How to detect IP cameras

Is it possible to detect surveillance cameras (CCTV, DVR, NVR, ANPR, Dome Camera, IP cameras, body cameras)?

If a camera uses Wi-Fi, then its MAC address is visible to everyone. If you compare this MAC with the database of camera manufacturers, you can identify this camera.

If a camera does not use Wi-Fi, but uses a wired network, then it can be detected only if you are connected to the same network (for example, to the network of a hotel, airport, etc.).

If the device does not use a wired or wireless network, then the methods described below cannot detect such a device. That is, for example, DVRs cannot be found in this way.

For Wi-Fi devices, MAC addresses can be collected using Airodump-ng, for devices on the network to which we are connected, MAC addresses can be obtained using Nmap. But we need a database of surveillance/hidden camera manufacturers, and cameras in general.

MAC address database of all hidden cameras

I have not found any database of camera manufacturers' MAC addresses other than small lists put together by enthusiasts. Maybe it would be good for a starting point, but still not that I wish.

I found a site that lists manufacturers of specialized equipment: https://directory.ifsecglobal.com/video-surveillance-code004812.html. I do not know if these lists are relevant or not, complete or incomplete, but they are quite large and there are all manufacturers mentioned by enthusiasts (and those that are not on the site, I did not find them in the OUI list containing the MAC addresses of all device manufacturers).

The correct manufacturer name can be easily matched to the MAC database, so we just need to collect the vendor names – this is perfect for our purpose of finding surveillance/hidden cameras.

Create a vendors.sh file:

gedit vendors.sh

Copy the following code into it:

Expand

#!/bin/bash
 
TMP_FILE='/tmp/vendors.txt'
FILE='vendors.txt'

curl -s 'https://directory.ifsecglobal.com/screens-monitors-code004843.html' | grep -E 'ed-companyName' | grep -E -o '">[^/]+<' | sed 's/<//' | sed 's/">//' > $TMP_FILE

for urlpath in  cameras-code004815.html cctv-poles-and-columns-code004816.html cctv-poles-and-columns-code004816.html data-storage-solutions-code009685.html voice-video-integrated-data-systems-code004908.html dvr-code004822.html voice-video-integrated-data-storage-code004941.html nvr-code004827.html 4k-cameras-code009684.html anpr-code004813.html body-worn-cameras-code007865.html hd-quality-cameras-code007866.html low-light-level-camera-systems-code007867.html camera-housings-code004814.html internet-remote-surveillance-code004932.html cctv-monitoring-code004999.html dome-camera-code004821.html ip-cameras-code004823.html security-camera-lenses-code004824.html security-monitors-code004825.html security-screens-code007437.html ptz-camera-code004828.html switches-code004968.html remote-surveillance-code004829.html public-space-surveillance-code005012.html infrared-cameras-code007439.html thermal-imaging-code004833.html ai-machinelearning-code009668.html security-cameras-code007485.html video-surveillance-code007482.html video-surveillance-code004812.html
do
	curl -s "https://directory.ifsecglobal.com/$urlpath" | grep -E 'ed-companyName' | grep -E -o '">[^/]+<' | sed 's/<//' | sed 's/">//' >> $TMP_FILE
done 
#curl -s '' | grep -E 'ed-companyName' | grep -E -o '">[^/]+<' | sed 's/<//' | sed 's/">//' >> $TMP_FILE


for letter in {A..Z} {2..5} {7..9}
do
	curl -s "https://www.ispyconnect.com/sources.aspx?letter=$letter" | grep -E -o 'man\.aspx\?n=[^"]{1,}"' | sed 's/man.aspx?n=//' | sed 's/"//' | while read -r line ; do
grep -E "$line " vendors.txt >> $TMP_FILE
	done
done


echo 'Tenda Technology Co., Ltd.' >> $TMP_FILE #https://www.google.com/search?q=Tenda+Technology+CCTV&tbm=isch
echo 'LG Innotek' >> $TMP_FILE #https://www.google.com/search?q=LG+Innotek+CCTV&tbm=isch
echo 'Hand Held Products Inc' >> $TMP_FILE #Handheld Thermal Cameras
echo 'Wistron Neweb Corporation' >> $TMP_FILE #https://www.wnc.com.tw/index.php?action=pro_detail&id=76
echo 'HangZhou KuoHeng Technology Co.,ltd' >> $TMP_FILE #https://www.google.com/search?q=HangZhou+KuoHeng+Technology&tbm=isch
echo 'VCS Video Communication Systems AG' >> $TMP_FILE
echo 'D-Link International' >> $TMP_FILE
echo 'Cisco-Linksys, LLC' >> $TMP_FILE
echo 'ICP Internet Communication Payment AG' >> $TMP_FILE
echo 'China Dragon Technology Limited' >> $TMP_FILE
echo 'SAMSUNG TECHWIN CO.,LTD' >> $TMP_FILE
echo 'Hanwha Techwin Security Vietnam' >> $TMP_FILE
echo 'Beward R&D Co., Ltd.' >> $TMP_FILE
echo 'Lorex Technology Inc.' >> $TMP_FILE
echo 'TP-LINK TECHNOLOGIES CO.,LTD.' >> $TMP_FILE
echo 'ABUS Security-Center GmbH & Co. KG' >> $TMP_FILE
echo 'ACM Systems' >> $TMP_FILE
echo 'Aztech Electronics Pte Ltd' >> $TMP_FILE
echo 'Axium Technologies, Inc.' >> $TMP_FILE
echo 'Ace Axis Limited' >> $TMP_FILE
#echo '' >> $TMP_FILE
 
 
echo "Total vendors in the list: "`cat $TMP_FILE | wc -l`
cat $TMP_FILE | sort| uniq > $FILE
echo "Unique vendors in the list: "`cat $FILE | wc -l`

#!/bin/bash
 
TMP_FILE='/tmp/vendors.txt'
FILE='vendors.txt'

curl -s 'https://directory.ifsecglobal.com/screens-monitors-code004843.html' | grep -E 'ed-companyName' | grep -E -o '">[^/]+<' | sed 's/<//' | sed 's/">//' > $TMP_FILE

for urlpath in  cameras-code004815.html cctv-poles-and-columns-code004816.html cctv-poles-and-columns-code004816.html data-storage-solutions-code009685.html voice-video-integrated-data-systems-code004908.html dvr-code004822.html voice-video-integrated-data-storage-code004941.html nvr-code004827.html 4k-cameras-code009684.html anpr-code004813.html body-worn-cameras-code007865.html hd-quality-cameras-code007866.html low-light-level-camera-systems-code007867.html camera-housings-code004814.html internet-remote-surveillance-code004932.html cctv-monitoring-code004999.html dome-camera-code004821.html ip-cameras-code004823.html security-camera-lenses-code004824.html security-monitors-code004825.html security-screens-code007437.html ptz-camera-code004828.html switches-code004968.html remote-surveillance-code004829.html public-space-surveillance-code005012.html infrared-cameras-code007439.html thermal-imaging-code004833.html ai-machinelearning-code009668.html security-cameras-code007485.html video-surveillance-code007482.html video-surveillance-code004812.html
do
	curl -s "https://directory.ifsecglobal.com/$urlpath" | grep -E 'ed-companyName' | grep -E -o '">[^/]+<' | sed 's/<//' | sed 's/">//' >> $TMP_FILE
done 
#curl -s '' | grep -E 'ed-companyName' | grep -E -o '">[^/]+<' | sed 's/<//' | sed 's/">//' >> $TMP_FILE


for letter in {A..Z} {2..5} {7..9}
do
	curl -s "https://www.ispyconnect.com/sources.aspx?letter=$letter" | grep -E -o 'man\.aspx\?n=[^"]{1,}"' | sed 's/man.aspx?n=//' | sed 's/"//' | while read -r line ; do
grep -E "$line " vendors.txt >> $TMP_FILE
	done
done


echo 'Tenda Technology Co., Ltd.' >> $TMP_FILE #https://www.google.com/search?q=Tenda+Technology+CCTV&tbm=isch
echo 'LG Innotek' >> $TMP_FILE #https://www.google.com/search?q=LG+Innotek+CCTV&tbm=isch
echo 'Hand Held Products Inc' >> $TMP_FILE #Handheld Thermal Cameras
echo 'Wistron Neweb Corporation' >> $TMP_FILE #https://www.wnc.com.tw/index.php?action=pro_detail&id=76
echo 'HangZhou KuoHeng Technology Co.,ltd' >> $TMP_FILE #https://www.google.com/search?q=HangZhou+KuoHeng+Technology&tbm=isch
echo 'VCS Video Communication Systems AG' >> $TMP_FILE
echo 'D-Link International' >> $TMP_FILE
echo 'Cisco-Linksys, LLC' >> $TMP_FILE
echo 'ICP Internet Communication Payment AG' >> $TMP_FILE
echo 'China Dragon Technology Limited' >> $TMP_FILE
echo 'SAMSUNG TECHWIN CO.,LTD' >> $TMP_FILE
echo 'Hanwha Techwin Security Vietnam' >> $TMP_FILE
echo 'Beward R&D Co., Ltd.' >> $TMP_FILE
echo 'Lorex Technology Inc.' >> $TMP_FILE
echo 'TP-LINK TECHNOLOGIES CO.,LTD.' >> $TMP_FILE
echo 'ABUS Security-Center GmbH & Co. KG' >> $TMP_FILE
echo 'ACM Systems' >> $TMP_FILE
echo 'Aztech Electronics Pte Ltd' >> $TMP_FILE
echo 'Axium Technologies, Inc.' >> $TMP_FILE
echo 'Ace Axis Limited' >> $TMP_FILE
#echo '' >> $TMP_FILE
 
