6.2 KiB
554,8554 - Pentesting RTSP
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
From wikipedia:
The Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording).
The transmission of streaming data itself is not a task of RTSP. Most RTSP servers use the Real-time Transport Protocol (RTP) in conjunction with Real-time Control Protocol (RTCP) for media stream delivery. However, some vendors implement proprietary transport protocols. The RTSP server software from RealNetworks, for example, also used RealNetworks' proprietary Real Data Transport (RDT).
Default ports: 554,8554
PORT STATE SERVICE
554/tcp open rtsp
Key Details
RTSP is similar to HTTP but designed specifically for media streaming. It's defined in a straightforward specification which can be found here:
Devices might allow unauthenticated or authenticated access. To check, a "DESCRIBE" request is sent. A basic example is shown below:
DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r
Remember, the correct formatting includes a double "\r\n" for a consistent response. A "200 OK" response indicates unauthenticated access, while "401 Unauthorized" signals the need for authentication, revealing if Basic or Digest authentication is required.
For Basic authentication, you encode the username and password in base64 and include it in the request like so:
DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r
This example uses "admin" and "1234" for the credentials. Here's a Python script to send such a request:
import socket
req = "DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.1", 554))
s.sendall(req)
data = s.recv(1024)
print(data)
Basic authentication is simpler and preferred. Digest authentication requires careful handling of the authentication details provided in the "401 Unauthorized" response.
This overview simplifies the process of accessing RTSP streams, focusing on Basic authentication for its simplicity and practicality in initial attempts.
Enumeration
Lets get information about valid methods and URLs are supported and try to brute-force the access (if needed) to get access to the content.
nmap -sV --script "rtsp-*" -p <PORT> <IP>
Brute Force
Other useful programs
To bruteforce: https://github.com/Tek-Security-Group/rtsp_authgrinder
- Detect open RTSP hosts on any accessible target
- Get their public info (hostname, port, camera model, etc.)
- Launch automated dictionary attacks to get their stream route (for example /live.sdp)
- Launch automated dictionary attacks to get the username and password of the cameras
- Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
- Try to create a Gstreamer pipeline to check if they are properly encoded
- Print a summary of all the informations Cameradar could get
References
- https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol
- http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/
- https://github.com/Ullaakut/cameradar
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.