Advanced IP Camera Security Assessment Framework
A comprehensive vulnerability scanning and exploitation framework for IP cameras, designed for authorized penetration testing and security assessments.
This tool is provided for authorized security testing and educational purposes only.
By using ShutterShell, you agree that:
- You have explicit written authorization to test the target systems
- You understand and comply with all applicable local, state, national, and international laws
- You will not use this tool for any illegal or unauthorized purposes
- The developers and contributors of ShutterShell are NOT responsible for any misuse, damage, or legal consequences resulting from the use of this tool
- Any unauthorized access to computer systems is a criminal offense and may result in prosecution
- The developers assume NO liability and are NOT responsible for any misuse or damage caused by this software
Use responsibly. Always obtain proper authorization before testing.
- Features
- Supported Devices
- Installation
- Quick Start
- Usage Guide
- Tools
- Vulnerability Modules
- Output Format
- Architecture
- Troubleshooting
- Contributing
- License
| Feature | Description |
|---|---|
| Multi-Brand Scanning | Supports 40+ camera brands worldwide |
| CVE Exploitation | 15+ CVE exploit modules for known vulnerabilities |
| Weak Password Detection | Configurable credential lists with 200+ default passwords |
| Camera Snapshots | Capture live feeds from vulnerable cameras |
| ONVIF Discovery | Discover and test ONVIF-compatible devices |
| Brute Force | FTP, Telnet, and RTSP brute force modules |
| Concurrent Scanning | High-performance async scanning with gevent |
| Resume Capability | Interrupt and resume scans without losing progress |
| CSV Reports | Structured output for easy analysis |
| Feature | Description |
|---|---|
| Config Extraction | Download and decrypt Hikvision configuration files |
| Credential Recovery | Extract usernames/passwords from encrypted configs |
| Auto-Extract | Continuous monitoring and extraction during scans |
| Fingerprinting | Identify camera brands via HTTP headers, titles, and favicons |
| Snapshot Pipeline | Multi-threaded snapshot capture with retry logic |
| State Persistence | Automatic save/resume of scan progress |
| Web Dashboard | Real-time monitoring interface with auto-refresh |
| HTML Reports | Visual reports with charts and snapshot thumbnails |
| Fast Extraction | Multi-threaded config extraction with rate limiting |
| Brand | Vulnerabilities | Status |
|---|---|---|
| Hikvision | CVE-2017-7921, CVE-2021-36260, Config Leak, Weak Password | β Full |
| Dahua | CVE-2021-33044/33045, CVE-2023-6895, Hardcoded Creds | β Full |
| Uniview | Disclosure, Weak Password | β Full |
| Axis | CVE-2023-47565, Weak Password | β Full |
| Foscam | Weak Password | β Full |
| AVTech | Weak Password | β Full |
| GeoVision | Weak Password | β Full |
| Xiongmai | Bypass, Weak Password | β Full |
| Netwave | CVE-2018-17240, CVE-2018-6479 | β Full |
| ONVIF Devices | Discovery, Credential Testing | β Full |
Amcrest, CP Plus, Instar, IP Camera, Nuuo, ReeCam, Tenda,
D-Link DCS, DVR, Panasonic, Sony, Bosch, FLIR,
Mobotix, Vivotek, Reolink, YI, EZVIZ, UNV,
Tiandy, Sricam, Zoom, Q-See, Swann, Night Owl,
iCare, XVIM, SANNCE, ZOSI, Wanscam, Shixin,
KDLink, JOOAN, HiPC, HDCVI, CVILUX, Samsung,
Prama, Secureye, Zebronics, TVT, Jovision, Vicon,
KBVision, Gallagher, i-Pro, IndigoVision, Pelco,
Arecont Vision, Avigilon, Milestone
- Python >= 3.8 (Python 3.10-3.11 recommended)
- Linux or macOS (Windows not recommended)
- pip (Python package manager)
# Clone the repository
git clone https://github.com/UsamaSarwar121/ShutterShell-v2.git
cd ShutterShell-v2
# Create virtual environment
python3 -m virtualenv venv
source venv/bin/activate
# Install dependencies
pip3 install -r requirements.txtgevent # Async networking
requests # HTTP client
loguru # Logging
lxml # XML parsing
pycryptodome # AES decryption
flask # Web dashboard
Create targets.txt with IP addresses, ranges, or CIDR notation:
# Single IP
192.168.1.100
# IP with specific port
192.168.1.100:80
# CIDR range
192.168.1.0/24
# IP range
192.168.1.1-192.168.1.255
# Comments start with #
python3 run_shuttershell.py -i targets.txt -o results# View vulnerable targets
cat results/results.csv
# View snapshots
ls results/snapshots/python3 run_shuttershell.py -i targets.txt -o outputBy default, ShutterShell scans common camera ports:
80, 81, 82, 83, 84, 85, 88, 443, 554, 2051,
8000, 8001, 8080-8090, 8181, 8443, 8888, 9000,
37777, 49152, 55555
Override with custom ports:
python3 run_shuttershell.py -i targets.txt -o output -p 80 8080 8443Adjust the number of concurrent coroutines:
# Low concurrency (slower, less network load)
python3 run_shuttershell.py -i targets.txt -o output -t 30
# High concurrency (faster, more network load)
python3 run_shuttershell.py -i targets.txt -o output -t 200Use your own username/password lists:
python3 run_shuttershell.py -i targets.txt -o output \
--users usernames.txt \
--passwords passwords.txtScans automatically save progress. To resume:
# Simply run the same command again
python3 run_shuttershell.py -i targets.txt -o output
# Or start fresh (ignore previous state)
python3 run_shuttershell.py -i targets.txt -o output --no-resumeSkip snapshot capture for faster scanning:
python3 run_shuttershell.py -i targets.txt -o output -DExtract and decrypt Hikvision configuration files from scan results.
