rtsp error for ipcams

[49handyman]

NSE: rtsp-url-brute against 192.168.1.12:554 threw an error!

C:\Program Files (x86)\Nmap/nselib/rtsp.lua:87: invalid value (nil) at index 3 in table for 'concat'

stack traceback:

[C]: in function 'table.concat'

C:\Program Files (x86)\Nmap/nselib/rtsp.lua:87: in function <C:\Program Files (x86)\Nmap/nselib/rtsp.lua:77>

[C]: in function 'tostring'

C:\Program Files (x86)\Nmap/nselib/rtsp.lua:208: in function <C:\Program Files (x86)\Nmap/nselib/rtsp.lua:200>

(...tail calls...)

C:\Program Files (x86)\Nmap/scripts\rtsp-url-brute.nse:84: in upvalue 'fetch_url'

C:\Program Files (x86)\Nmap/scripts\rtsp-url-brute.nse:142: in function <C:\Program Files (x86)\Nmap/scripts\rtsp-url-brute.nse:116>

(...tail calls...)

Here is Wireshark capture from vlc

OPTIONS rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp RTSP/1.0
CSeq: 2
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)

RTSP/1.0 200 OK
Server: H264DVR 1.0
Cseq: 2
Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, GET_PARAMETER, SET_PARAMETER, PLAY, PAUSE

DESCRIBE rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp RTSP/1.0
CSeq: 3
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)
Accept: application/sdp

RTSP/1.0 200 OK
Content-Type: application/sdp
Server: H264DVR 1.0
Cseq: 3
Content-Base: rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp
Cache-Control: private
x-Accept-Retransmit: our-retransmit
x-Accept-Dynamic-Rate: 1
Content-Length: 429

v=0
o=- 38990265062388 38990265062388 IN IP4 192.168.1.14
s=RTSP Session
c=IN IP4 192.168.1.14
t=0 0
a=control:*
a=range:npt=0-
m=video 0 RTP/AVP 98
a=rtpmap:98 H265/90000
a=range:npt=0-
a=framerate:0S
a=fmtp:98 profile-id=010101;sprop-pps=RAHA8vA8kA==;sprop-sps=QgEBAWAAAAMAsAAAAwAAAwBdoAKAgC0WNrkky9NwEBAQCA==;sprop-vps=QAEMAf//AWAAAAMAsAAAAwAAAwBdrAk=;sprop-sei=TgHlBM0eAACA;
a=framerate:25
a=control:trackID=3
SETUP rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp/trackID=3 RTSP/1.0
CSeq: 4
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)
Transport: RTP/AVP;unicast;client_port=58558-58559

RTSP/1.0 200 OK
Server: H264DVR 1.0
Cseq: 4
Session: 27804510;timeout=60
Transport: RTP/AVP;unicast;mode=PLAY;source=192.168.1.14;client_port=58558-58559;server_port=40000-40001;ssrc=00001BCC
Cache-Control: private
x-Dynamic-Rate: 1

PLAY rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp RTSP/1.0
CSeq: 5
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)
Session: 27804510
Range: npt=0.000-

RTSP/1.0 200 OK
Server: H264DVR 1.0
Cseq: 5
Range: npt=now-
Session: 27804510

TEARDOWN rtsp://192.168.1.14:554/user=admin_password=_channel=1_stream=0.sdp RTSP/1.0
CSeq: 6
User-Agent: LibVLC/3.0.8 (LIVE555 Streaming Media v2016.11.28)
Session: 27804510

[49handyman]

these are xm cams and can use it with or without default password if none is set

[kc0bfv]

I think I had the same issue as you, and decided to try to fix it. Mine seems to work after making the change referenced in my pull request.

[nnposter]

The issue has been hopefully rectified in r37751. Please report back if the error persists.

