Hacktricks-skills rtsp-pentesting

How to enumerate and test RTSP (Real Time Streaming Protocol) services on ports 554/8554. Use this skill whenever you need to assess RTSP cameras, streaming servers, or media services, check for authentication vulnerabilities, enumerate RTSP endpoints, or access video streams. Trigger this for any RTSP-related security testing, camera pentesting, or streaming service assessment, even if the user doesn't explicitly mention RTSP but describes testing IP cameras, surveillance systems, or video streaming services.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/554-8554-pentesting-rtsp/SKILL.MD

RTSP Pentesting

A skill for testing Real Time Streaming Protocol (RTSP) services, commonly used by IP cameras and streaming media servers.

What is RTSP?

RTSP is a network control protocol for controlling streaming media servers. It uses VHS-style commands (play, record, pause) to control media sessions. The actual media transmission typically uses RTP/RTCP, though some vendors use proprietary protocols.

Default ports: 554/tcp, 8554/tcp

Quick Start

If you have a target IP and want to test RTSP immediately:

# Quick enumeration
nmap -sV --script "rtsp-*" -p 554,8554 <TARGET_IP>

# Test with our script
python scripts/test-rtsp-auth.py <TARGET_IP> 554

Enumeration

Nmap Scripts

Use Nmap's RTSP-specific scripts to enumerate services:

# Basic RTSP enumeration
nmap -sV --script "rtsp-*" -p 554,8554 <TARGET_IP>

# Version detection only (no RTSP scripts)
nmap -sV -p 554,8554 <TARGET_IP>

Manual RTSP Requests

RTSP is similar to HTTP. Send a DESCRIBE request to check access:

# Unauthenticated test
echo -e "DESCRIBE rtsp://<IP>:<PORT>/ RTSP/1.0\r\nCSeq: 1\r\n\r\n" | nc <IP> <PORT>

Response codes:

  • 200 OK - Unauthenticated access granted
  • 401 Unauthorized - Authentication required (check the WWW-Authenticate header for Basic or Digest)

Authentication Testing

Basic Authentication

For Basic auth, encode credentials in base64:

# Example: admin:1234
# Base64: YWRtaW46MTIzNA==

echo -e "DESCRIBE rtsp://<IP>:<PORT>/ RTSP/1.0\r\nCSeq: 1\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n" | nc <IP> <PORT>
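
The status and challenge checks above, as an added example that is not part of the original skill or its bundled script: it classifies a DESCRIBE response as open, Basic or Digest, and decodes a Basic credential to show it is only base64. The sample responses are constructed and the function names are hypothetical.

```python
import base64
import re

# Constructed sample DESCRIBE responses (not captured from a real device).
SAMPLE_OPEN = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"
SAMPLE_AUTH = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="cam", nonce="abc123", algorithm=MD5\r\n'
    b'www-authenticate: Basic realm="cam"\r\n\r\n'
)

def parse_rtsp_response(raw: bytes):
    """Return (status_code, [(lowercased_header_name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    m = re.match(r"RTSP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an RTSP status line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return int(m.group(1)), headers

def classify_auth(raw: bytes) -> dict:
    """Summarise what a DESCRIBE response says about access control."""
    status, headers = parse_rtsp_response(raw)
    schemes = {}  # scheme name -> challenge parameters (realm, nonce, ...)
    for name, value in headers:
        if name == "www-authenticate":
            scheme, _, params = value.partition(" ")
            schemes[scheme.lower()] = dict(re.findall(r'(\w+)="?([^",]*)"?', params))
    if status == 200:
        finding = "open: stream description served without credentials"
    elif status == 401 and "basic" in schemes:
        finding = "basic offered: credentials travel as reversible base64"
    elif status == 401 and "digest" in schemes:
        finding = "digest only: password is hashed with the server nonce"
    else:
        finding = "status %d: no conclusion" % status
    return {"status": status, "schemes": schemes, "finding": finding}

def decode_basic(header_value: str) -> str:
    """Decode a Basic Authorization value: it is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(token).decode("utf-8")
```

A server that offers Basic alongside Digest is reported as Basic, because a client may pick the weaker scheme.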

Using the Test Script

The bundled test-rtsp-auth.py script automates authentication testing:

# Test unauthenticated access
python scripts/test-rtsp-auth.py <IP> <PORT>

# Test with credentials
python scripts/test-rtsp-auth.py <IP> <PORT> -u admin -p password

# Test with wordlist
python scripts/test-rtsp-auth.py <IP> <PORT> -w /path/to/wordlist.txt

Viewing RTSP Streams

Once you have a valid path and credentials, use ffplay to view the stream:

# Basic stream viewing
ffplay -rtsp_transport tcp rtsp://<IP>:<PORT>/<PATH>

# With a forced display size
ffplay -rtsp_transport tcp rtsp://<IP>:<PORT>/mpeg4 -x 2560 -y 1440

# Common RTSP paths to try:
# /, /live.sdp, /mpeg4, /stream1, /video, /cam1, /axis-media/media.amp

Key flags:

  • -rtsp_transport tcp - Use TCP for more reliable streaming (recommended)
  • -x, -y - Force the displayed width and height of the ffplay window

Brute Force Tools

Cameradar

Cameradar is a comprehensive RTSP testing tool:

  • Detects open RTSP hosts
  • Gets public info (hostname, port, camera model)
  • Automated dictionary attacks for stream routes
  • Automated dictionary attacks for credentials
  • Generates thumbnails for quick preview
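  • Validates streams with Gstreamer

# Run the published Docker image (Cameradar is distributed as a Go binary and Docker image)
docker run -t ullaakut/cameradar -t <IP>

# With custom route and credential dictionaries mounted into the container
docker run -t -v /path/to/dictionaries:/tmp/dictionaries ullaakut/cameradar -r /tmp/dictionaries/routes -c /tmp/dictionaries/credentials.json -t <IP>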

RTSP AuthGrinder

RTSP AuthGrinder for brute forcing:

# Usage
python rtsp_authgrinder.py -t <IP> -p <PORT> -u <users_file> -w <passwords_file>

Common RTSP Paths

Try these common stream paths:

/
/live.sdp
/mpeg4
/stream1
/video
/cam1
/axis-media/media.amp
/h264
/mjpeg
/stream
/ch00_0.h264

Common Default Credentials

Test these common defaults:

admin:admin
admin:password
admin:1234
admin:12345
admin:123456
root:root
root:password
user:user
admin:(blank)
:(blank)

Workflow Summary

  1. Enumerate - Use nmap to find RTSP services
  2. Test access - Try unauthenticated DESCRIBE request
  3. Check auth type - If 401, determine Basic vs Digest
  4. Brute force - Use cameradar or authgrinder with wordlists
  5. Access stream - Use ffplay with discovered credentials
  6. Document - Save stream URLs and credentials found

Security Considerations

  • Only test systems you have authorization to assess
  • RTSP cameras often expose sensitive video feeds
  • Document all findings for remediation
  • Consider the privacy implications of accessing video streams
