cam-mitm/README.md
sssnake 800052acc2 Initial commit — SetecSuite Camera MITM Framework
Original tooling from the Camhak research project (camera teardown of a
rebranded UBIA / Javiscam IP camera). PyQt6 GUI on top of a curses TUI on
top of a service controller; per-service start/stop, intruder detection,
protocol fingerprinting, OAM HMAC signing, CVE verifiers, OTA bucket
probe, firmware fetcher, fuzzer, packet injection.

Tabs: Dashboard, Live Log, Intruders, Cloud API, Fuzzer, Inject, CVEs,
Config, Help. Real-time per-packet protocol detection, conntrack-based
original-destination lookup, log rotation at 1 GiB.

See SECURITY_PAPER.md for the full writeup, site/index.html for the
public report, README.md for usage. Run with:
    sudo /usr/bin/python3 gui.py

Co-authored by Setec Labs.
2026-04-09 08:14:18 -07:00

# SetecSuite — Camera MITM Framework
A modular IoT camera pentesting toolkit for intercepting, analyzing, and testing the security of cloud-connected IP cameras. Built for authorized security research on devices you own.
## Features
- **ARP Spoofing** — MITM positioning between camera and gateway with automatic ARP table restoration on exit
- **DNS Interception** — Spoof cloud domain resolution to redirect camera traffic through your machine
- **HTTP/HTTPS MITM** — Auto-generated SSL certificates, full request/response logging with hex dumps
- **Raw Packet Sniffer** — Catches all camera traffic on any port, detects new connections in real-time
- **UDP Capture** — Dedicated listeners for P2P master services (port 10240) and other protocols
- **Cloud API Client** — Authenticate to vendor cloud APIs, enumerate devices, extract credentials and firmware info
- **API Fuzzer** — Endpoint discovery via wordlist, parameter mutation (SQLi, IDOR, type confusion, overflow), and authentication bypass testing
- **Packet Injection** — Craft and send raw UDP, ARP, DNS, and Ethernet frames
- **REST API** — External control interface on port 9090 for AI-assisted automated testing and integration with other tools
- **TUI** — Full terminal interface with scrolling logs, status bar, command history, and color-coded output
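
Seen from another host on the same LAN, the ARP-spoofing position in the feature list shows up as the gateway's IP resolving to a MAC that also answers for a second address. The check below is an added example, not part of SetecSuite: it parses `ip neigh show` output and reports a gateway MAC that differs from a pinned value or is shared with another IPv4 address. The sample table, addresses and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format of `ip neigh show`; all addresses are made up.
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 02:00:00:aa:bb:23 REACHABLE
10.0.0.23 dev eth0 lladdr 02:00:00:aa:bb:23 STALE
10.0.0.50 dev eth0 lladdr 02:00:00:aa:bb:50 STALE
10.0.0.99 dev eth0  FAILED
fe80::1 dev eth0 lladdr 02:00:00:aa:bb:23 router STALE
"""

def parse_neigh(text):
    """Return {(dev, ip): mac} for IPv4 entries that carry a resolved MAC."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields or "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries have no lladdr
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if ip.version != 4:
            continue  # ARP is IPv4-only; IPv6 neighbours are learned via NDP
        dev = fields[fields.index("dev") + 1]
        entries[(dev, str(ip))] = fields[fields.index("lladdr") + 1].lower()
    return entries

def shared_macs(entries):
    """Return {(dev, mac): [ips]} where one MAC answers for several IPv4 addresses."""
    by_mac = defaultdict(list)
    for (dev, ip), mac in entries.items():
        by_mac[(dev, mac)].append(ip)
    return {k: sorted(v, key=ipaddress.ip_address)
            for k, v in by_mac.items() if len(v) > 1}

def gateway_findings(text, gateway_ip, pinned_mac):
    """Report a gateway MAC that differs from the pinned one or is shared."""
    entries, findings = parse_neigh(text), []
    for (dev, ip), mac in entries.items():
        if ip == gateway_ip and mac != pinned_mac.lower():
            findings.append(f"{dev}: gateway {ip} is at {mac}, pinned {pinned_mac.lower()}")
    for (dev, mac), ips in shared_macs(entries).items():
        if gateway_ip in ips:
            others = ", ".join(i for i in ips if i != gateway_ip)
            findings.append(f"{dev}: {mac} answers for gateway {gateway_ip} and {others}")
    return findings
```

Multi-homed hosts and proxy ARP also produce shared MACs, which is why `gateway_findings` only reports a shared MAC when the gateway address is one of the addresses involved.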
## Requirements
- Linux (tested on Ubuntu/Debian ARM64 and x86_64)
- Python 3.10+
- Root access (required for raw sockets, ARP, iptables)
- `openssl` (for certificate generation)

No external Python packages required — uses only the standard library.
## Installation
```bash
git clone <repo_url> /path/to/setec_suite/cam-mitm
cd /path/to/setec_suite/cam-mitm
sudo python3 mitm.py
```
## Usage
### Quick Start
```bash
cd /home/snake/setec_suite/cam-mitm
sudo python3 mitm.py
```
### TUI Commands
#### MITM Services
| Command | Description |
|---------|-------------|
| `start` | Start all MITM services (ARP, DNS, HTTP/S, UDP, sniffer) |
| `stop` | Stop all services and restore ARP tables |
| `status` | Show running service status |
#### Configuration
| Command | Description |
|---------|-------------|
| `config` | Show current settings |
| `set <key> <value>` | Change a setting |
| `save` | Save config to disk |

Configurable keys: `camera_ip`, `camera_mac`, `our_ip`, `router_ip`, `iface`, `api_email`, `api_password`, `rest_port`, `fuzzer_threads`, `fuzzer_delay`
#### Cloud API
| Command | Description |
|---------|-------------|
| `login` | Authenticate to vendor cloud API |
| `devices` | List devices and extract credentials |
| `firmware` | Check firmware version |
| `services` | Query device cloud services |
| `families` | List account families/groups |
| `api <endpoint>` | Raw POST to any API endpoint |
#### Fuzzer
| Command | Description |
|---------|-------------|
| `fuzz endpoints` | Discover hidden API endpoints via wordlist |
| `fuzz params <endpoint>` | Test parameter mutations on an endpoint |
| `fuzz auth` | Test authentication bypass techniques |
| `fuzz stop` | Stop a running fuzz job |
| `fuzz results` | Save results to JSON file |
#### Packet Injection
| Command | Description |
|---------|-------------|
| `inject udp <ip> <port> <hex>` | Send a UDP packet with hex payload |
| `inject arp_reply <src_ip> <dst_ip>` | Send a spoofed ARP reply |
| `inject dns_query <domain>` | Send a DNS query |
### REST API
The built-in REST API (default port 9090) enables external tool integration and AI-assisted automated testing workflows.
#### Endpoints
| Method | Path | Description |
|--------|------|-------------|
| GET | `/status` | Service status, flags, config |
| GET | `/logs?count=N` | Recent log entries |
| GET | `/devices` | Cached device list |
| GET | `/config` | Current configuration |
| GET | `/fuzz/results` | Fuzzer results |
| POST | `/start` | Start MITM services |
| POST | `/stop` | Stop MITM services |
| POST | `/config` | Update config `{"key": "value"}` |
| POST | `/command` | Execute TUI command `{"cmd": "..."}` |
| POST | `/api` | Proxy cloud API call `{"endpoint": "...", "data": {}}` |
| POST | `/fuzz/endpoints` | Start endpoint fuzzer |
| POST | `/fuzz/params` | Start param fuzzer `{"endpoint": "..."}` |
| POST | `/fuzz/auth` | Start auth bypass fuzzer |
| POST | `/fuzz/stop` | Stop fuzzer |
| POST | `/inject` | Send packet `{"type": "udp", "dst_ip": "...", ...}` |
#### Example: AI-Automated Testing
```bash
# Start MITM
curl -X POST http://localhost:9090/start
# Run endpoint fuzzer
curl -X POST http://localhost:9090/fuzz/endpoints
# Check results
curl http://localhost:9090/fuzz/results | python3 -m json.tool
# Send custom API request
curl -X POST http://localhost:9090/api \
  -H "Content-Type: application/json" \
  -d '{"endpoint": "user/device_list", "data": {}}'
# Inject a packet
curl -X POST http://localhost:9090/inject \
  -H "Content-Type: application/json" \
  -d '{"type": "udp", "dst_ip": "10.0.0.47", "dst_port": 10240, "payload": "deadbeef", "payload_hex": true}'
```
## Project Structure
```
cam-mitm/
├── mitm.py              # Entry point + TUI + controller
├── config.py            # Persistent JSON configuration
├── services/
│   ├── arp_spoof.py     # ARP cache poisoning
│   ├── dns_spoof.py     # DNS response spoofing
│   ├── http_server.py   # HTTP/HTTPS interception with SSL
│   ├── udp_listener.py  # UDP protocol capture
│   └── sniffer.py       # Raw packet monitor
├── api/
│   ├── ubox_client.py   # Vendor cloud API client
│   ├── fuzzer.py        # API security fuzzer
│   └── server.py        # REST API for external integration
├── inject/
│   └── packet.py        # Packet crafting and injection
└── utils/
    └── log.py           # Shared logging utilities
```
## TUI Navigation
| Key | Action |
|-----|--------|
| Enter | Execute command |
| Up/Down Arrow | Command history |
| Page Up/Down | Scroll log |
| Home/End | Jump to oldest/newest log |
| Escape | Clear input |
| Ctrl+C | Graceful shutdown |
## Legal
This tool is intended for authorized security testing on devices you own. Unauthorized interception of network traffic is illegal. Always obtain proper authorization before testing.
## License
MIT
## Author
sssnake — Setec Labs