Files

sssnake 54934f4ccd README: document generic core vs camera plugin file layout

Add a section explaining the relationship to setec-mitm and which files
are generic core vs camera-specific. No file moves — clone-and-run UX
preserved.

2026-04-09 08:46:27 -07:00

8.9 KiB

Raw Permalink Blame History

SetecSuite — Camera MITM Framework

A modular IoT camera pentesting toolkit for intercepting, analyzing, and testing the security of cloud-connected IP cameras. Built for authorized security research on devices you own.

This is the camera-specific case study fork. It bundles the generic setec-mitm core plus a fully built-out target plugin for the Javiscam 2604 / UBox / UBIA camera family — UBox cloud client, OAM HMAC forging, CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers, firmware multi-version fetcher, OTA bucket probe, and a 146-endpoint API fuzzer wordlist. It's the engine that produced the camhak.seteclabs.io research report. Clone, run, point at the camera. No additional setup.

If you want the bare framework without any of the camera-specific code, use setec-mitm instead. Both share the same core; cam-mitm is what you get when you fill in the targets/javiscam_2604/ plugin slot all the way.

File layout — generic core vs camera-specific

The same code organisation that setec-mitm formalises with its targets/ plugin system is present here, just inlined into the top-level directories. Mapping:

File / dir	Generic core or camera plugin?
`mitm.py`, `gui.py`	Generic core — Controller + PyQt6 GUI + curses TUI
`services/arp_spoof.py`	Generic core
`services/dns_spoof.py`	Generic core
`services/http_server.py`	Generic core (peek-before-wrap on :443)
`services/udp_listener.py`	Generic core
`services/sniffer.py`	Generic core (conntrack original-dst lookup, protocol fingerprinting)
`services/intruder_watch.py`	Generic core
`inject/packet.py`	Generic core
`utils/log.py`	Generic core (1 GiB rotation)
`utils/proto.py`	Generic core (12+ protocol fingerprints)
`regen_cert.sh`	Generic core
`api/server.py`	Generic core (REST API on :9090)
`api/ubox_client.py`	Camera plugin — UBox cloud client + OAM HMAC signing
`api/firmware_fetch.py`	Camera plugin — multi-version `check_version/v3` caller
`api/ota_bucket_probe.py`	Camera plugin — Tencent COS OTA bucket enumerator
`api/cve_checks.py`	Camera plugin — CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers
`api/fuzzer.py`	Camera plugin — 146 hardcoded UBox endpoints + ~600 wordlist
`gui.py` Cloud API tab	Camera plugin UI
`gui.py` Fuzzer tab	Camera plugin UI
`gui.py` CVEs tab	Camera plugin UI
`site/`	Camera research output — published as `camhak.seteclabs.io`

If you want to retarget this engine at a different device, the cleaner path is to use the generic setec-mitm and write your own targets/<your_brand>/plugin.py rather than fork this one.

Features

ARP Spoofing — MITM positioning between camera and gateway with automatic ARP table restoration on exit
DNS Interception — Spoof cloud domain resolution to redirect camera traffic through your machine
HTTP/HTTPS MITM — Auto-generated SSL certificates, full request/response logging with hex dumps
Raw Packet Sniffer — Catches all camera traffic on any port, detects new connections in real-time
UDP Capture — Dedicated listeners for P2P master services (port 10240) and other protocols
Cloud API Client — Authenticate to vendor cloud APIs, enumerate devices, extract credentials and firmware info
API Fuzzer — Endpoint discovery via wordlist, parameter mutation (SQLi, IDOR, type confusion, overflow), and authentication bypass testing
Packet Injection — Craft and send raw UDP, ARP, DNS, and Ethernet frames
REST API — External control interface on port 9090 for AI-assisted automated testing and integration with other tools
TUI — Full terminal interface with scrolling logs, status bar, command history, and color-coded output

Requirements

Linux (tested on Ubuntu/Debian ARM64 and x86_64)
Python 3.10+
Root access (required for raw sockets, ARP, iptables)
openssl (for certificate generation)

No external Python packages required — uses only the standard library.

Installation

git clone <repo_url> /path/to/setec_suite/cam-mitm
cd /path/to/setec_suite/cam-mitm
sudo python3 mitm.py

Usage

Quick Start

cd /home/snake/setec_suite/cam-mitm
sudo python3 mitm.py

TUI Commands

MITM Services

Command	Description
`start`	Start all MITM services (ARP, DNS, HTTP/S, UDP, sniffer)
`stop`	Stop all services and restore ARP tables
`status`	Show running service status

Configuration

Command	Description
`config`	Show current settings
`set <key> <value>`	Change a setting
`save`	Save config to disk

Configurable keys: camera_ip, camera_mac, our_ip, router_ip, iface, api_email, api_password, rest_port, fuzzer_threads, fuzzer_delay

Cloud API

Command	Description
`login`	Authenticate to vendor cloud API
`devices`	List devices and extract credentials
`firmware`	Check firmware version
`services`	Query device cloud services
`families`	List account families/groups
`api <endpoint>`	Raw POST to any API endpoint

Fuzzer

Command	Description
`fuzz endpoints`	Discover hidden API endpoints via wordlist
`fuzz params <endpoint>`	Test parameter mutations on an endpoint
`fuzz auth`	Test authentication bypass techniques
`fuzz stop`	Stop a running fuzz job
`fuzz results`	Save results to JSON file

Packet Injection

Command	Description
`inject udp <ip> <port> <hex>`	Send a UDP packet with hex payload
`inject arp_reply <src_ip> <dst_ip>`	Send a spoofed ARP reply
`inject dns_query <domain>`	Send a DNS query

REST API

The built-in REST API (default port 9090) enables external tool integration and AI-assisted automated testing workflows.

Endpoints

Method	Path	Description
GET	`/status`	Service status, flags, config
GET	`/logs?count=N`	Recent log entries
GET	`/devices`	Cached device list
GET	`/config`	Current configuration
GET	`/fuzz/results`	Fuzzer results
POST	`/start`	Start MITM services
POST	`/stop`	Stop MITM services
POST	`/config`	Update config `{"key": "value"}`
POST	`/command`	Execute TUI command `{"cmd": "..."}`
POST	`/api`	Proxy cloud API call `{"endpoint": "...", "data": {}}`
POST	`/fuzz/endpoints`	Start endpoint fuzzer
POST	`/fuzz/params`	Start param fuzzer `{"endpoint": "..."}`
POST	`/fuzz/auth`	Start auth bypass fuzzer
POST	`/fuzz/stop`	Stop fuzzer
POST	`/inject`	Send packet `{"type": "udp", "dst_ip": "...", ...}`

Example: AI-Automated Testing

# Start MITM
curl -X POST http://localhost:9090/start

# Run endpoint fuzzer
curl -X POST http://localhost:9090/fuzz/endpoints

# Check results
curl http://localhost:9090/fuzz/results | python3 -m json.tool

# Send custom API request
curl -X POST http://localhost:9090/api \
  -H "Content-Type: application/json" \
  -d '{"endpoint": "user/device_list", "data": {}}'

# Inject a packet
curl -X POST http://localhost:9090/inject \
  -H "Content-Type: application/json" \
  -d '{"type": "udp", "dst_ip": "10.0.0.47", "dst_port": 10240, "payload": "deadbeef", "payload_hex": true}'

Project Structure

cam-mitm/
├── mitm.py              # Entry point + TUI + controller
├── config.py            # Persistent JSON configuration
├── services/
│   ├── arp_spoof.py     # ARP cache poisoning
│   ├── dns_spoof.py     # DNS response spoofing
│   ├── http_server.py   # HTTP/HTTPS interception with SSL
│   ├── udp_listener.py  # UDP protocol capture
│   └── sniffer.py       # Raw packet monitor
├── api/
│   ├── ubox_client.py   # Vendor cloud API client
│   ├── fuzzer.py        # API security fuzzer
│   └── server.py        # REST API for external integration
├── inject/
│   └── packet.py        # Packet crafting and injection
└── utils/
    └── log.py           # Shared logging utilities

Key	Action
Enter	Execute command
Up/Down Arrow	Command history
Page Up/Down	Scroll log
Home/End	Jump to oldest/newest log
Escape	Clear input
Ctrl+C	Graceful shutdown

Legal

This tool is intended for authorized security testing on devices you own. Unauthorized interception of network traffic is illegal. Always obtain proper authorization before testing.

License

MIT

Author

sssnake — Setec Labs

8.9 KiB Raw Permalink Blame History