Skip to main content
BloodCat supports 9 major IP camera manufacturers, each with specific RTSP path configurations and default user accounts. The CamLib class in lib/camlib.py provides brand-specific configurations for optimal camera access.

Overview

Each camera brand has:
  • Default usernames: Common administrative accounts for the brand
  • RTSP paths: Known streaming endpoint paths for accessing camera feeds
BloodCat uses these configurations to efficiently test camera access during penetration tests.

Supported Brands

Default Users
  • admin
  • root
  • supervisor
RTSP Paths
Streaming/Channels/101
Streaming/Channels/102
live.sdp
videoMain
media/video1
media/video2
Hikvision is one of the world’s largest camera manufacturers. The Streaming/Channels/101 and 102 paths are commonly used for main and sub-streams.
Default Users
  • root
  • system
RTSP Paths
cam/realmonitor?channel=1&subtype=0
cam/realmonitor?channel=1&subtype=1
live.sdp
videoMain
media/video1
media/video2
Dahua cameras use the cam/realmonitor endpoint with channel and subtype parameters to specify stream quality.
Default Users
  • admin
RTSP Paths
ucast/1/1
stream1
live.sdp
videoMain
media/video1
media/video2
Uniview cameras typically use the ucast path for unicast streaming.
Default Users
  • root
  • admin
RTSP Paths
axis-media/media.amp
axis-cgi/mjpg/video.cgi
axis-cgi/media.cgi
live.sdp
Axis cameras use distinctive axis-media and axis-cgi paths for their streaming endpoints.
Default Users
  • admin
RTSP Paths
SNC/media/media.amp
live.sdp
videoMain
Sony cameras use the SNC/media path structure for their RTSP streams.
Default Users
  • admin
RTSP Paths
live.sdp
live
videoMain
videoSub
Vivotek cameras support both main and sub-stream access through videoMain and videoSub paths.
Default Users
  • admin
RTSP Paths
cam/realmonitor?channel=1&subtype=0
live.sdp
videoMain
media/video1
media/video2
stream1
stream2
h264
h265
videoSub
ch0_0.h264
ch1_0.h264
user=admin_password=123456_channel=1_stream=0.sdp
live/ch00_0
0
1
11
12
h264Preview_01_main
h264Preview_01_sub
TVT has the most extensive path list (19 paths) as these cameras often use various OEM configurations and path structures.
Default Users
  • admin
RTSP Paths
Streaming/Channels/101
Streaming/Channels/102
live.sdp
videoMain
media/video1
Milesight uses a similar path structure to Hikvision cameras.

Brand Configuration Matrix

BrandDefault UsersPath CountPrimary Path Pattern
Hikvisionadmin, root, supervisor6Streaming/Channels/
Dahuaroot, system6cam/realmonitor?
Univiewadmin6ucast/
Axisroot, admin4axis-media/
Sonyadmin3SNC/media/
Vivotekadmin4videoMain/Sub
TVTadmin19Mixed (OEM paths)
Reolinkadmin3h264Preview_
Milesightadmin5Streaming/Channels/

Implementation Reference

Each brand configuration is implemented as a method in the CamLib class (lib/camlib.py:15-127). The methods return a tuple of (users, paths) that BloodCat uses during brute-force operations. 
class CamLib():
    def Hikvision(self):
        paths = [
            'Streaming/Channels/101', 
            'Streaming/Channels/102',  
            'live.sdp',
            'videoMain',
            'media/video1',
            'media/video2',
        ]
        users = ['admin', 'root', 'supervisor']
        return (users, paths)
These configurations are based on manufacturer documentation and real-world camera deployments. BloodCat automatically selects the appropriate configuration based on RTSP banner detection.

Build docs developers (and LLMs) love

Get started for freeTalk to us