{"id":27155441,"url":"https://github.com/john0n1/camsniff","last_synced_at":"2025-10-11T14:50:28.538Z","repository":{"id":286417587,"uuid":"961343600","full_name":"John0n1/CamSniff","owner":"John0n1","description":"IP camera \u0026 IoT device detection and monitoring","archived":false,"fork":false,"pushed_at":"2025-04-06T10:46:40.000Z","size":21,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-06T11:23:33.704Z","etag":null,"topics":["arp","camera-monitor","dvr-tool","ip-camera","ip-scanning","kali-tools","linux-tools","nmap","nvr-box","onvif","penetration-testing","pentesting","rtsp","shell-script","sniffing","white-hat"],"latest_commit_sha":null,"homepage":"https://github.com/John0n1/CamSniff","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/John0n1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-04-06T10:11:29.000Z","updated_at":"2025-04-06T10:46:37.000Z","dependencies_parsed_at":"2025-04-06T11:33:41.651Z","dependency_job_id":null,"html_url":"https://github.com/John0n1/CamSniff","commit_stats":null,"previous_names":["john0n1/camsniff"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/John0n1%2FCamSniff","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/John0n1%2FCamSniff/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/John0n1%2FCamSniff/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/John0n1%2FCamSniff/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/John0n1","download_url":"https://codeload.github.com/John0n1/CamSniff/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247913870,"owners_count":21017215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arp","camera-monitor","dvr-tool","ip-camera","ip-scanning","kali-tools","linux-tools","nmap","nvr-box","onvif","penetration-testing","pentesting","rtsp","shell-script","sniffing","white-hat"],"created_at":"2025-04-08T19:40:25.751Z","updated_at":"2025-10-11T14:50:28.516Z","avatar_url":"https://github.com/John0n1.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CamSniff\n\n\u003e **Automated IP Camera \u0026 Network Video Stream Reconnaissance Toolkit**\n\u003e Smart, mode-aware reconnaissance that maps every camera and stream across your infrastructure, from living rooms to datacenters.\n\n\u003cdiv align=\"center\"\u003e\n\n[![Last Commit](https://img.shields.io/github/last-commit/John0n1/CamSniff?style=flat-square\\\u0026logo=github\\\u0026color=red)](https://github.com/John0n1/CamSniff/commits/main)\n[![Shell](https://img.shields.io/badge/language-bash-black?logo=gnubash\\\u0026style=flat-square)](#)\n[![Python](https://img.shields.io/badge/language-python-black?logo=python\\\u0026style=flat-square)](#)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](LICENSE)\n\n**Current version:** `2.2.0` · \n\n\u003cimg src=\"docs/camsniff.png\" alt=\"CamSniff logo\" width=\"320\" /\u003e\n\n\u003c/div\u003e\n\n---\n\n# Table of contents\n\n1. [Overview](#overview)\n2. [Why CamSniff?](#why-camsniff)\n3. [Feature matrix](#feature-matrix)\n4. [Architecture \u0026 flow](#architecture--flow)\n5. [Scanning modes](#scanning-modes)\n6. [Install \u0026 quick start](#install--quick-start)\n7. [Command line examples](#command-line-examples)\n8. [Output format \u0026 artifacts](#output-format--artifacts)\n9. [Discovery \u0026 profiling logic (short)](#discovery--profiling-logic-short)\n10. [Credential probing behavior](#credential-probing-behavior)\n11. [Configuration \u0026 extending dictionaries](#configuration--extending-dictionaries)\n12. [Analysis helper \u0026 IVRE integration](#analysis-helper--ivre-integration)\n13. [Dependencies](#dependencies)\n14. [Troubleshooting \u0026 tips](#troubleshooting--tips)\n15. [Hardening, ethics \u0026 responsible use](#hardening-ethics--responsible-use)\n16. [Contributing \u0026 roadmap](#contributing--roadmap)\n17. [License](#license)\n\n---\n\n# Overview\n\n**CamSniff** is a modular reconnaissance toolkit focused on discovering, profiling and opportunistically acquiring snapshots/streams from IP cameras and networked video sources on *local networks*. It blends active scanning (Nmap, optional Masscan), passive discovery (Avahi/mDNS), short traffic sampling (TShark), and vendor templates (`data/paths.csv`) to produce structured, reproducible results.