How to detect IP cameras

Is it possible to detect surveillance cameras (CCTV, DVR, NVR, ANPR, Dome Camera, IP cameras, body cameras)?

If a camera uses Wi-Fi, then its MAC address is visible to everyone. If you compare this MAC with the database of camera manufacturers, you can identify this camera.

If a camera does not use Wi-Fi, but uses a wired network, then it can be detected only if you are connected to the same network (for example, to the network of a hotel, airport, etc.).

If the device does not use a wired or wireless network, then the methods described below cannot detect such a device. That is, for example, DVRs cannot be found in this way.

For Wi-Fi devices, MAC addresses can be collected using Airodump-ng, for devices on the network to which we are connected, MAC addresses can be obtained using Nmap. But we need a database of surveillance/hidden camera manufacturers, and cameras in general.

Related article: How to lookup MAC-address to find device manufacturer in Kali Linux

MAC address database of all hidden cameras

I have not found any database of camera manufacturers' MAC addresses other than small lists put together by enthusiasts. Maybe it would be good for a starting point, but still not that I wish.

I found a site that lists manufacturers of specialized equipment: https://directory.ifsecglobal.com/video-surveillance-code004812.html. I do not know if these lists are relevant or not, complete or incomplete, but they are quite large and there are all manufacturers mentioned by enthusiasts (and those that are not on the site, I did not find them in the OUI list containing the MAC addresses of all device manufacturers).

The correct manufacturer name can be easily matched to the MAC database, so we just need to collect the vendor names – this is perfect for our purpose of finding surveillance/hidden cameras.

Create a vendors.sh file:

gedit vendors.sh

Copy the following code into it:

Run like this:

bash ./vendors.sh

This will create a vendors.txt file.

Statistics:

Total vendors in the list: 1665
Unique vendors in the list: 680

In total, 680 unique manufacturers were found – this is quite a lot. If you know other lists or databases, then write in the comments – we can use them or add data from them. I do not know if “no name” got here. On AliExpress, surveillance cameras are sold without a name on the case, without mentioning the manufacturer in the instructions and without mentioning it on the box (because there is no box). If you have MAC addresses of such “no name”, then write them in the comments, we can add them to the script to improve coverage.

You can also browse the list of vendors.txt and remove entries that you think are unnecessary. For example, I noticed that a lot of possible false positives are caused by “HUAWEI TECHNOLOGIES CO.,LTD”, since this company also makes mobile phones (but they do surveillance cameras as well: https://www.google.com/search?q=HUAWEI+CCTV&tbm=isch).

Wi-Fi hidden camera scanner by MAC address

Now that we have a database of hidden camera manufacturers, we need to collect MAC addresses in the neighborhood.

I will use the tried and tested method described in the article “How to detect all Wi-Fi devices in the area?

The following are the commands to start collecting information. If you do not understand something about them, then refer to the article to which the link is given.

To parse the .csv file, you need airodump-ng to create it. To do this, we set the wireless card to monitor mode. I always start with the following two commands so that no processes get in the way:

sudo systemctl stop NetworkManager
sudo airmon-ng check kill

After that I set the Wi-Fi card into monitor mode:

sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up

Now we run airodump-ng with the following command:

sudo airodump-ng --berlin 60000 -w /tmp/test wlan0

If you are also interested in the 5 GHz band and if your wireless card supports it, then you can use this command:

sudo airodump-ng --channel 1-13,36-165 --berlin 60000 -w /tmp/test wlan0

I saved collected information to the file /home/mial/cameras-01.csv, I got 1600 lines there, of course, we won't analyze it manually:

cat /home/mial/cameras-01.csv | wc -l
1600

In general, we can use the script from the article “How to detect all Wi-Fi devices in the area?”, Simply adding to it a check against the database of camera manufacturers. And this is exactly what we will do, but later. The point is that the script works slowly with numerous entries.

Therefore, first we will use a lighter script that will simply check if there is a surveillance camera around. And if they are, then you can run a heavier script to analyze which Access Points they are connected to.

