NMAPing IP Cameras

By: Ethan Ace, Published on Mar 05, 2015

The Hikvision hack has increased security concerns.

Indeed, most users do not know whether they are vulnerable or not, which ports of their systems are open, and what services they may be running, leaving them potentially vulnerable.

NMAP, a common security network tool, can be used to check for some vulnerabilities, but is not used as much as it should be.

In this test, we show how it may be used to check your cameras and systems for potential security problems, as well as discovering IP cameras and finding non-standard ports being used for video transmission.

Then we run it on cameras from:

  • Arecont Vision
  • Avigilon
  • Axis
  • Bosch
  • Dahua
  • Hikvision

The test shows which cameras allow the most open ports and the greatest potential security risks.

Using ****

**** ** * **** and **** ****** ******* used *** ******* ******** and ******** ********. *** most ********* *** ** IP ************ ** *********** which ***** ** * given ****** *** ****** and ****. ***** *** be *** ****** * single ****** ** ********, even ** ****** ******.

**** ****** ** * command **** ******* **** many ******* ******** *** operators. *** ******* ** run * **** **** of *** *** *****, for *******, ***** **** this:

**** -* *-***** -** -A -* ***.**.***.***

*******, ********* ********** *** ********* which ******** *** *** add ****** **** ******* to * ******** ****, such ********, ***** **** ** Mac ***:

**** ***** ******* *** basic ********* ** **** using *** ****** ***.

Scan *******

*** ******* ** * scan ****, ********* ** which ** ****, **** some ***** * ***** list ** **** ***** while ****** *** ********, multi-page ******* ******* ******* types *** ***********.

**** ******* ***** * quick **** ** * single ****** (***** *********):

******** **** *.** ( http://nmap.org ) ** ****-**-** 16:47 *** **** **** report *** ***.**.***.*** **** is ** (*.***** *******). Not *****: *** ****** ports **** ***** ******* 23/tcp **** ****** **/*** open **** ***/*** **** rtsp ****/*** **** ****** 5000/tcp **** **** *****/*** open ******* *** *******: 90:02:A9:08:14:8A (******** ***** ********** Co.) **** ****: * IP ******* (* **** up) ******* ** *.** seconds

**** ******* ***** *** same ******, **** ** intense **** ** *** TCP *****. **** **** this **** ** **** complex, ******* ******** ******* information **** *********, **** as ******* *** ** versions. ***** **** ********** scans **** ************* ****** than ******* *****, ** to **** ** **** or ****, ****** *-** seconds.

******** ******* *********** *** ** seen ** *** ******* scan ** *** ****** port *****, ***** ********* "Busybox *******" ** *** server ** *** ** the ******. **** **** information, ********* *** **** easily ****** *** **** to ******* ***** **** ports. ******* ****** *** "******* telnetd *******", *** *******, ******* many *******, ********* ******** instructions.

Common ****** *****

** ******* ** ******* from * ****** ************* to *** *** **** differed. **** ***** *** running ******** ****** ******, with **** ******* **** two ** ***** ******* ***** open (****, *****, ****), while ****** ****** ** or **** *** ******* services, ********* ******, ***, UPnP, ******** **** *******, and ****.

***** ** * ********* of ******* **** ****** manufacturers, ******* **** ******* open ***** (**** *** RTSP) ** ********, ** well ** ******** ** whether ***** ***** ***** be ****** *** *** camera's *** *********:

******* ****** ********

******* ****** ******* **** only **** *** **** ports. **** **** **** probes (-** ** *** command ****) **** ** disabled ** ***** ** scan ******* ******* ** all, ** **** ***** the **** ** ****** first. 

**/*** **** ****
***/*** **** ****
****/*** **** ****-*****

******** *.**-***-***

** **** *******, ********'* cameras **** **** *** bare ******* ** *****, HTTP, *****, *** ****. 

**/*** **** ****
***/*** **** *****
***/*** **** ****

**** *****

*** *****, ** **** as *** ***** **** cameras ** ******, *** four ***** ****, *** common **** *** **** ports, ** **** ** FTP (**** ** ****** firmware, **** ************, ***. to *** ******), *** UPnP, ******* ** **** 49152. *** *** **** may **** ** ****** off ** ******* ********.

**/*** **** ***
**/*** **** ****
***/*** **** ****
*****/*** **** ******* 

***** ***-*****

***** ******* ******* ****** typical **** *** **** ports, ** **** ** iSCSI, ***** **** *** for **** *******, ******, and **** ** *****. Telnet *** **** *** be ****** *** *** web *********.

**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** *****
*****/*** **** ******* 

***** ***-********

***** ******* **** *** following ***** ** *******. Only **** *** ** disabled. ***** ** ** option ** ***** ***** ports.

**/*** **** ******
**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

****** ****** ****

****** **** ** ** closed ** ***** ******* in ******** *.*** *** up, **** ** ****** to ****** ** ** the ******'* *** *********. Other **** ***** ****** unchanged. ****** *** ********** used ** ****** ***** cameras ** * ***** scale ****** (***:****** ***** ******* ***** Massive ***** ******).

**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

********* **-*******-*

** **** ******, ******** ports *** **** *** services ***** **** **** and ****. **** ***, 49152 ***** ** ****** by ******* *** ****.

**/*** **** ***
**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** ****-********
****/*** **** ****-***
****/*** **** ********
*****/*** **** *******

****** ****** ****

********* **************** * ***** ********* ** ******** **** released *** ******** (*** test *******). ** ******* of ******* ** **** ports ** ***** ***** ******* a ****** ******* *.*.* firmware *** *** ******* 5.2.x, **** ****** ****** (as **** ** *** and *****, ***** *** now ******** ** *******).

********* **-********-** ***

** **** ******* ******** Hikvision ****, ******* ******** open ***** ** ******** to ******* **** ********. We ***** ** *** to ***** ***** ***** via ********.

**/*** **** ****
****/*** **** ****-***
****/*** **** ***
****/*** **** *******
*****/*** **** *******
*****/*** **** ******* 

***** *************

**** ********, ***** ************* such ** ****, *********, and ***** ****** **** HTTP *** **** ***** by *******, **** **** also ********* **** (******** via ********).

Other ****

***** *** *** ***** practical uses *** **** ** surveillance:

** ********

**** *** **** ** used ** **** * subnet ** *** ***** devices *** ** (********** to ****) ** ***. These ******* *** ******* to ******** ***** **** as ***** ** ***************** ** *******. ***** ** ***** results, ***** *** ****** one ** **** ******* to ******* ****** ***** upon.

** ***** *******, **** also *********** ******* ** ***, *********** *** ************ of **** ****** ***** possible.

******* ***-******** *****

** **** *******, ***-******** ports *** ** **** for **** ******* ** ONVIF. **** ** **** often **** ***-**** ******, though ****** **********, ** at ***. ***** **** allows ***** ** ********* which ***** *** ** use *** ***** ********.

*** *******, ***** ******* port **, *** ******* camera **** ******** ***-**** ******** **** *** ******* ** any ***. **** *******, the ****** ******* ******* ***** for ****, ****, *** telnet, *** *** ******* ones: **** *** ****. Running * ****** **** on **** ***** ***** shows ** **** **** 8999 ** **** *** running ****, *** ******** used ** *****.

****      *****  SERVICE
****/*** ****    ****    ***** **** *.*

****** *** ****** ***** ONVIF *** **** ****, it ************ ******** ** VMSes.

Comments (10)

This is a great article. Thank you.

This is a great article. I was not aware of this tool. Thank you for posting.

This article does a great service, thanks.

One thing that's been nagging at me in these various Hikvision discussions recently.. I get the feeling many people here are thinking about Hikvision cameras and what vulnerabilities may be present. Maybe because when they hear Hikvision they think "camera."

In Hikvision's statement from last year they do admit some vulnerabilities in their cameras. They talk about the default password, and telnet being available, and released new camera firmware at that time to disable telnet and enforce better password policy. In the same statement they talk about their DVR firmware--also discussing default passwords, telnet, and password policy. (I'm talking about this statement: https://ipvm-uploads.s3.amazonaws.com/uploads/8341/3f4f/HikvisionOutlinesUpdatesToSurveillanceProducts.pdf )

Of course, default passwords, weak passwords, and telnet (because it exposes passwords in the clear) could all be used to gain user or admin level access to a device. But in some cases that vulnerability may be of limited risk due to the additional need to elevate ones permissions in order to further exploit the device/network. I.e, "you can log in and change the resolution of my camera, big deal."

But the other discussions surrounding actual Hikvision exploits talk about their DVRs in particular and the RTSP buffer overflow issue (wired article: Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever | WIRED , SecurityWeek article: Multiple Vulnerabilities Found in Hikvision DVR Devices | SecurityWeek.Com ). The DVRs appear to be running a linux (/dev/watchdog). And the exploits are shown to provide "full control" of the device.

I am just pointing this out because I've always felt that DVRs/NVRs are the real high risk components in a surveillance network. They tend to be more powerful devices, already hold all the video (if protecting video is your concern), tend to run a fuller linux (or Windows) command set if not running a full commodity OS and thus are at greater risk of rootkit, require more open protocol implementations for interoperability and integration, and may be based on a commodity hardware platform rather than the more exotic SoCs used in many cameras.

DVRs are big juicy targets, and are harder to protect than cameras. I suspect that's why Hikivision is in the doghouse today.

Hi John, thank you for your very helpful article. For those cameras which do not offer ways to disable unnecssary ports, do you think adding rules to the firewall, to block ports on the cameras and NVR's, would be an adequate solution? Thank you.

If your system is behind a NAT device, like, well, pretty much every home router, there shouldn't be any special considerations needed to prevent access to devices from the Internet at large - ports must still be forwarded from the WAN interface to the devices' LAN addresses. Ports don't need to blocked, really, they just need to NOT be forwarded to devices on the LAN.

