Ullaakut / cameradar

Cameradar RTSP stream access tool Cameradar scans RTSP endpoints on authorized targets, and uses dictionary attacks to bruteforce their credentials and routes. What Cameradar does • Detects open RTSP hosts on accessible targets. • Detects the device model that streams the RTSP feed. • Attempts dictionary-based discovery of stream routes (for example, ). • Attempts dictionary-based discovery of camera credentials. • Produces a report of findings. Table of contents • Quick start with Docker • Install the binary • Install on Android (Termux) • Configuration • Security and responsible use • Output • Check camera access • Command-line options and environment variables • Input file format • Build and contribute • Frequently asked questions • Examples • License --- Quick start with Docker Install Docker and run: Example: This scans ports 554, 5554, and 8554 on the target subnet. It attempts to enumerate RTSP streams. For all options, see Configuration reference. • Targets can be CIDRs, IPs, IP ranges or a hostname. • Subnet: • IP: • Host: • Range: • To use custom dictionaries, mount them and pass both flags: Install the binary Use this option if Docker is not available or if you want a local build. Dependencies • Go 1.25 or later Steps • The binary is now in your . For available flags, see Configuration reference. Install on Android (Termux) These steps summarize a working Termux setup for Android. Use Termux 117 from F-Droid or the official Termux site, not Google Play. 1) Set up Termux and Alpine Install the required packages in Termux: Install Alpine and log in: 2) Install build tools in Alpine 3) Build Cameradar Create a module path and clone the repo: 4) Run Cameradar Copy dictionaries and run the binary: Replace with an IP, range, host or subnet you are authorized to test. Configuration The default RTSP ports are , , . If you do not specify ports, Cameradar uses those. Example of scanning custom ports: You can replace the default dictionaries with your own routes and credentials files. The repository provides baseline dictionaries in the folder. Skip discovery with If you already know the RTSP endpoints, you can skip discovery and treat each target and port as a stream candidate. This mode does not run discovery and can be useful on restricted networks or when you want to attack a known inventory. Skipping discovery means: • Cameradar does not run discovery and does not detect device models. • Targets resolve to IP addresses. Hostnames resolve via DNS. • CIDR blocks and IPv4 ranges expand to every address in the range. • Large ranges create many targets, so use them carefully. Example: In this example, Cameradar attempts dictionary attacks against ports 554 and 8554 of . Choose the discovery scanner with Cameradar supports two discovery backends: • (default) • Use when you want more reliable RTSP discovery: it performs service identification and can better distinguish RTSP from other open ports. Use when scanning very large networks: it is generally faster and more efficient at scale, but it does not provide service discovery. > [!WARNING] > only applies to the scanner. Security and responsible use Cameradar is a penetration testing tool. Only scan networks and devices you own or have explicit permission to test. Do not use this tool to access unauthorized systems or streams. If you are unsure, stop and get written approval before scanning. Output Cameradar presents results in a readable terminal UI. It logs findings to the console. The report includes discovered hosts, identified device models, and valid routes or credentials. If you specify a path for the flag, Cameradar also writes an M3U playlist with the discovered streams. Check camera access Use VLC Media Player to connect to a stream: Input file format The file can contain IPs, hostnames, IP ranges, and subnets. Separate entries with newlines. Example: When you use , Cameradar expands each entry into explicit IP addresses before building the target list. Command-line options and environment variables The complete CLI and environment variable reference is maintained in Configuration reference. This includes all supported flags, defaults, accepted values, and env var mapping. Build and contribute Docker build Run the following command in the repository root: The resulting image is named . Go build • The binary is now in . Frequently asked questions See Troubleshooting & FAQ Examples > Running cameradar on your own machine to scan for default ports > Running cameradar with an input file, logs enabled on port 8554 > Running cameradar on a subnetwork with custom dictionaries, on ports 554, 5554 and 8554 > Running cameradar with masscan discovery License Copyright 2026 Ullaakut Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.