python3 extract_configs.py -i results.csv -o extractedFeatures:
- Downloads configs via CVE-2017-7921 unauthenticated endpoint
- Decrypts AES-ECB encrypted Hikvision configs
- Extracts usernames and passwords
- Saves individual config files
Multi-threaded config extraction with rate limiting (20x faster).
python3 fast_extract.py -i results.csv -o extracted -w 20 --rps 50Options:
-w, --workers Worker threads (default: 20)
--rps Requests per second (default: 50)
-t, --timeout Request timeout (default: 5)Continuously monitor scan results and auto-extract configs.
python3 auto_extract.py -i results.csv -o auto_extracted --interval 60Generate visual HTML reports with charts and snapshot thumbnails.
python3 generate_report.py -i results_dir -o report.htmlReal-time monitoring interface with auto-refresh.
python3 web_dashboard.py -d results_dir --port 8080Access at: http://localhost:8080
| Module | CVE | Target | Impact |
|---|---|---|---|
cve-2017-7921 |
CVE-2017-7921 | Hikvision | Auth bypass, config leak |
cve-2021-36260 |
CVE-2021-36260 | Hikvision | Command injection |
cve-2021-33044 |
CVE-2021-33044 | Dahua | Auth bypass |
cve-2021-33045 |
CVE-2021-33045 | Dahua | Auth bypass |
cve-2022-30564 |
CVE-2022-30564 | Dahua | Remote code execution |
cve-2023-6895 |
CVE-2023-6895 | Dahua | Information disclosure |
cve-2023-47565 |
CVE-2023-47565 | Axis | Remote code execution |
cve-2018-17240 |
CVE-2018-17240 | Netwave | Memory dump |
cve-2018-6479 |
CVE-2018-6479 | Netwave | Denial of service |
cve-2018-9995 |
CVE-2018-9995 | DVR | Auth bypass |
cve-2020-25078 |
CVE-2020-25078 | D-Link | Config disclosure |
| Module | Target | Method |
|---|---|---|
hikvision-weak-password |
Hikvision | HTTP Digest |
dahua-weak-password |
Dahua | RPC login |
uniview-weak-password |
Uniview | HTTP Basic |
axis-weak-password |
Axis | HTTP Basic |
avtech-weak-password |
AVTech | HTTP |
geovision-weak-password |
GeoVision | HTTP |
foscam-weak-password |
Foscam | HTTP |
netwave-weak-password |
Netwave | HTTP |
instar-weak-password |
Instar | HTTP |
dvr-weak-password |
DVR | HTTP |
| Module | Protocol | Target |
|---|---|---|
ftp-brute |
FTP | Any FTP service |
telnet-brute |
Telnet | Any Telnet service |
rtsp-brute |
RTSP | RTSP streams |
| Module | Description |
|---|---|
onvif-discovery |
ONVIF service discovery and credential testing |
camera-snapshot |
Generic snapshot grabber for unauthenticated cameras |
hikvision-config-leak |
Hikvision configuration file disclosure |
dahua-hardcoded |
Dahua hardcoded/backdoor credentials |
xiongmai-bypass |
Xiongmai authentication bypass |
output/
βββ results.csv # Vulnerable devices
βββ not_vulnerable.csv # Scanned but not vulnerable
βββ snapshots/ # Captured camera snapshots
βββ log.txt # Detailed scan log
βββ .state # Resume state (hidden)
ip,port,device_type,username,password,vulnerability
192.168.1.100,80,hikvision,admin,admin123,hikvision-weak-password
192.168.1.101,80,dahua,,,dahua-weak-password
192.168.1.102,80,hikvision,,,hikvision-config-leak-unauthShutterShell/
βββ core.py # Main scanning engine
βββ data.py # Data flow and state management
βββ config.py # Global configuration
βββ pocs/ # Vulnerability modules
β βββ base.py # Base POC class
β βββ __init__.py # Auto-loader
β βββ *.py # Individual POCs
βββ utils/ # Utilities
β βββ fingerprint.py # Device fingerprinting
β βββ port_scan.py # Port scanning
β βββ logo.py # ASCII art logo
β βββ ...
βββ lib/ # External libraries
β βββ DahuaConsole/ # Dahua interaction library
βββ rules.csv # Fingerprint rules
βββ snapshot_urls.py # Snapshot URL patterns
βββ extract_configs.py # Config extractor
βββ fast_extract.py # Fast multi-threaded extractor
βββ auto_extract.py # Auto-extraction monitor
βββ generate_report.py # HTML report generator
βββ web_dashboard.py # Web dashboard
βββ run_shuttershell.py # Main entry point
"gevent Waiter.switch error"
This is a known gevent compatibility warning.
The scan continues normally despite this message.
"Connection timeout"
# Increase timeout
python3 run_shuttershell.py -i targets.txt -o output -T 10
# Reduce concurrency
python3 run_shuttershell.py -i targets.txt -o output -t 30"No module named 'Crypto'"
pip3 install pycryptodome"No module named 'flask'"
pip3 install flask- Pre-filter with masscan - Reduces scan time dramatically
- Adjust concurrency - Start with
-t 50, increase if stable - Disable snapshots - Use
-Dfor faster scanning - Use specific ports -
-p 80 8080instead of all ports - Custom credential lists - Smaller lists = faster scans
- Use fast extractor - 20x faster than standard extraction
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
ShutterShell is provided "as is" without warranty of any kind, express or implied. The developers shall not be held responsible for any damages arising from the use of this software. Always use this tool responsibly and only on systems you have explicit authorization to test.