[l4jos]

Issue appears.
I run nmap --script-updatedb and nmap version is 7.80

#sudo nmap -p 554 --script=rtsp-methods 192.168.52.200 -d
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 20:14 CET
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Initiating ARP Ping Scan at 20:14
Scanning 192.168.52.200 [1 port]
Packet capture filter (device wlan0): arp and arp[18:4] = 0xC8F7339D and arp[22:2] = 0xF053
Completed ARP Ping Scan at 20:14, 0.04s elapsed (1 total hosts)
Overall sending rates: 22.61 packets / s, 949.58 bytes / s.
mass_rdns: Using DNS server 213.109.112.112
mass_rdns: Using DNS server 157.97.63.63
Initiating Parallel DNS resolution of 1 host. at 20:14
mass_rdns: 0.03s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 20:14, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:14
Scanning 192.168.52.200 [1 port]
Packet capture filter (device wlan0): dst host 192.168.52.31 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.52.200)))
Discovered open port 554/tcp on 192.168.52.200
Completed SYN Stealth Scan at 20:14, 0.09s elapsed (1 total ports)
Overall sending rates: 11.63 packets / s, 511.92 bytes / s.
NSE: Script scanning 192.168.52.200.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:14
NSE: Starting rtsp-methods against 192.168.52.200:554.
NSE: rtsp-methods against 192.168.52.200:554 threw an error!
/usr/bin/../share/nmap/nselib/rtsp.lua:87: invalid value (nil) at index 3 in table for 'concat'
stack traceback:
	[C]: in function 'table.concat'
	/usr/bin/../share/nmap/nselib/rtsp.lua:87: in function </usr/bin/../share/nmap/nselib/rtsp.lua:77>
	[C]: in function 'tostring'
	/usr/bin/../share/nmap/nselib/rtsp.lua:208: in function </usr/bin/../share/nmap/nselib/rtsp.lua:200>
	(...tail calls...)
	/usr/bin/../share/nmap/scripts/rtsp-methods.nse:52: in function </usr/bin/../share/nmap/scripts/rtsp-methods.nse:42>
	(...tail calls...)

Completed NSE at 20:14, 0.06s elapsed
Nmap scan report for 192.168.52.200
Host is up, received arp-response (0.014s latency).
Scanned at 2020-01-11 20:14:31 CET for 0s

PORT    STATE SERVICE REASON
554/tcp open  rtsp    syn-ack ttl 64
MAC Address: 64:DB:8B:A7:3E:10 (Hangzhou Hikvision Digital Technology)
Final times for host: srtt: 13540 rttvar: 12778  to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 20:14
Completed NSE at 20:14, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

[nnposter]

Please double-check that your version of nselib/rtsp.lua is newer than November 6.

From the man page:

--script-updatedb
This option updates the script database found in scripts/script.db which is used by Nmap to determine the available default scripts and categories. It is only necessary to update the database if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

The key point here is that the option rebuilds file scripts/script.db, which is a script reference table. It does not update the scripts.

[l4jos]

wget new version, doing it's job now

PORT    STATE SERVICE
554/tcp open  rtsp
| rtsp-url-brute: 
|   other responses: 
|     401: 
|       rtsp://192.168.52.200/PSIA/Streaming/channels/1
|       rtsp://192.168.52.200/PSIA/Streaming/channels/1?videoCodecType=MPEG4
|       rtsp://192.168.52.200/Streaming/Channels/1
|       rtsp://192.168.52.200/Streaming/Channels/101
|       rtsp://192.168.52.200/Streaming/Channels/102
|       rtsp://192.168.52.200/Streaming/Channels/2
|       rtsp://192.168.52.200/Streaming/Unicast/channels/101
|_      rtsp://192.168.52.200/Streaming/channels/101
MAC Address: 64:DB:8B:A7:3E:10 (Hangzhou Hikvision Digital Technology)

[victorassisr]

Hello! If you still have this problem, to me works doing it...
Go to: nselib/rstp.lua

Edit this file in line 81 changing the variable local req to this:

local req = {
("%s %s RTSP/1.0"):format(self.method, self.url),
("CSeq: %d"):format(self.cseq),
table.unpack(self.headers)
}

Save the file, if you dont have permission, make it to save in same place with the same name of file.

After saves, run again the command:

nmap --script rtsp-url-brute -p 554 < ip >

Maybe works to you.. =)