NSE: rtsp-url-brute (How to Connect to RTSP via VLC Media Player)

I was fumbling around with a network scan on an old machine in my lab environment and it led me down this path of research. It had a protocol "rtsp" on port 554. So I dug in and gathered some information.

RTSP - What is it?

RTSP, or Real Time Streaming Protocol, is a protocol designed for controlling streaming media servers.

Kind of a weird protocol to see on a random Windows 7 machine that's been living in a box for 5 years. I wanted to learn how to exploit this protocol and I stumbled on something huge.

RTSP is used in many media servers and when not properly secured can easily expose your video to the public internet.  

The pictures below are just 6 of the 68,213 results that came up from a Shodan search.


So what do we do when we find an RTSP service running on a target? RTSP URLs look a lot like HTTP URLs (similar only in that the string you use starts with rtsp:// vs http://), and one of the first things we do when we encounter HTTP is run directory enumeration on it. Let's do the same thing for the RTSP service.

# nmap -sV --script "rtsp-*" -p 554 <IP>

Launching the command enumerates URLs by testing common paths. Nmap sends a DESCRIBE request to each URL listed in the dictionary and then parses the responses.

Image demonstrates nothing returned.


This second image, though, shows us a successful enumeration. Take a look at the "Discovered" section. These are actual URLs that responded to the DESCRIBE request that was sent to them.
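The DESCRIBE exchange described above, as an added example (not from the original post and not Nmap's code): it builds the request and classifies the response, so you can see which paths on your own camera answer without authentication. The address, paths and responses are constructed samples; the status codes are those of RTSP/1.0.

```python
# Added example: works on constructed messages only, no network I/O.

def build_describe(url, cseq=1):
    """Return the DESCRIBE request text for one candidate URL."""
    return (f"DESCRIBE {url} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n\r\n")

def parse_response(raw):
    """Split a raw RTSP response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError(f"not an RTSP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def classify(raw):
    """Map a DESCRIBE response to an audit finding for that path."""
    code, headers, body = parse_response(raw)
    if code == 200:
        # An SDP body returned with no challenge means the stream is open.
        return "EXPOSED" if body.startswith("v=0") else "OK_NO_SDP"
    if code == 401:
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0]
        return f"AUTH_REQUIRED({scheme or 'unknown'})"
    if code == 404:
        return "NOT_FOUND"
    return f"OTHER({code})"

# Constructed responses from a hypothetical camera at a documentation address.
SAMPLES = {
    "rtsp://192.0.2.10:554/live": "RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
        "Content-Type: application/sdp\r\n\r\nv=0\r\nm=video 0 RTP/AVP 96\r\n",
    "rtsp://192.0.2.10:554/stream1": "RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
        'WWW-Authenticate: Digest realm="cam", nonce="abc123"\r\n\r\n',
    "rtsp://192.0.2.10:554/missing": "RTSP/1.0 404 Not Found\r\nCSeq: 3\r\n\r\n",
}

def audit(samples):
    """Return {url: finding} for every recorded response."""
    return {url: classify(raw) for url, raw in samples.items()}

if __name__ == "__main__":
    for url, finding in audit(SAMPLES).items():
        print(f"{finding:22} {url}")
```

Any path reported as EXPOSED is one where the camera should be reconfigured to require credentials or moved off the public network.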


That's great but what do we do with this information?

Well it's a media server that is hosting a camera so technically we could actually watch what the camera is capturing.

Watching RTSP on VLC Media Player


1. Open VLC
Select the drop down "Media"

2. Select Open Network Stream

3. Input your RTSP string under the Network tab. Select "Play"

4. Voila
*image has been modified for the blog, but this technique does work.
*Poking around on cameras is not cool, you do need permission.
