OSINT Modules

André Henrique edited this page Jun 8, 2026 · 1 revision

Passive and semi-passive intelligence gathering modules for device identification, vulnerability research, and pre-engagement reconnaissance. These modules minimize active interaction with target systems.


Module Index

Module Path                            Description
-----------                            -----------
osint/fcc_id_lookup                    Query FCC Equipment Authorization database
osint/camera_url_generator             Generate known camera stream URLs by vendor/model
osint/keygen/huawei_hg8245_wpa_keygen  Derive default WPA key from Huawei HG8245 BSSID
osint/keygen/easybox_wpa_keygen        Derive WPA2 default key from EasyBox MAC
osint/shodan_dorks                     Pre-built Shodan dorks for embedded device discovery
osint/zoomeye_dorks                    ZoomEye queries for IoT device enumeration
osint/github_recon                     Search GitHub for public firmware and credentials

FCC-ID Lookup

Retrieve hardware documentation, internal photos, and RF test reports from the FCC Equipment Authorization database using the FCC ID on a device label.

exf > use osint/fcc_id_lookup
exf (FCCIDLookup) > show options

Options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  FCC_ID                   yes       FCC ID code from device label (e.g. PD5-WNR3500U)
  OUTPUT                   no        Save results to file

exf (FCCIDLookup) > set FCC_ID XMR201811EC21A
exf (FCCIDLookup) > run

[*] Querying fccid.io for XMR201811EC21A...
[+] Device Found:
    Product Name  : EC21 Mini PCIe
    Manufacturer  : Quectel Wireless Solutions
    Grantee Code  : XMR
    Frequencies   : 700 MHz, 850 MHz, 1700 MHz, 1900 MHz, 2100 MHz
    Filing Date   : 2018-11-15
[*] Documents:
    [1] Test Report (RF)     - https://fccid.io/XMR201811EC21A/RF-Exposure
    [2] User Manual          - https://fccid.io/XMR201811EC21A/Users-Manual
    [3] External Photos      - https://fccid.io/XMR201811EC21A/External-Photos
    [4] Internal Photos      - https://fccid.io/XMR201811EC21A/Internal-Photos

exf (FCCIDLookup) > set FCC_ID PD5-WNR3500U
exf (FCCIDLookup) > run

[+] FCC ID: PD5-WNR3500U
    Grantee      : NETGEAR Inc.
    Product      : WNR3500U Wireless-N Gigabit Router
    Frequency    : 2.4GHz / 5GHz
    Grant Date   : 2009-11-18
    Internal Photos: https://fccid.io/PD5-WNR3500U/Internal-Photos

Tips:

  • FCC IDs appear on labels inside battery compartments, on bottom stickers, or engraved on the PCB
  • Format: GRANTEE_CODE-PRODUCT_CODE (e.g., 2AUER-U620A)
  • Internal photos reveal chipset, antenna layout, and potential debug headers
  • Use with osint/github_recon to find open-source firmware for the identified chipset
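
For asset-inventory work, the label format described in the tips can be parsed and validated before any lookup. This is an added example, not the module's own code; it assumes the FCC convention (not stated on this page) that a grantee code starting with a letter has 3 characters and one starting with a digit has 5, followed by a product code of 1 to 14 characters. The names parse_fcc_id and triage_labels are hypothetical.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Assumed FCC convention: 3-character grantee code if it starts with a letter,
# 5-character if it starts with a digit; product code is 1-14 characters.
# Following the page's GRANTEE_CODE-PRODUCT_CODE format, one hyphen directly
# after the grantee code is treated as the separator.
_FCC_ID = re.compile(
    r"(?P<grantee>[A-Z][A-Z0-9]{2}|[0-9][A-Z0-9]{4})"
    r"-?(?P<product>[A-Z0-9-]{1,14})"
)
# Labels usually print the value as "FCC ID: <value>".
_LABEL_PREFIX = re.compile(r"^FCC\s*ID\s*:\s*")


def parse_fcc_id(label_text: str) -> Tuple[str, str]:
    """Split an FCC ID as printed on a label into (grantee_code, product_code)."""
    text = _LABEL_PREFIX.sub("", label_text.strip().upper())
    match = _FCC_ID.fullmatch(text)
    if match is None:
        raise ValueError(f"not a well-formed FCC ID: {label_text!r}")
    return match["grantee"], match["product"]


def triage_labels(labels: Iterable[str]) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Parse a batch of label strings; return (parsed, rejected)."""
    parsed, rejected = {}, []
    for label in labels:
        try:
            parsed[label] = parse_fcc_id(label)
        except ValueError:
            rejected.append(label)  # re-read the label instead of guessing
    return parsed, rejected


if __name__ == "__main__":
    # The first three IDs appear on this page; the last is a constructed bad value.
    sample = ["XMR201811EC21A", "PD5-WNR3500U", "FCC ID: 2AUER-U620A", "2AU-1"]
    good, bad = triage_labels(sample)
    for label, (grantee, product) in good.items():
        print(f"{label:22} grantee={grantee:6} product={product}")
    print("rejected:", bad)
```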

Camera URL Generator

Generate known RTSP stream paths and HTTP snapshot URLs for a specified camera vendor and model, based on the iSpy camera database format.

exf > use osint/camera_url_generator
exf (CameraURL) > show options

Options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  VENDOR       hikvision        yes       Camera vendor name
  MODEL                         no        Specific model (e.g. DS-2CD2143G2)
  OUTPUT_FILE                   no        Save URL list to file
  ALL_VENDORS  false            no        Dump all known URLs for all vendors

exf (CameraURL) > set VENDOR hikvision
exf (CameraURL) > set MODEL DS-2CD2143G2
exf (CameraURL) > run

[+] Known stream URLs for Hikvision DS-2CD2143G2:
    [1] rtsp://<ip>:554/Streaming/Channels/101
    [2] rtsp://<ip>:554/Streaming/Channels/102
    [3] rtsp://<ip>:554/h264/ch1/main/av_stream
    [4] rtsp://<ip>:554/h264/ch1/sub/av_stream
    [5] http://<ip>/ISAPI/Streaming/channels/1/picture
    [6] http://<ip>/onvif/device_service
    [7] rtsp://<ip>/cam/realmonitor?channel=1&subtype=0

exf (CameraURL) > set VENDOR dahua
exf (CameraURL) > run

[+] Known stream URLs for Dahua:
    [1] rtsp://<ip>:554/cam/realmonitor?channel=1&subtype=0
    [2] rtsp://<ip>:554/cam/realmonitor?channel=1&subtype=1
    [3] rtsp://<ip>/h264/ch1/main/av_stream
    [4] http://<ip>/cgi-bin/snapshot.cgi?channel=1
    [5] http://<ip>/cgi-bin/mjpg/video.cgi?channel=1

# Generate wordlist for RTSP route brute-force
exf (CameraURL) > set OUTPUT_FILE /tmp/hikvision_routes.txt
exf (CameraURL) > run
[*] Saved 7 URLs to /tmp/hikvision_routes.txt

# Combine with RTSP attack
exf > use exploits/cameras/multi/rtsp_cameradar_attack
exf (RTSP Attack) > set target 192.168.1.100
exf (RTSP Attack) > set CUSTOM_ROUTES /tmp/hikvision_routes.txt
exf (RTSP Attack) > run

Coverage: 300+ camera vendors from the iSpy open camera database.
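
On the receiving side, a route wordlist like the one above shows up as one client being refused on many different stream paths in a short time, which a normal recorder that requests a single known route does not do. The following detection sketch is an added example, not part of the framework; the log format, the sample lines, the threshold and the function name find_route_enumeration are all constructed assumptions, and log lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: "<ISO time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2026-06-08T10:00:00 10.0.0.20 DESCRIBE rtsp://10.0.0.5:554/Streaming/Channels/101 200
2026-06-08T10:00:30 10.0.0.20 DESCRIBE rtsp://10.0.0.5:554/Streaming/Channels/101 200
2026-06-08T10:01:00 10.0.0.66 DESCRIBE rtsp://10.0.0.5:554/h264/ch1/main/av_stream 404
2026-06-08T10:01:01 10.0.0.66 DESCRIBE rtsp://10.0.0.5:554/h264/ch1/sub/av_stream 404
2026-06-08T10:01:01 10.0.0.66 DESCRIBE rtsp://10.0.0.5:554/cam/realmonitor?channel=1&subtype=0 404
2026-06-08T10:01:02 10.0.0.66 DESCRIBE rtsp://10.0.0.5:554/cam/realmonitor?channel=1&subtype=1 404
2026-06-08T10:01:03 10.0.0.66 DESCRIBE rtsp://10.0.0.5:554/Streaming/Channels/102 401
"""


def find_route_enumeration(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {client: sorted failed routes} for clients refused (401/404) on
    at least `threshold` distinct routes within `window`."""
    recent = defaultdict(deque)  # client -> (time, route) events inside the window
    flagged = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        stamp, client, method, url, status = fields
        if method != "DESCRIBE" or status not in ("401", "404"):
            continue
        when = datetime.fromisoformat(stamp)
        parts = urlsplit(url)
        route = parts.path + ("?" + parts.query if parts.query else "")
        events = recent[client]
        events.append((when, route))
        while when - events[0][0] > window:
            events.popleft()  # drop events that fell out of the window
        routes = {r for _, r in events}
        if len(routes) >= threshold:
            flagged.setdefault(client, set()).update(routes)
    return {client: sorted(routes) for client, routes in flagged.items()}


if __name__ == "__main__":
    for client, routes in find_route_enumeration(SAMPLE_LOG).items():
        print(f"{client}: refused on {len(routes)} distinct routes")
        for route in routes:
            print("   ", route)
```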


Shodan Dorks

Pre-built Shodan search queries for discovering embedded devices in public IP space.

exf > use osint/shodan_dorks
exf (ShodanDorks) > set CATEGORY cameras
exf (ShodanDorks) > run

[+] Shodan Dorks - IP Cameras:

Hikvision:
  port:554 "RTSP/1.0 200 OK"
  http.title:"HIKVISION" port:80
  Server: "DNVRS-Webs"

Dahua:
  port:37777
  http.title:"DahuaWebView"
  "WWW-Authenticate: Digest realm=\"Login to"

Axis:
  http.title:"Axis Network Camera"
  port:554 Server:"AXIS"

Generic RTSP:
  port:554 "rtsp://"
  port:8554 "RTSP/1.0"

exf (ShodanDorks) > set CATEGORY routers
exf (ShodanDorks) > set VENDOR zte
exf (ShodanDorks) > run

[+] Shodan Dorks - ZTE Routers:

ZTE GPON ONTs:
  http.title:"ZTE GPON" port:80
  http.html:"ZXHN" port:80
  Server: "GoAhead-Webs" "ZTE"

ZTE ADSL/VDSL:
  http.title:"ZTE" port:80 "H298A"
  http.html:"ETHCheat"

exf (ShodanDorks) > set CATEGORY ics
exf (ShodanDorks) > run

[+] Shodan Dorks - ICS/OT:

Modbus:
  port:502 "Modbus"

Siemens S7:
  port:102

SCADA/HMI Web Interfaces:
  http.title:"SCADA" port:80
  http.title:"HMI" port:443
  http.html:"Industrial Control"

Exposed PLCs:
  port:44818 "EtherNet/IP"
  port:47808 "BACnet"
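
The same fingerprints can be turned on your own perimeter to see which of your services these queries would surface. The audit below is an added example, not code from the framework: it evaluates a subset of the dorks listed above against constructed scan records using a simplified matcher (all terms ANDed, case-insensitive substring match), which is an assumption and not Shodan's actual query engine. The names dork_matches and audit and the record layout are hypothetical.

```python
import shlex

# Dorks copied from the module output above. PERIMETER is constructed sample
# data standing in for an external scan of your own address space.
DORKS = {
    "Hikvision": ['port:554 "RTSP/1.0 200 OK"', 'http.title:"HIKVISION" port:80'],
    "Dahua": ["port:37777", 'http.title:"DahuaWebView"'],
    "Modbus": ['port:502 "Modbus"'],
    "Siemens S7": ["port:102"],
    "Exposed PLCs": ['port:44818 "EtherNet/IP"', 'port:47808 "BACnet"'],
}
PERIMETER = [
    {"ip": "198.51.100.10", "port": 554, "banner": "RTSP/1.0 200 OK\r\nCSeq: 1", "http.title": ""},
    {"ip": "198.51.100.11", "port": 80, "banner": "HTTP/1.1 200 OK", "http.title": "hikvision login"},
    {"ip": "198.51.100.12", "port": 443, "banner": "HTTP/1.1 200 OK", "http.title": "Intranet"},
    {"ip": "198.51.100.13", "port": 102, "banner": "", "http.title": ""},
]


def dork_matches(dork, record):
    """Simplified evaluation: every term must match. 'key:value' terms are
    compared with the record field; bare terms are banner substrings."""
    for term in shlex.split(dork):
        key, sep, value = term.partition(":")
        if sep and key in record:
            if key == "port":
                ok = value.isdigit() and int(value) == record["port"]
            else:
                ok = value.lower() in str(record[key]).lower()
        else:
            ok = term.lower() in record["banner"].lower()
        if not ok:
            return False
    return True


def audit(records, dorks=DORKS):
    """Return sorted (ip, port, label) for own services a listed dork would find."""
    hits = set()
    for rec in records:
        for label, queries in dorks.items():
            if any(dork_matches(query, rec) for query in queries):
                hits.add((rec["ip"], rec["port"], label))
    return sorted(hits)


if __name__ == "__main__":
    for ip, port, label in audit(PERIMETER):
        print(f"{ip}:{port} is discoverable via a listed {label} dork")
```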

ZoomEye Dorks

ZoomEye queries optimized for IoT device enumeration (covers IPv6 and regions with lower Shodan penetration).

exf > use osint/zoomeye_dorks
exf (ZoomEyeDorks) > set CATEGORY cameras
exf (ZoomEyeDorks) > run

[+] ZoomEye Dorks - Cameras:

Hikvision:
  app:"Hikvision netcam"
  title:"HIKVISION"

Dahua:
  app:"Dahua DVR"
  title:"DahuaWebView"

Reolink:
  app:"Reolink"
  title:"Reolink"

GPON ONTs with open camera ports:
  port:554 country:BR

Default WPA Key Generators

EasyBox (Arcadyan) WPA2 Keygen

EasyBox routers use a deterministic factory algorithm to derive the WPA2 PSK from the device MAC address.

exf > use exploits/routers/easybox/easybox_wpa_keygen
exf (EasyBoxKeygen) > set MAC AA:BB:CC:DD:EE:FF
exf (EasyBoxKeygen) > run

[+] Device MAC  : AA:BB:CC:DD:EE:FF
[+] WPA2 PSK    : 3f2d9a1b
[!] This is the likely factory WPA2 password for this EasyBox device

# If MAC is unknown - extract from router web UI
exf (EasyBoxKeygen) > set target 192.168.1.1
exf (EasyBoxKeygen) > run
[*] No MAC supplied - attempting to extract from web UI at 192.168.1.1...
[+] MAC found: AA:BB:CC:DD:EE:FF
[+] WPA2 PSK    : 3f2d9a1b

Huawei HG8245 WPA Keygen

exf > use osint/keygen/huawei_hg8245_wpa_keygen
exf (HuaweiWPAKeygen) > set MAC CC:2D:1B:00:11:22
exf (HuaweiWPAKeygen) > run

[*] Computing WPA key for MAC: CC:2D:1B:00:11:22
[+] Derived WPA key: K3F7B
[!] Affects: Huawei HG8245, HG8247 deployed by ISPs

GitHub Recon

Search GitHub for public firmware, configuration files, default credentials, and security research targeting specific devices.

exf > use osint/github_recon
exf (GitHubRecon) > set VENDOR "zte"
exf (GitHubRecon) > set QUERY "ZXHN firmware exploit"
exf (GitHubRecon) > run

[*] Searching GitHub for: zte ZXHN firmware exploit
[+] Results:
    [1] user/zte-h268n-exploit  - ZTE H268N credential disclosure PoC (47 stars)
    [2] researcher/zte-gpon     - GPON ONT research notes, firmware analysis
    [3] pentest/isp-cpe-vulns   - Collection of ISP CPE vulnerabilities including ZTE

exf (GitHubRecon) > set VENDOR "hikvision"
exf (GitHubRecon) > set QUERY "CVE-2021-36260"
exf (GitHubRecon) > run

[+] Results:
    [1] Aiminsun/cve-2021-36260    - PoC exploit for Hikvision RCE
    [2] consultant/hik-rce-scanner - Bulk scanner for CVE-2021-36260
