Good morning, I hope someone can help me, I can’t get to the bottom of this situation.
Premise 1: Shodan does not brute force or log in with default credentials
Shodan manages to access and capture the RTSP stream and take a snapshot of an AXIS Q6045-E Mk II camera.
Premise 2: I didn’t perform the installation and I don’t know (and I don’t want to know) the access credentials for the camera, I’m just checking its security
At the request of the camera owner, I attempted to take a snapshot using ffmpeg:
ffmpeg -hide_banner -loglevel verbose -y -rtsp_transport tcp -i "rtsp://xxx.xxx.xxx.xxx:554" -an -vframes 1 -q:v 2 image.jpg
and obtained this output:
[tcp @ 0x61b69c5f4400] Starting connection attempt to xxx.xxx.xxx.xxx port 554
[tcp @ 0x61b69c5f4400] Successfully connected to xxx.xxx.xxx.xxx port 554
[in#0 @ 0x61b69c5f16c0] Error opening input: Invalid data found when processing input
Error opening input file rtsp://xxx.xxx.xxx.xxx:554.
Error opening input files: Invalid data found when processing input
In Wireshark I can see how the camera requires authentication and ffmpeg responds with a FIN ACK once it receives OK after the DESCRIBE request:
My OPTIONS request:
Real Time Streaming Protocol
Request: OPTIONS rtsp://xxx.xxx.xxx.xxx:554 RTSP/1.0\r\n
Method: OPTIONS
URL: rtsp://xxx.xxx.xxx.xxx:554
CSeq: 1\r\n
User-Agent: Lavf61.1.100\r\n
\r\n
Camera response:
Real Time Streaming Protocol
Response: RTSP/1.0 200 OK\r\n
Status: 200
Server: H264DVR 1.0\r\n
Cseq: 1\r\n
Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, GET_PARAMETER, SET_PARAMETER, PLAY, PAUSE\r\n
\r\n
My DESCRIBE request:
Real Time Streaming Protocol
Request: DESCRIBE rtsp://xxx.xxx.xxx.xxx:554 RTSP/1.0\r\n
Method: DESCRIBE
URL: rtsp://xxx.xxx.xxx.xxx:554
Accept: application/sdp\r\n
CSeq: 2\r\n
User-Agent: Lavf61.1.100\r\n
\r\n
Camera response requesting digest authentication:
Real Time Streaming Protocol
Response: RTSP/1.0 200 OK\r\n
Status: 200
Server: H264DVR 1.0\r\n
Cseq: 2\r\n
WWW-Authenticate: Digest realm="135axxxxxxxxxxx", nonce="96n0d4Lv626w8vfu8L090B6\r\n
\r\n
My response at this point is a TCP FIN ACK.
Premise 3: I am not an RTSP or ffmpeg expert
At this point I told the owner that, as he could see, credentials were required for access, and he rightly says that this is not the case as Shodan still manages to access.
If I assume premise 1 to be true, then I’m doing something wrong in the ffmpeg request, so how can I modify the ffmpeg request to obtain a snapshot compatible with the Shodan one and avoid detecting false negatives?
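For anyone auditing their own camera from a capture like the one above, the following is an added example, not part of the original post: it classifies a raw RTSP DESCRIBE response as authentication required, open stream, or inconclusive. The function names and the sample responses are constructed for illustration, and treating a WWW-Authenticate challenge as "authentication required" even under a 200 status is this example's assumption, modelled on the capture.

```python
# Added example: classify a raw RTSP DESCRIBE response copied out of a capture.
# parse_rtsp_response() and classify_describe() are hypothetical helper names.

def parse_rtsp_response(raw: bytes):
    """Split a raw RTSP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError("not an RTSP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive (the capture shows both CSeq and Cseq).
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify_describe(raw: bytes) -> str:
    """Return 'auth-required', 'open-stream' or 'inconclusive'."""
    status, headers, body = parse_rtsp_response(raw)
    # Assumption: a challenge header means credentials are demanded, even when
    # the device answers 200 instead of the usual 401 (as in the capture).
    if status == 401 or "www-authenticate" in headers:
        return "auth-required"
    # An unauthenticated stream is only confirmed by an actual SDP description.
    is_sdp = headers.get("content-type", "").lower().startswith("application/sdp")
    if status == 200 and is_sdp and body.lstrip().startswith(b"v="):
        return "open-stream"
    return "inconclusive"


# Constructed sample responses (realm, nonce and SDP values are placeholders).
CAPTURED_STYLE = (
    b"RTSP/1.0 200 OK\r\nServer: H264DVR 1.0\r\nCseq: 2\r\n"
    b'WWW-Authenticate: Digest realm="example-realm", nonce="example-nonce"\r\n\r\n'
)
STANDARD_CHALLENGE = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
    b'WWW-Authenticate: Digest realm="example-realm", nonce="example-nonce"\r\n\r\n'
)
_SDP = b"v=0\r\no=- 0 0 IN IP4 192.0.2.1\r\ns=Example\r\nm=video 0 RTP/AVP 96\r\n"
OPEN_SDP = (
    b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: " + str(len(_SDP)).encode() + b"\r\n\r\n" + _SDP
)

if __name__ == "__main__":
    for label, raw in [("captured-style", CAPTURED_STYLE),
                       ("standard 401", STANDARD_CHALLENGE),
                       ("open SDP", OPEN_SDP)]:
        print(label, "->", classify_describe(raw))
```
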