I have been trying to come up with a way to replace an H.264 RTSP video stream sent from an IP camera to a video surveillance system, with my own fake stream during a man in the middle attack. The ARP spoofing part is easy, as is monitoring the data. But instead of forwarding the legitimate stream, I'd like to inject my own using VLC streaming. I have been using an old Axis P1344 in my tests but I don't know if it matters which one it is. I have a number of cameras to use if someone has specific examples with another manufacturer.

Steps I have taken:

  • Set up a stream on my MITM box using VLC, same URI structure as the surveillance system uses when connecting.
  • Start ARP spoofing between camera and surveillance system without forwarding traffic, expecting the RTSP stream to be hitting my system. I guess something is hitting it but the video stream just dies on the surveillance system.

I'm assuming my approach is too naive and requires something that better simulates the camera <--> surveillance system communication. Looking at Wireshark, there seem to be a good 10 or so HTTP request-response rounds before the video starts to flow using RTSP when first connecting to the camera.

What approach should I use to move ahead? The two days I've spent on this haven't really yielded any results.

MJPEG would be a second acceptable solution. But it's not like the request is a simple image tag whose contents I could just replace.

Hank

0 Answers