 
echo "Total vendors in the list: "`cat $TMP_FILE | wc -l`
cat $TMP_FILE | sort| uniq > $FILE
echo "Unique vendors in the list: "`cat $FILE | wc -l`

Run like this:

bash ./vendors.sh

This will create a vendors.txt file.

Statistics:

Total vendors in the list: 1665
Unique vendors in the list: 680

In total, 680 unique manufacturers were found – this is quite a lot. If you know other lists or databases, then write in the comments – we can use them or add data from them. I do not know if “no name” got here. On AliExpress, surveillance cameras are sold without a name on the case, without mentioning the manufacturer in the instructions and without mentioning it on the box (because there is no box). If you have MAC addresses of such “no name”, then write them in the comments, we can add them to the script to improve coverage.

You can also browse the list of vendors.txt and remove entries that you think are unnecessary. For example, I noticed that a lot of possible false positives are caused by “HUAWEI TECHNOLOGIES CO.,LTD”, since this company also makes mobile phones (but they do surveillance cameras as well: https://www.google.com/search?q=HUAWEI+CCTV&tbm=isch).

Wi-Fi hidden camera scanner by MAC address

Now that we have a database of hidden camera manufacturers, we need to collect MAC addresses in the neighborhood.

I will use the tried and tested method described in the article “How to detect all Wi-Fi devices in the area?”

The following are the commands to start collecting information. If you do not understand something about them, then refer to the article to which the link is given.

To parse the .csv file, you need airodump-ng to create it. To do this, we set the wireless card to monitor mode. I always start with the following two commands so that no processes get in the way:

sudo systemctl stop NetworkManager
sudo airmon-ng check kill

After that I set the Wi-Fi card into monitor mode:

sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up

Now we run airodump-ng with the following command:

sudo airodump-ng --berlin 60000 -w /tmp/test wlan0

If you are also interested in the 5 GHz band and if your wireless card supports it, then you can use this command:

sudo airodump-ng --channel 1-13,36-165 --berlin 60000 -w /tmp/test wlan0

I saved collected information to the file /home/mial/cameras-01.csv, I got 1600 lines there, of course, we won't analyze it manually:

cat /home/mial/cameras-01.csv | wc -l
1600

In general, we can use the script from the article “How to detect all Wi-Fi devices in the area?”, Simply adding to it a check against the database of camera manufacturers. And this is exactly what we will do, but later. The point is that the script works slowly with numerous entries.

Therefore, first we will use a lighter script that will simply check if there is a surveillance camera around. And if they are, then you can run a heavier script to analyze which Access Points they are connected to.

Create fc.sh file:

gedit fc.sh

Copy the following code into it:

Expand

#!/bin/bash

if [[ "$1" && -f "$1" ]]; then
	FILE="$1"
else
	echo 'Specify the .csv file you want to parse.';
	echo 'Launch example:';
	echo -e "\tbash fc.sh /tmp/test-01.csv";
	exit	
fi

while read -r line ; do

newline="$(echo $line | grep -E '([A-Z0-9:]{17})')"

	if [ "$newline" ]; then	
		MAC2=`echo "$newline" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`
		resultshort="$(grep -i ^$MAC2 ./oui.txt)";
		vendor=`echo "$resultshort" | cut -f 3`
		#vendor=`echo "$resultshort" | awk -F '\t' '{print $3}'`

		if [ "$vendor" ]; then
			result3=${vendor%,*}

			iscamera=''
			iscamera=`cat vendors.txt | grep -i "$result3"`

			if [ "$iscamera" ]; then
				echo
				echo $newline
				echo $vendor
				echo -e "\t\t\t\033[7mIt is likely a camera or other surveillance device\e[0m"
				echo
			fi 
		fi
	fi

done < <(grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){5} ([A-Z0-9:]{17})|(not associated)' $FILE | awk -F ',' '{print $1}')

