
BEHOLDERISHERE cheat sheets are an indispensable tool for cybersecurity and digital incident investigation professionals. These cheat sheets provide detailed instructions and methods for extracting data from video surveillance systems (CCTV), allowing you to obtain valuable evidence and information for conducting investigations and analyzing events. With BEHOLDERISHERE’s cheat sheets, cyber security professionals can quickly and efficiently access surveillance footage using various techniques and methods.
Default ports and protocols used:
HTTP (Hypertext Transfer Protocol): Port: 80 (usually used for insecure HTTP) or 8080.
HTTPS (Hypertext Transfer Protocol Secure): Port: 443 (usually used for secure HTTPS).
RTSP (Real-Time Streaming Protocol): Port: 554 (usually used for real-time streaming).
RTMP (Real-Time Messaging Protocol): Port: 1935 (Typically used for real-time video streaming).
ONVIF (Open Network Video Interface Forum): Port: 8000, 8899, 6688 (usually used to communicate with ONVIF-enabled devices).
FTP (File Transfer Protocol): Port: 21 or 20 (21 is used for connection, 20 for data transfer).
SSH (Secure Shell): Port: 22 (usually used for remote access to an encrypted connection device).
Telnet: Port: 23 (usually used for remote device management).
DVR-IP, NetSurveillance, Sofia Port: TCP 34567 and UDP 34568 (used by the NETSurveillance ActiveX component).
Complete list of standard settings: https://www.ispyconnect.com/userguide-default-passwords.aspx
Example of a search query: product:
“IP Camera” city:”New York” has_screenshot:true -“admin login” port:554 os:”Linux” org:”Hikvision” country:”USA”
In this example, we use several operators to refine our search:
product:” IP Camera” – a filter that indicates a specific product or device. In this case, we are looking for devices with the “IP Camera” product.
city:”New York” is a filter used to limit the search by city. In this case, we are looking for devices located in the city of “Moscow”.
has_screenshot:true is a filter that indicates that we are looking for devices for which screenshots are available.
-“admin login” – operator “-“ is used to exclude certain words or phrases from search results. In this case, we exclude devices in which the phrase “admin login” occurs.
Port: 554 – a filter indicating a specific port. In this case, we’re looking for devices that use port 554, which is often associated with RTSP for video streaming.
os:”Linux” is a filter that indicates the device’s operating system. In this case, we are looking for devices that run on the Linux operating system.
org:”Hikvision” is a filter used to search for devices belonging to a specific organization. In this case, we are looking for devices from the manufacturer “Hikvision”.
country:”US” is a filter used to limit the search by country. In this case, we’re looking for devices located in the US.
intext:” Powered by IP Camera Viewer” – searches web pages containing the text “Powered by IP Camera Viewer”.
intitle:”Network Camera” inurl:top.htm – Searches for web pages with the title “Network Camera” and a URL containing “top.htm”.
intitle:”Live View / – AXIS” – search for web pages with the title “Live View / – AXIS”.
intitle:”D-Link” inurl:top.htm – Search for web pages with the title “D-Link” and a URL containing “top.htm”.
intitle:”Network Camera” intext:”Video Web Server” – searches for web pages with the name “Network Camera” and containing the text “Video Web Server”.
inurl:view/view.shtml – searches for web pages with the URL “view/view.shtml”.
intitle:”Hikvision” inurl:”/login.html” – Search web pages with the title “Hikvision” and the URL contains “/login.html”.
site:axis.com intitle:” Live View / – AXIS” – searches for web pages on the axis.com site with the title “Live View / – AXIS”.
inurl:”/nphMotionJpeg? Resolution=” – searches web pages that contain “/nphMotionJpeg? Resolution=”.
inurl:/cgi-bin/guestimage.html – searches for web pages with “/cgi-bin/guestimage.html” in the URL.
http://username:password@ip_address:port/path/to/mjpeg/stream
username – username for authentication, if required.
password – password for authentication, if required.
ip_address – IP address of the device or source of the MJPEG stream.
port – the port to connect to the device or source of the MJPEG stream (usually 80).
path/to/mjpeg/stream – the path or location of the MJPEG stream on the device.
rtsp://username:password@ip_address:port/onvif/profile/profile_token
username – username for ONVIF authentication.
password – password for ONVIF authentication.
ip_address – IP address of the ONVIF device.
port – the port to connect to the ONVIF device (usually 80 or 554).
profile_token is the ONVIF media service profile token.
rtsp://username:password@ip_address:port/video_stream
username – username for authentication.
password – password for authentication.
ip_address – IP address of the device or video stream source.
port – the port to connect to the device or stream source (usually 554 for RTSP).
video_stream – The path or stream ID for the video stream.
The specific stream path can be determined using Fiddler or Wireshark
ZoomEye is a Chinese search engine for discovering network devices and web services. It works similarly to Shodan and Censys, scanning the Internet to collect information about connected devices, including their types, software versions, ports used, and other characteristics.
Censys is a similar search engine used to discover and analyze all devices and services connected to the Internet. It collects data by scanning open ports and using SSL certificates to gather information about servers, network equipment, and IoT devices.
Thingful is an IoT search engine that allows users to find information about the location and status of various IoT devices around the world. It indexes data from public and private sources, providing the ability to view and analyze information about weather stations, air quality sensors, mobile devices and other IoT objects.
Shodan is a search engine that scans the Internet for various network-connected devices such as servers, webcams, printers, routers, and other IoT (Internet of Things) devices. It allows users to find specific types of devices using various filters such as geolocation, port used or vulnerabilities.