hacktricks/network-services-pentesting/554-8554-pentesting-rtsp.md
2024-02-10 17:52:19 +00:00


554,8554 - Pentesting RTSP


Basic Information

From Wikipedia:

The Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording).

The transmission of streaming data itself is not a task of RTSP. Most RTSP servers use the Real-time Transport Protocol (RTP) in conjunction with Real-time Control Protocol (RTCP) for media stream delivery. However, some vendors implement proprietary transport protocols. The RTSP server software from RealNetworks, for example, also used RealNetworks' proprietary Real Data Transport (RDT).

Default ports: 554,8554

PORT    STATE SERVICE
554/tcp open  rtsp

Key Details

RTSP is similar to HTTP. It is defined in a straightforward specification, which can be found here:

RTSP RFC2326

Devices may allow unauthenticated or authenticated access. To check, send a "DESCRIBE" request. A basic example:

DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\n

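Note that a consistent response requires the request to be terminated with an additional "\r\n". A "200 OK" response indicates unauthenticated access, while "401 Unauthorized" indicates that authentication is required, and shows whether Basic or Digest authentication is needed.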

For Basic authentication, the username and password are base64-encoded and included in the request:

DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n

This example uses the credentials "admin" and "1234". A Python script that sends such a request:

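import socket

# The request ends with a blank line ("\r\n\r\n"); YWRtaW46MTIzNA== is base64 of admin:1234
req = "DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.1", 554))
s.sendall(req.encode())  # Python 3 sockets send bytes, not str
data = s.recv(1024)
print(data.decode(errors="replace"))
s.close()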


Basic authentication is the simpler of the two. Digest authentication requires handling the authentication details provided in the "401 Unauthorized" response.

The process of accessing RTSP streams described here uses Basic authentication, or Digest authentication where Basic is not accepted.
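An added example, not part of the original page: a parser that classifies a DESCRIBE response the way the text above describes (200 means unauthenticated, 401 carries the Basic or Digest challenge), for auditing devices you are responsible for. The sample responses are constructed, and the finding labels are this example's own.

```python
import re

# Constructed sample responses (not captured from a real device).
SAMPLES = {
    "open": b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\n",
    "basic": (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
              b'WWW-Authenticate: Basic realm="camera"\r\n\r\n'),
    "both": (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
             b'WWW-Authenticate: Digest realm="camera", nonce="abc123"\r\n'
             b'WWW-Authenticate: Basic realm="camera"\r\n\r\n'),
}

def parse_response(raw):
    """Return (status_code, [(scheme, params), ...]) from a raw RTSP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = re.match(r"RTSP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an RTSP status line: %r" % lines[0])
    challenges = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        # key="value" pairs of the challenge, e.g. realm and nonce
        params = dict(re.findall(r'(\w+)="?([^",]*)"?', rest))
        challenges.append((scheme.lower(), params))
    return int(m.group(1)), challenges

def classify(raw):
    """Map a DESCRIBE response to an audit finding (labels are hypothetical)."""
    status, challenges = parse_response(raw)
    schemes = {scheme for scheme, _ in challenges}
    if status == 200:
        return "unauthenticated"   # stream description served without credentials
    if status == 401 and "basic" in schemes:
        return "basic-offered"     # credentials would travel base64-encoded only
    if status == 401 and "digest" in schemes:
        return "digest-only"
    return "other"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```
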

nmap -sV --script "rtsp-*" -p <PORT> <IP>

Brute Force

Other useful programs

To bruteforce: https://github.com/Tek-Security-Group/rtsp_authgrinder

Cameradar

  • Detect open RTSP hosts on any accessible target
  • Get their public info (hostname, port, camera model, etc.)
  • Launch automated dictionary attacks to get their stream route (for example /live.sdp)
  • Launch automated dictionary attacks to get the username and password of the cameras
  • Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
  • Try to create a Gstreamer pipeline to check if they are properly encoded
  • Print a summary of all the information Cameradar could get
