Volatility 2.6 – Advanced Memory Forensics Framework

In 2007, the first version of The Volatility Framework was released publicly at Black Hat DC. The software was based on years of published academic research into advanced memory analysis and forensics. Up until that point, digital investigations had focused primarily on finding contraband within hard drive images. Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Another major goal of the project was to encourage the collaboration, innovation, and accessibility to knowledge that had been common within the offensive software communities.

Since that time, memory analysis has become one of the most important topics to the future of digital investigations and Volatility has become the world's most widely used memory forensics platform. The project is supported by one of the largest and most active communities in the forensics industry. Volatility also provides a unique platform that enables cutting-edge research to be immediately transitioned into the hands of digital investigators. As a result, research built on top of Volatility has appeared at the top academic conferences and Volatility has been used on some of the most critical investigations of the past decade. It has become an indispensable digital investigation tool relied upon by law enforcement, military, academia, and commercial investigators throughout the world.

Volatility development is now supported by The Volatility Foundation, an independent 501(c)(3) non-profit organization. The foundation was established to promote the use of Volatility and memory analysis within the forensics community, to defend the project's intellectual property (trademarks, licenses, etc.) and longevity, and, finally, to help advance innovative memory analysis research. Along these lines, the foundation was also formed to help protect the rights of the developers who sacrifice their time and resources to make the world's most advanced memory forensics platform free and open source.

Quick Start

- Choose a release: the most recent is Volatility 2.6 (http://www.volatilityfoundation.org/26), released December 2016. Older versions are also available on the Releases page or the respective release pages. If you want the cutting-edge development build, use a git client and clone the master branch.
- Install the code: Volatility is packaged in several formats, including source code in a zip or tar archive (all platforms), a PyInstaller executable (Windows only) and a standalone executable (Windows only). For help deciding which format is best for your needs, and for installation or upgrade instructions, see Installation.
- Target OS specific setup: Linux, Mac, and Android support may require accessing symbols and building your own profiles before using Volatility. If you plan to analyze these operating systems, please see Linux, Mac, or Android.
- Read usage and plugins: command-line parameters, options, and plugins may differ between releases. For the most recent information, see Volatility Usage, Command Reference and our Volatility Cheat Sheet.

Why Volatility

- A single, cohesive framework analyzes RAM dumps from 32- and 64-bit Windows, Linux, Mac, and Android systems. Volatility's modular design allows it to easily support new operating systems and architectures as they are released. All your devices are targets, so don't limit your forensic capabilities to just Windows computers.
- It's open source (GPLv2), which means you can read it, learn from it, and extend it. Why use a tool that outputs results without giving you any indication where the values came from or how they were interpreted? Learn how your tools work, understand why and how to tweak and enhance them, and help yourself become a smarter analyst. You can also immediately fix any issues you discover, instead of having to wait weeks or months for vendors to communicate, reproduce, and publish patches.
- It's written in Python, an established forensic and reverse engineering language with loads of libraries that can easily integrate into Volatility. Most analysts are already familiar with Python and don't want to learn new languages. WinDbg's scripting syntax, for example, is often seen as cryptic, and many times the capabilities just aren't there. Other memory analysis frameworks require you to use Visual Studio to compile C# DLLs, and the rest don't expose a programming API at all.
- Runs on Windows, Linux, or Mac analysis systems (anywhere Python runs), a refreshing break from other memory analysis tools that only run on Windows and require .NET installations and admin privileges just to open. If you're already accustomed to performing forensics on a particular host OS, by all means keep using it, and take Volatility with you.
- Extensible and scriptable API gives you the power to go beyond and continue innovating. For example, you can use Volatility to build a customized web interface or GUI, drive your malware sandbox, perform virtual machine introspection or just explore kernel memory in an automated fashion. Analysts can add new address spaces, plugins, data structures, and overlays to truly weld the framework to their needs. You can explore the Doxygen documentation for Volatility to get an idea of its internals.
- Unparalleled feature sets based on reverse engineering and specialized research. Volatility provides capabilities that Microsoft's own kernel debugger doesn't allow, such as carving command histories, console input/output buffers, USER objects (GUI memory), and network-related data structures. Just because it's not documented doesn't mean you can't analyze it!
- Comprehensive coverage of file formats: Volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), Expert Witness (EWF), and direct physical memory over FireWire. You can even convert back and forth between these formats. In the heat of your incident response moment, don't get caught looking like a fool when someone hands you a format your other tools can't parse.
- Fast and efficient algorithms let you analyze RAM dumps from large systems without unnecessary overhead or memory consumption. For example, Volatility is able to list kernel modules from an 80 GB system in just a few seconds. There is always room for improvement, and timing differs per command; however, other memory analysis frameworks can take several hours to do the same thing on much smaller memory dumps.
- A serious and powerful community of practitioners and researchers who work in the forensics, IR, and malware analysis fields. It brings together contributors from commercial companies, law enforcement, and academic institutions around the world. Don't just take our word for it: check out the Volatility Documentation Project, a collection of over 200 docs from 60+ different authors. Volatility is also being built on by a number of large organizations such as Google, National DoD Laboratories, DC3, and many antivirus and security shops.
- Forensics/IR/malware focus: Volatility was designed by forensics, incident response, and malware experts to focus on the types of tasks these analysts typically perform. As a result, there are things that are often very important to a forensic analyst that are not as important to a person debugging a kernel driver (unallocated storage, indirect artifacts, etc.).

Download Volatility

Link: http://feedproxy.google.com/~r/PentestTools/~3/v5REAo8QpqY/volatility-26-advanced-memory-forensics.html

CloudFail – Utilize misconfigured DNS and old database records to find hidden IP’s behind the CloudFlare network

CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases:

1. Misconfigured DNS scan using DNSDumpster.com.
2. Scan the Crimeflare.com database.
3. Bruteforce scan over 2500 subdomains.

Please feel free to contribute to this project. If you have an idea or improvement, issue a pull request!

Disclaimer

This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to set up CloudFlare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool.

Usage

To run a scan against a target:

python cloudfail.py --target seo.com

To run a scan against a target using Tor:

service tor start

(or, if you are using Windows or Mac, install Vidalia or just run the Tor browser)

python cloudfail.py --target seo.com --tor

Dependencies

- Python3
- argparse
- colorama
- socket
- binascii
- datetime
- requests
- win_inet_pton

Download CloudFail
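The first attack phase above works because a zone often still carries A records (an old mail host, a dev box, a record created before the CDN was put in front) that point straight at the origin address. The defender's counterpart is to audit the zone for exactly those records. The script below is an added example, not CloudFail's own code: it reads a BIND-style zone export and reports every A record whose address falls outside the CDN provider's prefixes. The zone lines and the CDN_PREFIXES list are constructed stand-ins (TEST-NET ranges); a real audit would load the provider's published range list instead.

```python
"""Audit a zone export for A records that bypass the CDN and expose the origin address.

Constructed example (not part of CloudFail). The records and CDN prefixes below are
made up; replace CDN_PREFIXES with the provider's published IPv4 ranges for real use.
"""
import ipaddress

# Constructed stand-in for the CDN provider's published IPv4 prefixes (TEST-NET space).
CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.128/25")]

# Constructed zone export: "name ttl class type rdata", one record per line.
ZONE_EXPORT = """\
example.com.         300 IN A     203.0.113.10
www.example.com.     300 IN A     203.0.113.10
mail.example.com.    300 IN A     192.0.2.25
dev.example.com.     300 IN A     192.0.2.25
ftp.example.com.     300 IN CNAME www.example.com.
cdn.example.com.     300 IN A     198.51.100.200
; comment lines must be ignored
"""


def parse_a_records(zone_text):
    """Return [(name, ip_address)] for every A record; other types and comments are skipped."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Expect at least name, ttl, class, type, rdata; only keep type A.
        if len(fields) < 5 or fields[3] != "A":
            continue
        records.append((fields[0].rstrip("."), ipaddress.ip_address(fields[4])))
    return records


def is_behind_cdn(ip):
    """True when the address lies inside one of the CDN prefixes."""
    return any(ip in net for net in CDN_PREFIXES)


def find_origin_exposures(zone_text):
    """Map each directly published (non-CDN) address to the names that reveal it."""
    exposed = {}
    for name, ip in parse_a_records(zone_text):
        if not is_behind_cdn(ip):
            exposed.setdefault(str(ip), []).append(name)
    return exposed


if __name__ == "__main__":
    for ip, names in find_origin_exposures(ZONE_EXPORT).items():
        print(f"{ip} is published directly via: {', '.join(names)}")
```

In the constructed zone, mail.example.com and dev.example.com both leak 192.0.2.25, the same address the fronted records hide. Once a record like that has ever been public, historical DNS databases (the tool's second phase) will keep it, so the fix is not only to remove the record but to move the origin to a fresh address and restrict its firewall to the CDN's ranges.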

Link: http://feedproxy.google.com/~r/PentestTools/~3/cALQrMF3f3A/cloudfail-utilize-misconfigured-dns-and.html

LFISuite – Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner

LFI Suite is a totally automatic tool able to scan and exploit Local File Inclusion vulnerabilities using many different methods of attack, listed in the section Features.

Features

- Works with Windows, Linux and OS X
- Automatic Configuration
- Automatic Update
- Provides 8 different Local File Inclusion attack modalities:
  - /proc/self/environ
  - php://filter
  - php://input
  - /proc/self/fd
  - access log
  - phpinfo
  - data://
  - expect://
- Provides a ninth modality, called Auto-Hack, which scans and exploits the target automatically by trying all the attacks one after the other without you having to do anything (except for providing, at the beginning, a list of paths to scan, which, if you don't have one, you can find in this project directory in two versions, small and huge).
- Tor proxy support
- Reverse Shell for Windows, Linux and OS X

How to use it?

Usage is extremely simple and LFI Suite has an easy-to-use user interface; just run it and let it lead you.

Reverse Shell

When you have obtained an LFI shell by using one of the available attacks, you can easily obtain a reverse shell by entering the command "reverseshell" (obviously you must have your system listening for the reverse connection, for instance using "nc -lvp port").

Dependencies

- Python 2.7.x
- Python extra modules: termcolor, requests
- socks.py

When you run the script, in case you are missing some modules, it will check if you have pip installed and, in case you don't, it will install it automatically; then, using pip, it will also install the missing modules and download the necessary file socks.py.

I tried it on different operating systems (Debian, Ubuntu, Fedora, Windows 10, OS X) and it worked great, but if something strange happens to you and the automatic installation of pip and other modules fails, please install the missing modules manually and re-run the script.

IMPORTANT: In order to allow the script to install missing modules (and pip, if needed) automatically, you MUST run the script as root (or, at least, with sufficient permissions) the first time.

Video

Download LFISuite

Link: http://feedproxy.google.com/~r/PentestTools/~3/kH1zGMPK2nc/lfisuite-totally-automatic-lfi.html

AQUATONE – A Tool for Domain Flyovers

AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports, and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.

Installation

Dependencies

AQUATONE depends on Node.js and the NPM package manager for its web page screenshotting capabilities. Follow this guide for installation instructions.

You will also need a newer version of Ruby installed. If you plan to use AQUATONE in Kali Linux, you are already set up with this. If not, it is recommended to install Ruby with RVM.

Finally, the tool itself can be installed with the following command in a terminal:

$ gem install aquatone

IMPORTANT: AQUATONE's screenshotting capabilities depend on being run on a system with a graphical desktop environment. It is strongly recommended to install and run AQUATONE in a Kali Linux virtual machine. I will not provide support or bug fixing for other systems than Kali Linux.

Usage

Discovery

The first stage of an AQUATONE assessment is the discovery stage, where subdomains are discovered on the target domain using open sources, services and the more common dictionary brute force approach:

$ aquatone-discover --domain example.com

aquatone-discover will find the target's nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domain's nameservers, aquatone-discover will fall back to using Google's public DNS servers to maximize discovery. The fallback DNS servers can be changed with the --fallback-nameservers option:

$ aquatone-discover --domain example.com --fallback-nameservers

aquatone-discover will use 5 threads by default for concurrently performing DNS lookups. This provides reasonable performance but can be tuned to be more or less aggressive with the --threads option:

$ aquatone-discover --domain example.com --threads 25

Hammering a DNS server with failing lookups can potentially be picked up by intrusion detection systems, so if that is a concern for you, you can make aquatone-discover a bit more stealthy with the --sleep and --jitter options. --sleep accepts a number of seconds to sleep between each DNS lookup, while --jitter accepts a percentage of the --sleep value to randomly add to or subtract from the sleep interval in order to break the sleep pattern and make it less predictable.

$ aquatone-discover --domain example.com --sleep 5 --jitter 30

Please note that setting the --sleep option will force the thread count to one. The --jitter option will only be considered if the --sleep option has also been set.

API keys

Some of the passive collectors will require API keys or similar credentials in order to work. Setting these values can be done with the --set-key option:

$ aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ

All keys will be saved in ~/aquatone/.keys.yml.

Results

When aquatone-discover is finished, it will create a hosts.txt file in the ~/aquatone/ folder, so for a scan of example.com it would be located at ~/aquatone/example.com/hosts.txt. The format will be a comma-separated list of hostnames and their IP, for example:

example.com,,,,…

In addition to the hosts.txt file, it will also generate a hosts.json which includes the same information but in JSON format. This format might be preferable if you want to use the information in custom scripts and tools. hosts.json will also be used by the aquatone-scan and aquatone-gather tools.

See aquatone-discover --help for more options.

Scanning

The scanning stage is where AQUATONE will enumerate the discovered hosts for open TCP ports that are commonly used for web services:

$ aquatone-scan --domain example.com

The --domain option will look for hosts.json in the domain's AQUATONE assessment directory, so in the example above it would look for ~/aquatone/example.com/hosts.json. This file should be present if aquatone-discover --domain example.com has been run previously.

Ports

By default, aquatone-scan will scan the following TCP ports: 80, 443, 8000, 8080 and 8443. These are very common ports for web services and will provide reasonable coverage. Should you want to specify your own list of ports, you can use the --ports option:

$ aquatone-scan --domain example.com --ports 80,443,3000,8080

Instead of a comma-separated list of ports, you can also specify one of the built-in list aliases:

- small: 80, 443
- medium: 80, 443, 8000, 8080, 8443 (same as default)
- large: 80, 81, 443, 591, 2082, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888, 55672
- huge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5280, 5281, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8083, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8337, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 11371, 12443, 16080, 18091, 18092, 20720, 55672

Example:

$ aquatone-scan --domain example.com --ports large

Tuning

Like aquatone-discover, you can make the scanning more or less aggressive with the --threads option, which accepts a number of threads for concurrent port scans. The default number of threads is 5.

$ aquatone-scan --domain example.com --threads 25

As aquatone-scan is performing port scanning, it can obviously be picked up by intrusion detection systems. While it will attempt to lessen the risk of detection by randomising hosts and ports, you can tune the stealthiness more with the --sleep and --jitter options, which work just like the similarly named options for aquatone-discover. Keep in mind that setting the --sleep option will force the number of threads to one.

Results

When aquatone-scan is finished, it will create a urls.txt file in the ~/aquatone/<domain> directory, so for a scan of example.com it would be located at ~/aquatone/example.com/urls.txt. The format will be a list of URLs, for example:

http://example.com/
https://example.com/
http://www.example.com/
https://www.example.com/
http://secret.example.com:8001/
https://secret.example.com:8443/
http://cdn.example.com/
https://cdn.example.com/
…

This file can be loaded into other tools such as EyeWitness.

aquatone-scan will also generate an open_ports.txt file, which is a comma-separated list of hosts and their open ports, for example:

,80,443
93.184.216.34,80
93.184.216.36,80,443,8443
192.0.2.42,80,8080
…

See aquatone-scan --help for more options.

Gathering

The final stage is the gathering part, where the results of the discovery and scanning stages are used to query the discovered web services in order to retrieve and save HTTP response headers and HTML bodies, as well as to take screenshots of what the web pages look like in a web browser to make analysis easier. The screenshotting is done with the Nightmare.js Node.js library. This library will be installed automatically if it's not present on the system.

$ aquatone-gather --domain example.com

aquatone-gather will look for hosts.json and open_ports.txt in the given domain's AQUATONE assessment directory and request and screenshot every IP address for each domain name for maximum coverage.

Tuning

Like aquatone-discover and aquatone-scan, you can make the gathering more or less aggressive with the --threads option, which accepts a number of threads for concurrent requests. The default number of threads is 5.

$ aquatone-gather --domain example.com --threads 25

As aquatone-gather is interacting with web services, it can be picked up by intrusion detection systems. While it will attempt to lessen the risk of detection by randomising hosts and ports, you can tune the stealthiness more with the --sleep and --jitter options, which work just like the similarly named options for aquatone-discover. Keep in mind that setting the --sleep option will force the number of threads to one.

Results

When aquatone-gather is finished, it will have created several directories in the domain's AQUATONE assessment directory:

- headers/: Contains text files with HTTP response headers from each web page
- html/: Contains text files with HTML response bodies from each web page
- screenshots/: Contains PNG images of what each web page looks like in a browser
- report/: Contains report files in HTML displaying the gathered information for easy analysis

Download AQUATONE
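The hosts.txt and open_ports.txt formats above are simple enough to consume from a script, which is how a defender can turn an AQUATONE run into an exposure check rather than a one-off report: join the hostname-to-IP mapping with the open ports, rebuild the URL list the way urls.txt presents it, and compare what is actually reachable against the ports each host is approved to expose. The script below is an added example and not part of AQUATONE; it assumes one hostname per hosts.txt line followed by one or more IP fields, and the HTTPS port set and the ALLOWED inventory are constructed for the demonstration.

```python
"""Reconcile AQUATONE discovery/scan output against an approved exposure inventory.

Added example, not AQUATONE's own code. Inputs are constructed to mirror the hosts.txt
("hostname,ip") and open_ports.txt ("ip,port,port,...") formats the README describes.
"""
from collections import defaultdict

# Constructed hosts.txt content: hostname followed by the IP(s) it resolved to.
HOSTS_TXT = """\
example.com,192.0.2.10
www.example.com,192.0.2.10
secret.example.com,192.0.2.42
cdn.example.com,203.0.113.7
"""

# Constructed open_ports.txt content: IP followed by its open TCP ports.
OPEN_PORTS_TXT = """\
192.0.2.10,80,443
192.0.2.42,80,8001,8443
203.0.113.7,80,443
"""

# Assumption for URL construction: these ports are treated as TLS, everything else as plain HTTP.
HTTPS_PORTS = {443, 8443}
DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed approval inventory: which ports each hostname is allowed to expose.
ALLOWED = {
    "example.com": {80, 443},
    "www.example.com": {80, 443},
    "cdn.example.com": {80, 443},
    "secret.example.com": {443},
}


def _fields(line):
    return [f.strip() for f in line.split(",") if f.strip()]


def parse_hosts(text):
    """hosts.txt -> {ip: [hostnames]} (a hostname line may carry several IP fields)."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) < 2:
            continue
        for ip in fields[1:]:
            by_ip[ip].append(fields[0])
    return dict(by_ip)


def parse_open_ports(text):
    """open_ports.txt -> {ip: {ports}}; non-numeric port fields are ignored."""
    result = {}
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) < 2:
            continue
        result[fields[0]] = {int(p) for p in fields[1:] if p.isdigit()}
    return result


def url_for(host, port):
    """Build the URL the way urls.txt shows it: default ports are omitted."""
    scheme = "https" if port in HTTPS_PORTS else "http"
    if DEFAULT_PORT[scheme] == port:
        return f"{scheme}://{host}/"
    return f"{scheme}://{host}:{port}/"


def build_urls(hosts, open_ports):
    """Join both files into the URL list; unmapped IPs are used as the host name."""
    urls = []
    for ip, ports in sorted(open_ports.items()):
        for host in hosts.get(ip, [ip]):
            for port in sorted(ports):
                urls.append(url_for(host, port))
    return urls


def unexpected_exposure(hosts, open_ports, allowed):
    """Return (host, ip, port) for every open port not approved for that hostname."""
    findings = []
    for ip, ports in sorted(open_ports.items()):
        for host in hosts.get(ip, [ip]):
            for port in sorted(ports - allowed.get(host, set())):
                findings.append((host, ip, port))
    return findings


if __name__ == "__main__":
    hosts, open_ports = parse_hosts(HOSTS_TXT), parse_open_ports(OPEN_PORTS_TXT)
    for host, ip, port in unexpected_exposure(hosts, open_ports, ALLOWED):
        print(f"unexpected: {url_for(host, port)} ({ip}:{port})")
```

Run against the constructed input, only secret.example.com is flagged: it is approved for 443 but answers on 80, 8001 and 8443, which is exactly the kind of drift (a forgotten admin port, a plaintext listener on a host meant to be TLS-only) that a periodic AQUATONE run is good at surfacing.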

Link: http://feedproxy.google.com/~r/PentestTools/~3/U2WbUREyKK0/aquatone-tool-for-domain-flyovers.html

spoilerwall – Avoid being scanned by spoiling movies on all your ports!

Spoilerwall introduces a brand new concept in the field of network hardening. Avoid being scanned by spoiling movies on all your ports!

Firewall? How about Fire'em'all! Stop spending thousands of dollars on big teams that you don't need! Just fire up the Spoilers Server and that's it!

Movie Spoilers DB + Open Ports + Pure Evil = Spoilerwall

Set your own:

1. Clone this repo:
   $ git clone git@github.com:infobyte/spoilerwall.git
2. Edit the file server-spoiler.py and set the HOST and PORT variables.
3. Run the server:
   $ python2 server-spoiler.py
   The server will listen on the selected port (8080 by default).
4. Redirect incoming TCP traffic on all ports to this service by running:
   iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination {HOST}:{PORT}
   Change {HOST} and {PORT} to the values set in step (2). Also, if the traffic is redirected to localhost, run:
   sysctl -w net.ipv4.conf.eth0.route_localnet=1

Using this config, an nmap scan will show every port as open and a spoiler for each one.

View the live demo running at spoilerwall.faradaysec.com:

~ ❯❯❯ telnet spoilerwall.faradaysec.com 23
Trying…
Connected to spoilerwall.faradaysec.com.
Escape character is '^]'.
Gummo
Fucked up people killing cats after a tornado
Connection closed by foreign host.

Browse in Shodan (but beware of the Spoilers!): https://www.shodan.io/host/

Be careful in your next CTF, you never know when the spoilers are coming!

Download spoilerwall

Link: http://feedproxy.google.com/~r/PentestTools/~3/PJANilmXRHM/spoilerwall-avoid-being-scanned-by.html

RED HAWK – RED HAWK is An All In One Tool For Information Gathering, SQL Vulnerability Scanning and Crawling

RED HAWK is an all-in-one tool for information gathering, SQL vulnerability scanning and crawling. Coded in PHP.

Features of the tool:

- Server detection
- Cloudflare detector
- robots scanner
- CMS Detector: WordPress, Joomla, Drupal, Magento
- Whois
- GEO-IP Scan
- NMAP Port Scan
- DNS Lookup
- SubNet Calculator
- Subdomain Finder
- Reverse IP Scanner: CMS detection for sites on the same server
- Parameter Finder: Error based SQLi Detector
- Crawler:
  - Basic Crawler {69}: Admin scanner, Backups Finder, Misc. Crawler
  - Advance Crawler {420}: Admin scanner, Backups Finder, Misc. Crawler

Changelog:

Version 1.0.0: Initial Launch

Installation:

Run the tool and type fix. This will install all required modules.

Usage:

git clone https://github.com/Tuhinshubhra/RED_HAWK
cd RED_HAWK
php rhawk.php

Use the "help" command to see the command list, or type in the domain name you want to scan (without http:// or https://). Select whether the site runs on HTTPS or not. Leave the rest to the scanner.

Download RED HAWK

Link: http://feedproxy.google.com/~r/PentestTools/~3/hSjg3bTiXTM/red-hawk-red-hawk-is-all-in-one-tool.html

portSpider – A Lightning Fast Multithreaded Network Scanner Framework With Modules

A lightning fast multithreaded network scanner framework with modules.

modules:

- http: Scan for open HTTP ports, and get the titles.
- mysql: Scan for open MySQL servers, and try to log in with the default credentials.
- mongodb: Scan for open MongoDB instances, and check if they are password protected.
- ssh: Scan for open SSH ports.
- printer: Scan for open printer ports and websites.
- gameserver: Scan for open game server ports.
- manual: Scan custom ports.

commands:

- modules: List all modules.
- use: Use a module.
- options: Show a module's options.
- set: Set an option.
- run: Run the selected module.
- back: Go back to menu.
- exit: Shut down portSpider.

installing:

Debian based systems:

$ sudo apt-get update && sudo apt-get install python3 python3-pip -y
$ git clone https://github.com/xdavidhu/portSpider
$ cd portSpider/
$ python3 -m pip install -r requirements.txt

macOS / OSX:

$ brew install python3
$ git clone https://github.com/xdavidhu/portSpider
$ cd portSpider/
$ python3 -m pip install -r requirements.txt

NOTE: You need to have Homebrew installed before running the macOS/OSX installation.

WARNING: portSpider is only compatible with Python 3.3, 3.4, 3.5 and 3.6.

developers:

- David Schütz (@xdavidhu)
- László Simonffy (@Letsgo00HUN): Multithreading

Download portSpider

Link: http://feedproxy.google.com/~r/PentestTools/~3/N59Vt34hZns/portspider-lightning-fast-multithreaded.html

Cangibrina – A Fast And Powerful Dashboard (Admin) Finder

Cangibrina is a multi-platform tool which aims to obtain the dashboard of sites using brute force over a wordlist, Google, nmap, and robots.txt.

Requirements:

- Python 2.7
- mechanize
- PySocks
- beautifulsoup4
- html5lib
- Nmap (--nmap)
- TOR (--tor)

Install:

Linux

git clone http://github.com/fnk0c/cangibrina.git
cd cangibrina
pip install -r requirements.txt

Usage

usage: cangibrina.py [-h] -u U [-w W] [-t T] [-v] [--ext EXT] [--user-agent] [--tor] [--search] [--dork DORK] [--nmap [NMAP]]

Fast and powerful admin finder

optional arguments:
  -h, --help     show this help message and exit
  -u U           target site
  -w W           set wordlist (default: wl_medium)
  -t T           set threads number (default: 5)
  -v             enable verbose
  --ext EXT      filter path by target extension
  --user-agent   modify user-agent
  --tor          set TOR proxy
  --search       use google and duckduckgo to search
  --dork DORK    set custom dork
  --nmap [NMAP]  use nmap to scan ports and services

Examples

python cangibrina.py -u facebook.com
python cangibrina.py -u facebook.com -v
python cangibrina.py -u facebook.com -w /root/diretorios.txt -t 10 -v
python cangibrina.py -u facebook.com --search -v
python cangibrina.py -u facebook.com --search --dork 'site:facebook.com inurl:login'
python cangibrina.py -u facebook.com -v --nmap
python cangibrina.py -u facebook.com -v --nmap 'sudo nmap -D -F facebook.com'
python cangibrina.py -u facebook.com --user-agent
python cangibrina.py -u facebook.com --ext php

[IMPORTANT] THE DORK MUST BE WRITTEN BETWEEN QUOTES! [Example] 'inurl:login.php'

Download Cangibrina

Link: http://feedproxy.google.com/~r/PentestTools/~3/4R-YSa8oJ-c/cangibrina-fast-and-powerfull-dashboard.html

Cameradar – An RTSP Surveillance Camera Access Multitool

Cameradar hacks its way into RTSP CCTV cameras.

Cameradar allows you to:

- Detect open RTSP hosts on any accessible target
- Get their public info (hostname, port, camera model, etc.)
- Launch automated dictionary attacks to get their stream route (for example /live.sdp)
- Launch automated dictionary attacks to get the username and password of the cameras
- Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
- Try to create a GStreamer pipeline to check if they are properly encoded
- Print a summary of all the information Cameradar could get

And all of this in a single command line.

Of course, you can also call for individual tasks if you plug a database into Cameradar, using the MySQL cache manager for example. You can create your own cache manager by following the simple example of the dumb cache manager.

Quick install

The quick install uses Docker to build Cameradar without polluting your machine with dependencies and makes it easy to deploy Cameradar in a few commands. However, it may require networking knowledge, as your Docker containers will need access to the cameras' subnetwork.

Dependencies

The only dependencies are docker, docker-tools, git and make.

Five steps guide

1. git clone https://github.com/EtixLabs/cameradar.git
2. cd cameradar/deployment
3. Tweak the conf/cameradar.conf.json as you need (see the configuration guide here for more information)
4. docker-compose build ; docker-compose up
5. By default, the version of the package in the deployment should be the last stable release.

If you want to scan a different target or different ports, change the values CAMERAS_TARGET and CAMERAS_PORTS in the docker-compose.yml file.

The generated thumbnails will be in the cameradar_thumbnails folder after Cameradar has finished executing.

If you want to deploy your custom version of Cameradar using the same method, you should check the advanced Docker deployment tutorial here.

Manual installation

The manual installation is recommended if you want to tweak Cameradar and quickly test your changes using CMake and running Cameradar from the command line. If you just want to use Cameradar, it is recommended to use the quick install instead.

Dependencies

To install Cameradar you will need these packages:

- cmake (cmake)
- git (git)
- gstreamer1.x (libgstreamer1.0-dev)
- ffmpeg (ffmpeg)
- boost (libboost-all-dev)
- libcurl (libcurl4-openssl-dev)

Steps

The simplest way would be to follow these steps:

git clone https://github.com/EtixLabs/cameradar.git
cd cameradar
mkdir build
cd build
cmake ..
make
cd cameradar_standalone
./cameradar -s the_target_you_want_to_scan

Output

For each camera, Cameradar will output a JSON object like this one:

{
  "address" : "",
  "ids_found" : true,
  "password" : "123456",
  "path_found" : true,
  "port" : 554,
  "product" : "Vivotek FD9381-HTV",
  "protocol" : "tcp",
  "route" : "/live.sdp",
  "service_name" : "rtsp",
  "state" : "open",
  "thumbnail_path" : "/tmp/",
  "username" : "admin"
}

Check camera access

If you have VLC Media Player, you should be able to use the GUI to connect to the RTSP stream using this format: rtsp://username:password@address:port/route

With the above result, the RTSP URL would be rtsp://admin:123456@

If you're still in your console, however, you can go even faster by using VLC from the command line: just run vlc rtsp://username:password@address:port/route with the camera's info in place of the placeholders.

Command line options

"-c" : Set a custom path to the configuration file (-c /path/to/conf)
"-s" : Set custom subnets (overrides configuration). You can use this argument in many ways: using a subnet (e.g.: ), or even an IP (e.g.: ), a range of IPs (e.g.: ) or a mix of all those (e.g.: , , )
"-s" : Set custom target (overrides configuration)
"-p" : Set custom ports (overrides configuration)
"-m" : Set number of threads (Default value : 1)
"-l" : Set log level
  "-l 1" : Log level DEBUG. Will print everything including debugging logs
  "-l 2" : Log level INFO. Prints every normal information
  "-l 4" : Log level WARNING. Only prints warnings and errors
  "-l 5" : Log level ERROR. Only prints errors
  "-l 6" : Log level CRITICAL. Doesn't print anything, since Cameradar can't have critical failures right now; however, you can use this level to debug your own code easily or if you add new critical layers
"-d" : Launch the discovery tool
"-b" : Launch the dictionary attack tool on all discovered devices. Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
"-t" : Generate thumbnails from detected cameras. Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
"-g" : Check if the stream can be opened with GStreamer. Needs either to be launched with the -d option or to use an advanced cache manager (DB, file, ...) with data already present
"-v" : Display Cameradar's version
"-h" : Display this help
"--gst-rtsp-server" : Use this option if the attack does not seem to work (only detects the username but not the path, or the opposite). This option will switch the order of the attacks to prioritize path over credentials, which is the way priority is handled for cameras that use GStreamer's RTSP server.

Download Cameradar
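The per-camera JSON object in the Output section is the useful artifact for anyone running Cameradar against their own camera estate: ids_found tells you a dictionary credential was accepted, path_found tells you the stream route is known, and together they say how exposed each device is. The script below is an added example, not Cameradar's code: it parses a list of such objects, ranks each camera by those two flags, flags devices that accepted an empty password, and builds the rtsp://username:password@address:port/route URL from the README with the password masked by default so the report can be shared. The three result objects are constructed (addresses, products and credentials are made up) and follow the field layout shown above.

```python
"""Triage Cameradar JSON results into a ranked list of cameras that need attention.

Added example, not part of Cameradar. The results below are constructed to match the
field layout of the objects Cameradar prints; none of the values refer to real devices.
"""
import json

CAMERADAR_OUTPUT = """[
  {"address": "192.0.2.20", "ids_found": true, "password": "123456", "path_found": true,
   "port": 554, "product": "Vivotek FD9381-HTV", "protocol": "tcp", "route": "/live.sdp",
   "service_name": "rtsp", "state": "open", "thumbnail_path": "/tmp/192.0.2.20.jpg",
   "username": "admin"},
  {"address": "192.0.2.21", "ids_found": false, "password": "", "path_found": true,
   "port": 554, "product": "ExampleCam X1", "protocol": "tcp", "route": "/stream1",
   "service_name": "rtsp", "state": "open", "thumbnail_path": "", "username": ""},
  {"address": "192.0.2.22", "ids_found": true, "password": "", "path_found": false,
   "port": 8554, "product": "ExampleCam X2", "protocol": "tcp", "route": "",
   "service_name": "rtsp", "state": "open", "thumbnail_path": "", "username": "root"}
]"""

# Severity keyed on (ids_found, path_found); the ranking itself is an assumption of this example.
SEVERITY = {
    (True, True): "critical",   # dictionary credentials accepted and the stream route is known
    (True, False): "high",      # dictionary credentials accepted, route still unknown
    (False, True): "medium",    # route known, credentials held
    (False, False): "low",
}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def parse_results(text):
    """Accept either a JSON list of camera objects or a single object."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def rtsp_url(cam, mask_password=True):
    """Build rtsp://username:password@address:port/route; the password is masked unless asked for."""
    route = cam.get("route") or "/"
    if not cam.get("ids_found"):
        return f"rtsp://{cam['address']}:{cam['port']}{route}"
    password = "***" if mask_password else cam["password"]
    return f"rtsp://{cam['username']}:{password}@{cam['address']}:{cam['port']}{route}"


def triage(results):
    """Return one finding per camera, most severe first."""
    findings = []
    for cam in results:
        ids_found = bool(cam.get("ids_found"))
        findings.append({
            "address": cam["address"],
            "product": cam.get("product", ""),
            "severity": SEVERITY[(ids_found, bool(cam.get("path_found")))],
            "url": rtsp_url(cam),
            # A device that accepted an empty password is the first one to fix.
            "empty_password": ids_found and cam.get("password", "") == "",
        })
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_results(CAMERADAR_OUTPUT)):
        flag = " (EMPTY PASSWORD)" if f["empty_password"] else ""
        print(f"{f['severity']:<8} {f['address']:<12} {f['product']:<20} {f['url']}{flag}")
```

Masking by default matters because the JSON Cameradar writes contains the recovered password in clear; a triage report that gets pasted into a ticket should not. Pass mask_password=False only where the full URL is genuinely needed, for instance to verify the stream in VLC as the README describes.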

Link: http://feedproxy.google.com/~r/PentestTools/~3/v__FLCUv4Uk/cameradar-rtsp-surveillance-camera.html