NMAPing IP Cameras

Author: Ethan Ace, Published on Mar 05, 2015

The Hikvision hack has increased security concerns.

Indeed, most users do not know whether they are vulnerable or not, which ports of their systems are open, and what services they may be running, leaving them potentially vulnerable.

NMAP, a common security network tool, can be used to check for some vulnerabilities, but is not used as much as it should be.

In this test, we show how it may be used to check your cameras and systems for potential security problems, as well as discovering IP cameras and finding non-standard ports being used for video transmission.

Then we run it on cameras from:

  • Arecont Vision
  • Avigilon
  • Axis
  • Bosch
  • Dahua
  • Hikvision

The test shows which cameras allow the most open ports and the greatest potential security risks.

*** ********* **** *** ********* ******** ********.

******, **** ***** ** *** **** ******* **** *** ********** or ***, ***** ***** ** ***** ******* *** ****, *** what ******** **** *** ** *******, ******* **** *********** **********.

****, * ****** ******** ******* ****, *** ** **** ** check *** **** ***************, *** ** *** **** ** **** as ** ****** **.

** **** ****, ** **** *** ** *** ** **** to ***** **** ******* *** ******* *** ********* ******** ********, as **** ** *********** ** ******* *** ******* ***-******** ***** being **** *** ***** ************.

**** ** *** ** ** ******* ****:

  • ******* ******
  • ********
  • ****
  • *****
  • *****
  • *********

*** **** ***** ***** ******* ***** *** **** **** ***** and *** ******** ********* ******** *****.

[***************]

Using ****

**** ** * **** *** **** ****** ******* **** *** network ******** *** ******** ********. *** **** ********* *** ** IP ************ ** *********** ***** ***** ** * ***** ****** are ****** *** ****. ***** *** ** *** ****** * single ****** ** ********, **** ** ****** ******.

**** ****** ** * ******* **** ******* **** **** ******* switches *** *********. *** ******* ** *** * **** **** of *** *** *****, *** *******, ***** **** ****:

**** -* *-***** -** -* -* ***.**.***.***

*******, ********* ********** *** ********* ***** ******** *** *** *** ****** scan ******* ** * ******** ****, **** ********, ***** **** ** *** ***:

**** ***** ******* *** ***** ********* ** **** ***** *** Zenmap ***.

Scan *******

*** ******* ** * **** ****, ********* ** ***** ** used, **** **** ***** * ***** **** ** **** ***** while ****** *** ********, *****-**** ******* ******* ******* ***** *** identifiers.

**** ******* ***** * ***** **** ** * ****** ****** (***** *********):

******** **** *.** ( ****://****.*** ) ** ****-**-** **:** *** Nmap **** ****** *** ***.**.***.*** **** ** ** (*.***** *******). Not *****: *** ****** ***** **** ***** ******* **/*** **** telnet **/*** **** **** ***/*** **** **** ****/*** **** ****** 5000/tcp **** **** *****/*** **** ******* *** *******: **:**:**:**:**:** (******** Dahua ********** **.) **** ****: * ** ******* (* **** up) ******* ** *.** *******

**** ******* ***** *** **** ******, **** ** ******* **** of *** *** *****. **** **** **** **** ** **** complex, ******* ******** ******* *********** **** *********, **** ** ******* and ** ********. ***** **** ********** ***** **** ************* ****** than ******* *****, ** ** **** ** **** ** ****, versus *-** *******.

******** ******* *********** *** ** **** ** *** ******* **** ** the ****** **** *****, ***** ********* "******* *******" ** *** server ** *** ** *** ******. **** **** ***********, ********* may **** ****** ****** *** **** ** ******* ***** **** ports. ******* ****** *** "******* ******* *******", *** *******, ******* **** *******, ********* ******** ************.

Common ****** *****

** ******* ** ******* **** * ****** ************* ** *** how **** ********. **** ***** *** ******* ******** ****** ******, with **** ******* **** *** ** ***** ******* ***** **** (****, HTTPS, ****), ***** ****** ****** ** ** **** *** ******* services, ********* ******, ***, ****, ******** **** *******, *** ****.

***** ** * ********* ** ******* **** ****** *************, ******* from ******* **** ***** (**** *** ****) ** ********, ** well ** ******** ** ******* ***** ***** ***** ** ****** via *** ******'* *** *********:

******* ****** ********

******* ****** ******* **** **** **** *** **** *****. **** that **** ****** (-** ** *** ******* ****) **** ** disabled ** ***** ** **** ******* ******* ** ***, ** they ***** *** **** ** ****** *****. 

**/*** **** ****
***/*** **** ****
****/*** **** ****-*****

******** *.**-***-***

** **** *******, ********'* ******* **** **** *** **** ******* of *****, ****, *****, *** ****. 

**/*** **** ****
***/*** **** *****
***/*** **** ****

**** *****

*** *****, ** **** ** *** ***** **** ******* ** tested, *** **** ***** ****, *** ****** **** *** **** ports, ** **** ** *** (**** ** ****** ********, **** applications, ***. ** *** ******), *** ****, ******* ** **** 49152. *** *** **** *** **** ** ****** *** ** network ********.

**/*** **** ***
**/*** **** ****
***/*** **** ****
*****/*** **** ******* 

***** ***-*****

***** ******* ******* ****** ******* **** *** **** *****, ** well ** *****, ***** **** *** *** **** *******, ******, and **** ** *****. ****** *** **** *** ** ****** via *** *** *********.

**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** *****
*****/*** **** ******* 

***** ***-********

***** ******* **** *** ********* ***** ** *******. **** **** may ** ********. ***** ** ** ****** ** ***** ***** ports.

**/*** **** ******
**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

****** ****** ****

****** **** ** ** ****** ** ***** ******* ** ******** 2.400 *** **, **** ** ****** ** ****** ** ** the ******'* *** *********. ***** **** ***** ****** *********. ****** was ********** **** ** ****** ***** ******* ** * ***** scale ****** (***:****** ***** ******* ***** ******* ***** ******).

**/*** **** ****
***/*** **** ****
****/*** **** ******
****/*** **** ****
*****/*** **** ******* 

********* **-*******-*

** **** ******, ******** ***** *** **** *** ******** ***** than **** *** ****. **** ***, ***** ***** ** ****** by ******* *** ****.

**/*** **** ***
**/*** **** ******
**/*** **** ****
***/*** **** *****
***/*** **** ****
****/*** **** ****-********
****/*** **** ****-***
****/*** **** ********
*****/*** **** *******

****** ****** ****

********* **************** * ***** ********* ** ******** **** ******** *** ******** (*** **** *******). An ******* ** ******* ** **** ***** ** ***** ***** ******* a ****** ******* *.*.* ******** *** *** ******* *.*.*, **** telnet ****** (** **** ** *** *** *****, ***** *** now ******** ** *******).

********* **-********-** ***

** **** ******* ******** ********* ****, ******* ******** **** ***** in ******** ** ******* **** ********. ** ***** ** *** to ***** ***** ***** *** ********.

**/*** **** ****
****/*** **** ****-***
****/*** **** ***
****/*** **** *******
*****/*** **** *******
*****/*** **** ******* 

***** *************

**** ********, ***** ************* **** ** ****, *********, *** ***** opened **** **** *** **** ***** ** *******, **** **** also ********* **** (******** *** ********).

Other ****

***** *** *** ***** ********* **** *** **** ** ************:

** ********

**** *** **** ** **** ** **** * ****** ** see ***** ******* *** ** (********** ** ****) ** ***. These ******* *** ******* ** ******** ***** **** ** ***** ** ***************** ** *******. ***** ** ***** *******, ***** *** ****** *** ** more ******* ** ******* ****** ***** ****.

** ***** *******, **** **** *********** ******* ** ***, *********** *** ************ ** **** ****** ***** ********.

******* ***-******** *****

** **** *******, ***-******** ***** *** ** **** *** **** streams ** *****. **** ** **** ***** **** ***-**** ******, though ****** **********, ** ** ***. ***** **** ****** ***** to ********* ***** ***** *** ** *** *** ***** ********.

*** *******, ***** ******* **** **, *** ******* ****** **** our***** ***-**** ******** **** *** ******* ** *** ***. **** *******, *** ****** ******* typical ***** *** ****, ****, *** ******, *** *** ******* ones: **** *** ****. ******* * ****** **** ** **** these ***** ***** ** **** **** **** ** **** *** running ****, *** ******** **** ** *****.

****      *****  *******
****/*** ****    ****    ***** **** *.*

****** *** ****** ***** ***** *** **** ****, ** ************ connects ** *****.

Comments (10)

Eric Taylor

03/05/15 04:24pm

**** ** * ***** *******. ***** ***.

Pat Villerot

03/05/15 05:02pm

**** ** * ***** *******. * *** *** ***** ** this ****. ***** *** *** *******.

Steve Mitchell

03/05/15 07:03pm

**** ******* **** * ***** *******, ******.

*** ***** ****'* **** ******* ** ** ** ***** ******* Hikvision *********** ********.. * *** *** ******* **** ****** **** are ******** ***** ********* ******* *** **** *************** *** ** present. ***** ******* **** **** **** ********* **** ***** "******."

** *********'* ********* **** **** **** **** ** ***** **** vulnerabilities ** ***** *******. **** **** ***** *** ******* ********, and ****** ***** *********, *** ******** *** ****** ******** ** that **** ** ******* ****** *** ******* ****** ******** ******. In *** **** ********* **** **** ***** ***** *** ********--**** discussing ******* *********, ******, *** ******** ******. (*'* ******* ***** this *********: *****://****-*******.**.*********.***/*******/****/****/**********************************************.*** )

** ******, ******* *********, **** *********, *** ****** (******* ** exposes ********* ** *** *****) ***** *** ** **** ** gain **** ** ***** ***** ****** ** * ******. *** in **** ***** **** ************* *** ** ** ******* **** due ** *** ********** **** ** ******* **** *********** ** order ** ******* ******* *** ******/*******. *.*, "*** *** *** in *** ****** *** ********** ** ** ******, *** ****."

*** *** ***** *********** *********** ****** ********* ******** **** ***** their **** ** ********** *** *** **** ****** ******** ***** (wired *******: ****://***.*****.***/****/**/*********/ , ************ *******: ****://***.************.***/********-***************-*****-*********-***-******* ). *** **** appear ** ** ******* * ***** (/***/********). *** *** ******** are ***** ** ******* "**** *******" ** *** ******.

* ** **** ******** **** *** ******* *'** ****** **** that ****/**** *** *** **** **** **** ********** ** * surveillance *******. **** **** ** ** **** ******** *******, ******* hold *** *** ***** (** ********** ***** ** **** *******), tend ** *** * ****** ***** (** *******) ******* *** if *** ******* * **** ********* ** *** **** *** at ******* **** ** *******, ******* **** **** ******** *************** for **************** *** ***********, *** *** ** ***** ** * commodity ******** ******** ****** **** *** **** ****** **** **** in **** *******.

**** *** *** ***** *******, *** *** ****** ** ******* than *******. * ******* ****'* *** ********** ** ** *** doghouse *****.

Luke Maslen

IPVMU Certified | 03/05/15 10:46pm

** ****, ***** *** *** **** **** ******* *******. *** those ******* ***** ** *** ***** **** ** ******* ********** ports, ** *** ***** ****** ***** ** *** ********, ** block ***** ** *** ******* *** ***'*, ***** ** ** adequate ********? ***** ***.

Matt Ion

In reply to Luke Maslen | 03/06/15 07:44pm

** **** ****** ** ****** * *** ******, ****, ****, pretty **** ***** **** ******, ***** *******'* ** *** ******* considerations ****** ** ******* ****** ** ******* **** *** ******** at ***** - ***** **** ***** ** ********* **** *** WAN ********* ** *** *******' *** *********. ***** ***'* **** to *******, ******, **** **** **** ** *** ** ********* to ******* ** *** ***.

***** ***** ** * ******* ** **** ******* ***** **** to *** ***** *** **** **********, ********* **** ******* *** routers *** **** ******* ** *******. ** ************* **** **** option ******** ***-**-***-*** ** ***** ******** ********* * *** ** the *******, ** ** ***** **** **** ******** ****** ** the ******** ** ********* ** ****** ****** ****, ** ******* those ***** ********, ** **** **** ****** ** *** ***/***/******* possible.

** ******, ** ** ******* *** ****** ****** ** **** LAN, ****... *** **** ****** ****** ** ***** ***** **** whether **** *** ***** ** **** ********* ******.

Ray Bernard

03/06/15 03:18pm

****, **** ** * ***** *******. * ***** *** *** warning ** **. ** *** *** ** **** **** ** a ******* **** ***** ** *******, *** ******* **** ****** 2010, ** ** ******** **** **** ******* ***** ** *******. This ******'* ****** **** ****, *****, ********* ** **** ******* for *******, *** ** ***** **** ******* ***-**** *********. *'** written ***** **** ***** ** ** *********** *&* ******, ** the *********** **** **** **** ********** ** "*********". ** *** case, ******* ** ** ** * ********** ********* ** ****, over *** ******* ******* **** ***** ******* **** ** ** tech *** ** **** ****. **** *** * ********** **** in ****. **** **** *** *** *******. ****** *** ** be **** *** ** *** ****** ********* ** ******** ******* their *****. *** * *** ***. * ***** ***** ** again * ****** ** ***** ***** **** * ****** **** took ** ****** ******* ** ** ******* *******, *** ** required **** **** **** ***** ******* ** *** **** **** on (* ***'* **** *** ********* *******).

******* ** **** ** ***** ***** ** *** * ******** the ** *********** ** ************ **** *** ******* ** ***** network, *** *** ***** **** ******* ** ****** *** ** addresses ** *** ******* ** *** ** *** **** ****.

********** **** ** **** **** *** * ****** **** - whether ** *** *** ******* **** ** ********* ** * larger ********* ******* - ****** ** * ******** **** ****** finalizing *** ******* ****** **********.

* **** *** ********** ***** **** ** **** **** ***'* need ** ** ****, ******* ***** ******* *** ** * physically *********** *******. *******, *** **** ** ********** **** *** isolated ******* ****** ***** ****** ** *** ******. ************, *** deployments **** ***** ******* **** *** ********** ** **** ***, you **** ** ******** **** **** ** * ******** *************, becasue ********* ******* ****** ** *** ***** ******* ***'* **** a ******** ** ******* ****** ** **** *** ******* ****. They *** **** *** *** ******* ****.

* ******* **** *** ************* ******** ** ***** ********* **** since ******** *** ******** *** ***** ******* ** ********* **** vulnerabilty ** ***** ** ** * *********** *****. *** ** is ****** *** ******** ******* *** ** *** ***** ******** upgraded **** ********** ** ******* ****.

********** ***** ******** ***** **** ** **** ******* ******** ** place, ********** ** *** *** ** *** *******, ** **** traffic **** ***-******** ******* (**** ** ** ********'* ******) ***'* flood *** *******.

Undisclosed #1

In reply to Ray Bernard | 03/06/15 06:57pm

****. ***** **** ***** ** ******'* '********* *****'.

Matt Ion

In reply to Ray Bernard | 03/06/15 07:48pm

***, **** ***** ** **** ** *** **** ** ******** co-workers' ** ******** **** *** **' "**** ** *****". **** *****!

Undisclosed Integrator #2

03/06/15 08:15pm

** *'** **** ******** *** ***** **** **** ** *********... still ****'* ***** ********, ********* ** ***** ** *** ***'* laptop ** *** **** *****, *** **'* **** *% **** the *** ****. **** ****, **** *********. *'** **** ***** Advanced ** ******* (**** ***.******.***) *** * **** **** *** will ******** ***** ** **** *** ******* ***** ******* *******, like **** ** ******* ****** *****'* **** ** ** *** DHCP ******, *** **** ** ********** ******* ***** ** ** toolbox *** ***** ***** ********* ******* ** ******.

Thumbnail recadr

Marc Pichaud

03/08/15 10:40am

**** ******* *******.

***'* *** **** **** **** *******, **** ***** ** ******* (factory ********) ***'* ******* ***********....** .... *** *** ***** ***** the *******, *** *** *** *** **** ****** ***** ******* passwords **** ***. ** *** *** *** *** ******** **** inside, **** * ******** ************ ******* **** ****.. *****!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on ONVIF

Uniview Low-Cost Bullet PTZ Tested on Jun 21, 2017
Uniview is offering a HD zoom bullet camera, the IPC742SR9-PZ30-32G, with an integrated pan / tilt positioner, for the price of a low-cost...
Camera Course Summer 2017 on Jun 08, 2017
Learn video surveillance and get certified. IPVM provides live online classes, recorded videos, personal help, cutting edge education and...
Chinese Direct Disruptor Reolink Tested on May 31, 2017
Another Chinese disruptor, Reolink, is gaining attention. This one is selling direct from its own website, with fulfillment by Amazon. And a...
H.265 / HEVC Codec Tutorial 2017 on May 25, 2017
Since 2013, video surveillance professionals have talked about the potential for H.265. Now, in 2017, H.265 is starting to gain mainstream...
48MP 180 Camera (Digital Watchdog) Test on May 10, 2017
Camera resolution continues to advance, with Digital Watchdog offering the MegaPIX PANO 48MP 180° camera, the highest resolution mainstream camera...
Aqueti 100MP Mantis Camera Profile on Apr 14, 2017
One of the original gigapixel camera startups, Aqueti, which we first covered in 2012, is back. This time, they have partnered with NVIDIA,...
Best and Worst - ISC West 2017 Show Report on Apr 10, 2017
IPVM went to Las Vegas, examining what vendors are showcasing and what is new. Attendance was up, according to the show, and was certainly well...
TVI 4.0 Doubles HD Analog Bandwidth on Mar 05, 2017
HD analog's move up market continues. Starting a few years ago at just 720p, HD analog is now poised for 4K and beyond. Techpoint, the company...
Uniview NVR Tested on Mar 02, 2017
Uniview, China's self proclaimed #3 video surveillance manufacturer behind Hikvision and Dahua, is ramping up its international sales efforts. In...
20 Manufacturer Favorability Ranked on Feb 28, 2017
20 security industry organizations' favorability was ranked based on direct feedback from over 100 integrators. In-depth comments revealed insights...

Most Recent Industry Reports

Importance of Sales To Integrators - Statistics on Jun 23, 2017
One of the top trends in the industry over the past few years has been the rise of across-the-board sales (e.g.: Hikvision Sales, Dahua Sale,...
Deep Learning Surveillance Startups Deep Problem on Jun 23, 2017
The undeniably good news for the video surveillance market is that we are seeing the rise of more startups than in many years. The cause of this...
Avigilon Announces RADAR-Based Presence Detector on Jun 22, 2017
RADAR is gaining momentum within physical security. Two months after Axis announced a network radar detector, Avigilon has announced a RADAR-Based...
Covert Cloud Camera Service Launching (KJB) on Jun 22, 2017
Cloud IP cameras, for consumers, has become increasingly commonplace. However, covert cameras, lag there, with few options. Now, North America's...
Manufacturers Shipping Unlicensed H.265 Products on Jun 22, 2017
While H.265 support in video surveillance is growing, IPVM's research shows that most surveillance manufacturers are shipping H.265 products with...
Uniview Low-Cost Bullet PTZ Tested on Jun 21, 2017
Uniview is offering a HD zoom bullet camera, the IPC742SR9-PZ30-32G, with an integrated pan / tilt positioner, for the price of a low-cost...
QSR Video Surveillance Best Practices on Jun 21, 2017
Fast food restaurants or QSRs (quick service restaurants), are frequent victims of crime and fraud. Because they are open late, deal with cash, and...
45 Drives 'Lowest Cost' Enterprise Storage Company Profile on Jun 21, 2017
45 Drives claims the "lowest cost per Hard Drive Slot in the industry." But who or what is '45 Drives'? What started as a product design to...
No Hack, Still Liable, Court Finds ADT on Jun 20, 2017
Recently, ADT has been in the news for a $16 million settlement for a cyber security vulnerability class action suit. One of the most important...
Resolver / PPM 2000 Incident Management Platform Profile on Jun 20, 2017
You might have seen the company whose employees wear hockey jerseys at trade shows and wondered "what do they do?" PPM 2000 has been active in...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact