# SetecSuite — Camera MITM Framework
A modular IoT camera pentesting toolkit for intercepting, analyzing, and testing the security of cloud-connected IP cameras. Built for authorized security research on devices you own.
> **This is the camera-specific case study fork.** It bundles the generic [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) core *plus* a fully built-out target plugin for the Javiscam 2604 / UBox / UBIA camera family — UBox cloud client, OAM HMAC forging, CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers, firmware multi-version fetcher, OTA bucket probe, and a 146-endpoint API fuzzer wordlist. It's the engine that produced the **[camhak.seteclabs.io](https://camhak.seteclabs.io)** research report. Clone, run, point at the camera. No additional setup.
>
> If you want the bare framework without any of the camera-specific code, use [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) instead. Both share the same core; cam-mitm is what you get when you fill in the `targets/javiscam_2604/` plugin slot all the way.
## File layout — generic core vs camera-specific
The same code organisation that setec-mitm formalises with its `targets/` plugin system is present here, just inlined into the top-level directories. Mapping:
| File / dir | Generic core or camera plugin? |
|---|---|
| `mitm.py`, `gui.py` | **Generic core** — Controller + PyQt6 GUI + curses TUI |
| `services/arp_spoof.py` | **Generic core** |
| `services/dns_spoof.py` | **Generic core** |
| `services/http_server.py` | **Generic core** (peek-before-wrap on :443) |
| `services/udp_listener.py` | **Generic core** |
| `services/sniffer.py` | **Generic core** (conntrack original-dst lookup, protocol fingerprinting) |
| `services/intruder_watch.py` | **Generic core** |
| `inject/packet.py` | **Generic core** |
| `utils/log.py` | **Generic core** (1 GiB rotation) |
| `utils/proto.py` | **Generic core** (12+ protocol fingerprints) |
| `regen_cert.sh` | **Generic core** |
| `api/server.py` | **Generic core** (REST API on :9090) |
| `api/ubox_client.py` | **Camera plugin** — UBox cloud client + OAM HMAC signing |
| `api/firmware_fetch.py` | **Camera plugin** — multi-version `check_version/v3` caller |
| `api/ota_bucket_probe.py` | **Camera plugin** — Tencent COS OTA bucket enumerator |
| `api/cve_checks.py` | **Camera plugin** — CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers |
| `api/fuzzer.py` | **Camera plugin** — 146 hardcoded UBox endpoints + ~600 wordlist |
| `gui.py` Cloud API tab | **Camera plugin** UI |
| `gui.py` Fuzzer tab | **Camera plugin** UI |
| `gui.py` CVEs tab | **Camera plugin** UI |
| `site/` | **Camera research output** — published as `camhak.seteclabs.io` |

If you want to retarget this engine at a different device, the cleaner path is to use the generic [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) and write your own `targets/<your_brand>/plugin.py` rather than fork this one.
## Features
- **ARP Spoofing** — MITM positioning between camera and gateway with automatic ARP table restoration on exit
- **DNS Interception** — Spoof cloud domain resolution to redirect camera traffic through your machine
- **HTTP/HTTPS MITM** — Auto-generated SSL certificates, full request/response logging with hex dumps
- **Raw Packet Sniffer** — Catches all camera traffic on any port, detects new connections in real-time
- **UDP Capture** — Dedicated listeners for P2P master services (port 10240) and other protocols
- **Cloud API Client** — Authenticate to vendor cloud APIs, enumerate devices, extract credentials and firmware info
- **API Fuzzer** — Endpoint discovery via wordlist, parameter mutation (SQLi, IDOR, type confusion, overflow), and authentication bypass testing
- **Packet Injection** — Craft and send raw UDP, ARP, DNS, and Ethernet frames
- **REST API** — External control interface on port 9090 for AI-assisted automated testing and integration with other tools
- **TUI** — Full terminal interface with scrolling logs, status bar, command history, and color-coded output
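
For the defensive side of the ARP spoofing feature listed above, this added example (not part of cam-mitm) compares two `ip neigh` snapshots and flags the IP-to-MAC rebinding that a host sitting between camera and gateway produces. The snapshots, every address other than the camera IP used in this README's inject example, and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed `ip neigh` snapshots taken on the gateway (not real captures).
BASELINE = """\
10.0.0.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
10.0.0.47 dev eth0 lladdr 00:11:22:33:44:47 REACHABLE
10.0.0.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
"""
CURRENT = """\
10.0.0.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
10.0.0.47 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
10.0.0.50 dev eth0 lladdr 00:11:22:33:44:50 REACHABLE
10.0.0.60 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\b", re.I)

def parse_neigh(text):
    """Return {ip: mac}; entries with no resolved MAC (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def changed_bindings(baseline, current):
    """IPs present in both snapshots whose MAC differs: {ip: (old_mac, new_mac)}."""
    return {ip: (baseline[ip], mac) for ip, mac in current.items()
            if ip in baseline and baseline[ip] != mac}

def shared_macs(table):
    """MACs answering for more than one IP: {mac: [ips]}. This can be legitimate
    (proxy ARP, multi-homed hosts), so treat it as a lead, not a verdict."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    base, cur = parse_neigh(BASELINE), parse_neigh(CURRENT)
    for ip, (old, new) in changed_bindings(base, cur).items():
        print(f"ALERT {ip} moved {old} -> {new}")
    for mac, ips in shared_macs(cur).items():
        print(f"ALERT {mac} claims {', '.join(ips)}")
```
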
## Requirements
- Linux (tested on Ubuntu/Debian ARM64 and x86_64)
- Python 3.10+
- Root access (required for raw sockets, ARP, iptables)
- `openssl` (for certificate generation)

No external Python packages required — uses only the standard library.
## Installation
```bash
git clone <repo_url> /path/to/setec_suite/cam-mitm
cd /path/to/setec_suite/cam-mitm
sudo python3 mitm.py
```
## Usage
### Quick Start
```bash
cd /path/to/setec_suite/cam-mitm
sudo python3 mitm.py
```
### TUI Commands
#### MITM Services
| Command | Description |
|---------|-------------|
| `start` | Start all MITM services (ARP, DNS, HTTP/S, UDP, sniffer) |
| `stop` | Stop all services and restore ARP tables |
| `status` | Show running service status |
#### Configuration
| Command | Description |
|---------|-------------|
| `config` | Show current settings |
| `set <key> <value>` | Change a setting |
| `save` | Save config to disk |

Configurable keys: `camera_ip`, `camera_mac`, `our_ip`, `router_ip`, `iface`, `api_email`, `api_password`, `rest_port`, `fuzzer_threads`, `fuzzer_delay`
#### Cloud API
| Command | Description |
|---------|-------------|
| `login` | Authenticate to vendor cloud API |
| `devices` | List devices and extract credentials |
| `firmware` | Check firmware version |
| `services` | Query device cloud services |
| `families` | List account families/groups |
| `api <endpoint>` | Raw POST to any API endpoint |
#### Fuzzer
| Command | Description |
|---------|-------------|
| `fuzz endpoints` | Discover hidden API endpoints via wordlist |
| `fuzz params <endpoint>` | Test parameter mutations on an endpoint |
| `fuzz auth` | Test authentication bypass techniques |
| `fuzz stop` | Stop a running fuzz job |
| `fuzz results` | Save results to JSON file |
#### Packet Injection
| Command | Description |
|---------|-------------|
| `inject udp <ip> <port> <hex>` | Send a UDP packet with hex payload |
| `inject arp_reply <src_ip> <dst_ip>` | Send a spoofed ARP reply |
| `inject dns_query <domain>` | Send a DNS query |
### REST API
The built-in REST API (default port 9090) enables external tool integration and AI-assisted automated testing workflows.
#### Endpoints
| Method | Path | Description |
|--------|------|-------------|
| GET | `/status` | Service status, flags, config |
| GET | `/logs?count=N` | Recent log entries |
| GET | `/devices` | Cached device list |
| GET | `/config` | Current configuration |
| GET | `/fuzz/results` | Fuzzer results |
| POST | `/start` | Start MITM services |
| POST | `/stop` | Stop MITM services |
| POST | `/config` | Update config `{"key": "value"}` |
| POST | `/command` | Execute TUI command `{"cmd": "..."}` |
| POST | `/api` | Proxy cloud API call `{"endpoint": "...", "data": {}}` |
| POST | `/fuzz/endpoints` | Start endpoint fuzzer |
| POST | `/fuzz/params` | Start param fuzzer `{"endpoint": "..."}` |
| POST | `/fuzz/auth` | Start auth bypass fuzzer |
| POST | `/fuzz/stop` | Stop fuzzer |
| POST | `/inject` | Send packet `{"type": "udp", "dst_ip": "...", ...}` |
#### Example: AI-Automated Testing
```bash
# Start MITM
curl -X POST http://localhost:9090/start
# Run endpoint fuzzer
curl -X POST http://localhost:9090/fuzz/endpoints
# Check results
curl http://localhost:9090/fuzz/results | python3 -m json.tool
# Send custom API request
curl -X POST http://localhost:9090/api \
-H "Content-Type: application/json" \
-d '{"endpoint": "user/device_list", "data": {}}'
# Inject a packet
curl -X POST http://localhost:9090/inject \
-H "Content-Type: application/json" \
-d '{"type": "udp", "dst_ip": "10.0.0.47", "dst_port": 10240, "payload": "deadbeef", "payload_hex": true}'
```
## Project Structure
```
cam-mitm/
├── mitm.py                 # Entry point + TUI + controller
├── config.py               # Persistent JSON configuration
├── services/
│   ├── arp_spoof.py        # ARP cache poisoning
│   ├── dns_spoof.py        # DNS response spoofing
│   ├── http_server.py      # HTTP/HTTPS interception with SSL
│   ├── udp_listener.py     # UDP protocol capture
│   └── sniffer.py          # Raw packet monitor
├── api/
│   ├── ubox_client.py      # Vendor cloud API client
│   ├── fuzzer.py           # API security fuzzer
│   └── server.py           # REST API for external integration
├── inject/
│   └── packet.py           # Packet crafting and injection
└── utils/
    └── log.py              # Shared logging utilities
```
## TUI Navigation
| Key | Action |
|-----|--------|
| Enter | Execute command |
| Up/Down Arrow | Command history |
| Page Up/Down | Scroll log |
| Home/End | Jump to oldest/newest log |
| Escape | Clear input |
| Ctrl+C | Graceful shutdown |
## Legal
This tool is intended for authorized security testing on devices you own. Unauthorized interception of network traffic is illegal. Always obtain proper authorization before testing.
## License
MIT
## Author
sssnake — Setec Labs