Where there IS a concern is with devices using UPnP to map their own port forwarding, something many devices AND routers now have enabled by default. If manufacturers left this option disabled out-of-the-box it would probably eliminate a lot of the concern, as it would then take specific action by the operator or installer to either enable UPnP, or forward those ports manually, to even make access to the DVR/NVR/cameras possible.

Of course, if an outside has direct access to your LAN, well... you have bigger things to worry about that whether they can snoop on your lunchroom camera.

John, this is a great article. I would add one warning to it. If you run an Nmap scan on a network with older IP cameras, say cameras made before 2010, it is possible that some cameras would go offline. This wouldn't happen with Axis, Bosch, Panasonic or Sony cameras for example, but it could with popular low-cost competors. I've written about this twice in my Convergence Q&A column, as the experiences with this were classified as "incidents". In one case, relayed to me by a consulting colleague of mine, over 100 network cameras were taken offline when an IT tech did an Nmap scan. This was a deployment done in 2004. They were not PoE cameras. People had to be sent out to the camera locations to manually recycle their power. Not a fun day. I wrote about it again a couple of years later when a Nessus scan took an entire network of IP cameras offline, and it required more than just power cycling to get them back on (I don't know the technical details).

Because in each of these cases it was a practice the IT departments to periodically scan all devices on their network, ths was taken into account by adding the IP addresses of the cameras to the Do Not Scan list.

Performing both an Nmap scan and a Nessus scan - whether or not the cameras will be connected to a larger corporate network - should be a standard test before finalizing any network camera deployment.

I have had integrator techs tell me that they don't need to do that, because their cameras are on a physically independent network. However, you have to anticipate that the isolated network status could change in the future. Additionally, for deployments with older cameras that are vulnerable in this way, you have to remember that this is a security vulnerability, becasue attackers gaining access to the video network don't need a password or special skills to take the network down. They can just run the default scan.

I believe that two manufacturers involved in these incidents have since upgraded the firmware for their cameras to eliminate this vulnerabilty or fixed it in a replacement model. But it is common for deployed cameras not to get their firmware upgraded once everything is working well.

Standalone video networks still need to have securty measures in place, regardless of the age of the cameras, so that traffic from non-approved devices (such as an attacker's laptop) can't flood the network.

Nice. Sheds some light on Rodney's 'knockdown scans'.

Wow, this takes me back to the days of crashing co-workers' NT machines with the ol' "ping of death". Good times!

So I've been NMAPping the guest wifi here at Starbucks... still hasn't found anything, including my phone or the guy's laptop at the next table, but it's only 5% into the SYN scan. Neat tool, very inclusive. I've been using Advanced IP Scanner (from www.radmin.com) for a long time and will probably stick to that for finding stray network devices, like when my managed switch doesn't show up on the DHCP server, but this is definitely getting added to my toolbox for those times soemthing stonger is needed.

Very Usefull article.

Let's add that with some vendors, rtsp ports by default (factory settings) don't require credentials....so .... you can first sniff the network, get the IPs and then access video without passwords with Vlc. IF you can see the security from inside, then a physical introduction becomes very easy.. yahoo!

Read this IPVM report for free.

This article is part of IPVM's 6,541 reports, 882 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Dynamic vs Static IP Addresses Tutorial on Apr 16, 2020
While many cameras default to DHCP out of the box, that does not mean you...
Video Analytics 101 on Mar 16, 2020
This guide teaches the fundamentals of video surveillance...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
AI/Smart Camera Tutorial on Feb 20, 2020
Cameras with video analytics, sometimes called 'Smart' camera or 'AI'...
Faked Coronavirus Fever Detection, Athena Used Hikvision; Responds - Selling NDAA Compliant Cameras, Pledging 50% Of Profits to Victims on Mar 24, 2020
US company, Athena Security, faked its coronavirus fever detection marketing,...
Directory of 207 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Quantum Dots Potential for Surveillance Cameras Explained on Sep 08, 2020
Quantum dots are starting to be used in TVs for better images, but how will...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Integrated IR Camera Shootout 2020 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Panasonic, Uniview, Vivotek on Jan 30, 2020
The best and worst cameras tested in this IPVM shootout showed major...
BICSI For IP Video Surveillance Guide on Feb 11, 2020
Spend enough time around networks and eventually someone will mention BICSI,...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Vivotek LPR Camera Tested on Apr 15, 2020
Vivotek has historically sold license plate capture cameras but not LPR. Now,...

Recent Reports

New Products Show Fall 2020 continues tomorrow with Genetec, Milestone, Avigilon, Microsoft and more! on Sep 29, 2020
IPVM's sixth online show continues tomorrow and will feature New Products...
Avigilon / Motorola VS Virtual ISC West on Sep 29, 2020
ISC West has historically been so dominant that no player would think of...
Dartmouth College Deploys K3 Temperature Screening on Sep 29, 2020
While Dartmouth College has a $6+ billion endowment, the College has bought...
Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...