Cameradar scans RTSP endpoints on authorized targets, and uses dictionary attacks to bruteforce their credentials and routes.
- Detects open RTSP hosts on accessible targets.
- Detects the device model that streams the RTSP feed.
- Attempts dictionary-based discovery of stream routes (for example,
/live.sdp). - Attempts dictionary-based discovery of camera credentials.
- Produces a report of findings.
- Quick start with Docker
- Install the binary
- Install on Android (Termux)
- Configuration
- Security and responsible use
- Output
- Check camera access
- Command-line options
- Input file format
- Environment variables
- Build and contribute
- Frequently asked questions
- Examples
- License
Install Docker and run:
docker run --rm -t --net=host ullaakut/cameradar --targets <target>Example:
docker run --rm -t --net=host ullaakut/cameradar --targets 192.168.100.0/24This scans ports 554, 5554, and 8554 on the target subnet. It attempts to enumerate RTSP streams. For all options, see command-line options.
-
Targets can be CIDRs, IPs, IP ranges or a hostname.
- Subnet:
172.16.100.0/24 - IP:
172.16.100.10 - Host:
localhost - Range:
172.16.100.10-20
- Subnet:
-
To use custom dictionaries, mount them and pass both flags:
docker run --rm -t --net=host \ -v /path/to/dictionaries:/tmp/dictionaries \ ullaakut/cameradar \ --custom-routes /tmp/dictionaries/my_routes \ --custom-credentials /tmp/dictionaries/my_credentials.json \ --targets 192.168.100.0/24
Use this option if Docker is not available or if you want a local build.
- Go 1.25 or later
go install github.com/Ullaakut/cameradar/v6/cmd/cameradar@latest
The cameradar binary is now in your $GOPATH/bin.
For available flags, see command-line options.
These steps summarize a working Termux setup for Android. Use Termux 117 from F-Droid or the official Termux site, not Google Play.
Install the required packages in Termux:
pkg update
pkg install mc wget git nmap proot-distroInstall Alpine and log in:
proot-distro install alpine
proot-distro login alpineapk add wget git go gcc clang musl-dev makeCreate a module path and clone the repo:
mkdir -p go/pkg/mod/github.com/Ullaakut
cd go/pkg/mod/github.com/Ullaakut
git clone https://github.com/Ullaakut/cameradar.git
cd cameradar/cmd/cameradar
go installCopy dictionaries and run the binary:
mkdir -p /tmp
cp -r ../../dictionaries /tmp/dictionaries
/go/bin/cameradar --targets=<target> --custom-credentials=/tmp/dictionaries/credentials.json --custom-routes=/tmp/dictionaries/routes --ui=plain --debug Replace <target> with an IP, range, host or subnet you are authorized to test.
The default RTSP ports are 554, 5554, 8554.
If you do not specify ports, Cameradar uses those.
Example of scanning custom ports:
docker run --rm -t --net=host \
ullaakut/cameradar \
--ports "18554,19000-19010" \
--targets localhostYou can replace the default dictionaries with your own routes and credentials files.
The repository provides baseline dictionaries in the dictionaries folder.
docker run --rm -t --net=host \
-v /my/folder/with/dictionaries:/tmp/dictionaries \
ullaakut/cameradar \
--custom-routes /tmp/dictionaries/my_routes \
--custom-credentials /tmp/dictionaries/my_credentials.json \
--targets 172.19.124.0/24If you already know the RTSP endpoints, you can skip discovery and treat each target and port as a stream candidate. This mode does not run nmap and can be useful on restricted networks or when you want to attack a known inventory.
Skipping discovery means:
- Cameradar does not run nmap and does not detect device models.
- Targets resolve to IP addresses. Hostnames resolve via DNS.
- CIDR blocks and IPv4 ranges expand to every address in the range.
- Large ranges create many targets, so use them carefully.
Example:
docker run --rm -t --net=host \
ullaakut/cameradar \
--skip-scan \
--ports "554,8554" \
--targets 192.168.1.10In this example, Cameradar attempts dictionary attacks against
ports 554 and 8554 of 192.168.1.10.
Cameradar is a penetration testing tool. Only scan networks and devices you own or have explicit permission to test. Do not use this tool to access unauthorized systems or streams. If you are unsure, stop and get written approval before scanning.
Cameradar presents results in a readable terminal UI.
It logs findings to the console.
