Camtruder is a high-performance RTSP camera discovery and vulnerability assessment tool written in Go. It efficiently scans and identifies vulnerable RTSP cameras across networks using various authentication methods and path combinations, with support for both targeted and internet-wide scanning capabilities.
- Screenshot Capability
  - Configurable output directory
- Location-Based Search
  - Raw output mode for scripting
- Comprehensive Authentication Testing
  - Credential validation system
- Smart Path Discovery
  - Automatic path validation
- High Performance Architecture
  - Parallel connection handling
- Advanced Output & Analysis
  - Raw CIDR output for integration with other tools
```bash
go install github.com/ALW1EZ/camtruder@v3.7.0
```

Or build from source:

```bash
git clone https://github.com/ALW1EZ/camtruder.git
cd camtruder
go build
```
```bash
# Scan a single IP
./camtruder -t 192.168.1.100

# Scan a network range
./camtruder -t 192.168.1.0/24

# Search by location with detailed output
./camtruder -t london -s
> [ NET-ISP ] [ 192.168.1.0/24 ] [256]

# Get raw CIDR ranges for location
./camtruder -t london -ss
> 192.168.1.0/24

# Scan multiple IPs from file
./camtruder -t targets.txt

# Take screenshots of discovered cameras
./camtruder -t 192.168.1.0/24 -m screenshots

# Pipe from port scanners
naabu -host 192.168.1.0/24 -p 554 | camtruder
masscan 192.168.1.0/24 -p554 --rate 1000 | awk '{print $6}' | camtruder
zmap -p554 192.168.0.0/16 | camtruder

# Internet scan (scan till 100 hits)
./camtruder -t 100

# Custom credentials with increased threads
./camtruder -t 192.168.1.0/24 -u admin,root -p pass123,admin123 -w 50

# Location search with raw output piped to zmap
./camtruder -t berlin -ss | while read range; do zmap -p 554 $range; done

# Save results to file (as full URL; you can use mpv --playlist=results.txt to watch the streams)
./camtruder -t istanbul -o results.txt

# Internet scan with limit of 50 workers and verbose output
./camtruder -t 100 -w 50 -v
```
| Option | Description | Default | 
|---|---|---|
| -t | Target IP, CIDR range, location, or file | Required | 
| -u | Custom username(s) | Built-in list | 
| -p | Custom password(s) | Built-in list | 
| -w | Number of threads | 20 | 
| -to | Connection timeout (seconds) | 5 | 
| -o | Output file path | None | 
| -v | Verbose output | False | 
| -s | Search only - shows ranges with netnames | False | 
| -ss | Raw IP range output - only CIDR ranges | False | 
| -po | RTSP port | 554 | 
| -m | Directory to save screenshots (requires ffmpeg) | None | 
Location search (`-s`) output:

```text
[ TR-NET-ISP ] [ 193.3.52.0/24 ] [256]
[ EXAMPLE-ISP ] [ 212.175.100.136/29 ] [8]
```

Raw range (`-ss`) output:

```text
193.3.52.0/24
212.175.100.136/29
```

Result block for a discovered camera:

```text
╭─ Found vulnerable camera [Hikvision, H264, 30fps]
│ Host      : 192.168.1.100:554
│ Geo       : United States/California/Berkeley
│ Auth      : admin:12345
│ Path      : /Streaming/Channels/1
╰─ URL       : rtsp://admin:12345@192.168.1.100:554/Streaming/Channels/1
```
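As an added example (not part of camtruder itself), the following Python parses the result blocks shown above into a remediation inventory for the team that owns the cameras: host, model, location, path and username are kept, the password is stripped from the URL so the list can be shared, and findings whose password is identical to the username are flagged. The sample output is constructed in the block format above and is not real scan data.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the result-block format camtruder prints (not real scan data).
SAMPLE_OUTPUT = """\
╭─ Found vulnerable camera [Hikvision, H264, 30fps]
│ Host      : 192.168.1.100:554
│ Geo       : United States/California/Berkeley
│ Auth      : admin:12345
│ Path      : /Streaming/Channels/1
╰─ URL       : rtsp://admin:12345@192.168.1.100:554/Streaming/Channels/1
╭─ Found vulnerable camera [Dahua, H265, 25fps]
│ Host      : 192.168.1.101:554
│ Geo       : Germany/Berlin/Berlin
│ Auth      : root:root
│ Path      : /cam/realmonitor
╰─ URL       : rtsp://root:root@192.168.1.101:554/cam/realmonitor
"""

HEADER_RE = re.compile(r"Found vulnerable camera \[(?P<info>[^\]]*)\]")
FIELD_RE = re.compile(r"^[│╰╭─\s]*(?P<key>Host|Geo|Auth|Path|URL)\s*:\s*(?P<val>.+?)\s*$")

def redact(url: str) -> str:
    """Drop the user:pass@ part of an rtsp:// URL so the inventory can be shared."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))

def parse_findings(text: str) -> list:
    """One dict per camera: host, model, geo, user, path, redacted URL and a
    weak-credential flag (password identical to the username)."""
    findings, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:                                   # first line of a block
            cur = {"model": h.group("info").split(",")[0].strip()}
            continue
        f = FIELD_RE.match(line)
        if cur is None or not f:
            continue
        cur[f.group("key").lower()] = f.group("val")
        if f.group("key") == "URL":             # last line of a block
            user, _, password = cur.pop("auth").partition(":")
            cur.update(user=user, url=redact(cur["url"]), password_equals_user=(password == user))
            findings.append(cur)
            cur = None
    return findings
```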
This tool is intended for security research and authorized testing only. Users are responsible for ensuring they have permission to scan target systems and comply with all applicable laws and regulations.
This project is licensed under the MIT License - see the LICENSE file for details.
Made by @ALW1EZ
Evade EDRs the simple way, by not touching any of the APIs they hook.
I've noticed that most EDRs fail to scan scripting files, treating them merely as text files. While this might be unfortunate for them, it's an opportunity for us to profit.
Flashy methods like residing in memory or thread injection are heavily monitored. Without a binary signed by a valid Certificate Authority, execution is nearly impossible.
Enter BYOSI (Bring Your Own Scripting Interpreter). Every scripting interpreter is signed by its creator, with each certificate being valid. Testing in a live environment revealed surprising results: a highly signatured PHP script from this repository not only ran on systems monitored by CrowdStrike and Trellix but also established an external connection without triggering any EDR detections. EDRs typically overlook script files, focusing instead on binaries for implant delivery. They're configured to detect high entropy or suspicious sections in binaries, not simple scripts.
This attack method capitalizes on that oversight for significant profit. The PowerShell script's steps mirror what a developer might do when first entering an environment. Remarkably, just four lines of PowerShell code completely evade EDR detection, with Defender/AMSI also blind to it. Adding to the effectiveness, GitHub serves as a trusted deployer.
The PowerShell script achieves EDR/AV evasion through four simple steps (technically 3):
1.) It fetches the PHP archive for Windows and extracts it into a new directory named 'php' within 'C:\Temp'.
2.) The script then proceeds to acquire the implant PHP script or shell, saving it in the same 'C:\Temp\php' directory.
3.) Following this, it executes the implant or shell, utilizing the whitelisted PHP binary (which exempts the binary from most restrictions in place that would prevent the binary from running to begin with.)
With these actions completed, congratulations: you now have an active shell on a CrowdStrike-monitored system. What's particularly amusing is that, if my memory serves me correctly, Sentinel One is unable to scan PHP file types. So, feel free to let your imagination run wild.
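Seen from the defending side, the three steps above leave a distinctive shape in process telemetry even though no hooked API is touched: a vendor-signed scripting interpreter running from a user-writable directory such as C:\Temp\php, that interpreter spawned by PowerShell, and the staged interpreter then opening an outbound connection. The following Python is an added detection example, not part of the BYOSI write-up or its script; the interpreter list, staging directories and Sysmon-style events are constructed assumptions to be tuned per environment.

```python
import ntpath

# Scripting interpreters that ship validly signed by their vendor and so pass
# signature-based allow-listing; the write-up uses php.exe, the rest are analogous.
INTERPRETERS = {"php.exe", "python.exe", "node.exe", "ruby.exe", "perl.exe"}
# User-writable staging locations (assumed list, tune per environment); an installed
# interpreter normally lives under its own install root or Program Files, not here.
STAGING_DIRS = ("c:\\temp\\", "c:\\windows\\temp\\", "c:\\users\\public\\")
SHELLS = {"powershell.exe", "pwsh.exe"}

def is_staged_interpreter(image: str) -> bool:
    """True if the executable is a known interpreter running from a staging directory."""
    image = image.lower()
    return ntpath.basename(image) in INTERPRETERS and image.startswith(STAGING_DIRS)

def classify(event: dict) -> list:
    """Suspicious traits of one Sysmon-style event (ID 1 process create, ID 3 network)."""
    traits = []
    staged = is_staged_interpreter(event["Image"])
    if event["EventID"] == 1:
        parent = ntpath.basename(event.get("ParentImage", "").lower())
        if staged:
            traits.append("interpreter launched from user-writable path")
        if ntpath.basename(event["Image"].lower()) in INTERPRETERS and parent in SHELLS:
            traits.append("interpreter spawned by PowerShell")
    elif event["EventID"] == 3 and staged:
        traits.append("outbound connection from staged interpreter")
    return traits

# Constructed events, not real telemetry: the first two mirror steps 1-3 of the
# write-up, the last two are a developer running an installed PHP and an SSH client.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Temp\php\php.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "Image": r"C:\Temp\php\php.exe", "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "Image": r"C:\php\php.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Git\usr\bin\ssh.exe", "DestinationIp": "203.0.113.11"},
]

def alerts(events: list) -> list:
    """(image, traits) pairs for the events worth a human look."""
    return [(e["Image"], t) for e in events if (t := classify(e))]
```

Blocking the interpreter from writable paths with an application-control policy, rather than only alerting, removes the whole class rather than this one script.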
I am in no way responsible for the misuse of this. This issue is a major blind spot in EDR protection; I am only bringing it to everyone's attention.
A big thanks to @im4x5yn74x for affectionately giving it the name BYOSI, and helping with the env to test in bringing this attack method to life.
It appears as though MS Defender is now flagging the PHP script as malicious, but still allowing the PowerShell script full execution. So, modify the PHP script.
Hello Sentinel One :) You might want to make sure that you are making links, not embeds.
A vulnerable application made using Node.js, the Express server and the EJS template engine. This application is meant for educational purposes only.

```bash
git clone https://github.com/4auvar/VulnNodeApp.git
npm install
```
```sql
CREATE USER 'vulnnodeapp'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE vuln_node_app_db;
GRANT ALL PRIVILEGES ON vuln_node_app_db.* TO 'vulnnodeapp'@'localhost';
USE vuln_node_app_db;

CREATE TABLE users (
  id INT AUTO_INCREMENT PRIMARY KEY,
  fullname VARCHAR(255),
  username VARCHAR(255),
  password VARCHAR(255),
  email VARCHAR(255),
  phone VARCHAR(255),
  profilepic VARCHAR(255)
);

INSERT INTO users (fullname, username, password, email, phone) VALUES ("test1", "test1", "test1", "test1@test.com", "976543210");
INSERT INTO users (fullname, username, password, email, phone) VALUES ("test2", "test2", "test2", "test2@test.com", "9887987541");
INSERT INTO users (fullname, username, password, email, phone) VALUES ("test3", "test3", "test3", "test3@test.com", "9876987611");
INSERT INTO users (fullname, username, password, email, phone) VALUES ("test4", "test4", "test4", "test4@test.com", "9123459876");
INSERT INTO users (fullname, username, password, email, phone) VALUES ("test5", "test5", "test   5", "test5@test.com", "7893451230");
```

```bash
npm start
```
You can reach me at @4auvar.