ReddRadar
Agent skill
onvifscan
ONVIF device security scanner for testing authentication and brute-forcing credentials. Use when you need to assess security of IP cameras or ONVIF-enabled devices.
Install this agent skill to your Project
npx add-skill https://github.com/aiskillstore/marketplace/tree/main/skills/brownfinesecurity/onvifscan
SKILL.md
Onvifscan - ONVIF Security Scanner
You are helping the user scan ONVIF devices for security issues including authentication bypasses and weak credentials using the onvifscan tool.
Tool Overview
Onvifscan is an ONVIF device security scanner that can:
- Test for unauthenticated access to ONVIF endpoints
- Perform credential brute-forcing attacks
Instructions
When the user asks to scan ONVIF devices, test IP cameras, or assess IoT device security:
-
Determine scan type:
auth: Authentication and access control testing (recommended to start)brute: Credential brute-forcing on password-protected endpoints
-
Get target information:
- Ask for the device URL/IP
- Determine which scan type to run
- Check if they have custom wordlists
-
Execute the scan:
- Use the onvifscan command from the iothackbot bin directory
- Format:
onvifscan <subcommand> <url> [options]
Subcommands
Auth Scan
Tests ONVIF endpoints for authentication requirements:
onvifscan auth http://192.168.1.100
Options:
-v, --verbose: Show full XML responses-a, --all: Test ALL endpoints including potentially destructive ones--format text|json|quiet: Output format
Brute Force
Attempts credential brute-forcing on protected endpoints:
onvifscan brute http://192.168.1.100
Options:
--usernames <file>: Custom usernames wordlist (default: built-in onvif-usernames.txt)--passwords <file>: Custom passwords wordlist (default: built-in onvif-passwords.txt)--format text|json|quiet: Output format
Examples
Quick auth check on a device:
onvifscan auth 192.168.1.100
Auth check with verbose output:
onvifscan auth http://192.168.1.100:8080 -v
Brute force with custom wordlists:
onvifscan brute 192.168.1.100 --usernames custom-users.txt --passwords custom-pass.txt
Important Notes
- URLs can omit
http://- it will be added automatically - Auth scan is non-destructive and safe to run
- Use
-aflag with caution - may test destructive endpoints - Brute force is rate-limited to prevent device overload (max 20 attempts by default)
- Built-in wordlists located in
wordlists/directory
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
aiskillstore/marketplace
perigon-backend
Perigon ASP.NET Core + EF Core + Aspire conventions
aiskillstore/marketplace
perigon-agent
Pointers for Copilot/agents to apply Perigon conventions
aiskillstore/marketplace
perigon-angular
Angular 21+ standalone/Material/signal conventions for Perigon WebApp
aiskillstore/marketplace
fastapi-mastery
Comprehensive FastAPI development skill covering REST API creation, routing, request/response handling, validation, authentication, database integration, middleware, and deployment. Use when working with FastAPI projects, building APIs, implementing CRUD operations, setting up authentication/authorization, integrating databases (SQL/NoSQL), adding middleware, handling WebSockets, or deploying FastAPI applications. Triggered by requests involving .py files with FastAPI code, API endpoint creation, Pydantic models, or FastAPI-specific features.
aiskillstore/marketplace
context7-efficient
Token-efficient library documentation fetcher using Context7 MCP with 86.8% token savings through intelligent shell pipeline filtering. Fetches code examples, API references, and best practices for JavaScript, Python, Go, Rust, and other libraries. Use when users ask about library documentation, need code examples, want API usage patterns, are learning a new framework, need syntax reference, or troubleshooting with library-specific information. Triggers include questions like "Show me React hooks", "How do I use Prisma", "What's the Next.js routing syntax", or any request for library/framework documentation.
aiskillstore/marketplace
browser-use
Browser automation using Playwright MCP. Navigate websites, fill forms, click elements, take screenshots, and extract data. Use when tasks require web browsing, form submission, web scraping, UI testing, or any browser interaction.
Didn't find tool you were looking for?