README.md

# SetecSuite — Camera MITM Framework

A modular IoT camera pentesting toolkit for intercepting, analyzing, and testing the security of cloud-connected IP cameras. Built for authorized security research on devices you own.

## Features

- **ARP Spoofing** — MITM positioning between camera and gateway with automatic ARP table restoration on exit
- **DNS Interception** — Spoof cloud domain resolution to redirect camera traffic through your machine
- **HTTP/HTTPS MITM** — Auto-generated SSL certificates, full request/response logging with hex dumps
- **Raw Packet Sniffer** — Catches all camera traffic on any port, detects new connections in real-time
- **UDP Capture** — Dedicated listeners for P2P master services (port 10240) and other protocols
- **Cloud API Client** — Authenticate to vendor cloud APIs, enumerate devices, extract credentials and firmware info
- **API Fuzzer** — Endpoint discovery via wordlist, parameter mutation (SQLi, IDOR, type confusion, overflow), and authentication bypass testing
- **Packet Injection** — Craft and send raw UDP, ARP, DNS, and Ethernet frames
- **REST API** — External control interface on port 9090 for AI-assisted automated testing and integration with other tools
- **TUI** — Full terminal interface with scrolling logs, status bar, command history, and color-coded output

## Requirements

- Linux (tested on Ubuntu/Debian ARM64 and x86_64)
- Python 3.10+
- Root access (required for raw sockets, ARP, iptables)
- `openssl` (for certificate generation)

No external Python packages required — uses only the standard library.

## Installation

```bash
git clone <repo_url> /path/to/setec_suite/cam-mitm
cd /path/to/setec_suite/cam-mitm
sudo python3 mitm.py
```

## Usage

### Quick Start

```bash
cd /home/snake/setec_suite/cam-mitm
sudo python3 mitm.py
```

### TUI Commands

#### MITM Services
| Command | Description |
|---------|-------------|
| `start` | Start all MITM services (ARP, DNS, HTTP/S, UDP, sniffer) |
| `stop` | Stop all services and restore ARP tables |
| `status` | Show running service status |

#### Configuration
| Command | Description |
|---------|-------------|
| `config` | Show current settings |
| `set <key> <value>` | Change a setting |
| `save` | Save config to disk |

Configurable keys: `camera_ip`, `camera_mac`, `our_ip`, `router_ip`, `iface`, `api_email`, `api_password`, `rest_port`, `fuzzer_threads`, `fuzzer_delay`

#### Cloud API
| Command | Description |
|---------|-------------|
| `login` | Authenticate to vendor cloud API |
| `devices` | List devices and extract credentials |
| `firmware` | Check firmware version |
| `services` | Query device cloud services |
| `families` | List account families/groups |
| `api <endpoint>` | Raw POST to any API endpoint |

#### Fuzzer
| Command | Description |
|---------|-------------|
| `fuzz endpoints` | Discover hidden API endpoints via wordlist |
| `fuzz params <endpoint>` | Test parameter mutations on an endpoint |
| `fuzz auth` | Test authentication bypass techniques |
| `fuzz stop` | Stop a running fuzz job |
| `fuzz results` | Save results to JSON file |

#### Packet Injection
| Command | Description |
|---------|-------------|
| `inject udp <ip> <port> <hex>` | Send a UDP packet with hex payload |
| `inject arp_reply <src_ip> <dst_ip>` | Send a spoofed ARP reply |
| `inject dns_query <domain>` | Send a DNS query |

### REST API

The built-in REST API (default port 9090) enables external tool integration and AI-assisted automated testing workflows.

#### Endpoints

| Method | Path | Description |
|--------|------|-------------|
| GET | `/status` | Service status, flags, config |
| GET | `/logs?count=N` | Recent log entries |
| GET | `/devices` | Cached device list |
| GET | `/config` | Current configuration |
| GET | `/fuzz/results` | Fuzzer results |
| POST | `/start` | Start MITM services |
| POST | `/stop` | Stop MITM services |
| POST | `/config` | Update config `{"key": "value"}` |
| POST | `/command` | Execute TUI command `{"cmd": "..."}` |
| POST | `/api` | Proxy cloud API call `{"endpoint": "...", "data": {}}` |
| POST | `/fuzz/endpoints` | Start endpoint fuzzer |
| POST | `/fuzz/params` | Start param fuzzer `{"endpoint": "..."}` |
| POST | `/fuzz/auth` | Start auth bypass fuzzer |
| POST | `/fuzz/stop` | Stop fuzzer |
| POST | `/inject` | Send packet `{"type": "udp", "dst_ip": "...", ...}` |

#### Example: AI-Automated Testing

```bash
# Start MITM
curl -X POST http://localhost:9090/start

# Run endpoint fuzzer
curl -X POST http://localhost:9090/fuzz/endpoints

# Check results
curl http://localhost:9090/fuzz/results | python3 -m json.tool

# Send custom API request
curl -X POST http://localhost:9090/api \
  -H "Content-Type: application/json" \
  -d '{"endpoint": "user/device_list", "data": {}}'

# Inject a packet
curl -X POST http://localhost:9090/inject \
  -H "Content-Type: application/json" \
  -d '{"type": "udp", "dst_ip": "10.0.0.47", "dst_port": 10240, "payload": "deadbeef", "payload_hex": true}'
```