The report includes discovered hosts, identified device models, and valid routes or credentials.
If you specify a path for the --output flag, Cameradar also writes an M3U playlist with the discovered streams.
Use VLC Media Player to connect to a stream:
rtsp://username:password@address:port/route
The file can contain IPs, hostnames, IP ranges, and subnets. Separate entries with newlines. Example:
0.0.0.0
localhost
192.17.0.0/16
192.168.1.140-255
192.168.2-3.0-255
When you use --skip-scan, Cameradar expands each entry into explicit IP
addresses before building the target list.
This variable is required. It specifies the target that Cameradar scans and attempts to access.
Examples:
172.16.100.0/24192.168.1.1localhost192.168.1.140-255192.168.2-3.0-255
This variable is optional and allows you to specify the ports to scan.
Default value: 554,5554,8554
Change these only if you are sure cameras stream over different ports. Most cameras use these defaults.
This option is optional. It replaces the default routes dictionary used for the dictionary attack.
If unset, Cameradar uses the built-in routes dictionary.
This option is optional. It replaces the default credentials dictionary used for the dictionary attack.
If unset, Cameradar uses the built-in credentials dictionary.
This optional variable sets nmap discovery presets for speed or accuracy. Lower it on slow networks and raise it on fast networks. See nmap timing templates.
Default value: 4
This optional flag skips network discovery and assumes every target and port pair is an RTSP stream.
Use it when you already know the RTSP endpoints or when discovery is blocked. For best results, specify only RTSP ports.
Default value: false
This optional variable sets a delay between attacks. Increase it for networks that may block brute-force attempts. Default: no delay.
Default value: 0ms
This optional variable sets the timeout for requests sent to the cameras. Increase it for slow networks and decrease it for fast networks.
Default value: 2000ms
This optional variable enables more verbose output.
It outputs nmap results, cURL requests, and more.
Default: false
This option selects the UI mode.
autoselectstuiif your terminal is interactive,plainotherwisetuishows a fullscreen interface with a progress bar and shows the results in a tableplainlogs the steps taken by cameradar as plain text and is meant to be used by non-interactive terminals
Supported values: auto, tui, plain
Default: auto
This optional variable writes an M3U playlist of the discovered streams to the given file path.
Example: /tmp/cameradar.m3u
Run the following command in the repository root:
docker build . -t cameradar
The resulting image is named cameradar.
go install github.com/Ullaakut/cameradar/v6/cmd/cameradar@latest
The cameradar binary is now in $GOPATH/bin/cameradar.
Cameradar does not detect any camera!
This usually means the cameras are not streaming over RTSP.
It can also mean the targets are not in your scan range.
CCTV cameras are often on private subnets.
Use -t to set the correct targets.
If you still see no results, open an issue with device details.
Cameradar detects my cameras, but does not manage to access them!
The camera configuration may have changed, so defaults do not match. Cameradar uses defaults unless you provide custom dictionaries. Add your credentials and routes, then follow the configuration section.
What happened to the C++ version?
The 1.1.4 tag contains the legacy C++ implementation. It is slower and less stable than the Go version, so it is not recommended to use.
I want to scan my local network or my own machine, and it does not work! What's going on?
Use --net=host when running the Docker image, or use the installed binary.
I don't have a camera, but I'd like to try Cameradar!
Run the following container, then run Cameradar against it:
docker run -p 8554:8554 -e RTSP_USERNAME=admin -e RTSP_PASSWORD=12345 -e RTSP_PORT=8554 ullaakut/rtspatt
Cameradar should discover the admin / 12345 credentials.
You can try other default credentials listed in the dictionaries.
What authentication types does Cameradar support?
Cameradar supports both basic and digest authentication.
Running cameradar on your own machine to scan for default ports
docker run --rm -t --net=host ullaakut/cameradar --targets localhost
Running cameradar with an input file, logs enabled on port 8554
docker run --rm -t --net=host -v /tmp:/tmp ullaakut/cameradar --targets /tmp/test.txt --ports 8554
Running cameradar on a subnetwork with custom dictionaries, on ports 554, 5554 and 8554
docker run --rm -t --net=host -v /tmp:/tmp ullaakut/cameradar --targets 192.168.0.0/24 --custom-credentials "/tmp/dictionaries/credentials.json" --custom-routes "/tmp/dictionaries/routes" --ports 554,5554,8554
Copyright 2026 Ullaakut
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
