Skip to content

UsamaSarwar121/ShutterShell-v2

Repository files navigation

πŸ”₯ ShutterShell

Advanced IP Camera Security Assessment Framework

A comprehensive vulnerability scanning and exploitation framework for IP cameras, designed for authorized penetration testing and security assessments.

Platform Python License Status


⚠️ Legal Disclaimer

This tool is provided for authorized security testing and educational purposes only.

By using ShutterShell, you agree that:

  • You have explicit written authorization to test the target systems
  • You understand and comply with all applicable local, state, national, and international laws
  • You will not use this tool for any illegal or unauthorized purposes
  • The developers and contributors of ShutterShell are NOT responsible for any misuse, damage, or legal consequences resulting from the use of this tool
  • Any unauthorized access to computer systems is a criminal offense and may result in prosecution
  • The developers assume NO liability and are NOT responsible for any misuse or damage caused by this software

Use responsibly. Always obtain proper authorization before testing.


πŸ“‹ Table of Contents


πŸš€ Features

Core Capabilities

Feature Description
Multi-Brand Scanning Supports 40+ camera brands worldwide
CVE Exploitation 15+ CVE exploit modules for known vulnerabilities
Weak Password Detection Configurable credential lists with 200+ default passwords
Camera Snapshots Capture live feeds from vulnerable cameras
ONVIF Discovery Discover and test ONVIF-compatible devices
Brute Force FTP, Telnet, and RTSP brute force modules
Concurrent Scanning High-performance async scanning with gevent
Resume Capability Interrupt and resume scans without losing progress
CSV Reports Structured output for easy analysis

Advanced Features

Feature Description
Config Extraction Download and decrypt Hikvision configuration files
Credential Recovery Extract usernames/passwords from encrypted configs
Auto-Extract Continuous monitoring and extraction during scans
Fingerprinting Identify camera brands via HTTP headers, titles, and favicons
Snapshot Pipeline Multi-threaded snapshot capture with retry logic
State Persistence Automatic save/resume of scan progress
Web Dashboard Real-time monitoring interface with auto-refresh
HTML Reports Visual reports with charts and snapshot thumbnails
Fast Extraction Multi-threaded config extraction with rate limiting

πŸ“· Supported Devices

Camera Brands

Brand Vulnerabilities Status
Hikvision CVE-2017-7921, CVE-2021-36260, Config Leak, Weak Password βœ… Full
Dahua CVE-2021-33044/33045, CVE-2023-6895, Hardcoded Creds βœ… Full
Uniview Disclosure, Weak Password βœ… Full
Axis CVE-2023-47565, Weak Password βœ… Full
Foscam Weak Password βœ… Full
AVTech Weak Password βœ… Full
GeoVision Weak Password βœ… Full
Xiongmai Bypass, Weak Password βœ… Full
Netwave CVE-2018-17240, CVE-2018-6479 βœ… Full
ONVIF Devices Discovery, Credential Testing βœ… Full

Additional Supported Brands

Amcrest, CP Plus, Instar, IP Camera, Nuuo, ReeCam, Tenda, 
D-Link DCS, DVR, Panasonic, Sony, Bosch, FLIR, 
Mobotix, Vivotek, Reolink, YI, EZVIZ, UNV, 
Tiandy, Sricam, Zoom, Q-See, Swann, Night Owl,
iCare, XVIM, SANNCE, ZOSI, Wanscam, Shixin, 
KDLink, JOOAN, HiPC, HDCVI, CVILUX, Samsung,
Prama, Secureye, Zebronics, TVT, Jovision, Vicon,
KBVision, Gallagher, i-Pro, IndigoVision, Pelco,
Arecont Vision, Avigilon, Milestone

πŸ“¦ Installation

Prerequisites

  • Python >= 3.8 (Python 3.10-3.11 recommended)
  • Linux or macOS (Windows not recommended)
  • pip (Python package manager)

Install

# Clone the repository
git clone https://github.com/UsamaSarwar121/ShutterShell-v2.git
cd ShutterShell-v2

# Create virtual environment
python3 -m virtualenv venv
source venv/bin/activate

# Install dependencies
pip3 install -r requirements.txt

Dependencies

gevent          # Async networking
requests        # HTTP client
loguru          # Logging
lxml            # XML parsing
pycryptodome    # AES decryption
flask           # Web dashboard