## Project Structure

```
cam-mitm/
├── mitm.py              # Entry point + TUI + controller
├── config.py            # Persistent JSON configuration
├── services/
│   ├── arp_spoof.py     # ARP cache poisoning
│   ├── dns_spoof.py     # DNS response spoofing
│   ├── http_server.py   # HTTP/HTTPS interception with SSL
│   ├── udp_listener.py  # UDP protocol capture
│   └── sniffer.py       # Raw packet monitor
├── api/
│   ├── ubox_client.py   # Vendor cloud API client
│   ├── fuzzer.py        # API security fuzzer
│   └── server.py        # REST API for external integration
├── inject/
│   └── packet.py        # Packet crafting and injection
└── utils/
    └── log.py           # Shared logging utilities
```

## TUI Navigation

| Key | Action |
|-----|--------|
| Enter | Execute command |
| Up/Down Arrow | Command history |
| Page Up/Down | Scroll log |
| Home/End | Jump to oldest/newest log |
| Escape | Clear input |
| Ctrl+C | Graceful shutdown |

## Legal

This tool is intended for authorized security testing on devices you own. Unauthorized interception of network traffic is illegal. Always obtain proper authorization before testing.

## License

MIT

## Author

sssnake — Setec Labs
Initial commit — SetecSuite Camera MITM Framework Original tooling from the Camhak research project (camera teardown of a rebranded UBIA / Javiscam IP camera). PyQt6 GUI on top of a curses TUI on top of a service controller; per-service start/stop, intruder detection, protocol fingerprinting, OAM HMAC signing, CVE verifiers, OTA bucket probe, firmware fetcher, fuzzer, packet injection. Tabs: Dashboard, Live Log, Intruders, Cloud API, Fuzzer, Inject, CVEs, Config, Help. Real-time per-packet protocol detection, conntrack-based original-destination lookup, log rotation at 1 GiB. See SECURITY_PAPER.md for the full writeup, site/index.html for the public report, README.md for usage. Run with: sudo /usr/bin/python3 gui.py Co-authored by Setec Labs. 2026-04-09 08:14:18 -07:00			`# SetecSuite — Camera MITM Framework`

			`A modular IoT camera pentesting toolkit for intercepting, analyzing, and testing the security of cloud-connected IP cameras. Built for authorized security research on devices you own.`

			`## Features`

			`- ARP Spoofing — MITM positioning between camera and gateway with automatic ARP table restoration on exit`
			`- DNS Interception — Spoof cloud domain resolution to redirect camera traffic through your machine`
			`- HTTP/HTTPS MITM — Auto-generated SSL certificates, full request/response logging with hex dumps`
			`- Raw Packet Sniffer — Catches all camera traffic on any port, detects new connections in real-time`
			`- UDP Capture — Dedicated listeners for P2P master services (port 10240) and other protocols`
			`- Cloud API Client — Authenticate to vendor cloud APIs, enumerate devices, extract credentials and firmware info`
			`- API Fuzzer — Endpoint discovery via wordlist, parameter mutation (SQLi, IDOR, type confusion, overflow), and authentication bypass testing`
			`- Packet Injection — Craft and send raw UDP, ARP, DNS, and Ethernet frames`
			`- REST API — External control interface on port 9090 for AI-assisted automated testing and integration with other tools`
			`- TUI — Full terminal interface with scrolling logs, status bar, command history, and color-coded output`

			`## Requirements`

			`- Linux (tested on Ubuntu/Debian ARM64 and x86_64)`
			`- Python 3.10+`
			`- Root access (required for raw sockets, ARP, iptables)`
			- `openssl` (for certificate generation)

			`No external Python packages required — uses only the standard library.`

			`## Installation`

			```bash
			`git clone <repo_url> /path/to/setec_suite/cam-mitm`
			`cd /path/to/setec_suite/cam-mitm`
			`sudo python3 mitm.py`
			```

			`## Usage`

			`### Quick Start`

			```bash
			`cd /home/snake/setec_suite/cam-mitm`
			`sudo python3 mitm.py`
			```

			`### TUI Commands`

			`#### MITM Services`
			`\| Command \| Description \|`
			`\|---------\|-------------\|`
			\| `start` \| Start all MITM services (ARP, DNS, HTTP/S, UDP, sniffer) \|
			\| `stop` \| Stop all services and restore ARP tables \|
			\| `status` \| Show running service status \|

			`#### Configuration`
			`\| Command \| Description \|`
			`\|---------\|-------------\|`
			\| `config` \| Show current settings \|
			\| `set <key> <value>` \| Change a setting \|
			\| `save` \| Save config to disk \|

			Configurable keys: `camera_ip`, `camera_mac`, `our_ip`, `router_ip`, `iface`, `api_email`, `api_password`, `rest_port`, `fuzzer_threads`, `fuzzer_delay`

			`#### Cloud API`
			`\| Command \| Description \|`
			`\|---------\|-------------\|`
			\| `login` \| Authenticate to vendor cloud API \|
			\| `devices` \| List devices and extract credentials \|
			\| `firmware` \| Check firmware version \|
			\| `services` \| Query device cloud services \|
			\| `families` \| List account families/groups \|
			\| `api <endpoint>` \| Raw POST to any API endpoint \|

			`#### Fuzzer`
			`\| Command \| Description \|`
			`\|---------\|-------------\|`
			\| `fuzz endpoints` \| Discover hidden API endpoints via wordlist \|
			\| `fuzz params <endpoint>` \| Test parameter mutations on an endpoint \|
			\| `fuzz auth` \| Test authentication bypass techniques \|
			\| `fuzz stop` \| Stop a running fuzz job \|
			\| `fuzz results` \| Save results to JSON file \|

			`#### Packet Injection`
			`\| Command \| Description \|`
			`\|---------\|-------------\|`
			\| `inject udp <ip> <port> <hex>` \| Send a UDP packet with hex payload \|
			\| `inject arp_reply <src_ip> <dst_ip>` \| Send a spoofed ARP reply \|
			\| `inject dns_query <domain>` \| Send a DNS query \|

			`### REST API`

			`The built-in REST API (default port 9090) enables external tool integration and AI-assisted automated testing workflows.`

			`#### Endpoints`

			`\| Method \| Path \| Description \|`
			`\|--------\|------\|-------------\|`
			\| GET \| `/status` \| Service status, flags, config \|
			\| GET \| `/logs?count=N` \| Recent log entries \|
			\| GET \| `/devices` \| Cached device list \|
			\| GET \| `/config` \| Current configuration \|
			\| GET \| `/fuzz/results` \| Fuzzer results \|
			\| POST \| `/start` \| Start MITM services \|
			\| POST \| `/stop` \| Stop MITM services \|
			\| POST \| `/config` \| Update config `{"key": "value"}` \|
			\| POST \| `/command` \| Execute TUI command `{"cmd": "..."}` \|
			\| POST \| `/api` \| Proxy cloud API call `{"endpoint": "...", "data": {}}` \|
			\| POST \| `/fuzz/endpoints` \| Start endpoint fuzzer \|
			\| POST \| `/fuzz/params` \| Start param fuzzer `{"endpoint": "..."}` \|
			\| POST \| `/fuzz/auth` \| Start auth bypass fuzzer \|
			\| POST \| `/fuzz/stop` \| Stop fuzzer \|
			\| POST \| `/inject` \| Send packet `{"type": "udp", "dst_ip": "...", ...}` \|

			`#### Example: AI-Automated Testing`

			```bash
			`# Start MITM`
			`curl -X POST http://localhost:9090/start`

			`# Run endpoint fuzzer`
			`curl -X POST http://localhost:9090/fuzz/endpoints`

			`# Check results`
			`curl http://localhost:9090/fuzz/results \| python3 -m json.tool`

			`# Send custom API request`
			`curl -X POST http://localhost:9090/api \`
			`-H "Content-Type: application/json" \`
			`-d '{"endpoint": "user/device_list", "data": {}}'`

			`# Inject a packet`
			`curl -X POST http://localhost:9090/inject \`
			`-H "Content-Type: application/json" \`
			`-d '{"type": "udp", "dst_ip": "10.0.0.47", "dst_port": 10240, "payload": "deadbeef", "payload_hex": true}'`
			```

			`## Project Structure`

			```
			`cam-mitm/`
			`├── mitm.py # Entry point + TUI + controller`
			`├── config.py # Persistent JSON configuration`
			`├── services/`
			`│ ├── arp_spoof.py # ARP cache poisoning`
			`│ ├── dns_spoof.py # DNS response spoofing`
			`│ ├── http_server.py # HTTP/HTTPS interception with SSL`
			`│ ├── udp_listener.py # UDP protocol capture`
			`│ └── sniffer.py # Raw packet monitor`
			`├── api/`
			`│ ├── ubox_client.py # Vendor cloud API client`
			`│ ├── fuzzer.py # API security fuzzer`
			`│ └── server.py # REST API for external integration`
			`├── inject/`
			`│ └── packet.py # Packet crafting and injection`
			`└── utils/`
			`└── log.py # Shared logging utilities`
			```

			`## TUI Navigation`

			`\| Key \| Action \|`
			`\|-----\|--------\|`
			`\| Enter \| Execute command \|`
			`\| Up/Down Arrow \| Command history \|`
			`\| Page Up/Down \| Scroll log \|`
			`\| Home/End \| Jump to oldest/newest log \|`
			`\| Escape \| Clear input \|`
			`\| Ctrl+C \| Graceful shutdown \|`

			`## Legal`

			`This tool is intended for authorized security testing on devices you own. Unauthorized interception of network traffic is illegal. Always obtain proper authorization before testing.`

			`## License`

			`MIT`

			`## Author`

			`sssnake — Setec Labs`