NMAPing IP Cameras

Author: Ethan Ace, Published on Mar 05, 2015

The Hikvision hack has increased security concerns.

Indeed, most users do not know whether they are vulnerable or not, which ports of their systems are open, and what services they may be running, leaving them potentially vulnerable.

NMAP, a common security network tool, can be used to check for some vulnerabilities, but is not used as much as it should be.

In this test, we show how it may be used to check your cameras and systems for potential security problems, as well as discovering IP cameras and finding non-standard ports being used for video transmission.

Then we run it on cameras from:

  • Arecont Vision
  • Avigilon
  • Axis
  • Bosch
  • Dahua
  • Hikvision

The test shows which cameras allow the most open ports and the greatest potential security risks.

*** ********* **** *** ********* ******** ********.

******, **** ***** ** *** **** ******* **** *** ********** or ***, ***** ***** ** ***** ******* *** ****, *** what ******** **** *** ** *******, ******* **** *********** **********.

****, * ****** ******** ******* ****, *** ** **** ** check *** **** ***************, *** ** *** **** ** **** as ** ****** **.

** **** ****, ** **** *** ** *** ** **** to ***** **** ******* *** ******* *** ********* ******** ********, as **** ** *********** ** ******* *** ******* ***-******** ***** being **** *** ***** ************.

**** ** *** ** ** ******* ****:

  • ******* ******
  • ********
  • ****
  • *****
  • *****
  • *********

*** **** ***** ***** ******* ***** *** **** **** ***** and *** ******** ********* ******** *****.

[***************]

Using ****

**** ** * **** *** **** ****** ******* **** *** network ******** *** ******** ********. *** **** ********* *** ** IP ************ ** *********** ***** ***** ** * ***** ****** are ****** *** ****. ***** *** ** *** ****** * single ****** ** ********, **** ** ****** ******.

**** ****** ** * ******* **** ******* **** **** ******* switches *** *********. *** ******* ** *** * **** **** of *** *** *****, *** *******, ***** **** ****:

**** -* *-***** -** -* -* ***.**.***.***

*******, ********* ********** *** ********* ***** ******** *** *** *** ****** scan ******* ** * ******** ****, **** ********, ***** **** ** *** ***:

**** ***** ******* *** ***** ********* ** **** ***** *** Zenmap ***.

Scan *******

*** ******* ** * **** ****, ********* ** ***** ** used, **** **** ***** * ***** **** ** **** ***** while ****** *** ********, *****-**** ******* ******* ******* ***** *** identifiers.

**** ******* ***** * ***** **** ** * ****** ****** (***** *********):

******** **** *.** ( ****://****.*** ) ** ****-**-** **:** *** Nmap **** ****** *** ***.**.***.*** **** ** ** (*.***** *******). Not *****: *** ****** ***** **** ***** ******* **/*** **** telnet **/*** **** **** ***/*** **** **** ****/*** **** ****** 5000/tcp **** **** *****/*** **** ******* *** *******: **:**:**:**:**:** (******** Dahua ********** **.) **** ****: * ** ******* (* **** up) ******* ** *.** *******

**** ******* ***** *** **** ******, **** ** ******* **** of *** *** *****. **** **** **** **** ** **** complex, ******* ******** ******* *********** **** *********, **** ** ******* and ** ********. ***** **** ********** ***** **** ************* ****** than ******* *****, ** ** **** ** **** ** ****, versus *-** *******.

******** ******* *********** *** ** **** ** *** ******* **** ** the ****** **** *****, ***** ********* "******* *******" ** *** server ** *** ** *** ******. **** **** ***********, ********* may **** ****** ****** *** **** ** ******* ***** **** ports. ******* ****** *** "******* ******* *******", *** *******, ******* **** *******, ********* ******** ************.

Common ****** *****

** ******* ** ******* **** * ****** ************* ** *** how **** ********. **** ***** *** ******* ******** ****** ******, with **** ******* **** *** ** ***** ******* ***** **** (****, HTTPS, ****), ***** ****** ****** ** ** **** *** ******* services, ********* ******, ***, ****, ******** **** *******, *** ****.

***** ** * ********* ** ******* **** ****** *************, ******* from ******* **** ***** (**** *** ****) ** ********, ** well ** ******** ** ******* ***** ***** ***** ** ****** via *** ******'* *** *********:

******* ****** ********

******* ****** ******* **** **** **** *** **** *****. **** that **** ****** (-** ** *** ******* ****) **** ** disabled ** ***** ** **** ******* ******* ** ***, ** they ***** *** **** ** ****** *****. 

**/*** **** ****
***/*** **** ****
****/*** **** ****-*****

******** *.**-***-***

** **** *******, ********'* ******* **** **** *** **** ******* of *****, ****, *****, *** ****. 

**/*** **** ****
***/*** **** *****
***/*** **** ****

**** *****

*** *****, ** **** ** *** ***** **** ******* ** tested, *** **** ***** ****, *** ****** **** *** **** ports, ** **** ** *** (**** ** ****** ********, **** applications, ***. ** *** ******), *** ****, ******* ** **** 49152. *** *** **** *** **** ** ****** *** ** network ********.

**/*** **** ***
**/*** **** ****
***/*** **** ****
*****/*** **** ******* 

***** ***-*****

***** ******* ******* ****** ******* **** *** **** *****, ** well ** *****, ***** **** *** *** **** *******, ******, and **** ** *****. ****** *** **** *** ** ****** via *** *** *********.

**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** *****
*****/*** **** ******* 

***** ***-********

***** ******* **** *** ********* ***** ** *******. **** **** may ** ********. ***** ** ** ****** ** ***** ***** ports.

**/*** **** ******
**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

****** ****** ****

****** **** ** ** ****** ** ***** ******* ** ******** 2.400 *** **, **** ** ****** ** ****** ** ** the ******'* *** *********. ***** **** ***** ****** *********. ****** was ********** **** ** ****** ***** ******* ** * ***** scale ****** (***:****** ***** ******* ***** ******* ***** ******).

**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

********* **-*******-*

** **** ******, ******** ***** *** **** *** ******** ***** than **** *** ****. **** ***, ***** ***** ** ****** by ******* *** ****.

**/*** **** ***
**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** ****-********
****/*** **** ****-***
****/*** **** ********
*****/*** **** *******

****** ****** ****

********* **************** * ***** ********* ** ******** **** ******** *** ******** (*** **** *******). An ******* ** ******* ** **** ***** ** ***** ***** ******* a ****** ******* *.*.* ******** *** *** ******* *.*.*, **** telnet ****** (** **** ** *** *** *****, ***** *** now ******** ** *******).

********* **-********-** ***

** **** ******* ******** ********* ****, ******* ******** **** ***** in ******** ** ******* **** ********. ** ***** ** *** to ***** ***** ***** *** ********.

**/*** **** ****
****/*** **** ****-***
****/*** **** ***
****/*** **** *******
*****/*** **** *******
*****/*** **** ******* 

***** *************

**** ********, ***** ************* **** ** ****, *********, *** ***** opened **** **** *** **** ***** ** *******, **** **** also ********* **** (******** *** ********).

Other ****

***** *** *** ***** ********* **** *** **** ** ************:

** ********

**** *** **** ** **** ** **** * ****** ** see ***** ******* *** ** (********** ** ****) ** ***. These ******* *** ******* ** ******** ***** **** ** ***** ** ***************** ** *******. ***** ** ***** *******, ***** *** ****** *** ** more ******* ** ******* ****** ***** ****.

** ***** *******, **** **** *********** ******* ** ***, *********** *** ************ ** **** ****** ***** ********.

******* ***-******** *****

** **** *******, ***-******** ***** *** ** **** *** **** streams ** *****. **** ** **** ***** **** ***-**** ******, though ****** **********, ** ** ***. ***** **** ****** ***** to ********* ***** ***** *** ** *** *** ***** ********.

*** *******, ***** ******* **** **, *** ******* ****** **** our***** ***-**** ******** **** *** ******* ** *** ***. **** *******, *** ****** ******* typical ***** *** ****, ****, *** ******, *** *** ******* ones: **** *** ****. ******* * ****** **** ** **** these ***** ***** ** **** **** **** ** **** *** running ****, *** ******** **** ** *****.

****      *****  *******
****/*** ****    ****    ***** **** *.*

****** *** ****** ***** ***** *** **** ****, ** ************ connects ** *****.

Comments (10)

**** ** * ***** *******. ***** ***.

**** ** * ***** *******. * *** *** ***** ** this ****. ***** *** *** *******.

**** ******* **** * ***** *******, ******.

*** ***** ****'* **** ******* ** ** ** ***** ******* Hikvision *********** ********.. * *** *** ******* **** ****** **** are ******** ***** ********* ******* *** **** *************** *** ** present. ***** ******* **** **** **** ********* **** ***** "******."

** *********'* ********* **** **** **** **** ** ***** **** vulnerabilities ** ***** *******. **** **** ***** *** ******* ********, and ****** ***** *********, *** ******** *** ****** ******** ** that **** ** ******* ****** *** ******* ****** ******** ******. In *** **** ********* **** **** ***** ***** *** ********--**** discussing ******* *********, ******, *** ******** ******. (*'* ******* ***** this *********: *****://****-*******.**.*********.***/*******/****/****/**********************************************.*** )

** ******, ******* *********, **** *********, *** ****** (******* ** exposes ********* ** *** *****) ***** *** ** **** ** gain **** ** ***** ***** ****** ** * ******. *** in **** ***** **** ************* *** ** ** ******* **** due ** *** ********** **** ** ******* **** *********** ** order ** ******* ******* *** ******/*******. *.*, "*** *** *** in *** ****** *** ********** ** ** ******, *** ****."

*** *** ***** *********** *********** ****** ********* ******** **** ***** their **** ** ********** *** *** **** ****** ******** ***** (wired *******: ****://***.*****.***/****/**/*********/ , ************ *******: ****://***.************.***/********-***************-*****-*********-***-******* ). *** **** appear ** ** ******* * ***** (/***/********). *** *** ******** are ***** ** ******* "**** *******" ** *** ******.

* ** **** ******** **** *** ******* *'** ****** **** that ****/**** *** *** **** **** **** ********** ** * surveillance *******. **** **** ** ** **** ******** *******, ******* hold *** *** ***** (** ********** ***** ** **** *******), tend ** *** * ****** ***** (** *******) ******* *** if *** ******* * **** ********* ** *** **** *** at ******* **** ** *******, ******* **** **** ******** *************** for **************** *** ***********, *** *** ** ***** ** * commodity ******** ******** ****** **** *** **** ****** **** **** in **** *******.

**** *** *** ***** *******, *** *** ****** ** ******* than *******. * ******* ****'* *** ********** ** ** *** doghouse *****.

** ****, ***** *** *** **** **** ******* *******. *** those ******* ***** ** *** ***** **** ** ******* ********** ports, ** *** ***** ****** ***** ** *** ********, ** block ***** ** *** ******* *** ***'*, ***** ** ** adequate ********? ***** ***.

** **** ****** ** ****** * *** ******, ****, ****, pretty **** ***** **** ******, ***** *******'* ** *** ******* considerations ****** ** ******* ****** ** ******* **** *** ******** at ***** - ***** **** ***** ** ********* **** *** WAN ********* ** *** *******' *** *********. ***** ***'* **** to *******, ******, **** **** **** ** *** ** ********* to ******* ** *** ***.