#!/bin/bash

if [[ "$1" && -f "$1" ]]; then
	FILE="$1"
else
	echo 'Specify the .csv file you want to parse.';
	echo 'Launch example:';
	echo -e "\tbash fc.sh /tmp/test-01.csv";
	exit	
fi

while read -r line ; do

newline="$(echo $line | grep -E '([A-Z0-9:]{17})')"

	if [ "$newline" ]; then	
		MAC2=`echo "$newline" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`
		resultshort="$(grep -i ^$MAC2 ./oui.txt)";
		vendor=`echo "$resultshort" | cut -f 3`
		#vendor=`echo "$resultshort" | awk -F '\t' '{print $3}'`

		if [ "$vendor" ]; then
			result3=${vendor%,*}

			iscamera=''
			iscamera=`cat vendors.txt | grep -i "$result3"`

			if [ "$iscamera" ]; then
				echo
				echo $newline
				echo $vendor
				echo -e "\t\t\t\033[7mIt is likely a camera or other surveillance device\e[0m"
				echo
			fi 
		fi
	fi

done < <(grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){5} ([A-Z0-9:]{17})|(not associated)' $FILE | awk -F ',' '{print $1}')

Run like this:

bash ./fc.sh /PATH/TO/FILE.csv

If the file that I got from airodump-ng is located at /tmp/test-01.csv then my command is as follows:

bash fc.sh /tmp/test-01.csv

We also need a file with a database of MAC addresses and their respective manufacturers, download it to the same directory where you placed the fc.sh file – you need to download this file before running fc.sh and all other scripts from this article:

wget http://standards-oui.ieee.org/oui/oui.txt

We fix the downloaded file, because it uses a DOS/Windows line break, and this leads to the problems, without this fix, the grep program could not find the line, even if it matches the pattern:

dos2unix -i oui.txt

The script, using a database that maps manufacturers to their assigned MAC addresses (oui.txt), will determine the vendor name for each collected MAC address and then check if this vendor is present in the list of surveillance camera manufacturers.

The script will show the MAC address and manufacturer names for all potential cameras. If the script showed nothing, then nothing was found.

Remember that some vendors produce not only surveillance cameras, but also a variety of other electronics (HUAWEI, Sony, Bosch), therefore, “false positives” are very likely – devices can be assigned to “surveillance cameras”, but actually they are not (for example, mobile HUAWEI phones). That is, if something was found, or even if the script brought up a dozen devices, this does not mean that these are all cameras. First of all, pay attention to the manufacturer – quite often they are popular phone manufacturers.

If you find something interesting, then you can use a script that shows which Access Points all devices are connected to.

Create findcameras.sh file:

gedit findcameras.sh

Copy the following code into it:

Expand

#!/bin/bash

if [[ "$1" && -f "$1" ]]; then
	FILE="$1"
else
	echo 'Specify the .csv file to analyze.';
	echo 'Usage:';
	echo -e "\tbash findcameras.sh /tmp/test-01.csv";
	exit	
fi

echo -e "\033[1mTotal Access Points: \033[0;31m`grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){14}' $FILE | wc -l`\e[0m"
echo -e "\033[1mTotal Stations: \033[0;31m`grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){5} ([A-Z0-9:]{17})|(not associated)' $FILE | wc -l`\e[0m"
echo -e "\033[1mTotal Stations without association: \033[0;31m`grep -E '(not associated)' $FILE | wc -l`\e[0m"
 
echo -e "\033[0;36m\033[1mAvailable Access Points:\e[0m"

while read -r line ; do

	if [ "`echo "$line" | cut -d ',' -f 14`" != " " ]; then
		echo -e "\033[1m" `echo -e "$line" | cut -d ',' -f 14` "\e[0m"
	else
		echo -e " \e[3mcould not get network name (ESSID)\e[0m"
	fi

	fullMAC=`echo "$line" | cut -d ',' -f 1`
	echo -e "\tMAC-address: $fullMAC"

