Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rtsp error for ipcams #1781

Closed
49handyman opened this issue Oct 11, 2019 · 6 comments
Closed

rtsp error for ipcams #1781

49handyman opened this issue Oct 11, 2019 · 6 comments
Assignees
Labels

Comments

@49handyman
Copy link

@49handyman 49handyman commented Oct 11, 2019

NSE: rtsp-url-brute against 192.168.1.12:554 threw an error!

C:\Program Files (x86)\Nmap/nselib/rtsp.lua:87: invalid value (nil) at index 3 in table for 'concat'

stack traceback:

[C]: in function 'table.concat'

C:\Program Files (x86)\Nmap/nselib/rtsp.lua:87: in function <C:\Program Files (x86)\Nmap/nselib/rtsp.lua:77>

[C]: in function 'tostring'

C:\Program Files (x86)\Nmap/nselib/rtsp.lua:208: in function <C:\Program Files (x86)\Nmap/nselib/rtsp.lua:200>

(...tail calls...)

C:\Program Files (x86)\Nmap/scripts\rtsp-url-brute.nse:84: in upvalue 'fetch_url'

C:\Program Files (x86)\Nmap/scripts\rtsp-url-brute.nse:142: in function <C:\Program Files (x86)\Nmap/scripts\rtsp-url-brute.nse:116>

(...tail calls...)

Here is Wireshark capture from vlc

OPTIONS rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp RTSP/1.0
CSeq: 2
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)

RTSP/1.0 200 OK
Server: H264DVR 1.0
Cseq: 2
Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, GET_PARAMETER, SET_PARAMETER, PLAY, PAUSE

DESCRIBE rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp RTSP/1.0
CSeq: 3
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)
Accept: application/sdp

RTSP/1.0 200 OK
Content-Type: application/sdp
Server: H264DVR 1.0
Cseq: 3
Content-Base: rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp
Cache-Control: private
x-Accept-Retransmit: our-retransmit
x-Accept-Dynamic-Rate: 1
Content-Length: 429

v=0
o=- 38990265062388 38990265062388 IN IP4 192.168.1.14
s=RTSP Session
c=IN IP4 192.168.1.14
t=0 0
a=control:*
a=range:npt=0-
m=video 0 RTP/AVP 98
a=rtpmap:98 H265/90000
a=range:npt=0-
a=framerate:0S
a=fmtp:98 profile-id=010101;sprop-pps=RAHA8vA8kA==;sprop-sps=QgEBAWAAAAMAsAAAAwAAAwBdoAKAgC0WNrkky9NwEBAQCA==;sprop-vps=QAEMAf//AWAAAAMAsAAAAwAAAwBdrAk=;sprop-sei=TgHlBM0eAACA;
a=framerate:25
a=control:trackID=3
SETUP rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp/trackID=3 RTSP/1.0
CSeq: 4
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)
Transport: RTP/AVP;unicast;client_port=58558-58559

RTSP/1.0 200 OK
Server: H264DVR 1.0
Cseq: 4
Session: 27804510;timeout=60
Transport: RTP/AVP;unicast;mode=PLAY;source=192.168.1.14;client_port=58558-58559;server_port=40000-40001;ssrc=00001BCC
Cache-Control: private
x-Dynamic-Rate: 1

PLAY rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp RTSP/1.0
CSeq: 5
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)
Session: 27804510
Range: npt=0.000-

RTSP/1.0 200 OK
Server: H264DVR 1.0
Cseq: 5
Range: npt=now-
Session: 27804510

TEARDOWN rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp RTSP/1.0
CSeq: 6
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)
Session: 27804510

@49handyman
Copy link
Author

@49handyman 49handyman commented Oct 11, 2019

these are xm cams and can use it with or without default password if none is set

kc0bfv added a commit to kc0bfv/nmap that referenced this issue Oct 25, 2019
This seemed to fix bug nmap#1781 for me.  table.unpack on self.headers was returning "nil", and causing the error described in that bug.  This addition detects that state in a similar way as the code prior to the most recent commit to this file.  The most recent commit to this file seems to have introduced this bug.
@kc0bfv kc0bfv mentioned this issue Oct 25, 2019
@kc0bfv
Copy link

@kc0bfv kc0bfv commented Oct 25, 2019

I think I had the same issue as you, and decided to try to fix it. Mine seems to work after making the change referenced in my pull request.

