NMAPing IP Cameras

By Ethan Ace, Published Mar 05, 2015, 12:00am EST (Research)

The Hikvision hack has increased security concerns.

Indeed, most users do not know whether they are vulnerable or not, which ports of their systems are open, and what services they may be running, leaving them potentially vulnerable.

NMAP, a common security network tool, can be used to check for some vulnerabilities, but is not used as much as it should be.

In this test, we show how it may be used to check your cameras and systems for potential security problems, as well as discovering IP cameras and finding non-standard ports being used for video transmission.

Then we run it on cameras from:

Arecont Vision
Avigilon
Axis
Bosch
Dahua
Hikvision

The test shows which cameras allow the most open ports and the greatest potential security risks.

Using NMAP

NMAP is a free and open source utility used for network scanning and security auditing. Its most practical use in IP surveillance is determining which ports of a given device are active and open. Scans may be run across a single device or multiple, even an entire subnet.

NMAP itself is a command line utility with many complex switches and operators. The command to run a deep scan of all TCP ports, for example, looks like this:

nmap -p 1-65535 -T4 -A -v 172.20.128.123

However, graphical interfaces are available which simplify use and add common scan options to a dropdown menu, such as Zenmap, shown here on Mac OSX:

This video reviews the basic operation of NMAP using the Zenmap GUI.

Scan Results

The results of a scan vary, depending on which is used, with some being a short list of open ports while others are detailed, multi-page reports showing service types and identifiers.

This example shows a quick scan of a single camera (Dahua HFW3200SN):

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-04 16:47 EST
Nmap scan report for 172.20.128.123
Host is up (0.0023s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
80/tcp    open  http
554/tcp   open  rtsp
3800/tcp  open  pwgpsi
5000/tcp  open  upnp
49152/tcp open  unknown
MAC Address: 90:02:A9:08:14:8A (Zhejiang Dahua Technology Co.)

Nmap done: 1 IP address (1 host up) scanned in 5.92 seconds

This example shows the same camera, only an intense scan of all TCP ports. Note that this scan is more complex, showing detailed service information when available, such as service and OS versions. These more aggressive scans take substantially longer than regular scans, up to half an hour or more, versus 5-10 seconds.

Detailed service information can be seen in the intense scan of the telnet port below, which indicates "Busybox telnetd" is the server in use by the camera. With this information, attackers may more easily search for ways to exploit these open ports. A Google search for "busybox telnetd exploit", for example, returns many results, including detailed instructions.

Common Camera Scans

We scanned 15 cameras from 8 common manufacturers to see how they differed. Open ports and running services varied widely, with some leaving only two or three typical ports open (HTTP, HTTPS, RTSP), while others opened 10 or more for various services, including Telnet, SSH, UPnP, multiple RTSP streams, and more.

Below is a selection of results from common manufacturers, ranging from minimal open ports (HTTP and RTSP) to numerous, as well as comments on whether these ports could be closed via the camera's web interface:

Arecont Vision AV3116DN

Arecont Vision cameras open only HTTP and RTSP ports. Note that ping probes (-Pn on the command line) must be disabled in order to scan Arecont cameras at all, as they block the scan if pinged first.

80/tcp open http
554/tcp open rtsp
8080/tcp open http-proxy

Avigilon 3.0W-H3A-BO1

As with Arecont, Avigilon's cameras open only the bare minimum of ports, HTTP, HTTPS, and RTSP.

80/tcp open http
443/tcp open https
554/tcp open rtsp

Axis Q1615

The Q1615, as well as all other Axis cameras we tested, had four ports open, the common HTTP and RTSP ports, as well as FTP (used to upload firmware, ACAP applications, etc. to the camera), and UPnP, running on port 49152. FTP and UPnP may both be turned off in network settings.

21/tcp open ftp
80/tcp open http
554/tcp open rtsp
49152/tcp open unknown

Bosch NBN-80122

Bosch cameras scanned opened typical HTTP and RTSP ports, as well as iSCSI, which they use for edge storage, telnet, and UPnP on 49152. Telnet and UPnP may be closed via the web interface.

23/tcp open telnet
80/tcp open http
443/tcp open https
554/tcp open rtsp
3260/tcp open iscsi
49152/tcp open unknown

Dahua IPC-HFW3200S

Dahua cameras open the following ports by default. Only UPnP may be disabled. There is no option to close other ports.

23/tcp open telnet
80/tcp open http
554/tcp open rtsp
3800/tcp open pwgpsi
5000/tcp open upnp
49152/tcp open unknown

UPDATE Summer 2016

Telnet port 23 is closed on Dahua cameras in firmware 2.400 and up, with no option to enable it in the camera's web interface. Other open ports remain unchanged. Telnet was reportedly used to attack Dahua cameras in a large scale botnet (see: Hacked Dahua Cameras Drive Massive Cyber Attack).

80/tcp open http
554/tcp open rtsp
3800/tcp open pwgpsi
5000/tcp open upnp
49152/tcp open unknown

Hikvision DS-2CD2132-I

On this camera, numerous ports are open for services other than HTTP and RTSP. Only one, 49152 could be closed by turning off UPnP.

21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
554/tcp open rtsp
7001/tcp open afs3-callback
8000/tcp open http-alt
8200/tcp open trivnet1
49152/tcp open unknown

UPDATE Summer 2015

Hikvision products suffered a major attack and in response have released new firmware (see test results). An excerpt of changes in open ports is shown below between a camera running 5.3.0 firmware and one running 5.2.x, with telnet closed (as well as ftp and https, which are now disabled by default).

Hikvision DS-7204HGHI-SH DVR

We also scanned multiple Hikvision DVRs, finding multiple open ports in addition to typical HTTP services. We found no way to close these ports via software.

80/tcp open http
8000/tcp open http-alt
9010/tcp open sdr
9020/tcp open tambora
10554/tcp open unknown
30960/tcp open unknown

Other Manufacturers

Most commonly, other manufacturers such as Sony, Panasonic, and Pelco opened only HTTP and RTSP ports by default, with some also including UPnP (disabled via software).

Other Uses

These are two other practical uses for NMAP in surveillance:

IP Scanning

NMAP may also be used to scan a subnet to see which devices are up (responding to ping) or not. These results are similar to scanning tools such as Angry IP Scanner or Advanced IP Scanner. Based on these results, users may select one or more devices to perform deeper scans upon.

In these results, NMAP also resolves MAC address to OUI, identifying the manufacturer of each device where possible.

Finding Non-Standard Ports

In some cameras, non-standard ports may be used for RTSP streams or ONVIF. This is most often seen low-cost models, though poorly documented, if at all. Using NMAP allows users to determine which ports are in use for these services.

For example, using default port 80, the Cantonk camera from our Super Low-Cost shootout does not connect to any VMS. When scanned, the camera returns typical ports for HTTP, RTSP, and telnet, and two unusual ones: 1234 and 8999. Running a deeper scan on just these ports shows us that port 8999 is open and running SOAP, the protocol used by ONVIF.