---
title: "554 - Rtsp"
weight: 554-8554
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

💡 **Study note**: This document describes penetration-testing methods for **554-8554 - RTSP**, aimed at information-security beginners and practitioners.

⚠️ **Legal notice**: This document is intended for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.

---

> The transmission of streaming data itself is not a task of RTSP. Most RTSP servers use the Real-time Transport Protocol (RTP) in conjunction with the Real-time Control Protocol (RTCP) for media stream delivery. However, some vendors implement proprietary transport protocols. The RTSP server software from RealNetworks, for example, also used RealNetworks' proprietary Real Data Transport (RDT).

**Default ports:** 554, 8554

```
PORT    STATE SERVICE
554/tcp open  rtsp
```

### Key Details

**RTSP** is similar to HTTP but designed specifically for media streaming. It's defined in a straightforward specification which can be found here:

[RTSP – RFC2326](https://tools.ietf.org/html/rfc2326)

Devices might allow **unauthenticated** or **authenticated** access. To check, a "DESCRIBE" request is sent. A basic example is shown below:

`DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2`

Remember that the request must end with a double "\r\n" (an empty line after the headers) or the server will keep waiting for more headers. A "200 OK" response indicates **unauthenticated access**, while "401 Unauthorized" signals that authentication is needed; its `WWW-Authenticate` header reveals whether **Basic** or **Digest authentication** is required.

For **Basic authentication**, you encode the username and password in base64 and include it in the request like so:

`DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==`

This example uses "admin" and "1234" for the credentials. Here's a **Python script** to send such a request:

```python
import socket

# "YWRtaW46MTIzNA==" is base64 of "admin:1234"; replace <ip>:<port> and the connect target before use.
req = "DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.1", 554))
s.sendall(req.encode())  # Python 3 sockets send bytes, not str
data = s.recv(1024)
print(data.decode(errors="replace"))
s.close()
```

**Basic authentication** is simpler and preferred. **Digest authentication** requires careful handling of the authentication details provided in the "401 Unauthorized" response.

This overview simplifies the process of accessing RTSP streams, focusing on **Basic authentication** for its simplicity and practicality in initial attempts.
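As an added example that is not part of the original page, the helper below builds the DESCRIBE request described above, classifies the reply (200 means open, 401 carries the Basic or Digest challenge in `WWW-Authenticate`), and shows the qop-less RFC 2617 Digest computation the text says needs careful handling. The sample replies, the `cam` realm, the nonce and the `198.51.100.10` address are constructed for offline testing, and `probe()` is meant for auditing devices you administer.

```python
import base64
import hashlib
import re
import socket

# Constructed sample replies (not captured from any real device) so the parser can be exercised offline.
SAMPLE_OPEN = b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n\r\n"
SAMPLE_BASIC = b'RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\nWWW-Authenticate: Basic realm="cam"\r\n\r\n'
SAMPLE_DIGEST = (b'RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n'
                 b'WWW-Authenticate: Digest realm="cam", nonce="0123abcd"\r\n\r\n')

def build_describe(url, cseq=2, auth_header=None):
    """DESCRIBE request; the blank line (\\r\\n\\r\\n) terminates the headers, as stressed above."""
    lines = [f"DESCRIBE {url} RTSP/1.0", f"CSeq: {cseq}"]
    if auth_header:
        lines.append(f"Authorization: {auth_header}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def digest_header(user, password, realm, nonce, uri, method="DESCRIBE"):
    """RFC 2617 Digest in its qop-less form, the variant RFC 2326 servers commonly expect."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    response = hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')

def classify(raw):
    """Return (status, scheme, params): 200 means open; on 401, the scheme plus realm/nonce."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    status_line, *headers = head.split("\r\n")
    status = int(status_line.split()[1])
    scheme, params = None, {}
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "www-authenticate":
            scheme, _, rest = value.strip().partition(" ")
            params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
            break
    return status, scheme, params

def probe(host, port=554, path="/", timeout=5):
    """One unauthenticated DESCRIBE against a device you administer, classified with classify()."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_describe(url))
        return classify(s.recv(4096))
```

A camera that answers `(200, None, {})` to `probe()` serves its stream description to anyone who can reach port 554, which is the finding a defender wants to catch before anyone else does.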

### Information gathering

Let's gather information about which methods and URLs the server supports and, if needed, brute-force the credentials to gain access to the content.

```bash
nmap -sV --script "rtsp-*" -p <PORT> <IP>
```

#### Viewing the RTSP Stream with [ffplay](https://ffmpeg.org/ffplay.html)
Once you've discovered a valid RTSP path (e.g., `/mpeg4`, `/live.sdp`) and confirmed access (unauthenticated or with credentials), you can use `ffplay` to stream the feed:
```bash
ffplay -rtsp_transport tcp rtsp://<IP>/mpeg4 -x 2560 -y 1440
```
- `-rtsp_transport tcp`: Use TCP instead of UDP for more reliable streaming
- `-x`, `-y`: Optional flags to control video resolution
- Replace `<IP>` and path as needed

#### [Brute force](../generic-hacking/brute-force.md#rtsp)

#### **Other useful programs**

To brute force: [https://github.com/Tek-Security-Group/rtsp_authgrinder](https://github.com/Tek-Security-Group/rtsp_authgrinder)

[**Cameradar**](https://github.com/Ullaakut/cameradar)

- Detect open RTSP hosts on any accessible target
- Get their public info (hostname, port, camera model, etc.)
- Launch automated dictionary attacks to get their stream route (for example /live.sdp)
- Launch automated dictionary attacks to get the username and password of the cameras
- Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
- Try to create a Gstreamer pipeline to check if they are properly encoded
- Print a summary of all the information Cameradar could get

#### See also

32100-udp-pentesting-pppp-cs2-p2p-cameras.md

---


### Search engine syntax

#### FOFA

```bash
# FOFA search syntax
port="554"
```

#### Shodan

```bash
# Shodan search syntax
port:554
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:554
```

---

## 📖 References

- [HackTricks - 554-rtsp](https://book.hacktricks.wiki/en/network-services-pentesting/554-rtsp.html)