@nnposter nnposter self-assigned this Nov 6, 2019
@nnposter nnposter added bug NSE labels Nov 6, 2019
@nnposter
Copy link

@nnposter nnposter commented Nov 6, 2019

The issue has been hopefully rectified in r37751. Please report back if the error persists.

@nmap-bot nmap-bot closed this in 08a6d8d Nov 6, 2019
@nnposter nnposter added the duplicate label Nov 7, 2019
@l4jos
Copy link

@l4jos l4jos commented Jan 11, 2020

Issue appears.
I run nmap --script-updatedb and nmap version is 7.80


#sudo nmap -p 554 --script=rtsp-methods 192.168.52.200 -d
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 20:14 CET
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating ARP Ping Scan at 20:14
Scanning 192.168.52.200 [1 port]
Packet capture filter (device wlan0): arp and arp[18:4] = 0xC8F7339D and arp[22:2] = 0xF053
Completed ARP Ping Scan at 20:14, 0.04s elapsed (1 total hosts)
Overall sending rates: 22.61 packets / s, 949.58 bytes / s.
mass_rdns: Using DNS server 213.109.112.112
mass_rdns: Using DNS server 157.97.63.63
Initiating Parallel DNS resolution of 1 host. at 20:14
mass_rdns: 0.03s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 20:14, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:14
Scanning 192.168.52.200 [1 port]
Packet capture filter (device wlan0): dst host 192.168.52.31 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.52.200)))
Discovered open port 554/tcp on 192.168.52.200
Completed SYN Stealth Scan at 20:14, 0.09s elapsed (1 total ports)
Overall sending rates: 11.63 packets / s, 511.92 bytes / s.
NSE: Script scanning 192.168.52.200.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:14
NSE: Starting rtsp-methods against 192.168.52.200:554.
NSE: rtsp-methods against 192.168.52.200:554 threw an error!
/usr/bin/../share/nmap/nselib/rtsp.lua:87: invalid value (nil) at index 3 in table for 'concat'
stack traceback:
	[C]: in function 'table.concat'
	/usr/bin/../share/nmap/nselib/rtsp.lua:87: in function </usr/bin/../share/nmap/nselib/rtsp.lua:77>
	[C]: in function 'tostring'
	/usr/bin/../share/nmap/nselib/rtsp.lua:208: in function </usr/bin/../share/nmap/nselib/rtsp.lua:200>
	(...tail calls...)
	/usr/bin/../share/nmap/scripts/rtsp-methods.nse:52: in function </usr/bin/../share/nmap/scripts/rtsp-methods.nse:42>
	(...tail calls...)

Completed NSE at 20:14, 0.06s elapsed
Nmap scan report for 192.168.52.200
Host is up, received arp-response (0.014s latency).
Scanned at 2020-01-11 20:14:31 CET for 0s

PORT    STATE SERVICE REASON
554/tcp open  rtsp    syn-ack ttl 64
MAC Address: 64:DB:8B:A7:3E:10 (Hangzhou Hikvision Digital Technology)
Final times for host: srtt: 13540 rttvar: 12778  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
@nnposter
Copy link

@nnposter nnposter commented Jan 11, 2020

Please double-check that your version of nselib/rtsp.lua is newer than November 6.

From the man page:

--script-updatedb
This option updates the script database found in scripts/script.db which is used by Nmap to determine the available default scripts and categories. It is only necessary to update the database if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

The key point here is that the option rebuilds file scripts/script.db, which is a script reference table. It does not update the scripts.

@l4jos
Copy link

@l4jos l4jos commented Jan 12, 2020

wget new version, doing it's job now

PORT    STATE SERVICE
554/tcp open  rtsp
| rtsp-url-brute: 
|   other responses: 
|     401: 
|       rtsp://192.168.52.200/PSIA/Streaming/channels/1
|       rtsp://192.168.52.200/PSIA/Streaming/channels/1?videoCodecType=MPEG4
|       rtsp://192.168.52.200/Streaming/Channels/1
|       rtsp://192.168.52.200/Streaming/Channels/101
|       rtsp://192.168.52.200/Streaming/Channels/102
|       rtsp://192.168.52.200/Streaming/Channels/2
|       rtsp://192.168.52.200/Streaming/Unicast/channels/101
|_      rtsp://192.168.52.200/Streaming/channels/101
MAC Address: 64:DB:8B:A7:3E:10 (Hangzhou Hikvision Digital Technology)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.