	MAC=`echo "$fullMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`

	result="$(grep -i -A 1 ^$MAC ./oui.txt)";
 
	if [ "$result" ]; then
		echo -e "\tVendor: `echo "$result" | cut -f 3`"
	else
		echo -e "\tVendor: \e[3mInformation not found in the database.\e[0m"
	fi

	is5ghz=`echo "$line" | cut -d ',' -f 4 | grep -i -E '36|40|44|48|52|56|60|64|100|104|108|112|116|120|124|128|132|136|140'`

	if [ "$is5ghz" ]; then
		echo -e "\t\033[0;31mIt operates at 5 GHz!\e[0m"
	fi

	printonce="\ttStations:"

	while read -r line2 ; do

		clientsMAC=`echo $line2 | grep -E "$fullMAC"`
		if [ "$clientsMAC" ]; then

			if [ "$printonce" ]; then
				echo -e $printonce
				printonce=''
			fi

			echo -e "\t\t\033[0;32m" `echo $clientsMAC | cut -d ',' -f 1` "\e[0m"
			MAC2=`echo "$clientsMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`

			result2="$(grep -i -A 1 ^$MAC2 ./oui.txt)";
 
			if [ "$result2" ]; then
				echo -e "\t\t\tПроизводитель: `echo "$result2" | cut -f 3`"
				ismobile=`echo $result2 | grep -i -E 'Olivetti|Sony|Mobile|Apple|Samsung|HUAWEI|Motorola|TCT|LG|Ragentek|Lenovo|Shenzhen|Intel|Xiaomi|zte|MEIZU'`
				warning=`echo $result2 | grep -i -E 'ALFA|Intel'`
				if [ "$ismobile" ]; then
					echo -e "\t\t\t\033[0;33mThis is probably a mobile device\e[0m"
				fi

				if [ "$warning" ]; then
					echo -e "\t\t\t\033[0;31;5;7mThe device can support the monitor mode\e[0m"
				fi
				
				
				resultshort="$(grep -i ^$MAC2 ./oui.txt)";			
				vendor=`echo "$resultshort" | cut -f 3`
				if [ "$vendor" ]; then
					result3=${vendor%,*}
					iscamera=''
					iscamera=`cat vendors.txt | grep -i "$result3"`
					if [ "$iscamera" ]; then
						echo -e "\t\t\t\033[7mIt is likely a camera or other surveillance device\e[0m"
					fi 
				fi

			else
				echo -e "\t\t\tVendor: \e[3mInformation not found in the database.\e[0m"
			fi

			probed=`echo $line2 | cut -d ',' -f 7`

			if [ "`echo $probed | grep -E [A-Za-z0-9_\\-]+`" ]; then
				echo -e "\t\t\tIt probed networks: $probed"
			fi			
		fi
	done < <(grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){5} ([A-Z0-9:]{17})|(not associated)' $FILE)
	
done < <(grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){14}' $FILE)

echo -e "\033[0;36m\033[1mNot associated Stations:\e[0m"

while read -r line2 ; do

	clientsMAC=`echo $line2  | cut -d ',' -f 1`

	echo -e "\033[0;31m" `echo $clientsMAC | cut -d ',' -f 1` "\e[0m"
	MAC2=`echo "$clientsMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`

	result2="$(grep -i -A 1 ^$MAC2 ./oui.txt)";

	if [ "$result2" ]; then
		echo -e "\tVendor: `echo "$result2" | cut -f 3`"
		ismobile=`echo $result2 | grep -i -E 'Olivetti|Sony|Mobile|Apple|Samsung|HUAWEI|Motorola|TCT|LG|Ragentek|Lenovo|Shenzhen|Intel|Xiaomi|zte'`
		warning=`echo $result2 | grep -i -E 'ALFA|Intel'`
		if [ "$ismobile" ]; then
			echo -e "\t\033[0;33mThis is probably a mobile device\e[0m"
		fi
		if [ "$warning" ]; then
			echo -e "\t\033[0;31;5;7mThe device can support the monitor mode\e[0m"
		fi
		
		
		resultshort="$(grep -i ^$MAC2 ./oui.txt)";			
		vendor=`echo "$resultshort" | cut -f 3`
		if [ "$vendor" ]; then
			result3=${vendor%,*}
			iscamera=''
			iscamera=`cat vendors.txt | grep -i "$result3"`
			if [ "$iscamera" ]; then
				echo -e "\t\t\t\033[7mIt is likely a camera or other surveillance device\e[0m"
			fi 
		fi
		
		
	else
		echo -e "\tVendor: \e[3mInformation not found in the database.\e[0m"
	fi

	probed=`echo $line2 | cut -d ',' -f 7`

	if [ "`echo $probed | grep -E [A-Za-z0-9_\\-]+`" ]; then
		echo -e "\tIt probed networks: $probed"
	fi			

done < <(grep -E '(not associated)' $FILE)

