简体中文 | English

Introduction

=======

Mainly for the vulnerability scanning framework of network cameras, it has integrated common equipment such as Hikvision, Dahua, and Uniview. More camera devices and router devices will be added later.

Install

Windows still has some bugs, Linux and Mac can be used normally. Please make sure to install Python 3.7 and above, 3.8 is recommended

• clone the repository:

git clone https://github.com/avikowy/Ingram.git

• Enter the project directory to install dependencies:

cd Ingram
pip3 install virtualenv
python3 -m virtualenv venv
source venv/bin/activate

• 安装依赖:

pip3 install -r requirements.txt

So far the installation is complete!

run

• You need to prepare a target file, such as target.txt, which stores the IP addresses you want to scan, one target per line, the specific format is as follows:

# You can use the pound sign (#) to comment
# single IP address
192.168.0.1
# IP address and port to scan
192.168.0.2:80
# IP segment with '/'
192.168.0.0/16
# IP segment with '-'
192.168.0.0-192.168.255.255

• run after:

python run_ingram.py -i files you want to scan -o output folder

• port: If the target port is specified in the target.txt file, for example: 192.168.6.6:8000, then the target port 8000 will be scanned

Otherwise, only common ports are scanned by default. If you want to scan other ports in batches, you need to specify them yourself, for example:

python run_ingram.py -i files you want to scan -o output folder -p 80 81 8000

• The default number of concurrency may be so easy for your broadband, you can increase it appropriately according to the network conditions, for example, increasing the number of concurrency to 800 on my test machine still works well, and the speed is extremely fast:

python run_ingram.py -i files you want to scan -o output folder -t 800

• other parameters:

optional arguments:
  -h, --help print parameter information
  -i IN_FILE, --in_file IN_FILE
                        file to scan
  -o OUT_DIR, --out_dir OUT_DIR
                        Scan result output path
  -p PORT [PORT ...], --port PORT [PORT ...]
                        The port to scan, you can specify multiple ports, such as -p 80 81 82
  -t TH_NUM, --th_num TH_NUM
                        The number of concurrent, adjusted according to the network conditions
  -T TIME_OUT, --time_out TIME_OUT
                        time out
  --debug debug mode

• (Optional) The scan time may be very long, if you want to send a reminder via WeChat when the program scan is over, you need to follow [wxpusher](https://wxpusher.zjiecode.com/docs /) to get your own UID and APP_TOKEN and write them into run_ingram.py: =======

端口扫描器

• 我们可以利用强大的端口扫描器来获取活动主机，进而缩小 Ingram 的扫描范围，提高运行速度，具体做法是将端口扫描器的结果文件整理成 ip:port 的格式，并作为 Ingram 的输入

• 这里以 masscan 为例简单演示一下（masscan 的详细用法这里不再赘述），首先用 masscan 扫描 80 或 8000-8008 端口存活的主机：masscan -p80,8000-8008 -iL 目标文件 -oL 结果文件 --rate 8000

• masscan 运行完之后，将结果文件整理一下：grep 'open' 结果文件 | awk '{printf"%s:%s\n", $4, $3} > targets'

• 之后对这些主机进行扫描：python run_ingram.py -i targets -o out

微信提醒(可有可无)

• (可选) 扫描时间可能会很长，如果你想让程序扫描结束的时候通过微信发送一条提醒的话，你需要按照 wxpusher 的指示来获取你的专属 UID 和 APP_TOKEN，并将其写入 run_ingram.py:

#wechat
config.set_val('WXUID', 'write uid here')
config.set_val('WXTOKEN', 'write token here')

• Support interruption recovery, but because the running status is recorded every 5 minutes, it cannot accurately restore to the last running status. (It's rough here, it will be adjusted in the next version)

result

.
├── not_vulnerable.csv
├── results.csv
├── snapshots
└── log.txt

• results.csv saves the complete results in the format: ip,port,devicetype,username,password,vulnerability entry:

• not_vulnerable.csv stores unexposed devices

• snapshots stores snapshots of some devices:

Live Preview (removed for some reasons)

• You can log in directly through the browser to preview

• If you want to view batches, we provide a script show/show_rtsp/show_all.py, but it still has some problems :

Changelog

• [2022-06-11] Optimize running speed, support storage of non-exposed devices, support interrupt recovery

• [2022-07-23] Username and password can be obtained through CVE-2021-33044(Dahua)! Modify the camera snapshot logic (replace rtsp with http), optimize the running speed

  • Because the new version has added some dependency packages, the environment needs to be reconfigured!!!

• [2022-08-05] Added CVE-2021-33045 (Dahua NVR), but because the account password of the NVR device may not be the same as that of the real camera, the snapshot function does not always work

• [2022-08-06] Added a password exposure module for Uniview devices, but snapshots are not currently supported

• [2022-08-17] A relatively large update, we refactored all the code (need to reconfigure the environment), as follows:

  • Refactored the code structure to facilitate the integration of more vulnerabilities in the future, removed some dependent packages, and reduced hyperparameters
  • Replaced multi-threading with coroutines, the speed is significantly improved than before
  • Solved the bug that the child process could not be closed automatically
  • Removed support for masscan, because the new version will automatically detect the port, of course, you can also extract the result ip of masscan as the input of Ingram
  • Removed several device-related hyperparameters, the new version will automatically detect the device
  • No built-in iplist, because it takes up too much space and is inconvenient to maintain, you can find it online yourself if you need it
  • Solved the problem of memory explosion when reading large files

Disclaimer

This tool is for security testing only, and is strictly prohibited for illegal use, and the consequences have nothing to do with the team

Acknowledgments & Quotes

Thanks to Aiminsun for CVE-2021-36260
Thanks to chrisjd20 for hidvision config file decryptor
Thanks to mcw0 for DahuaConsole