *** **** **** **** ********** ** * surveillance *******. **** **** ** ** **** ******** *******, ******* hold *** *** ***** (** ********** ***** ** **** *******), tend ** *** * ****** ***** (** *******) ******* *** if *** ******* * **** ********* ** *** **** *** at ******* **** ** *******, ******* **** **** ******** *************** for **************** *** ***********, *** *** ** ***** ** * commodity ******** ******** ****** **** *** **** ****** **** **** in **** *******.

**** *** *** ***** *******, *** *** ****** ** ******* than *******. * ******* ****'* *** ********** ** ** *** doghouse *****.

Luke Maslen

IPVMU Certified | 03/05/15 10:46pm

** ****, ***** *** *** **** **** ******* *******. *** those ******* ***** ** *** ***** **** ** ******* ********** ports, ** *** ***** ****** ***** ** *** ********, ** block ***** ** *** ******* *** ***'*, ***** ** ** adequate ********? ***** ***.

Matt Ion

In reply to Luke Maslen | 03/06/15 07:44pm

** **** ****** ** ****** * *** ******, ****, ****, pretty **** ***** **** ******, ***** *******'* ** *** ******* considerations ****** ** ******* ****** ** ******* **** *** ******** at ***** - ***** **** ***** ** ********* **** *** WAN ********* ** *** *******' *** *********. ***** ***'* **** to *******, ******, **** **** **** ** *** ** ********* to ******* ** *** ***.

***** ***** ** * ******* ** **** ******* ***** **** to *** ***** *** **** **********, ********* **** ******* *** routers *** **** ******* ** *******. ** ************* **** **** option ******** ***-**-***-*** ** ***** ******** ********* * *** ** the *******, ** ** ***** **** **** ******** ****** ** the ******** ** ********* ** ****** ****** ****, ** ******* those ***** ********, ** **** **** ****** ** *** ***/***/******* possible.

** ******, ** ** ******* *** ****** ****** ** **** LAN, ****... *** **** ****** ****** ** ***** ***** **** whether **** *** ***** ** **** ********* ******.

Ray Bernard

03/06/15 03:18pm

****, **** ** * ***** *******. * ***** *** *** warning ** **. ** *** *** ** **** **** ** a ******* **** ***** ** *******, *** ******* **** ****** 2010, ** ** ******** **** **** ******* ***** ** *******. This ******'* ****** **** ****, *****, ********* ** **** ******* for *******, *** ** ***** **** ******* ***-**** *********. *'** written ***** **** ***** ** ** *********** *&* ******, ** the *********** **** **** **** ********** ** "*********". ** *** case, ******* ** ** ** * ********** ********* ** ****, over *** ******* ******* **** ***** ******* **** ** ** tech *** ** **** ****. **** *** * ********** **** in ****. **** **** *** *** *******. ****** *** ** be **** *** ** *** ****** ********* ** ******** ******* their *****. *** * *** ***. * ***** ***** ** again * ****** ** ***** ***** **** * ****** **** took ** ****** ******* ** ** ******* *******, *** ** required **** **** **** ***** ******* ** *** **** **** on (* ***'* **** *** ********* *******).

******* ** **** ** ***** ***** ** *** * ******** the ** *********** ** ************ **** *** ******* ** ***** network, *** *** ***** **** ******* ** ****** *** ** addresses ** *** ******* ** *** ** *** **** ****.

********** **** ** **** **** *** * ****** **** - whether ** *** *** ******* **** ** ********* ** * larger ********* ******* - ****** ** * ******** **** ****** finalizing *** ******* ****** **********.

* **** *** ********** ***** **** ** **** **** ***'* need ** ** ****, ******* ***** ******* *** ** * physically *********** *******. *******, *** **** ** ********** **** *** isolated ******* ****** ***** ****** ** *** ******. ************, *** deployments **** ***** ******* **** *** ********** ** **** ***, you **** ** ******** **** **** ** * ******** *************, becasue ********* ******* ****** ** *** ***** ******* ***'* **** a ******** ** ******* ****** ** **** *** ******* ****. They *** **** *** *** ******* ****.

* ******* **** *** ************* ******** ** ***** ********* **** since ******** *** ******** *** ***** ******* ** ********* **** vulnerabilty ** ***** ** ** * *********** *****. *** ** is ****** *** ******** ******* *** ** *** ***** ******** upgraded **** ********** ** ******* ****.

********** ***** ******** ***** **** ** **** ******* ******** ** place, ********** ** *** *** ** *** *******, ** **** traffic **** ***-******** ******* (**** ** ** ********'* ******) ***'* flood *** *******.

Undisclosed #1

In reply to Ray Bernard | 03/06/15 06:57pm

****. ***** **** ***** ** ******'* '********* *****'.

Matt Ion

In reply to Ray Bernard | 03/06/15 07:48pm

***, **** ***** ** **** ** *** **** ** ******** co-workers' ** ******** **** *** **' "**** ** *****". **** *****!

Undisclosed Integrator #2

03/06/15 08:15pm

** *'** **** ******** *** ***** **** **** ** *********... still ****'* ***** ********, ********* ** ***** ** *** ***'* laptop ** *** **** *****, *** **'* **** *% **** the *** ****. **** ****, **** *********. *'** **** ***** Advanced ** ******* (**** ***.******.***) *** * **** **** *** will ******** ***** ** **** *** ******* ***** ******* *******, like **** ** ******* ****** *****'* **** ** ** *** DHCP ******, *** **** ** ********** ******* ***** ** ** toolbox *** ***** ***** ********* ******* ** ******.

