How to hack CCTV camera (for educational purpose)

Want to learn how to hack CCTV cameras? You are in the right place, but be
aware that I'm writing this article to let you know what is possible and how
you must protect your IP cameras to keep them from being hacked.

DISCLAIMER: I'm not responsible for any of your acts. You are not supposed to
hack CCTV cameras that don't belong to you. You've been warned.

OK, after this disclaimer, let's dive into the information about IP cameras and
how they are hacked by malicious people on the Internet.

In this article I will explain step by step the methods hackers use to
get into IP cameras and recorders such as DVRs and NVRs.

Extra material about CCTV camera hacking

For extra information about how to hack CCTV cameras and how to protect
yourself, you can also read the following articles:

How to hack CCTV cameras (10 hacker secrets)
Hacked CCTV cameras used on DDoS attack
Is your CCTV system safe from hackers?
Your CCTV system is about to hacked

The methods to hack CCTV camera

There are different ways to hack CCTV camera, some of them are easy, others
are a little bit more technical and some others are not even hacking.

Let's take a look at the following methods:

1. Use a website that shows hacked CCTV cameras

This is not really hacking, but it's the easiest method. You just visit a website that
lists a lot of hacked CCTV cameras and watch them.

Those websites are created by hackers who get into IP CCTV cameras or DVRs
(Digital Video Recorders) and make the information available to you for free.

So, at the end of the day you are not hacking anything, just watching CCTV
cameras that have been hacked by somebody else.

See below an example of a website that shows such hacked CCTV cameras:

The website lists hacked CCTV cameras around the world and organizes them by
manufacturer, country, place, city and time zone.

See below an example of live CCTV cameras installed in malls.

The website administrator claims that this is the world's biggest directory of online
surveillance security cameras and that the privacy of individuals will be respected
by showing only filtered cameras (whatever this means).

According to a message on the main page, a CCTV camera can be removed
from the site when somebody sends an email asking for it.

2. Hack CCTV camera using default passwords

That's also not really hacking, but it works. You just need to find the CCTV
camera online and try the default password; a lot of devices on the
Internet are still using the original password from the factory.

The idea is to look at the IP camera manual and look for the default password, so
you can use it to hack the CCTV camera (or recorder).

How to find the IP camera on the Internet

OK, before you try the default password to hack a CCTV camera you need to find
them on the Internet, and there are different ways to do that. Let's check the first
method, which uses a network IP scanner to find online IP devices.

In this article I will teach you how to use the Angry IP Scanner to scan the
Internet and look for IP cameras and recorders (DVRs and NVRs).

STEP 1 - Download the Angry IP Scanner

Download the Angry IP Scanner for your operating system:
Windows, Mac or Linux.

See below the Angry IP Scanner website. Make sure you have Java installed and
download the correct version for your computer.

STEP 2 - Install the Angry IP Scanner

The installation is very simple: you just need to run the setup file and follow the
instructions as shown in the images below:

Click Next
Click Install
Click Finish

STEP 3 - Configure the Angry IP Scanner ports and fetcher

To be able to find the information we are looking for to hack IP cameras, it is
necessary to configure the Angry IP Scanner ports and fetchers so it can display
the right information. See the picture below for the configuration.

Configure the ports 80, 23, 8080, 8081 and 8082, which are the ones most used by
people who install IP cameras and leave them available on the Internet.

Configure the fetchers to display the Web Detect information, which shows
some device information that is useful for finding out who the manufacturer is.

To hack a CCTV camera, it is really necessary to have such basic information.

Go to Tools and click on Fetchers to open the configuration window.

Select the Web Detect fetcher on the right side and click the arrow to move it to
the left side so it can be displayed in the software main page.

STEP 4 - Choose the IP port range to scan

To hack a CCTV camera, it is first necessary to find one that is available on the
Internet, so you need to choose an IP address range to scan with the Angry IP
Scanner. See the picture below, where a range of IP addresses was scanned.

You can use the IP range from your country or service provider; in the example
above I used the range from xx.242.10.0 to xx.242.10.255. Note that you can fill in
the first part of the IP range and choose /24 or /16, for example, to let the
software find the range for you with 254 or 65,534 hosts respectively.

For privacy reasons the first part of the IP is not shown. After only a few scans it's
possible to find two Hikvision DVRs that are online on the Internet. I know that
because of the Web Detect information that shows DNVRS-Webs.

The scan can be done for thousands of IP addresses, so it's quite common to find
a lot of IP cameras, DVRs and NVRs that are connected to the Internet.

After finding an IP camera or DVR online you just need to right-click and choose to
open it in a web browser, just as shown in the picture below.

In this case the device is a Hikvision DVR and you can just try to use the default
user and password: "admin/12345", found in the Hikvision manual.

Note the manufacturer name (Hikvision) underneath the login screen.
Sometimes you see a big logo and sometimes a small text just like this one.

Did you get the idea? To hack a CCTV camera you just need to use a tool to scan
the Internet, find an online device and try the default password you can get from
the manufacturer manual or from an IP camera default password list.

Below is the image from the DVR after logging in with the admin/12345 credentials.

Hikvision hacked DVR

It's easier to show an example with this manufacturer (Hikvision) because there are a
lot of their devices around the world, but the process also works with other
brands as long as you can see the Web Detect information and try to use the
default admin/password credentials to hack the CCTV camera.

Hack CCTV camera process details

If you want extra information about how CCTV camera hacking
works, just keep reading. It's important to understand the process so you can
protect yourself against hackers trying to get into your IP security camera.

How CCTV camera hacking works (diagram)

The network scanner (Angry IP Scanner) is used to retrieve information from the
router that is on the Internet, just as shown in the picture below:

How to hack CCTV camera (diagram)

Be aware that this process is something natural: the router doesn't need to hide
the information and will respond with the services that are available.

We can compare the process with a regular store: the owner doesn't hide where
the location is or what services are available, so people can come and use them.
The owner just will not make the store key available to the public.

3. Hack CCTV camera using Shodan

This technique to hack a CCTV camera is very similar to the last one, but you don't
need to install software to scan the network; this process has already been
done for you and you just need to try the login credentials.

Shodan is a web service that shows Internet devices around the world,
including security IP cameras, DVRs and NVRs.

You just need to type the brand of an IP camera or the manufacturer name
and Shodan will show you a lot of information, which includes the number of
devices around the world, the location, IP and open ports.

Take a look at the picture below and see how much information is available.

If you create a free account on the site, Shodan lets you filter the information.
See below an example where the information is filtered by country (Brazil), and
take a look at the details, which include the number of cameras per city (São
Paulo) and even the ISP (Vivo).

Shodan shows the details about the IP device

To see the IP device details just click on the details link and a new window will
open to show all the information about the CCTV camera you want to hack.

Details about the device location and owner

The details window shows the device IP and even the organization name.

Details about the device ports

As we saw before, each IP device on the Internet has an IP and also some
services available on specific ports. Shodan can show this information
very clearly, as shown in the picture below.

After seeing the details, you just need to use a web browser to type the device
IP and port and try to use the default user and password just as described earlier
in this article. See the picture below.

For this camera I just typed the IP and port like this: XX.226.219.250:88

If you are lucky and the IP camera (or DVR) password has never been changed,
you will be able to log in by typing the default device password.

4. Hack CCTV camera using exploit tool (software)

So you want to hack a CCTV camera but the default username and password were
changed by somebody; in that case you can use a CCTV camera exploit tool.

When an IP device has some security problem, hackers can create exploit tools
to automate the hacking process. That also happens with IP cameras.

The Hikvision IP camera security flaw

In March 2017 a security flaw was discovered in Hikvision IP cameras that allows
direct access to device information such as model, serial number, firmware
version, and users.

The problem was reported to Hikvision on March 6, 2017, which promptly
investigated the problem and admitted the existence of the failure.

Five days later Hikvision released a fix for the problem, but cameras that are
using the old firmware will still be vulnerable to this security flaw.

How the IP camera exploit works

Just as an example, I will talk about a piece of software created to exploit the security
vulnerability in Hikvision IP cameras that are using specific old firmware.

The Hikvision IP camera exploit tool

The Hikvision IP camera exploit is very easy to use: as shown in the diagram
above, you just need to run it on a computer or laptop to explore and hack
a CCTV camera that is online on the Internet or in your local network.

Obviously, you need the IP camera information to be able to configure the
software properly, and I strongly recommend that you use this tool on the
Hikvision IP cameras you own or are authorized to run security tests on.
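
From the defender's side, the weaknesses this article walks through (Internet-reachable ports, factory-default passwords, and Hikvision firmware older than the March 2017 fix) can be checked against your own equipment list. The Python below is an added example, not part of the original article; the `Device` and `Forward` records, the finding names and the sample data are hypothetical, and comparing a firmware build date with the fix date is an assumed simplification.

```python
from dataclasses import dataclass
from datetime import date
# Ports the article names as most often left open for cameras and recorders.
COMMON_CAMERA_PORTS = {80, 23, 8080, 8081, 8082}
# Derived from the article's dates: reported 6 March 2017, fixed five days later.
HIKVISION_FIX_DATE = date(2017, 3, 11)

@dataclass
class Device:  # hypothetical inventory record
    name: str
    lan_ip: str
    vendor: str
    firmware_date: date  # assumption: build date is known
    password_changed: bool

@dataclass
class Forward:  # hypothetical router port-forwarding rule
    wan_port: int
    lan_ip: str
    lan_port: int

def audit(devices, forwards):
    """Return {device name: sorted findings} for every device with an issue."""
    report = {}
    for dev in devices:
        rules = [f for f in forwards if f.lan_ip == dev.lan_ip]
        findings = set()
        if rules:  # any forward is reachable, whatever port number it uses
            findings.add("internet-exposed")
        if any(f.wan_port in COMMON_CAMERA_PORTS for f in rules):
            findings.add("on-commonly-scanned-port")
        if any(f.lan_port == 23 for f in rules):  # 23 is Telnet
            findings.add("telnet-forwarded")
        if not dev.password_changed:
            findings.add("factory-default-password")
        if dev.vendor.lower() == "hikvision" and dev.firmware_date < HIKVISION_FIX_DATE:
            findings.add("firmware-predates-2017-fix")
        if findings:
            report[dev.name] = sorted(findings)
    return report

# Constructed sample inventory and router rules (not from the article).
DEVICES = [Device("lobby-dvr", "192.168.1.20", "Hikvision", date(2016, 8, 1), False),
           Device("dock-cam", "192.168.1.21", "Hikvision", date(2018, 5, 3), True),
           Device("yard-cam", "192.168.1.22", "OtherVendor", date(2015, 1, 9), True)]
FORWARDS = [Forward(8080, "192.168.1.20", 80), Forward(88, "192.168.1.21", 80),
            Forward(2323, "192.168.1.22", 23)]
if __name__ == "__main__":
    print(audit(DEVICES, FORWARDS))
```

A device with no forwarding rule, a changed password and post-fix firmware does not appear in the report at all; moving a forward to an unusual port (88 or 2323 here) still leaves the device flagged as internet-exposed.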