🎯 Quick Start

1. Create a Target File

Create targets.txt with IP addresses, ranges, or CIDR notation:

# Single IP
192.168.1.100

# IP with specific port
192.168.1.100:80

# CIDR range
192.168.1.0/24

# IP range
192.168.1.1-192.168.1.255

# Comments start with #

2. Run the Scanner

python3 run_shuttershell.py -i targets.txt -o results

3. Check Results

# View vulnerable targets
cat results/results.csv

# View snapshots
ls results/snapshots/

πŸ“– Usage Guide

Basic Scanning

python3 run_shuttershell.py -i targets.txt -o output

Custom Ports

By default, ShutterShell scans common camera ports:

80, 81, 82, 83, 84, 85, 88, 443, 554, 2051, 
8000, 8001, 8080-8090, 8181, 8443, 8888, 9000, 
37777, 49152, 55555

Override with custom ports:

python3 run_shuttershell.py -i targets.txt -o output -p 80 8080 8443

Concurrency Control

Adjust the number of concurrent coroutines:

# Low concurrency (slower, less network load)
python3 run_shuttershell.py -i targets.txt -o output -t 30

# High concurrency (faster, more network load)
python3 run_shuttershell.py -i targets.txt -o output -t 200

Custom Credentials

Use your own username/password lists:

python3 run_shuttershell.py -i targets.txt -o output \
    --users usernames.txt \
    --passwords passwords.txt

Resume Interrupted Scans

Scans automatically save progress. To resume:

# Simply run the same command again
python3 run_shuttershell.py -i targets.txt -o output

# Or start fresh (ignore previous state)
python3 run_shuttershell.py -i targets.txt -o output --no-resume

Disable Snapshots

Skip snapshot capture for faster scanning:

python3 run_shuttershell.py -i targets.txt -o output -D

πŸ› οΈ Tools

Config Extractor

Extract and decrypt Hikvision configuration files from scan results.

python3 extract_configs.py -i results.csv -o extracted

Features:

  • Downloads configs via CVE-2017-7921 unauthenticated endpoint
  • Decrypts AES-ECB encrypted Hikvision configs
  • Extracts usernames and passwords
  • Saves individual config files

Fast Extractor

Multi-threaded config extraction with rate limiting (20x faster).

python3 fast_extract.py -i results.csv -o extracted -w 20 --rps 50

Options:

-w, --workers    Worker threads (default: 20)
--rps            Requests per second (default: 50)
-t, --timeout    Request timeout (default: 5)

Auto-Extract

Continuously monitor scan results and auto-extract configs.

python3 auto_extract.py -i results.csv -o auto_extracted --interval 60

HTML Report Generator

Generate visual HTML reports with charts and snapshot thumbnails.

python3 generate_report.py -i results_dir -o report.html

Web Dashboard

Real-time monitoring interface with auto-refresh.

python3 web_dashboard.py -d results_dir --port 8080

Access at: http://localhost:8080


πŸ” Vulnerability Modules

CVE Exploits

Module CVE Target Impact
cve-2017-7921 CVE-2017-7921 Hikvision Auth bypass, config leak
cve-2021-36260 CVE-2021-36260 Hikvision Command injection
cve-2021-33044 CVE-2021-33044 Dahua Auth bypass
cve-2021-33045 CVE-2021-33045 Dahua Auth bypass
cve-2022-30564 CVE-2022-30564 Dahua Remote code execution
cve-2023-6895 CVE-2023-6895 Dahua Information disclosure
cve-2023-47565 CVE-2023-47565 Axis Remote code execution
cve-2018-17240 CVE-2018-17240 Netwave Memory dump
cve-2018-6479 CVE-2018-6479 Netwave Denial of service
cve-2018-9995 CVE-2018-9995 DVR Auth bypass
cve-2020-25078 CVE-2020-25078 D-Link Config disclosure

Weak Password Modules

Module Target Method
hikvision-weak-password Hikvision HTTP Digest
dahua-weak-password Dahua RPC login
uniview-weak-password Uniview HTTP Basic
axis-weak-password Axis HTTP Basic
avtech-weak-password AVTech HTTP
geovision-weak-password GeoVision HTTP
foscam-weak-password Foscam HTTP
netwave-weak-password Netwave HTTP
instar-weak-password Instar HTTP
dvr-weak-password DVR HTTP