Thumbnail recadr

Marc Pichaud

03/08/15 10:40am

**** ******* *******.

***'* *** **** **** **** *******, **** ***** ** ******* (factory ********) ***'* ******* ***********....** .... *** *** ***** ***** the *******, *** *** *** *** **** ****** ***** ******* passwords **** ***. ** *** *** *** *** ******** **** inside, **** * ******** ************ ******* **** ****.. *****!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on ONVIF

IP Camera Specification / RFP Guide 2017 on Aug 14, 2017
RFPs are hard. Do them 'right' and it takes a lot of knowledge and time. Do them 'wrong' and you can be (a) unwittingly locked into a specific...
ONVIF Releases Profile A for Access on Aug 08, 2017
ONVIF has struggled so far in access control. In 2014, ONVIF released Profile C for access control, but in the 3 years since, only 2 companies...
Hikvision H.265+ Bullet Tested (2035) on Jul 24, 2017
Continuing our tests of Hikvision's new low cost Value Plus line, we bought and tested the 3MP DS-2CD2035FWD-I, now including H.265+. We shot the...
PR Campaign Exploiting Manufacturer Cybersecurity on Jul 20, 2017
Manufacturers increasingly have a bulls-eye on their back. As cyber security solutions providers grow, they realize a great way to get publicity...
ONVIF Chairman Criticizes Low Cost Cameras (Also, He Works At Axis) on Jul 12, 2017
ONVIF Chairman Per Björkdahl has taken a strong public stance against low cost cameras that are 'much more vulnerable to attack' as he explains in...
ONVIF Widely Used Toolkit gSOAP Vulnerability Discovered on Jul 10, 2017
A vulnerability has been discovered in a toolkit that video surveillance manufacturers widely use for implementing ONVIF. In this report, we...
Universal HD Analog Encoder Tested (DW Compressor) on Jul 06, 2017
Digital Watchdog has released the Compressor HD, a "universal" HD analog encoder, with support for AHD, CVI, TVI and SD analog cameras. We tested...
H.265 / HEVC Codec Tutorial 2017 on Jun 30, 2017
For years, video surveillance professionals have talked about the potential for H.265. Now, in 2017, H.265 is starting to gain mainstream...
Hikvision H.265+ Tested on Jun 27, 2017
Hikvision, which in the past few years released H.264+ (see test results) has now released H.265+, that claims even greater bandwidth savings. We...
Uniview Low-Cost Bullet PTZ Tested on Jun 21, 2017
Uniview is offering a HD zoom bullet camera, the IPC742SR9-PZ30-32G, with an integrated pan / tilt positioner, for the price of a low-cost...

Most Recent Industry Reports

Avigilon CEO Attacks Asian Companies Cyber Insecurity on Aug 18, 2017
Avigilon CEO is taking aim at their Asian competitors. And he is going directly after these company's cyber security issues. In this note, we...
Sony Next Gen HD Dome Camera Tested (SNC-EM642R) on Aug 18, 2017
Sony has released their latest generation, claiming improved WDR and low light, increased IR range, and more. We tested the SNC-EM642R outdoor IR...
IP Networking Course September 2017 on Aug 17, 2017
This is the only networking course designed specifically for video surveillance professionals plus it includes live training, personal help and...
Knightscope Raises $10 Million With $3,320 Average Per Investor on Aug 17, 2017
Congrats to Knightscope. And condolences to their legion of little investors. Knightscope has disclosed they have raised $10+ million from their...
Axis and Arecont Legal Conflict Over Multi-Imager Cameras on Aug 17, 2017
Arecont threatened Axis. Axis has responded by moving to invalidate an Arecont patent. It is an important contest. Multi-imagers are Arecont's...
Directory Of Consumer Security Cameras on Aug 16, 2017
The consumer camera segment continues to grow, with new startups and models from existing players released seemingly every month. In this report we...
Cat 5e vs Cat 6 vs Cat 6a Network Cable Usage Statistics on Aug 16, 2017
Cat 5e? Cat 6? Cat 6a? What do integrators use in practice, today? 140+ integrators told IPVM. Here are the results: For those who want to...
Hikvision Responds To Cracked Security Codes on Aug 15, 2017
Hikvision has responded to IPVM's report on Hikvision's security code being cracked, both with a 2 page update to dealers and communication...
Stolen Video NVR / DVR Statistics on Aug 15, 2017
"But what happens if someone steals my recorder?" Anyone who has done more than a handful of jobs has probably heard this question several times....
Hikvision Europe Cutting Out Unauthorized End User Sales on Aug 15, 2017
The days of anyone buying Hikvision from anywhere off the Internet are numbered, at least in Europe, if Hikvision's plan comes to fruition. In...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact