RTSP Pentesting

Default Port: 554

RTSP (Real-Time Streaming Protocol) is a network protocol used to control multimedia streams such as audio and video. RTSP is commonly used for controlling live streams in devices like IP cameras and media servers.

Connect

Connecting to an RTSP Service

Various tools can be used to connect to an RTSP service. For example, VLC Media Player or FFmpeg are commonly used.

To connect to an RTSP service with VLC, follow these steps:

  • Open VLC Media Player.
  • From the Media menu, select Open Network Stream.
  • Enter the RTSP URL in the following format:
rtsp://<username>:<password>@<IP-address>:554/<path>

To connect to an RTSP stream using FFmpeg, use this command:

ffmpeg -i rtsp://<username>:<password>@<IP-address>:554/<path>

Capturing RTSP Streams

To capture an RTSP stream, tools like Wireshark can be used to monitor the network traffic. You can filter RTSP traffic on port 554 in Wireshark using this filter:

tcp.port == 554

Recon

Identifying an RTSP Service

You can use Nmap to identify an RTSP service running on a target. To discover services running on port 554, use the following command:

nmap -p 554 X.X.X.X

This command checks whether port 554, the default RTSP port, is open on the target device.

Netcat or Telnet can be used to grab banners from the RTSP service, which can reveal important information about the service. After connecting, type the request and finish it with an empty line:

nc -nv X.X.X.X 554
OPTIONS rtsp://X.X.X.X/ RTSP/1.0
CSeq: 1

The response lists the methods the server supports and usually identifies the server software, which helps in assessing potential vulnerabilities.

Enumeration

Enumerating RTSP Capabilities

Once connected to the RTSP service, you can use supported commands to learn about the media files and capabilities. For example, the DESCRIBE command helps retrieve information about the available streams:

OPTIONS rtsp://<IP-address>:554/ RTSP/1.0
CSeq: 1

DESCRIBE rtsp://<IP-address>:554/<path> RTSP/1.0
CSeq: 2

The DESCRIBE response reveals details such as media file formats, codecs, and resolutions available in the stream.

Attack Vectors

Credential Brute-Forcing

Brute-forcing login credentials of an RTSP service can be done with tools like Hydra:

hydra -l <username> -P /path/to/passwords.txt <IP-address> rtsp

This command performs a brute-force attack against the RTSP service to find weak credentials.

Exploiting Misconfigurations

RTSP services may be misconfigured, allowing access without authentication. If such a misconfiguration is found, access to streams can be gained directly:

ffmpeg -i rtsp://<IP-address>:554/<path>

If no authentication is required, the stream can be accessed and data can be extracted easily.
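
An added example, not part of the original page: a Python parser that turns the replies to the OPTIONS and DESCRIBE requests from the Enumeration section into an audit result for your own cameras, flagging a DESCRIBE answered without authentication (the misconfiguration described above) and servers that offer only Basic auth. The sample responses, the ExampleCam banner and the function names are constructed for illustration.

```python
# Added example: classify RTSP responses captured from your own devices.
# Sample responses below are constructed, not taken from a real server.

def parse_response(raw: str) -> dict:
    """Split an RTSP/1.0 response into status code, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("RTSP/"):
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive; keep every value
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"code": int(code), "headers": headers, "body": body}


def audit(raw: str) -> dict:
    """Report banner, advertised methods and the auth posture of one response."""
    r = parse_response(raw)
    h = r["headers"]
    schemes = sorted({v.split(" ", 1)[0].lower() for v in h.get("www-authenticate", [])})
    if r["code"] == 200 and "application/sdp" in h.get("content-type", [""])[0].lower():
        finding = "stream description served without authentication"
    elif r["code"] == 401 and schemes == ["basic"]:
        finding = "Basic auth only: password is base64 on the wire"
    elif r["code"] == 401:
        finding = "authentication required"
    else:
        finding = "no auth finding"
    methods = [m.strip() for v in h.get("public", []) for m in v.split(",")]
    return {"code": r["code"], "server": h.get("server", [None])[0],
            "methods": methods, "auth_schemes": schemes, "finding": finding}


# Constructed samples: OPTIONS reply, open DESCRIBE reply, protected DESCRIBE reply.
OPTIONS_OK = ("RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: ExampleCam/1.0\r\n"
              "Public: OPTIONS, DESCRIBE, SETUP, PLAY, TEARDOWN\r\n\r\n")
DESCRIBE_OPEN = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
                 "Content-Length: 27\r\n\r\nv=0\r\nm=video 0 RTP/AVP 96\r\n")
DESCRIBE_BASIC = ("RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
                  'WWW-Authenticate: Basic realm="cam"\r\n\r\n')

if __name__ == "__main__":
    for sample in (OPTIONS_OK, DESCRIBE_OPEN, DESCRIBE_BASIC):
        print(audit(sample))
```

A 401 that offers Digest falls into the plain "authentication required" case; a 200 with an SDP body is the result to fix on the device.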

Unauthorized Stream Access

Some RTSP servers may allow unauthorized users to access live streams due to poor configuration. Once such a vulnerability is identified, you can use a media player or FFmpeg to access the live stream without credentials.

Post-Exploitation

Capturing and Saving Media Streams

Once connected to the RTSP service, media streams can be captured and saved locally. To save an RTSP stream to a file using FFmpeg, use this command:

ffmpeg -i rtsp://<username>:<password>@<IP-address>:554/<path> -c copy output.mp4

This command saves the RTSP stream to output.mp4.

Persistent Access

For persistent access, the configuration files or authentication mechanisms of the IP camera or media server can be altered. By modifying configurations, you could potentially maintain continuous access to the RTSP stream.

Covering Tracks

Clearing log files and command history is crucial in post-exploitation. If logs are being kept by the server, they can be cleared using appropriate commands:

rsh <remote-server-ip> -l <username> echo "" > /var/log/rtsp.log
rsh <remote-server-ip> -l <username> history -c

These commands clear the RTSP log and wipe the shell command history, helping to cover tracks.