Create fc.sh file:

gedit fc.sh

Copy the following code into it:

Run like this:

bash ./fc.sh /PATH/TO/FILE.csv

If the file that I got from airodump-ng is located at /tmp/test-01.csv then my command is as follows:

bash fc.sh /tmp/test-01.csv

We also need a file with a database of MAC addresses and their respective manufacturers, download it to the same directory where you placed the fc.sh file – you need to download this file before running fc.sh and all other scripts from this article:

wget http://standards-oui.ieee.org/oui/oui.txt

We fix the downloaded file, because it uses a DOS/Windows line break, and this leads to the problems, without this fix, the grep program could not find the line, even if it matches the pattern:

dos2unix -i oui.txt

The script, using a database that maps manufacturers to their assigned MAC addresses (oui.txt), will determine the vendor name for each collected MAC address and then check if this vendor is present in the list of surveillance camera manufacturers.

The script will show the MAC address and manufacturer names for all potential cameras. If the script showed nothing, then nothing was found.

Remember that some vendors produce not only surveillance cameras, but also a variety of other electronics (HUAWEI, Sony, Bosch), therefore, “false positives” are very likely – devices can be assigned to “surveillance cameras”, but actually they are not (for example, mobile HUAWEI phones). That is, if something was found, or even if the script brought up a dozen devices, this does not mean that these are all cameras. First of all, pay attention to the manufacturer – quite often they are popular phone manufacturers.

If you find something interesting, then you can use a script that shows which Access Points all devices are connected to.

Create findcameras.sh file:

gedit findcameras.sh

Copy the following code into it:

Run like this:

bash findcameras.sh /PATH/TO/FILE.csv

For example:

bash findcameras.sh /tmp/test-01.csv

If you look closely, you can see that this is the wfw.sh script from the article about finding all Wi-Fi devices around you, but a check has been added to it against the list of surveillance camera manufacturers.

This script, like the previous one, requires both oui.txt and vendors.txt files.

Hand Held Products Inc makes both thermal cameras and various barcode scanners, etc. - it can be any of these devices, since this is a store's AP.

Wistron Neweb Corporation makes a variety of electronics, including Security IP Camera.

Instead of connecting via Wi-Fi, cameras can use a wired network – such cameras will not be included in the list.

Searching for surveillance cameras in the local network

This method works only on networks where you can get the MAC addresses of other devices, that is, only on local networks. Scanning the Internet is useless. Examples of LANs that we often connect to are public Wi-Fi hotspots at airports, hotels, restaurants, public transport, etc.).

Create fcl.sh file:

gedit fcl.sh

Copy the following code into it:

Run like this (Nmap requires root privileges):

sudo bash fcl.sh NET/MASK

For example:

sudo bash ./fcl.sh 192.168.0.0/24

If devices with MAC addresses of surveillance camera manufacturers are found, they will be shown.

If nothing is shown, then nothing was found.

If at least one camera is found, another Nmap scan will be launched – more aggressive, with full output of the results so that you can see the IP of the device, which may be a camera, as well as with an attempt to determine the version of the OS and services – this can help with identifying the camera.

Fragment of output from additional scan:

|_http-title: NETSurveillance WEB
554/tcp  open  rtsp    H264DVR rtspd 1.0
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, GET_PARAMETER, SET_PARAMETER, PLAY, PAUSE
8899/tcp open  soap    gSOAP 2.7
|_http-server-header: gSOAP/2.7

The “NETSurveillance WEB” title hints that it is a network surveillance camera. Open ports 554 and 8899 belong to RTSP and ONVIF services specific to IP cameras.

Related article: IP Camera Security Audit

Conclusion

The quality of scanning is primarily determined by the quality of the list of manufacturers of surveillance cameras – if you know the better lists, write in the comments, I will modify the instructions and scripts.

If you have examples of MAC addresses of surveillance cameras produced by “no name” and “Unbranded”, then also write them in the comments – they can be added to scripts for additional verification by them.

See also trackerjacker and “Wi-Fi device tracking”. Using trackerjacker, you can also monitor wireless devices, for example, you can see when a Wi-Fi camera has started sending traffic – this may mean that the camera has noticed movement.

Another related article “How to perform selective jamming of Wi-Fi networks and clients (DoS attack on individual access points/clients)” (but remember that cameras usually have memory cards inside to store video).

Detecting hidden cameras by network traffic characteristics

When I already wrote this article and googled “mac addresses of hidden cameras” to find at least something about “Unbranded”, because hidden cameras are usually produced either without a brand at all, or under random names that are absent from the OUI, I stumbled upon a study “Detecting Hidden Wireless Cameras through Network Traffic Analysis”. They were able to find patterns in the traffic characteristics of hidden cameras, although they did not share either the code or MAC addresses. Nevertheless, it may be interesting for someone to read it and push on new ideas.

Recommended for you:

Leave a Reply

Your email address will not be published.