\n\nKey design points:\n\n* Mode-aware: tune from **stealth** → **nuke** for noise vs coverage tradeoffs\n* Multi-protocol: RTSP, ONVIF, HLS, WebRTC, SRT, RTMP, CoAP probes, etc.\n* Output: structured JSON (`discovery.json`, `credentials.json`) + thumbnails \u0026 logs\n* Offline-friendly: no external lookups required — vendor intelligence lives in `data/`\n\n\u003e ⚠️ **Responsible use only** — Do **not** scan or capture media from devices/networks you are not explicitly authorized to test. Treat captured imagery and credentials as highly sensitive.\n\n---\n\n# Why CamSniff?\n\n* Reduce repetitive manual recon: one command yields a consistent, auditable dataset.\n* Templated vendor intelligence speeds up discovery of likely snapshot/RTSP endpoints.\n* Tunable credential probing keeps operations traceable and bounded by the chosen mode.\n* Designed to be integrated with IVRE for persistent, queryable reconnaissance databases.\n\n---\n\n# Feature matrix\n\n| Area                | Highlights                                                                 |\n| ------------------- | -------------------------------------------------------------------------- |\n| Discovery           | Nmap TCP/UDP scan, NSE RTSP brute, optional Masscan for wide sweeps        |\n| Passive             | Avahi/mDNS \u0026 DNS-SD filtering for camera/service keywords                  |\n| Traffic sampling    | Targeted TShark captures to extract observed URIs                          |\n| Protocols           | ONVIF, RTSP, HLS, WebRTC/STUN, RTMP, SRT, CoAP `/.well-known/core`         |\n| Vendor profiling    | `data/paths.csv` maps OUI/heuristics → RTSP/HTTP templates + CVEs          |\n| Credential strategy | Mode-limited curated username/password lists, default combos               |\n| Acquisition         | ffmpeg RTSP grabs, HTTP snapshot requests, optional ASCII previews (chafa) |\n| Output              | `discovery.json`, `credentials.json`, thumbnails, structured logs          |\n| Extras              | IVRE sync script, post-scan analysis scripts, enrichers                    |\n\n---\n\n# Architecture \u0026 flow (concise)\n\n1. Decide mode (timings, breadth, credential caps) via `scripts/mode-config.sh`.\n2. Active scan: Nmap (scripted RTSP brute NSE); optional Masscan merges ports.\n3. Passive discovery: Avahi/mDNS to pick up friendly names \u0026 services.\n4. Traffic sampling: TShark capture on observed hosts to find candidate URIs.\n5. UDP micro-scan for STUN/WS-Discovery/SRT indicators.\n6. CoAP probe to `/.well-known/core` for constrained devices.\n7. Vendor matching using `data/paths.csv` → produce candidate RTSP/HTTP templates.\n8. Assemble `discovery.json` and run credential/media acquisition phase.\n9. Optionally, push to IVRE with `--extra ivre`.\n\n---\n\n# Scanning modes (summary)\n\nEach mode adjusts port profiles, timing, Masscan usage, NSE breadth, and maximum credential attempts.\n\n|         Mode | Masscan |      Nmap speed      | Creds (max) | TShark (s) | Use case                |\n| -----------: | :-----: | :------------------: | :---------: | :--------: | ----------------------- |\n|   `stealth+` |    no   |          -T1         |      8      |     15     | Minimal noise, slowest  |\n|    `stealth` |    no   |          -T2         |      12     |     20     | Quiet local scans       |\n|     `medium` |   yes   |          -T4         |      32     |     35     | Default balanced        |\n| `aggressive` |   yes   |        -T4 -A        |      64     |     45     | More scripts/versioning |\n|        `war` |   yes   |        -T5 -A        |      96     |     55     | Broad vendor coverage   |\n|       `nuke` |   yes   | -T5 -A --script vuln |     128     |     75     | Full sweep (1–65535)    |\n\nDefault: `--mode medium`. Example: `sudo camsniff --mode stealth`.\n\n---\n\n# Install \u0026 quick start\n\n## A — From releases (Debian package)\n\n```bash\n# download latest release .deb\nsudo apt install ./camsniff_*amd64.deb\n# run\nsudo camsniff --mode medium\n```\n\n## B — From source (developer / live edits)\n\n```bash\ngit clone https://github.com/John0n1/CamSniff.git\ncd CamSniff\nchmod +x scripts/*.sh data/*.sh\nsudo scripts/camsniff.sh        # first run bootstraps dependencies if needed\n```\n\n\u003e On first run the script attempts to install or build missing runtime tooling (where possible). Read logs in `dev/results/\u003crun\u003e/logs/` if a dependency fails.\n\n---\n\n# Command line examples\n\n```bash\n# quick balanced scan (default intensity)\nsudo camsniff --mode medium\n\n# quiet scan (low footprint)\nsudo camsniff --mode stealth+\n\n# aggressive, include IVRE ingestion\nsudo camsniff --mode aggressive --extra ivre\n\n# skip confirmation (non-interactive)\nsudo camsniff --yes\n\n# show help / version\nsudo camsniff --help\nsudo camsniff --version\n```\n\n---\n\n# Output format \u0026 artifacts\n\nAll run outputs live in `dev/results/\u003cUTC_TIMESTAMP\u003e/`:\n\n* `discovery.json` — canonical host dataset with enrichment metadata\n* `credentials.json` — credential attempts \u0026 successes per host\n* `thumbnails/` — JPEG snapshots of successful grabs (organized per run)\n* `logs/` — raw phase logs (`nmap-output.txt`, `masscan-output.json`, `avahi-services.txt`, `tshark-traffic.csv`, `coap-probe.log`)\n* `analysis/` — optional aggregated statistics from `scripts/analyze.sh`\n\n`discovery.json` snapshot example (trimmed):\n\n```jsonc\n{\n  \"ip\": \"192.168.1.42\",\n  \"mac\": \"AA:BB:CC:DD:EE:FF\",\n  \"sources\": [\"Nmap\",\"TShark\",\"Avahi\"],\n  \"ports\": [80,554,8443],\n  \"observed_paths\": [\"/onvif/device_service\", \"rtsp://...\"],\n  \"profile_match\":{\n    \"vendor\":\"VendorX\",\n    \"model\":\"ModelY\",\n    \"matched_by\":\"oui\",\n    \"rtsp_candidates\":[...],\n    \"http_snapshot_candidates\":[...],\n    \"cve_ids\":[\"CVE-2024-XXXX\"]\n  }\n}\n```\n\n---\n\n# Discovery \u0026 profiling logic (short)\n\n* **Observed evidence**: Nmap + TShark + Avahi merge into a host record.\n* **Heuristics**: port fingerprints, OUI regex, observed HTTP/RTSP URIs, ONVIF service behavior.\n* **Vendor templates**: `data/paths.csv` contains OUI \u0026 port heuristics → RTSP/HTTP templates + CVEs.\n* **Enrichment**: small Python post-processor ranks candidates and annotates `discovery.json`.\n\n---\n\n# Credential probing behavior\n\n`scripts/credential-probe.sh` uses:\n\n1. Vendor default combos (from `paths.csv`) + blank/empty password checks.\n2. Curated, mode-bounded username/password pair lists (`data/usernames.txt`, `data/passwords.txt`).\n3. Enumerated RTSP paths (profile + brute + observed from TShark).\n4. HTTP snapshot templated endpoints (`data/http-paths.txt`).\n\nSuccessful attempts record: credential pair, endpoint used, thumbnail path, timestamp. **Credentials are stored in plain JSON** — treat them as sensitive material and secure results directories accordingly.