#!/bin/bash

if [[ "$1" && -f "$1" ]]; then
	FILE="$1"
else
	echo 'Specify the .csv file to analyze.';
	echo 'Usage:';
	echo -e "\tbash findcameras.sh /tmp/test-01.csv";
	exit	
fi

echo -e "\033[1mTotal Access Points: \033[0;31m`grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){14}' $FILE | wc -l`\e[0m"
echo -e "\033[1mTotal Stations: \033[0;31m`grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){5} ([A-Z0-9:]{17})|(not associated)' $FILE | wc -l`\e[0m"
echo -e "\033[1mTotal Stations without association: \033[0;31m`grep -E '(not associated)' $FILE | wc -l`\e[0m"
 
echo -e "\033[0;36m\033[1mAvailable Access Points:\e[0m"

while read -r line ; do

	if [ "`echo "$line" | cut -d ',' -f 14`" != " " ]; then
		echo -e "\033[1m" `echo -e "$line" | cut -d ',' -f 14` "\e[0m"
	else
		echo -e " \e[3mcould not get network name (ESSID)\e[0m"
	fi

	fullMAC=`echo "$line" | cut -d ',' -f 1`
	echo -e "\tMAC-address: $fullMAC"

	MAC=`echo "$fullMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`

	result="$(grep -i -A 1 ^$MAC ./oui.txt)";
 
	if [ "$result" ]; then
		echo -e "\tVendor: `echo "$result" | cut -f 3`"
	else
		echo -e "\tVendor: \e[3mInformation not found in the database.\e[0m"
	fi

	is5ghz=`echo "$line" | cut -d ',' -f 4 | grep -i -E '36|40|44|48|52|56|60|64|100|104|108|112|116|120|124|128|132|136|140'`

	if [ "$is5ghz" ]; then
		echo -e "\t\033[0;31mIt operates at 5 GHz!\e[0m"
	fi

	printonce="\ttStations:"

	while read -r line2 ; do

		clientsMAC=`echo $line2 | grep -E "$fullMAC"`
		if [ "$clientsMAC" ]; then

			if [ "$printonce" ]; then
				echo -e $printonce
				printonce=''
			fi

			echo -e "\t\t\033[0;32m" `echo $clientsMAC | cut -d ',' -f 1` "\e[0m"
			MAC2=`echo "$clientsMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`

			result2="$(grep -i -A 1 ^$MAC2 ./oui.txt)";
 
			if [ "$result2" ]; then
				echo -e "\t\t\tПроизводитель: `echo "$result2" | cut -f 3`"
				ismobile=`echo $result2 | grep -i -E 'Olivetti|Sony|Mobile|Apple|Samsung|HUAWEI|Motorola|TCT|LG|Ragentek|Lenovo|Shenzhen|Intel|Xiaomi|zte|MEIZU'`
				warning=`echo $result2 | grep -i -E 'ALFA|Intel'`
				if [ "$ismobile" ]; then
					echo -e "\t\t\t\033[0;33mThis is probably a mobile device\e[0m"
				fi

				if [ "$warning" ]; then
					echo -e "\t\t\t\033[0;31;5;7mThe device can support the monitor mode\e[0m"
				fi
				
				
				resultshort="$(grep -i ^$MAC2 ./oui.txt)";			
				vendor=`echo "$resultshort" | cut -f 3`
				if [ "$vendor" ]; then
					result3=${vendor%,*}
					iscamera=''
					iscamera=`cat vendors.txt | grep -i "$result3"`
					if [ "$iscamera" ]; then
						echo -e "\t\t\t\033[7mIt is likely a camera or other surveillance device\e[0m"
					fi 
				fi

			else
				echo -e "\t\t\tVendor: \e[3mInformation not found in the database.\e[0m"
			fi

			probed=`echo $line2 | cut -d ',' -f 7`

			if [ "`echo $probed | grep -E [A-Za-z0-9_\\-]+`" ]; then
				echo -e "\t\t\tIt probed networks: $probed"
			fi			
		fi
	done < <(grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){5} ([A-Z0-9:]{17})|(not associated)' $FILE)
	
done < <(grep -E '([A-Za-z0-9._: @\(\)\\=\[\{\}\"%;-]+,){14}' $FILE)

echo -e "\033[0;36m\033[1mNot associated Stations:\e[0m"

while read -r line2 ; do

	clientsMAC=`echo $line2  | cut -d ',' -f 1`

	echo -e "\033[0;31m" `echo $clientsMAC | cut -d ',' -f 1` "\e[0m"
	MAC2=`echo "$clientsMAC" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`

	result2="$(grep -i -A 1 ^$MAC2 ./oui.txt)";

	if [ "$result2" ]; then
		echo -e "\tVendor: `echo "$result2" | cut -f 3`"
		ismobile=`echo $result2 | grep -i -E 'Olivetti|Sony|Mobile|Apple|Samsung|HUAWEI|Motorola|TCT|LG|Ragentek|Lenovo|Shenzhen|Intel|Xiaomi|zte'`
		warning=`echo $result2 | grep -i -E 'ALFA|Intel'`
		if [ "$ismobile" ]; then
			echo -e "\t\033[0;33mThis is probably a mobile device\e[0m"
		fi
		if [ "$warning" ]; then
			echo -e "\t\033[0;31;5;7mThe device can support the monitor mode\e[0m"
		fi
		
		
		resultshort="$(grep -i ^$MAC2 ./oui.txt)";			
		vendor=`echo "$resultshort" | cut -f 3`
		if [ "$vendor" ]; then
			result3=${vendor%,*}
			iscamera=''
			iscamera=`cat vendors.txt | grep -i "$result3"`
			if [ "$iscamera" ]; then
				echo -e "\t\t\t\033[7mIt is likely a camera or other surveillance device\e[0m"
			fi 
		fi
		
		
	else
		echo -e "\tVendor: \e[3mInformation not found in the database.\e[0m"
	fi

	probed=`echo $line2 | cut -d ',' -f 7`

	if [ "`echo $probed | grep -E [A-Za-z0-9_\\-]+`" ]; then
		echo -e "\tIt probed networks: $probed"
	fi			

done < <(grep -E '(not associated)' $FILE)

Run like this:

bash findcameras.sh /PATH/TO/FILE.csv

For example:

bash findcameras.sh /tmp/test-01.csv

If you look closely, you can see that this is the wfw.sh script from the article about finding all Wi-Fi devices around you, but a check has been added to it against the list of surveillance camera manufacturers.

This script, like the previous one, requires both oui.txt and vendors.txt files.

Hand Held Products Inc makes both thermal cameras and various barcode scanners, etc. - it can be any of these devices, since this is a store's AP.

Wistron Neweb Corporation makes a variety of electronics, including Security IP Camera.

Instead of connecting via Wi-Fi, cameras can use a wired network – such cameras will not be included in the list.

Searching for surveillance cameras in the local network

This method works only on networks where you can get the MAC addresses of other devices, that is, only on local networks. Scanning the Internet is useless. Examples of LANs that we often connect to are public Wi-Fi hotspots at airports, hotels, restaurants, public transport, etc.).

Create fcl.sh file:

gedit fcl.sh

Copy the following code into it:

Expand

#!/bin/bash

if [[ "$1" ]]; then
	NET="$1"
else
	echo 'Specify a subnet to search for surveillance cameras';
	echo 'Usage example:';
	echo -e "\tbash ./fcl.sh 192.168.0.0/24";
	exit	
fi
found=0
while read -r line ; do

newline=$line


	if [ "$newline" ]; then	
		MAC2=`echo "$newline" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`
		resultshort="$(grep -i ^$MAC2 ./oui.txt)";
		vendor=`echo "$resultshort" | cut -f 3`

		if [ "$vendor" ]; then
			result3=${vendor%,*}
			iscamera=''
			iscamera=`cat vendors.txt | grep  -i "$result3"`
			if [ "$iscamera" ]; then
				echo
				echo $newline
				echo $vendor
				echo -e "\t\t\t\033[7mIt is likely a camera or other surveillance device\e[0m"
				echo
				found=1
			fi 
		fi
	fi

done < <(sudo nmap -n -sn -PR -PS -PA -PU -T5 $NET | grep -E -o '[A-Z0-9:]{17}')

if [ $found -eq 1 ]; then
	sudo nmap -A $NET
fi

#!/bin/bash

if [[ "$1" ]]; then
	NET="$1"
else
	echo 'Specify a subnet to search for surveillance cameras';
	echo 'Usage example:';
	echo -e "\tbash ./fcl.sh 192.168.0.0/24";
	exit	
fi
found=0
while read -r line ; do

newline=$line


	if [ "$newline" ]; then	
		MAC2=`echo "$newline" | sed 's/ //g' | sed 's/-//g' | sed 's/://g' | cut -c1-6`
		resultshort="$(grep -i ^$MAC2 ./oui.txt)";
		vendor=`echo "$resultshort" | cut -f 3`

		if [ "$vendor" ]; then
			result3=${vendor%,*}
			iscamera=''
			iscamera=`cat vendors.txt | grep  -i "$result3"`
			if [ "$iscamera" ]; then
				echo
				echo $newline
				echo $vendor
				echo -e "\t\t\t\033[7mIt is likely a camera or other surveillance device\e[0m"
				echo
				found=1
			fi 
		fi
	fi

done < <(sudo nmap -n -sn -PR -PS -PA -PU -T5 $NET | grep -E -o '[A-Z0-9:]{17}')

if [ $found -eq 1 ]; then
	sudo nmap -A $NET
fi

Run like this (Nmap requires root privileges):

sudo bash fcl.sh NET/MASK

For example:

sudo bash ./fcl.sh 192.168.0.0/24

If devices with MAC addresses of surveillance camera manufacturers are found, they will be shown.

If nothing is shown, then nothing was found.

If at least one camera is found, another Nmap scan will be launched – more aggressive, with full output of the results so that you can see the IP of the device, which may be a camera, as well as with an attempt to determine the version of the OS and services – this can help with identifying the camera.

Fragment of output from additional scan:

|_http-title: NETSurveillance WEB
554/tcp  open  rtsp    H264DVR rtspd 1.0
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, GET_PARAMETER, SET_PARAMETER, PLAY, PAUSE
8899/tcp open  soap    gSOAP 2.7
|_http-server-header: gSOAP/2.7

The “NETSurveillance WEB” title hints that it is a network surveillance camera. Open ports 554 and 8899 belong to RTSP and ONVIF services specific to IP cameras.

Related article: IP Camera Security Audit

Search with DeviceManager (from python-dvr)

This method is only suitable if you are connected to the same local network as the IP camera.

Programs for working with cameras must know their IP address. The normal user is not required to enter this address manually. You might think that programs are scanning your local network, but this is usually not the case. They actually send specific hexadecimal data to the broadcast address. The data and port differ depending on the camera models. You can see an example of how this works in the article “Reverse engineering of network traffic”.

DeviceManager program (from python-dvr) can work with the following groups of surveillance cameras:

XM
Dahua
Fros
Wans
Beward

Most likely, this is not the manufacturer, but the type of camera detection system used on the LAN. That is, if your camera has a different manufacturer, DeviceManager can still find them.

To install and run DeviceManager, run the commands:

git clone https://github.com/NeiroNx/python-dvr
cd python-dvr
./DeviceManager.py

A graphical interface will open, there it is enough to click the Поиск (“Search”) button.

Conclusion

The quality of scanning is primarily determined by the quality of the list of manufacturers of surveillance cameras – if you know the better lists, write in the comments, I will modify the instructions and scripts.

If you have examples of MAC addresses of surveillance cameras produced by “no name” and “Unbranded”, then also write them in the comments – they can be added to scripts for additional verification by them.

See also trackerjacker and “Wi-Fi device tracking”. Using trackerjacker, you can also monitor wireless devices, for example, you can see when a Wi-Fi camera has started sending traffic – this may mean that the camera has noticed movement.

Another related article “How to perform selective jamming of Wi-Fi networks and clients (DoS attack on individual access points/clients)” (but remember that cameras usually have memory cards inside to store video).

Detecting hidden cameras by network traffic characteristics

When I already wrote this article and googled “mac addresses of hidden cameras” to find at least something about “Unbranded”, because hidden cameras are usually produced either without a brand at all, or under random names that are absent from the OUI, I stumbled upon a study “Detecting Hidden Wireless Cameras through Network Traffic Analysis”. They were able to find patterns in the traffic characteristics of hidden cameras, although they did not share either the code or MAC addresses. Nevertheless, it may be interesting for someone to read it and push on new ideas.

How to add reCAPTCHA v3 to protect against parsing and spam (45.1%)
How to find and remove malware from Linux (45.1%)
How to manage cameras via DVR-IP, NetSurveillance, Sofia protocol (NETsurveillance ActiveX plugin XMeye SDK) (39.8%)
IP camera security audit (13%)
Wi-Fi device tracking (12%)
How to decrypt WPA traffic in Wireshark (RANDOM - 6.3%)

Recommended for you:

Alex December 22, 2020 Airodump-ng, DeviceManager.py, hidden cameras, infogathering, MAC-address, Nmap, python-dvr, surveillance cameras, wireless Anonymity, data encryption and anti-forensics, Improving security, Wireless Attacks No Comments »

Ethical hacking and penetration testing

InfoSec, IT, Kali Linux, BlackArch

How to detect IP cameras

Is it possible to detect surveillance cameras (CCTV, DVR, NVR, ANPR, Dome Camera, IP cameras, body cameras)?

MAC address database of all hidden cameras

Wi-Fi hidden camera scanner by MAC address

Searching for surveillance cameras in the local network

Search with DeviceManager (from python-dvr)

Conclusion

Detecting hidden cameras by network traffic characteristics

Related articles:

Recommended for you:

Leave a Reply Cancel reply