***** ***** ** * ******* ** **** ******* ***** **** to *** ***** *** **** **********, ********* **** ******* *** routers *** **** ******* ** *******. ** ************* **** **** option ******** ***-**-***-*** ** ***** ******** ********* * *** ** the *******, ** ** ***** **** **** ******** ****** ** the ******** ** ********* ** ****** ****** ****, ** ******* those ***** ********, ** **** **** ****** ** *** ***/***/******* possible.

** ******, ** ** ******* *** ****** ****** ** **** LAN, ****... *** **** ****** ****** ** ***** ***** **** whether **** *** ***** ** **** ********* ******.

****, **** ** * ***** *******. * ***** *** *** warning ** **. ** *** *** ** **** **** ** a ******* **** ***** ** *******, *** ******* **** ****** 2010, ** ** ******** **** **** ******* ***** ** *******. This ******'* ****** **** ****, *****, ********* ** **** ******* for *******, *** ** ***** **** ******* ***-**** *********. *'** written ***** **** ***** ** ** *********** *&* ******, ** the *********** **** **** **** ********** ** "*********". ** *** case, ******* ** ** ** * ********** ********* ** ****, over *** ******* ******* **** ***** ******* **** ** ** tech *** ** **** ****. **** *** * ********** **** in ****. **** **** *** *** *******. ****** *** ** be **** *** ** *** ****** ********* ** ******** ******* their *****. *** * *** ***. * ***** ***** ** again * ****** ** ***** ***** **** * ****** **** took ** ****** ******* ** ** ******* *******, *** ** required **** **** **** ***** ******* ** *** **** **** on (* ***'* **** *** ********* *******).

******* ** **** ** ***** ***** ** *** * ******** the ** *********** ** ************ **** *** ******* ** ***** network, *** *** ***** **** ******* ** ****** *** ** addresses ** *** ******* ** *** ** *** **** ****.

********** **** ** **** **** *** * ****** **** - whether ** *** *** ******* **** ** ********* ** * larger ********* ******* - ****** ** * ******** **** ****** finalizing *** ******* ****** **********.

* **** *** ********** ***** **** ** **** **** ***'* need ** ** ****, ******* ***** ******* *** ** * physically *********** *******. *******, *** **** ** ********** **** *** isolated ******* ****** ***** ****** ** *** ******. ************, *** deployments **** ***** ******* **** *** ********** ** **** ***, you **** ** ******** **** **** ** * ******** *************, becasue ********* ******* ****** ** *** ***** ******* ***'* **** a ******** ** ******* ****** ** **** *** ******* ****. They *** **** *** *** ******* ****.

* ******* **** *** ************* ******** ** ***** ********* **** since ******** *** ******** *** ***** ******* ** ********* **** vulnerabilty ** ***** ** ** * *********** *****. *** ** is ****** *** ******** ******* *** ** *** ***** ******** upgraded **** ********** ** ******* ****.

********** ***** ******** ***** **** ** **** ******* ******** ** place, ********** ** *** *** ** *** *******, ** **** traffic **** ***-******** ******* (**** ** ** ********'* ******) ***'* flood *** *******.

****. ***** **** ***** ** ******'* '********* *****'.

***, **** ***** ** **** ** *** **** ** ******** co-workers' ** ******** **** *** **' "**** ** *****". **** *****!

** *'** **** ******** *** ***** **** **** ** *********... still ****'* ***** ********, ********* ** ***** ** *** ***'* laptop ** *** **** *****, *** **'* **** *% **** the *** ****. **** ****, **** *********. *'** **** ***** Advanced ** ******* (**** ***.******.***) *** * **** **** *** will ******** ***** ** **** *** ******* ***** ******* *******, like **** ** ******* ****** *****'* **** ** ** *** DHCP ******, *** **** ** ********** ******* ***** ** ** toolbox *** ***** ***** ********* ******* ** ******.