\n\n---\n\n# Configuration \u0026 extending dictionaries\n\nAll dictionaries live in `data/` and are editable:\n\n* `paths.csv` — vendor OUI regex → default creds, RTSP/HTTP templates, CVE IDs\n* `rtsp-urls.txt` — extend RTSP brute dictionary for NSE\n* `http-paths.txt` — fallback HTTP snapshot endpoints (templated)\n* `usernames.txt` / `passwords.txt` — curated credential lists (comments ignored)\n* `port-profiles.sh` — logical named port sets used per scanning mode\n\nAfter edits, next run will use updated files. Keep additions concise, verifiable, and documented (one vendor per row ideally).\n\n---\n\n# Analysis helper \u0026 IVRE integration\n\n* `scripts/analyze.sh` — prints host counts, vendor diversity, RTSP discovery volume, credential success rate.\n* `scripts/ivre-manager.sh` — optionally bootstraps a Python venv with IVRE + pymongo and pushes enriched hosts into IVRE (use `--extra ivre`).\n\n---\n\n# Dependencies\n\nCore runtime (auto-installed where possible):\n\n* nmap, masscan (optional), tshark (wireshark/tshark), avahi-utils, ffmpeg, curl, jq, python3 (+ venv), chafa (optional, for ASCII previews), libpcap.\n* Build tools for libcoap / `coap-client` (`git`, `cmake`, `build-essential`, `pkg-config`) — script `scripts/build-coap.sh` will attempt to build if missing.\n\n---\n\n# Troubleshooting \u0026 tips\n\n* **Empty `discovery.json`** — verify interface, ARP visibility, run non-stealth mode for testing.\n* **Masscan skipped** — ensure `--mode` permits it (e.g., `medium`+).\n* **No thumbnails** — check `ffmpeg` availability and per-host logs in `dev/results/\u003crun\u003e/logs/`.\n* **ONVIF false negatives** — SSL/certificate redirects or nonstandard ports can hide endpoints — try `curl -k` manually against suspected endpoints.\n* **CoAP probes failing** — build `coap-client` via `scripts/build-coap.sh`, inspect `logs/coap-probe.log`.\n* **Performance** — if `nuke` takes too long, use `medium` or a custom port profile.\n\nEnvironment toggles:\n\n* `NO_ANIM=1` — skip ASCII/intro animation (useful in CI).\n* `CAM_MODE_PORT_PROFILE` — override port profile programmatically (advanced).\n\n---\n\n# Hardening, ethics \u0026 responsible use\n\n* **Authorization** — never use CamSniff on networks/devices without explicit, written permission.\n* **Data protection** — captured images, device metadata and credentials are sensitive — encrypt and limit access.\n* **Least impact** — start with `stealth` modes during discovery and escalate only when authorized.\n* **CVE data** — treated as advisory; manual verification and safe disclosure practices required.\n* **Avoid uncontrolled credential spraying** — credential attempts are mode-bounded; respect target operational stability.\n\n---\n\n# Contributing\n\n1. Fork → create feature branch.\n2. Make focused changes (one concern per PR).\n3. Run `make lint` (uses `shellcheck`) and `scripts/test` if available.\n4. Add sample outputs or before/after notes where relevant.\n5. Submit PR and reference related issues.\n\nGuidelines:\n\n* Document every vendor template change and source of truth.\n* Prefer small, testable commits; avoid large binary additions.\n* Keep default dictionaries conservative — do not include proprietary credential lists.\n\n---\n\n# Roadmap (short)\n\n* Web dashboard: realtime JSON + thumbnails.\n* Live mosaic / timeline capture mode.\n* Encrypted credential store \u0026 role-based access.\n* Pluggable exporters: Markdown/HTML summary reports.\n* Additional protocol signatures (MQTT, SIP, more proprietary APIs).\n\nHave a feature idea? Please open an issue describing the use case.\n\n---\n\n# License\n\nMIT — see [LICENSE](LICENSE). \u003csub\u003e© 2025 John Hauger Mitander. The authors disclaim responsibility for misuse. Practice ethical security research.\u003c/sub\u003e\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohn0n1%2Fcamsniff","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjohn0n1%2Fcamsniff","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohn0n1%2Fcamsniff/lists"}