# SetecSuite — Camera MITM Framework

A modular IoT camera pentesting toolkit for intercepting, analyzing, and testing the security of cloud-connected IP cameras. Built for authorized security research on devices you own.

> **This is the camera-specific case study fork.** It bundles the generic [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) core *plus* a fully built-out target plugin for the Javiscam 2604 / UBox / UBIA camera family — UBox cloud client, OAM HMAC forging, CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers, firmware multi-version fetcher, OTA bucket probe, and a 146-endpoint API fuzzer wordlist. It's the engine that produced the **[camhak.seteclabs.io](https://camhak.seteclabs.io)** research report. Clone, run, point at the camera. No additional setup.

> If you want the bare framework without any of the camera-specific code, use [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) instead. Both share the same core; cam-mitm is what you get when you fill in the `targets/javiscam_2604/` plugin slot all the way.

## File layout — generic core vs camera-specific

The same code organisation that setec-mitm formalises with its `targets/` plugin system is present here, just inlined into the top-level directories. Mapping:

| File / dir | Generic core or camera plugin? |
|---|---|
| `mitm.py`, `gui.py` | **Generic core** — Controller + PyQt6 GUI + curses TUI |
| `services/arp_spoof.py` | **Generic core** |
| `services/dns_spoof.py` | **Generic core** |
| `services/http_server.py` | **Generic core** (peek-before-wrap on :443) |
| `services/udp_listener.py` | **Generic core** |
| `services/sniffer.py` | **Generic core** (conntrack original-dst lookup, protocol fingerprinting) |
| `services/intruder_watch.py` | **Generic core** |
| `inject/packet.py` | **Generic core** |
| `utils/log.py` | **Generic core** (1 GiB rotation) |
| `utils/proto.py` | **Generic core** (12+ protocol fingerprints) |
| `regen_cert.sh` | **Generic core** |
| `api/server.py` | **Generic core** (REST API on :9090) |
| `api/ubox_client.py` | **Camera plugin** — UBox cloud client + OAM HMAC signing |
| `api/firmware_fetch.py` | **Camera plugin** — multi-version `check_version/v3` caller |
| `api/ota_bucket_probe.py` | **Camera plugin** — Tencent COS OTA bucket enumerator |
| `api/cve_checks.py` | **Camera plugin** — CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers |
| `api/fuzzer.py` | **Camera plugin** — 146 hardcoded UBox endpoints + ~600 wordlist |
| `gui.py` Cloud API tab | **Camera plugin** UI |
| `gui.py` Fuzzer tab | **Camera plugin** UI |
| `gui.py` CVEs tab | **Camera plugin** UI |
| `site/` | **Camera research output** — published as `camhak.seteclabs.io` |

If you want to retarget this engine at a different device, the cleaner path is to use the generic [setec-mitm](https://repo.seteclabs.io/SetecLabs/setec-mitm) and write your own `targets/<your_brand>/plugin.py` rather than fork this one.

## Features

- **ARP Spoofing** — MITM positioning between camera and gateway with automatic ARP table restoration on exit
- **DNS Interception** — Spoof cloud domain resolution to redirect camera traffic through your machine
- **HTTP/HTTPS MITM** — Auto-generated SSL certificates, full request/response logging with hex dumps
- **Raw Packet Sniffer** — Catches all camera traffic on any port, detects new connections in real-time
- **UDP Capture** — Dedicated listeners for P2P master services (port 10240) and other protocols
- **Cloud API Client** — Authenticate to vendor cloud APIs, enumerate devices, extract credentials and firmware info
- **API Fuzzer** — Endpoint discovery via wordlist, parameter mutation (SQLi, IDOR, type confusion, overflow), and authentication bypass testing
- **Packet Injection** — Craft and send raw UDP, ARP, DNS, and Ethernet frames
- **REST API** — External control interface on port 9090 for AI-assisted automated testing and integration with other tools
- **TUI** — Full terminal interface with scrolling logs, status bar, command history, and color-coded output

## Requirements

- Linux (tested on Ubuntu/Debian ARM64 and x86_64)
- Python 3.10+
- Root access (required for raw sockets, ARP, iptables)
- `openssl` (for certificate generation)

No external Python packages required — uses only the standard library.

## Installation

```bash
git clone <repo_url> /path/to/setec_suite/cam-mitm
cd /path/to/setec_suite/cam-mitm
sudo python3 mitm.py
```

## Usage

### Quick Start

```bash
cd /home/snake/setec_suite/cam-mitm
sudo python3 mitm.py
```

### TUI Commands

#### MITM Services
| Command | Description |
|---------|-------------|
| `start` | Start all MITM services (ARP, DNS, HTTP/S, UDP, sniffer) |
| `stop` | Stop all services and restore ARP tables |
| `status` | Show running service status |

#### Configuration
| Command | Description |
|---------|-------------|
| `config` | Show current settings |
| `set <key> <value>` | Change a setting |
| `save` | Save config to disk |

Configurable keys: `camera_ip`, `camera_mac`, `our_ip`, `router_ip`, `iface`, `api_email`, `api_password`, `rest_port`, `fuzzer_threads`, `fuzzer_delay`

#### Cloud API
| Command | Description |
|---------|-------------|
| `login` | Authenticate to vendor cloud API |
| `devices` | List devices and extract credentials |
| `firmware` | Check firmware version |
| `services` | Query device cloud services |
| `families` | List account families/groups |
| `api <endpoint>` | Raw POST to any API endpoint |

#### Fuzzer
| Command | Description |
|---------|-------------|
| `fuzz endpoints` | Discover hidden API endpoints via wordlist |
| `fuzz params <endpoint>` | Test parameter mutations on an endpoint |
| `fuzz auth` | Test authentication bypass techniques |
| `fuzz stop` | Stop a running fuzz job |
| `fuzz results` | Save results to JSON file |

#### Packet Injection
| Command | Description |
|---------|-------------|
| `inject udp <ip> <port> <hex>` | Send a UDP packet with hex payload |
| `inject arp_reply <src_ip> <dst_ip>` | Send a spoofed ARP reply |
| `inject dns_query <domain>` | Send a DNS query |

### REST API

The built-in REST API (default port 9090) enables external tool integration and AI-assisted automated testing workflows.

#### Endpoints

| Method | Path | Description |
|--------|------|-------------|
| GET | `/status` | Service status, flags, config |
| GET | `/logs?count=N` | Recent log entries |
| GET | `/devices` | Cached device list |
| GET | `/config` | Current configuration |
| GET | `/fuzz/results` | Fuzzer results |
| POST | `/start` | Start MITM services |
| POST | `/stop` | Stop MITM services |
| POST | `/config` | Update config `{"key": "value"}` |
| POST | `/command` | Execute TUI command `{"cmd": "..."}` |
| POST | `/api` | Proxy cloud API call `{"endpoint": "...", "data": {}}` |
| POST | `/fuzz/endpoints` | Start endpoint fuzzer |
| POST | `/fuzz/params` | Start param fuzzer `{"endpoint": "..."}` |
| POST | `/fuzz/auth` | Start auth bypass fuzzer |
| POST | `/fuzz/stop` | Stop fuzzer |
| POST | `/inject` | Send packet `{"type": "udp", "dst_ip": "...", ...}` |

#### Example: AI-Automated Testing

```bash
# Start MITM
curl -X POST http://localhost:9090/start

# Run endpoint fuzzer
curl -X POST http://localhost:9090/fuzz/endpoints

# Check results
curl http://localhost:9090/fuzz/results | python3 -m json.tool

# Send custom API request
curl -X POST http://localhost:9090/api \
  -H "Content-Type: application/json" \
  -d '{"endpoint": "user/device_list", "data": {}}'

# Inject a packet
curl -X POST http://localhost:9090/inject \
  -H "Content-Type: application/json" \
  -d '{"type": "udp", "dst_ip": "10.0.0.47", "dst_port": 10240, "payload": "deadbeef", "payload_hex": true}'
```

## Project Structure

```
cam-mitm/
├── mitm.py              # Entry point + TUI + controller
├── config.py            # Persistent JSON configuration
├── services/
│   ├── arp_spoof.py     # ARP cache poisoning
│   ├── dns_spoof.py     # DNS response spoofing
│   ├── http_server.py   # HTTP/HTTPS interception with SSL
│   ├── udp_listener.py  # UDP protocol capture
│   └── sniffer.py       # Raw packet monitor
├── api/
│   ├── ubox_client.py   # Vendor cloud API client
│   ├── fuzzer.py        # API security fuzzer
│   └── server.py        # REST API for external integration
├── inject/
│   └── packet.py        # Packet crafting and injection
└── utils/
    └── log.py           # Shared logging utilities
```

## TUI Navigation

| Key | Action |
|-----|--------|
| Enter | Execute command |
| Up/Down Arrow | Command history |
| Page Up/Down | Scroll log |
| Home/End | Jump to oldest/newest log |
| Escape | Clear input |
| Ctrl+C | Graceful shutdown |

## Legal

This tool is intended for authorized security testing on devices you own. Unauthorized interception of network traffic is illegal. Always obtain proper authorization before testing.

## License

MIT

## Author

sssnake — Setec Labs