NMAPing IP Cameras

By: Ethan Ace, Published on Mar 05, 2015

The Hikvision hack has increased security concerns.

Indeed, most users do not know whether they are vulnerable or not, which ports of their systems are open, and what services they may be running, leaving them potentially vulnerable.

NMAP, a common security network tool, can be used to check for some vulnerabilities, but is not used as much as it should be.

In this test, we show how it may be used to check your cameras and systems for potential security problems, as well as discovering IP cameras and finding non-standard ports being used for video transmission.

Then we run it on cameras from:

  • Arecont Vision
  • Avigilon
  • Axis
  • Bosch
  • Dahua
  • Hikvision

The test shows which cameras allow the most open ports and the greatest potential security risks.

*** ********* **** *** increased ******** ********.

******, **** ***** ** not **** ******* **** are ********** ** ***, which ***** ** ***** systems *** ****, *** what ******** **** *** be *******, ******* **** potentially **********.

****, * ****** ******** network ****, *** ** used ** ***** *** some ***************, *** ** not **** ** **** as ** ****** **.

** **** ****, ** show *** ** *** be **** ** ***** your ******* *** ******* for ********* ******** ********, as **** ** *********** IP ******* *** ******* non-standard ***** ***** **** for ***** ************.

**** ** *** ** on ******* ****:

  • ******* ******
  • ********
  • ****
  • *****
  • *****
  • *********

*** **** ***** ***** cameras ***** *** **** open ***** *** *** greatest ********* ******** *****.

[***************]

Using ****

**** ** * **** and **** ****** ******* used *** ******* ******** and ******** ********. *** most ********* *** ** IP ************ ** *********** which ***** ** * given ****** *** ****** and ****. ***** *** be *** ****** * single ****** ** ********, even ** ****** ******.

**** ****** ** * command **** ******* **** many ******* ******** *** operators. *** ******* ** run * **** **** of *** *** *****, for *******, ***** **** this:

**** -* *-***** -** -A -* ***.**.***.***

*******, ********* ********** *** available ***** ******** *** and *** ****** **** options ** * ******** menu, **** ********, ***** **** ** Mac ***:

**** ***** ******* *** basic ********* ** **** using *** ****** ***.

Scan *******

*** ******* ** * scan ****, ********* ** which ** ****, **** some ***** * ***** list ** **** ***** while ****** *** ********, multi-page ******* ******* ******* types *** ***********.

**** ******* ***** * quick **** ** * single ****** (***** *********):

******** **** *.** ( http://nmap.org ) ** ****-**-** 16:47 *** **** **** report *** ***.**.***.*** **** is ** (*.***** *******). Not *****: *** ****** ports **** ***** ******* 23/tcp **** ****** **/*** open **** ***/*** **** rtsp ****/*** **** ****** 5000/tcp **** **** *****/*** open ******* *** *******: 90:02:A9:08:14:8A (******** ***** ********** Co.) **** ****: * IP ******* (* **** up) ******* ** *.** seconds

**** ******* ***** *** same ******, **** ** intense **** ** *** TCP *****. **** **** this **** ** **** complex, ******* ******** ******* information **** *********, **** as ******* *** ** versions. ***** **** ********** scans **** ************* ****** than ******* *****, ** to **** ** **** or ****, ****** *-** seconds.

******** ******* *********** *** be **** ** *** intense **** ** *** telnet **** *****, ***** indicates "******* *******" ** the ****** ** *** by *** ******. **** this ***********, ********* *** more ****** ****** *** ways ** ******* ***** open *****. ******* ****** *** "******* telnetd *******", *** *******, ******* many *******, ********* ******** instructions.

Common ****** *****

** ******* ** ******* from * ****** ************* to *** *** **** differed. **** ***** *** running ******** ****** ******, with **** ******* **** two ** ***** ******* ports **** (****, *****, RTSP), ***** ****** ****** 10 ** **** *** various ********, ********* ******, SSH, ****, ******** **** streams, *** ****.

***** ** * ********* of ******* **** ****** manufacturers, ******* **** ******* open ***** (**** *** RTSP) ** ********, ** well ** ******** ** whether ***** ***** ***** be ****** *** *** camera's *** *********:

******* ****** ********

******* ****** ******* **** only **** *** **** ports. **** **** **** probes (-** ** *** command ****) **** ** disabled ** ***** ** scan ******* ******* ** all, ** **** ***** the **** ** ****** first.

