Hacking RTSP (Pwning RTSP)

A.R Maheer
4 min readSep 8, 2022

--

REAL TIME STREAMING PROTOCOL

RTSP Known as Real time Streaming Protocol, It’s based on http protocol, and commonly used for streaming media content. This protocol doesn’t directly deal with streaming content but it uses RTP (Real-time Transport Protocol). It uses some basic security mechanism coming from HTTP to perform communication between two entities. Because of its HTTP Background it’s commonly vulnerable to some basic http based attack, in this document we will describe how we can get inside a RTSP and take a real time snapshot of that stream. Basically our target here is WEBCAM. We will capture some snapshot of those publicly accessible RSTP which are using Basic Auth, Default Route, No Auth. RTSP commonly uses 554/TCP port to communicate.

RTSP ACTION DIAGRAM:

Disclaimer: -

Every Demonstration shown on this document is for Educational Purposes only, either me or the System00 Security Team is not responsible for misuse of this research.

Main Phase:

Final idea comes from shodan, recently i saw threat intel platform like shodan, criminalip collects snapshot of cctv camera, on response part i saw something like the image below.

So my brain was analyzing how the threat intel platform collects snapshots of cctv/webcam. In the executive summary I described it’s based on http protocol but used to stream media, as it’s based on http protocol it uses some common and similar authentication system like http protocol. Example : Basic HTTP Authorization, Basic Session management sometimes it allows users to capture the stream without any authorization. It’s commonly vulnerable to some known attacks and attackers can use those to get inside the stream and capture media from it.

We can communicate with rtsp using a schema like rtsp://ip:port/route_if_any , lets see an example how we can communicate with rtsp protocol using a linux utility named CURL. Lets see an example Request how we can communicate with rtsp.

curl -i -X OPTIONS rtsp://77.238.150.161:554/stream1 RTSP/1.1

A valid RTSP response should look like below:

We can get into a RTSP stream using these 2 types of attack.

  • Route Bruteforce
  • Basic Authorization using RTSP Header/GET parameter (Authentication based on know credentials)

Route Bruteforce:

Basically RTSP uses a default/common sometime uncommon route to stream media content. Sometimes that route doesn’t require any credentials, if somehow we found the route by bruteforcing with a common route wordlist we can get access to the stream.

For that we can use common wordlist like https://github.com/nmap/nmap/blob/master/nselib/data/rtsp-urls.txt

We can write a bash script for that or we can use python to automate the full process.

Basic Authorization using RTSP Header/GET parameter:

Basic http like authorization using header example Authorization: Basic YWRtaW46MTIzNA== (base64 of admin:1234) or we can send the basic authentication credential through get parameter user=admin&password=&channel=1&stream=0.sdp.

Or we can combine the route bruteforce and default credential process, sometimes we have to input credentials in traditional RTSP Method. rtsp://admin@password:127.0.0.1:554

There is a script already built with the full attack process we described. RTSP BRUTE. (sudo pip3 install rtspbrute)

We can use shodan to collect ip, and test if we really can pwn the rtsp of a webcam.

We can download the result from shodan and input that into rtsp brute, to bruteforce route and credential fast and automatically. It will save the result in the result folder, by clicking index.html we can see those collected screenshots

.

Result.txt file contains all the pwned rtsp streams, we can see the stream live using vlc media player.

VLC>MEDIA>Open Network Stream and input the rtsp:// url.

This document was based on pure research, the research is older than 1.2 year, but I decided to publish it now. Before the rtsp brute script i have written my own script to find those vulnerable rtsp servers. For some security reason I am unable to publish it.

About Me:

Joy Ghosh (0xjoyghosh@gmail.com)

Director of a small open cybersecurity research center System00 Security

Passionate Cyber Security Researcher , Focused on Web-application, IOT and Threat Intel

https://twitter.com/0xjoyghosh

--

--