Brute Force Modules

Module Protocol Target
ftp-brute FTP Any FTP service
telnet-brute Telnet Any Telnet service
rtsp-brute RTSP RTSP streams

Special Modules

Module Description
onvif-discovery ONVIF service discovery and credential testing
camera-snapshot Generic snapshot grabber for unauthenticated cameras
hikvision-config-leak Hikvision configuration file disclosure
dahua-hardcoded Dahua hardcoded/backdoor credentials
xiongmai-bypass Xiongmai authentication bypass

πŸ“Š Output Format

Directory Structure

output/
β”œβ”€β”€ results.csv           # Vulnerable devices
β”œβ”€β”€ not_vulnerable.csv    # Scanned but not vulnerable
β”œβ”€β”€ snapshots/            # Captured camera snapshots
β”œβ”€β”€ log.txt               # Detailed scan log
└── .state                # Resume state (hidden)

Results CSV Format

ip,port,device_type,username,password,vulnerability
192.168.1.100,80,hikvision,admin,admin123,hikvision-weak-password
192.168.1.101,80,dahua,,,dahua-weak-password
192.168.1.102,80,hikvision,,,hikvision-config-leak-unauth

πŸ—οΈ Architecture

ShutterShell/
β”œβ”€β”€ core.py              # Main scanning engine
β”œβ”€β”€ data.py              # Data flow and state management
β”œβ”€β”€ config.py            # Global configuration
β”œβ”€β”€ pocs/                # Vulnerability modules
β”‚   β”œβ”€β”€ base.py          # Base POC class
β”‚   β”œβ”€β”€ __init__.py      # Auto-loader
β”‚   └── *.py             # Individual POCs
β”œβ”€β”€ utils/               # Utilities
β”‚   β”œβ”€β”€ fingerprint.py   # Device fingerprinting
β”‚   β”œβ”€β”€ port_scan.py     # Port scanning
β”‚   β”œβ”€β”€ logo.py          # ASCII art logo
β”‚   └── ...
β”œβ”€β”€ lib/                 # External libraries
β”‚   └── DahuaConsole/    # Dahua interaction library
β”œβ”€β”€ rules.csv            # Fingerprint rules
β”œβ”€β”€ snapshot_urls.py     # Snapshot URL patterns
β”œβ”€β”€ extract_configs.py   # Config extractor
β”œβ”€β”€ fast_extract.py      # Fast multi-threaded extractor
β”œβ”€β”€ auto_extract.py      # Auto-extraction monitor
β”œβ”€β”€ generate_report.py   # HTML report generator
β”œβ”€β”€ web_dashboard.py     # Web dashboard
└── run_shuttershell.py  # Main entry point

❓ Troubleshooting

Common Issues

"gevent Waiter.switch error"

This is a known gevent compatibility warning. 
The scan continues normally despite this message.

"Connection timeout"

# Increase timeout
python3 run_shuttershell.py -i targets.txt -o output -T 10

# Reduce concurrency
python3 run_shuttershell.py -i targets.txt -o output -t 30

"No module named 'Crypto'"

pip3 install pycryptodome

"No module named 'flask'"

pip3 install flask

Performance Tips

  1. Pre-filter with masscan - Reduces scan time dramatically
  2. Adjust concurrency - Start with -t 50, increase if stable
  3. Disable snapshots - Use -D for faster scanning
  4. Use specific ports - -p 80 8080 instead of all ports
  5. Custom credential lists - Smaller lists = faster scans
  6. Use fast extractor - 20x faster than standard extraction

🀝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/AmazingFeature)
  3. Commit your changes (git commit -m 'Add some AmazingFeature')
  4. Push to the branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

πŸ“œ License

This project is licensed under the MIT License - see the LICENSE file for details.


⚠️ Disclaimer

ShutterShell is provided "as is" without warranty of any kind, express or implied. The developers shall not be held responsible for any damages arising from the use of this software. Always use this tool responsibly and only on systems you have explicit authorization to test.


⚠️ Use responsibly. Always obtain proper authorization before testing.

About

Advanced IP Camera Security Assessment Framework for Authorized Penetration Testing

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages