54934f4ccd
Add a section explaining the relationship to setec-mitm and which files are generic core vs camera-specific. No file moves — clone-and-run UX preserved.
SetecSuite — Camera MITM Framework
A modular IoT camera pentesting toolkit for intercepting, analyzing, and testing the security of cloud-connected IP cameras. Built for authorized security research on devices you own.
This is the camera-specific case study fork. It bundles the generic setec-mitm core plus a fully built-out target plugin for the Javiscam 2604 / UBox / UBIA camera family — UBox cloud client, OAM HMAC forging, CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers, firmware multi-version fetcher, OTA bucket probe, and a 146-endpoint API fuzzer wordlist. It's the engine that produced the camhak.seteclabs.io research report. Clone, run, point at the camera. No additional setup.
If you want the bare framework without any of the camera-specific code, use setec-mitm instead. Both share the same core; cam-mitm is what you get when you fill in the
targets/javiscam_2604/plugin slot all the way.
File layout — generic core vs camera-specific
The same code organisation that setec-mitm formalises with its targets/ plugin system is present here, just inlined into the top-level directories. Mapping:
| File / dir | Generic core or camera plugin? |
|---|---|
mitm.py, gui.py |
Generic core — Controller + PyQt6 GUI + curses TUI |
services/arp_spoof.py |
Generic core |
services/dns_spoof.py |
Generic core |
services/http_server.py |
Generic core (peek-before-wrap on :443) |
services/udp_listener.py |
Generic core |
services/sniffer.py |
Generic core (conntrack original-dst lookup, protocol fingerprinting) |
services/intruder_watch.py |
Generic core |
inject/packet.py |
Generic core |
utils/log.py |
Generic core (1 GiB rotation) |
utils/proto.py |
Generic core (12+ protocol fingerprints) |
regen_cert.sh |
Generic core |
api/server.py |
Generic core (REST API on :9090) |
api/ubox_client.py |
Camera plugin — UBox cloud client + OAM HMAC signing |
api/firmware_fetch.py |
Camera plugin — multi-version check_version/v3 caller |
api/ota_bucket_probe.py |
Camera plugin — Tencent COS OTA bucket enumerator |
api/cve_checks.py |
Camera plugin — CVE-2025-12636 / CVE-2021-28372 / CVE-2023-6322 verifiers |
api/fuzzer.py |
Camera plugin — 146 hardcoded UBox endpoints + ~600 wordlist |
gui.py Cloud API tab |
Camera plugin UI |
gui.py Fuzzer tab |
Camera plugin UI |
gui.py CVEs tab |
Camera plugin UI |
site/ |
Camera research output — published as camhak.seteclabs.io |
If you want to retarget this engine at a different device, the cleaner path is to use the generic setec-mitm and write your own targets/<your_brand>/plugin.py rather than fork this one.
Features
- ARP Spoofing — MITM positioning between camera and gateway with automatic ARP table restoration on exit
- DNS Interception — Spoof cloud domain resolution to redirect camera traffic through your machine
- HTTP/HTTPS MITM — Auto-generated SSL certificates, full request/response logging with hex dumps
- Raw Packet Sniffer — Catches all camera traffic on any port, detects new connections in real-time
- UDP Capture — Dedicated listeners for P2P master services (port 10240) and other protocols
- Cloud API Client — Authenticate to vendor cloud APIs, enumerate devices, extract credentials and firmware info
- API Fuzzer — Endpoint discovery via wordlist, parameter mutation (SQLi, IDOR, type confusion, overflow), and authentication bypass testing
- Packet Injection — Craft and send raw UDP, ARP, DNS, and Ethernet frames
- REST API — External control interface on port 9090 for AI-assisted automated testing and integration with other tools
- TUI — Full terminal interface with scrolling logs, status bar, command history, and color-coded output
Requirements
- Linux (tested on Ubuntu/Debian ARM64 and x86_64)
- Python 3.10+
- Root access (required for raw sockets, ARP, iptables)
openssl(for certificate generation)
No external Python packages required — uses only the standard library.
Installation
git clone <repo_url> /path/to/setec_suite/cam-mitm
cd /path/to/setec_suite/cam-mitm
sudo python3 mitm.py
Usage
Quick Start
cd /home/snake/setec_suite/cam-mitm
sudo python3 mitm.py
TUI Commands
MITM Services
| Command | Description |
|---|---|
start |
Start all MITM services (ARP, DNS, HTTP/S, UDP, sniffer) |
stop |
Stop all services and restore ARP tables |
status |
Show running service status |
Configuration
| Command | Description |
|---|---|
config |
Show current settings |
set <key> <value> |
Change a setting |
save |
Save config to disk |
Configurable keys: camera_ip, camera_mac, our_ip, router_ip, iface, api_email, api_password, rest_port, fuzzer_threads, fuzzer_delay
Cloud API
| Command | Description |
|---|---|
login |
Authenticate to vendor cloud API |
devices |
List devices and extract credentials |
firmware |
Check firmware version |
services |
Query device cloud services |
families |
List account families/groups |
api <endpoint> |
Raw POST to any API endpoint |
Fuzzer
| Command | Description |
|---|---|
fuzz endpoints |
Discover hidden API endpoints via wordlist |
fuzz params <endpoint> |
Test parameter mutations on an endpoint |
fuzz auth |
Test authentication bypass techniques |
fuzz stop |
Stop a running fuzz job |
fuzz results |
Save results to JSON file |
Packet Injection
| Command | Description |
|---|---|
inject udp <ip> <port> <hex> |
Send a UDP packet with hex payload |
inject arp_reply <src_ip> <dst_ip> |
Send a spoofed ARP reply |
inject dns_query <domain> |
Send a DNS query |
REST API
The built-in REST API (default port 9090) enables external tool integration and AI-assisted automated testing workflows.
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /status |
Service status, flags, config |
| GET | /logs?count=N |
Recent log entries |
| GET | /devices |
Cached device list |
| GET | /config |
Current configuration |
| GET | /fuzz/results |
Fuzzer results |
| POST | /start |
Start MITM services |
| POST | /stop |
Stop MITM services |
| POST | /config |
Update config {"key": "value"} |
| POST | /command |
Execute TUI command {"cmd": "..."} |
| POST | /api |
Proxy cloud API call {"endpoint": "...", "data": {}} |
| POST | /fuzz/endpoints |
Start endpoint fuzzer |
| POST | /fuzz/params |
Start param fuzzer {"endpoint": "..."} |
| POST | /fuzz/auth |
Start auth bypass fuzzer |
| POST | /fuzz/stop |
Stop fuzzer |
| POST | /inject |
Send packet {"type": "udp", "dst_ip": "...", ...} |
Example: AI-Automated Testing
# Start MITM
curl -X POST http://localhost:9090/start
# Run endpoint fuzzer
curl -X POST http://localhost:9090/fuzz/endpoints
# Check results
curl http://localhost:9090/fuzz/results | python3 -m json.tool
# Send custom API request
curl -X POST http://localhost:9090/api \
-H "Content-Type: application/json" \
-d '{"endpoint": "user/device_list", "data": {}}'
# Inject a packet
curl -X POST http://localhost:9090/inject \
-H "Content-Type: application/json" \
-d '{"type": "udp", "dst_ip": "10.0.0.47", "dst_port": 10240, "payload": "deadbeef", "payload_hex": true}'
Project Structure
cam-mitm/
├── mitm.py # Entry point + TUI + controller
├── config.py # Persistent JSON configuration
├── services/
│ ├── arp_spoof.py # ARP cache poisoning
│ ├── dns_spoof.py # DNS response spoofing
│ ├── http_server.py # HTTP/HTTPS interception with SSL
│ ├── udp_listener.py # UDP protocol capture
│ └── sniffer.py # Raw packet monitor
├── api/
│ ├── ubox_client.py # Vendor cloud API client
│ ├── fuzzer.py # API security fuzzer
│ └── server.py # REST API for external integration
├── inject/
│ └── packet.py # Packet crafting and injection
└── utils/
└── log.py # Shared logging utilities
TUI Navigation
| Key | Action |
|---|---|
| Enter | Execute command |
| Up/Down Arrow | Command history |
| Page Up/Down | Scroll log |
| Home/End | Jump to oldest/newest log |
| Escape | Clear input |
| Ctrl+C | Graceful shutdown |
Legal
This tool is intended for authorized security testing on devices you own. Unauthorized interception of network traffic is illegal. Always obtain proper authorization before testing.
License
MIT
Author
sssnake — Setec Labs