**/*** **** ****
***/*** **** ****
****/*** **** ****-*****

******** *.**-***-***

** **** *******, ********'* cameras **** **** *** bare ******* ** *****, HTTP, *****, *** ****.

**/*** **** ****
***/*** **** *****
***/*** **** ****

**** *****

*** *****, ** **** as *** ***** **** cameras ** ******, *** four ***** ****, *** common **** *** **** ports, ** **** ** FTP (**** ** ****** firmware, **** ************, ***. to *** ******), *** UPnP, ******* ** **** 49152. *** *** **** may **** ** ****** off ** ******* ********.

**/*** **** ***
**/*** **** ****
***/*** **** ****
*****/*** **** *******

***** ***-*****

***** ******* ******* ****** typical **** *** **** ports, ** **** ** iSCSI, ***** **** *** for **** *******, ******, and **** ** *****. Telnet *** **** *** be ****** *** *** web *********.

**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** *****
*****/*** **** *******

***** ***-********

***** ******* **** *** following ***** ** *******. Only **** *** ** disabled. ***** ** ** option ** ***** ***** ports.

**/*** **** ******
**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** *******

****** ****** ****

****** **** ** ** closed ** ***** ******* in ******** *.*** *** up, **** ** ****** to ****** ** ** the ******'* *** *********. Other **** ***** ****** unchanged. ****** *** ********** used ** ****** ***** cameras ** * ***** scale ****** (***:****** ***** ******* ***** Massive ***** ******).

**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** *******

********* **-*******-*

** **** ******, ******** ports *** **** *** services ***** **** **** and ****. **** ***, 49152 ***** ** ****** by ******* *** ****.

**/*** **** ***
**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** ****-********
****/*** **** ****-***
****/*** **** ********
*****/*** **** *******

****** ****** ****

********* **************** * ***** ********* ** ******** **** released *** ******** (*** test *******). ** ******* of ******* ** **** ports ** ***** ***** between * ****** ******* 5.3.0 ******** *** *** running *.*.*, **** ****** closed (** **** ** ftp *** *****, ***** are *** ******** ** default).

********* **-********-** ***

** **** ******* ******** Hikvision ****, ******* ******** open ***** ** ******** to ******* **** ********. We ***** ** *** to ***** ***** ***** via ********.

**/*** **** ****
****/*** **** ****-***
****/*** **** ***
****/*** **** *******
*****/*** **** *******
*****/*** **** *******

***** *************

**** ********, ***** ************* such ** ****, *********, and ***** ****** **** HTTP *** **** ***** by *******, **** **** also ********* **** (******** via ********).

Other ****

***** *** *** ***** practical **** *** **** in ************:

** ********

**** *** **** ** used ** **** * subnet ** *** ***** devices *** ** (********** to ****) ** ***. These ******* *** ******* to ******** ***** **** as***** ** ***************** ** *******. ***** ** ***** results, ***** *** ****** one ** **** ******* to ******* ****** ***** upon.

** ***** *******, **** also *********** ******* ** ***, *********** *** ************ of **** ****** ***** possible.

******* ***-******** *****

** **** *******, ***-******** ports *** ** **** for **** ******* ** ONVIF. **** ** **** often **** ***-**** ******, though ****** **********, ** at ***. ***** **** allows ***** ** ********* which ***** *** ** use *** ***** ********.

*** *******, ***** ******* port **, *** ******* camera **** ******** ***-**** ************ *** ******* ** any ***. **** *******, the ****** ******* ******* ports *** ****, ****, and ******, *** *** unusual ****: **** *** 8999. ******* * ****** scan ** **** ***** ports ***** ** **** port **** ** **** and ******* ****, *** protocol **** ** *****.

**** ***** *******
****/*** **** **** ***** soap *.*

****** *** ****** ***** ONVIF *** **** ****, it ************ ******** ** VMSes.

Comments (10)

Eric Taylor

03/05/15 04:24pm

This is a great article. Thank you.

Pat Villerot

03/05/15 05:02pm

This is a great article. I was not aware of this tool. Thank you for posting.

Steve Mitchell

03/05/15 07:03pm

This article does a great service, thanks.

One thing that's been nagging at me in these various Hikvision discussions recently.. I get the feeling many people here are thinking about Hikvision cameras and what vulnerabilities may be present. Maybe because when they hear Hikvision they think "camera."