**** ******* *******.

***'* *** **** **** **** *******, **** ***** ** ******* (factory ********) ***'* ******* ***********....** .... *** *** ***** ***** the *******, *** *** *** *** **** ****** ***** ******* passwords **** ***. ** *** *** *** *** ******** **** inside, **** * ******** ************ ******* **** ****.. *****!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on ONVIF

Hikvision NVR 4.0 Improvements Tested on Nov 14, 2017
Hikvision has released firmware version 4.0 for select NVRs, touting two years of research and development, and claiming "the new generation GUI...
Milestone XProtect Essential+ Free VMS Tested on Nov 09, 2017
Milestone continues to expand its aggressive free and low-cost offerings, with this year, Milestone releasing XProtect Essential+, part of their...
Top 2017 Trends - Cyber and Analytics on Nov 09, 2017
The 2 clear top 2017 trends, according to IPVM integrator statistics are: Cyber Security Video Analytics This is a change from 2016...
Axis M3106-LVE Mk 4MP Camera Tested on Nov 06, 2017
Axis has released the latest in their low(er) cost M series outdoor cameras, the M3105-LVE Mk II, a 4MP turret model specifying 15m IR, their...
Hikvision Upgrade Breaks ONVIF VMS Integration on Oct 31, 2017
Hikvision IP cameras using ONVIF for VMS integration will break when upgrading to Hikvision new 5.5 firmware, IPVM testing has verified. This...
ONVIF Wire Free Camera Tested (Netgear FlexPower) on Oct 31, 2017
Totally wire-free cameras are a hot growth market. But they have had one major problem: Proprietary. IPVM has tested Netgear's Arlo and Arlo Go,...
Exacq M Series Low Cost NVR Tested on Oct 12, 2017
With recent cyber security issues hitting NVRs and cameras from low cost leaders Dahua and Hikvision, users are increasingly seeking alternatives...
Bosch Divar NVR Tested vs Dahua on Oct 05, 2017
Bosch has a partnership with Dahua. But what type of partnership is it? How much is Bosch's own vs taken from embattled mega-OEM Dahua? We bought...
Last Chance October Camera Course Registration on Oct 05, 2017
This is the last chance to register for the October Camera Course. Register now. Learn video surveillance and get certified. IPVM provides live...
Geovision Doorstation Tested (CS1320) on Sep 12, 2017
Geovision has released the GV-CS1320 door station, priced at a fraction of others, with additional bells and whistles like a built in card reader,...

Most Recent Industry Reports

Dahua Hard-Coded Credentials Vulnerability on Nov 20, 2017
A newly discovered Dahua backdoor is described by the researcher discovering it as: not the result of an accidental logic error or poor...
Panasonic Unified Surveillance Strategy Analyzed on Nov 17, 2017
Panasonic is now a "Unified Surveillance" offering, as their ASIS 2017 booth proclaimed: Looking to make a comeback in the security industry,...
Amazon Cloud Cam Is Poor (Tested) on Nov 17, 2017
Retail behemoth Amazon has entered the surveillance market with the Amazon Cloud Cam, the eyes of its just-announced Amazon Key delivery...
Nest Secure Alarm System Tested on Nov 16, 2017
Google's expansion continues, this time into home security with their Nest subsidiary's move into alarm systems. They paid more than a...
Dahua Forbes 'Next Web Crisis' Vulnerability Dispute on Nov 16, 2017
The buffer overflow vulnerability in Dahua products is not in dispute, in fact we covered it when it was first published. What is in dispute is...
Isonas Cofounders Split, Launch Partner/Competitor on Nov 16, 2017
Breaking up is hard to do, especially when door access security is at stake. But that is exactly what has happened at Isonas. Senior employees...
Hikvision China Criticizes The WSJ on Nov 15, 2017
Hikvision, through the Chinese government's authoritative news service, has criticized the WSJ investigation into Hikvision. In this...
PoE UPS Tested (Energy Reconnect) on Nov 15, 2017
In security, backup power is important, but most often requires UPS systems or extra cabling to devices for low voltage power. Now, some have...
Axis Commits To Long-Term Firmware Support on Nov 15, 2017
With the rise of cyber security awareness, and a general increase in hardware reliability, "software warranties" may prove more valuable than...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact