hacking

5 members

Created by /u/Z_Support

3 months ago

Step 0 : KNOW YOUR ENEMY 📷

The first thing to understand is the difference between surveillance systems (CCTV, Closed-Circuit Television), which are generally used in public and professional environments, and connected cameras (smart cameras), which are aimed at private environments and are usually accessed from a smartphone app. You will still find CCTV equipment in large homes or with owners who know what they are doing.
Step 1 : SCAN THE NETWORK 📡

You need to know the IP addresses of the cameras and of the devices related to them, such as the NVR (Network Video Recorder). For this you can use nmap or Zenmap (its GUI); there are also other tools such as Angry IP Scanner.

sudo nmap -sn 192.168.0.0/24

This command runs a host discovery (ping) scan. Run as root on your own subnet, nmap uses ARP requests and reports the MAC address of every device that answers. Most of the time the vendor is shown next to it, but sometimes it is not (see the screenshot above). Once you have the MAC addresses you can check the OUI (Organizationally Unique Identifier, the first three octets of the MAC) to tell whether the device is a camera or not. Here are the most popular CCTV vendors and some of their OUIs (each vendor owns many more, so an unknown prefix does not rule out a camera):

Hikvision : F8:4D:FC / C4:2F:90 / C0:56:E3
Dahua Technology : E0:50:8B / C0:39:5A / BC:32:5F
Axis Communications : B8:A4:4F / AC:CC:8E
Bosch Security Systems : 00:1C:44 / 00:04:63
Samsung / Hanwha Techwin : 00:09:18
Avigilon : 00:1F:92 / 00:18:85
Vivotek : 00:02:D1
Honeywell : 00:0A:13

For this, you can use these tools :
MAC Address Finder 🌐 https://www.adminsub.net/mac-address-finder : type the vendor and you get its MAC address prefixes / OUIs

OUI LOOKUP 🌐 https://www.wireshark.org/tools/oui-lookup.html : type the OUI (the first 6 hex characters of the MAC address) and you get the vendor

⚠️ Be aware that when these systems are well configured they sit on a dedicated VLAN behind firewall rules. If the firewall does not allow traffic between 192.168.0.0/24 (the network you are on) and 192.168.1.0/24 (the network the cameras are on), you will not be able to reach the cameras at all. Even when routing is allowed, the MAC/OUI trick above only works on your own subnet: ARP does not cross a router, so nmap cannot show the MAC address of a host on another network. ⚠️
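Putting Step 1 together as an added shell example (my code, not from the original post): it reads `nmap -sn` output, pulls the MAC address of every host and matches the first three octets against the OUI table above, and flags hosts that answered without a MAC address, which is what you see for devices behind a router. The nmap output embedded in the script is a constructed sample, not a real scan, and the script name `oui_classify.sh` and the `-` argument for reading stdin are my own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): classify hosts found by
# `nmap -sn` by the OUI of their MAC address, using the vendor table above.
# Usage:  sudo nmap -sn 192.168.0.0/24 | sh oui_classify.sh -
# With no argument it runs on the constructed sample scan below.

# Constructed sample of `nmap -sn` normal output (not a real scan).
# 192.168.0.100 answered but has no "MAC Address:" line, as a host on
# another subnet (or the scanning machine itself) would.
SAMPLE_SCAN='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for cam1.lan (192.168.0.23)
Host is up (0.0031s latency).
MAC Address: C0:56:E3:AA:BB:CC (Hangzhou Hikvision Digital Technology)
Nmap scan report for 192.168.0.42
Host is up (0.0028s latency).
MAC Address: e0:50:8b:01:02:03 (Zhejiang Dahua Technology)
Nmap scan report for 192.168.0.100
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.31 seconds'

# OUI (first three octets, upper case) -> vendor. Only the prefixes listed in
# the post; real vendors own many more, so "unknown" does not mean "not a camera".
oui_vendor() {
    case "$1" in
        F8:4D:FC|C4:2F:90|C0:56:E3) echo "Hikvision" ;;
        E0:50:8B|C0:39:5A|BC:32:5F) echo "Dahua Technology" ;;
        B8:A4:4F|AC:CC:8E)          echo "Axis Communications" ;;
        00:1C:44|00:04:63)          echo "Bosch Security Systems" ;;
        00:09:18)                   echo "Samsung / Hanwha Techwin" ;;
        00:1F:92|00:18:85)          echo "Avigilon" ;;
        00:02:D1)                   echo "Vivotek" ;;
        00:0A:13)                   echo "Honeywell" ;;
        *)                          echo "unknown" ;;
    esac
}

# Read nmap -sn normal output on stdin and print one "ip mac vendor" line per
# host. A host whose report has no "MAC Address:" line was not reachable by
# ARP (different subnet/VLAN), so no OUI check is possible for it.
classify_hosts() {
    ip=""
    while IFS= read -r line; do
        case "$line" in
            "Nmap scan report for "*)
                # Previous host ended without a MAC line: report it as such.
                [ -n "$ip" ] && echo "$ip - no-mac (not on local segment)"
                ip=${line##* }          # last token: "192.168.0.1" or "(192.168.0.23)"
                ip=${ip#\(}; ip=${ip%\)}
                ;;
            "MAC Address: "*)
                mac=${line#MAC Address: }
                mac=$(printf '%s' "${mac%% *}" | tr 'a-f' 'A-F')   # normalise case
                oui=$(printf '%s' "$mac" | cut -c1-8)
                echo "$ip $mac $(oui_vendor "$oui")"
                ip=""
                ;;
        esac
    done
    [ -n "$ip" ] && echo "$ip - no-mac (not on local segment)"
    return 0
}

# Run the classifier on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_SCAN" | classify_hosts
}

if [ "${1:-}" = "-" ]; then classify_hosts; else demo; fi
```

Pipe a real scan through it with `sudo nmap -sn 192.168.0.0/24 | sh oui_classify.sh -`; anything reported as `unknown` still deserves a manual lookup with the OUI tools above before you write it off.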

Step 2 : TAKE A LOOK IN DEPTH 🔬

Once we have the IP and MAC addresses (of the cameras and the NVR) we can look at the services running on these devices with the following command :
nmap -sV -A ip_address ip_address ip_address ...

Note that -A already includes version detection (-sV) together with OS detection, script scanning and traceroute; -sV alone is quieter. Add -p- to cover all 65535 TCP ports, since camera and NVR services often listen on non-default ports.

The result will of course depend on whether the cameras have a built-in web server or rely on the NVR for configuration and connection.

Now that we have the open ports and the services running on them, we should also have the version of each service, which leads us to the next step.

Step 3 : EXPLOITS ⚔️

Knowing the brand, the model and the services running, you can look for known exploits on sites such as :

https://www.exploit-db.com/
(searchsploit, the offline copy of Exploit-DB shipped with Kali, searches the same database from the command line.) If you find something matching the service or firmware version you can try it; otherwise, move on to the next option.
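Steps 2 and 3 chained together, as an added shell example (my code, not from the original post): it parses nmap's grepable output (`-oG -`) from the service scan, keeps the open ports, and turns each version banner into the search term you would feed to Exploit-DB or searchsploit, while calling out ports that returned no banner (`tcpwrapped`, `unknown`) and therefore need manual identification. The scan embedded in the script is a constructed sample with made-up banners, not output from a real device; the script name `scan_to_terms.sh` and the `-` argument are my own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): turn the Step 2 service scan
# into a list of search terms for Step 3.
# Usage:  nmap -sV -p- -oG - 192.168.0.23 192.168.0.42 | sh scan_to_terms.sh -
# With no argument it runs on the constructed sample below.

# nmap's grepable format separates sections with tabs; build one portably.
TAB=$(printf '\t')

# Constructed sample of `nmap -sV -oG -` output (banners are made up).
# Port fields are: port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GREPABLE="# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.0.23 (cam1.lan)${TAB}Status: Up
Host: 192.168.0.23 (cam1.lan)${TAB}Ports: 80/open/tcp//http//lighttpd 1.4.35/, 554/open/tcp//rtsp//Generic RTSP server 2.1/, 8000/open/tcp//tcpwrapped///${TAB}Ignored State: closed (997)
Host: 192.168.0.42 (nvr.lan)${TAB}Status: Up
Host: 192.168.0.42 (nvr.lan)${TAB}Ports: 80/open/tcp//http//Boa HTTPd 0.94.14rc21/, 8080/open/tcp//unknown///${TAB}Ignored State: filtered (998)
# Nmap done"

# Read grepable output on stdin; print one line per open port:
#   ip port/proto service -> search: "version banner"
# or, when nmap got no banner, a reminder to identify the service by hand.
scan_to_terms() {
    awk -F'\t' '
    /^Host: / {
        split($1, h, " ");                 # "Host: 192.168.0.23 (cam1.lan)"
        ip = h[2];
        for (i = 2; i <= NF; i++) {
            if (index($i, "Ports: ") != 1) continue;
            n = split(substr($i, 8), p, ", ");
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/");       # port/state/proto/owner/service/rpc/version/
                if (f[2] != "open") continue;
                # RTSP is the video control channel; the stream it sets up is
                # normally clear-text RTP, which matters for Step 4 B.
                note = (f[5] == "rtsp") ? " [RTSP: stream is usually clear-text, see Step 4 B]" : "";
                if (f[7] == "" || f[5] == "tcpwrapped")
                    printf "%s %s/%s %s -> no version banner, identify manually (web UI, ONVIF, RTSP OPTIONS)%s\n",
                           ip, f[1], f[3], f[5], note;
                else
                    printf "%s %s/%s %s -> search: \"%s\"%s\n",
                           ip, f[1], f[3], f[5], f[7], note;
            }
        }
    }'
}

# Run the parser on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_GREPABLE" | scan_to_terms
}

if [ "${1:-}" = "-" ]; then scan_to_terms; else demo; fi
```

The "search:" strings are what you paste into Exploit-DB (or pass to `searchsploit`); remember that a hit has to match the firmware actually running, and that a port with no banner is not a dead end, just one nmap could not fingerprint.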

Step 4 : OTHER OPTIONS

Here is a list of other options you can go through, depending on your objective :

A. Gaining access to the web server (the usual web application vulnerabilities)

a. Default credentials
b. Weak password (bruteforce attack)
c. Credentials stuffing (data breaches)
d. Firmware exploit
e. XSS
f. SQLi
g. Command Injection
h. Path Traversal
i. Remote File Inclusion
j. Local File Inclusion
k. SSL/TLS Stripping
l. Session Hijacking

B. Intercepting video traffic

a. DNS Poisoning / Rogue DNS
b. ARP Spoofing
c. Sniffing (many CCTV cameras stream over RTSP/RTP in clear text, so the video can be pulled straight out of a packet capture)


I think there are other ways; I'll improve this thread in time.