In Hikvision's statement from last year they do admit some vulnerabilities in their cameras. They talk about the default password, and telnet being available, and released new camera firmware at that time to disable telnet and enforce better password policy. In the same statement they talk about their DVR firmware--also discussing default passwords, telnet, and password policy. (I'm talking about this statement: https://ipvm-uploads.s3.amazonaws.com/uploads/8341/3f4f/HikvisionOutlinesUpdatesToSurveillanceProducts.pdf )

Of course, default passwords, weak passwords, and telnet (because it exposes passwords in the clear) could all be used to gain user or admin level access to a device. But in some cases that vulnerability may be of limited risk due to the additional need to elevate ones permissions in order to further exploit the device/network. I.e, "you can log in and change the resolution of my camera, big deal."

But the other discussions surrounding actual Hikvision exploits talk about their DVRs in particular and the RTSP buffer overflow issue (wired article: http://www.wired.com/2014/04/hikvision/ , SecurityWeek article: http://www.securityweek.com/multiple-vulnerabilities-found-hikvision-dvr-devices ). The DVRs appear to be running a linux (/dev/watchdog). And the exploits are shown to provide "full control" of the device.

I am just pointing this out because I've always felt that DVRs/NVRs are the real high risk components in a surveillance network. They tend to be more powerful devices, already hold all the video (if protecting video is your concern), tend to run a fuller linux (or Windows) command set if not running a full commodity OS and thus are at greater risk of rootkit, require more open protocol implementations for interoperability and integration, and may be based on a commodity hardware platform rather than the more exotic SoCs used in many cameras.

DVRs are big juicy targets, and are harder to protect than cameras. I suspect that's why Hikivision is in the doghouse today.

Luke Maslen

IPVMU Certified | 03/05/15 10:46pm

Hi John, thank you for your very helpful article. For those cameras which do not offer ways to disable unnecssary ports, do you think adding rules to the firewall, to block ports on the cameras and NVR's, would be an adequate solution? Thank you.

Matt Ion

In reply to Luke Maslen | 03/06/15 07:44pm

If your system is behind a NAT device, like, well, pretty much every home router, there shouldn't be any special considerations needed to prevent access to devices from the Internet at large - ports must still be forwarded from the WAN interface to the devices' LAN addresses. Ports don't need to blocked, really, they just need to NOT be forwarded to devices on the LAN.

Where there IS a concern is with devices using UPnP to map their own port forwarding, something many devices AND routers now have enabled by default. If manufacturers left this option disabled out-of-the-box it would probably eliminate a lot of the concern, as it would then take specific action by the operator or installer to either enable UPnP, or forward those ports manually, to even make access to the DVR/NVR/cameras possible.

Of course, if an outside has direct access to your LAN, well... you have bigger things to worry about that whether they can snoop on your lunchroom camera.

Thumbnail ray bernard

Ray Bernard

03/06/15 03:18pm

John, this is a great article. I would add one warning to it. If you run an Nmap scan on a network with older IP cameras, say cameras made before 2010, it is possible that some cameras would go offline. This wouldn't happen with Axis, Bosch, Panasonic or Sony cameras for example, but it could with popular low-cost competors. I've written about this twice in my Convergence Q&A column, as the experiences with this were classified as "incidents". In one case, relayed to me by a consulting colleague of mine, over 100 network cameras were taken offline when an IT tech did an Nmap scan. This was a deployment done in 2004. They were not PoE cameras. People had to be sent out to the camera locations to manually recycle their power. Not a fun day. I wrote about it again a couple of years later when a Nessus scan took an entire network of IP cameras offline, and it required more than just power cycling to get them back on (I don't know the technical details).

Because in each of these cases it was a practice the IT departments to periodically scan all devices on their network, ths was taken into account by adding the IP addresses of the cameras to the Do Not Scan list.

Performing both an Nmap scan and a Nessus scan - whether or not the cameras will be connected to a larger corporate network - should be a standard test before finalizing any network camera deployment.

I have had integrator techs tell me that they don't need to do that, because their cameras are on a physically independent network. However, you have to anticipate that the isolated network status could change in the future. Additionally, for deployments with older cameras that are vulnerable in this way, you have to remember that this is a security vulnerability, becasue attackers gaining access to the video network don't need a password or special skills to take the network down. They can just run the default scan.

I believe that two manufacturers involved in these incidents have since upgraded the firmware for their cameras to eliminate this vulnerabilty or fixed it in a replacement model. But it is common for deployed cameras not to get their firmware upgraded once everything is working well.

Standalone video networks still need to have securty measures in place, regardless of the age of the cameras, so that traffic from non-approved devices (such as an attacker's laptop) can't flood the network.

Undisclosed #1

In reply to Ray Bernard | 03/06/15 06:57pm

Nice. Sheds some light on Rodney's 'knockdown scans'.

Matt Ion

In reply to Ray Bernard | 03/06/15 07:48pm

Wow, this takes me back to the days of crashing co-workers' NT machines with the ol' "ping of death". Good times!

Undisclosed Integrator #2

03/06/15 08:15pm

So I've been NMAPping the guest wifi here at Starbucks... still hasn't found anything, including my phone or the guy's laptop at the next table, but it's only 5% into the SYN scan. Neat tool, very inclusive. I've been using Advanced IP Scanner (from www.radmin.com) for a long time and will probably stick to that for finding stray network devices, like when my managed switch doesn't show up on the DHCP server, but this is definitely getting added to my toolbox for those times soemthing stonger is needed.

Thumbnail recadr

Marc Pichaud

03/08/15 10:40am

Very Usefull article.

Let's add that with some vendors, rtsp ports by default (factory settings) don't require credentials....so .... you can first sniff the network, get the IPs and then access video without passwords with Vlc. IF you can see the security from inside, then a physical introduction becomes very easy.. yahoo!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on ONVIF

Ranking Manufacturer Favorability 2019 on May 06, 2019
24 manufacturer's favorability was ranked based on 170+ integrators feedback. Voting plus in-depth comments revealed insights on which brands were...
Verkada Cloud VMS/Cameras Tested on May 02, 2019
Verkada is arguably the most ambitious video surveillance startup in many years. The company is developing their own cameras, their own VMS, their...
Camera Configuration Manager Shootout - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision on May 01, 2019
Which camera manufacturer has the best management tool? We tested 6 manufacturers - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision to find...
Verkada Salesman: IPVM "Stuck In A The Stone Age" on Apr 25, 2019
Verkada is 'tackling dinosaurs' and battling those, like IPVM, who are 'stuck in a the stone age'. Verkada's recent sales recruiting promotion...
Axis Supports HD Analog on Apr 15, 2019
In 2017, Axis declared 'Everything is IP': Now, in 2019, Axis has released support for HD analog, with their new encoders.  Why the change?...
ISC West 2019 Report on Apr 12, 2019
The IPVM team has finished at the Sands looking at what companies are offering and how they are changing their positioning. See below for 50+...
Genetec Security Center 5.8 Tested on Mar 19, 2019
Genetec has released Version 5.8. This comes after a wait of more than a year that caused frustrations for many Genetec partners. Our previous...
ONVIF Favorability Results 2019 on Mar 15, 2019
In the past decade, ONVIF has grown from a reaction to the outside Cisco-lead PSIA challenge, to being the de facto video surveillance standard...
Arcules Favorability Results 2019 on Mar 08, 2019
Arcules has amazing advantages. Tens of millions of funding from Canon. Unlimited access to Milestone's source code (see our test results). But...
Prysm PSIM Profile on Mar 05, 2019
A decade ago, PSIM promised significant potential but has always suffered from significant problems. Now, a number of PSIMs have either gone out of...

Most Recent Industry Reports

Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
ASCMA / Monitronics Declares Chapter 11 Bankruptcy on May 22, 2019
Monitronics is entering into Chapter 11 bankruptcy. The company, also called Ascent Capital Group Inc., aka ASCMA, aka Brinks Home Security,...
US Considers Sanctions Against Hikvision and Dahua on May 22, 2019
The US government is considering blacklisting "up to 5" PRC surveillance firms, including Hikvision and Dahua, Bloomberg reported, with human...
Dahua USA Celebrates 5 Years of Errors on May 21, 2019
Dahua USA is, in their own words, 'celebrating' 5 years in North America or as trade magazine SSN declared: Dahua Technology finds success in...
Axis ~$150 Outdoor Camera Tested on May 21, 2019
Axis has released the latest in their Companion camera line, the outdoor Companion Dome Mini LE, a 1080p integrated IR model aiming to compete with...
Covert Facial Recognition Using Axis and Amazon By NYTimes on May 20, 2019
What if you took a 33MP Axis camera covering one of the busiest parks in the US and ran Amazon Facial Recognition against it? That is what the...
Amazon Ring Public Subsidy Program Aims To Dominate Residential Security on May 20, 2019
Amazon dominates market after market. Quitely, but increasingly, they are doing so in residential security, through a combination of significant...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Facial Recognition Systems Fail Simple Liveness Detection Test on May 17, 2019
Facial recognition is being widely promoted as a solution to physical access control but we were able to simply spoof 3 systems because they had no...
Inside Look Into Scam Market Research on May 17, 2019
Scam market research has exploded over the last few years becoming the most commonly cited 'statistics' for most industries, despite there clearly...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact