playbooks

home / skills / brownfinesecurity / iothackbot / wsdiscovery

wsdiscovery skill

/skills/wsdiscovery

This skill helps you discover and enumerate WS-Discovery devices like ONVIF cameras on your network, returning endpoints, device details, and service locations.

npx playbooks add skill brownfinesecurity/iothackbot --skill wsdiscovery

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
2.5 KB
---
name: wsdiscovery
description: WS-Discovery protocol scanner for discovering and enumerating ONVIF cameras and IoT devices on the network. Use when you need to discover ONVIF devices, cameras, or WS-Discovery enabled equipment on a network.
---

# Wsdiscovery - WS-Discovery Protocol Scanner

You are helping the user discover and enumerate devices using the WS-Discovery protocol (commonly used by ONVIF cameras and IoT devices) using the wsdiscovery tool.

## Tool Overview

Wsdiscovery implements the WS-Discovery protocol to discover network devices that support this standard. It's particularly useful for finding ONVIF cameras, network video recorders (NVRs), and other IoT devices that advertise themselves via WS-Discovery.

## Instructions

When the user asks to discover ONVIF devices, find network cameras, or scan for WS-Discovery devices:

1. **Understand the target**:
   - Ask for the target hostname or IP address
   - Determine if they want verbose output (full XML responses)
   - Decide on output format

2. **Execute the scan**:
   - Use the wsdiscovery command from the iothackbot bin directory
   - Basic usage: `wsdiscovery <hostname_or_ip>`
   - For verbose output: `wsdiscovery <hostname_or_ip> -v`
   - For JSON output: `wsdiscovery <hostname_or_ip> --format json`

3. **Output formats**:
   - `--format text` (default): Human-readable colored output with device details
   - `--format json`: Machine-readable JSON
   - `--format quiet`: Minimal output

## What It Discovers

The tool extracts and displays:
- IP addresses and ports
- Endpoint references (device UUIDs)
- Device types
- Manufacturer information
- Device names and models
- Hardware versions
- Serial numbers
- Firmware versions
- Location information
- Service endpoints (XAddrs) - URLs for device management
- Metadata versions

## Examples

Discover devices on a specific host:
```bash
wsdiscovery 192.168.1.100
```

Discover with full XML responses:
```bash
wsdiscovery 192.168.1.100 -v
```

Output device information as JSON:
```bash
wsdiscovery 192.168.1.100 --format json
```

Scan network broadcast address to find all devices:
```bash
wsdiscovery 239.255.255.250
```

## Important Notes

- WS-Discovery uses multicast/broadcast discovery
- Devices must support the WS-Discovery protocol to be found
- Common with ONVIF cameras, printers, and network media devices
- Service endpoints (XAddrs) can be used with onvifscan for further testing
- The tool parses ONVIF-specific scope information when available

Overview

This skill implements a WS-Discovery protocol scanner focused on discovering and enumerating ONVIF cameras and other WS-Discovery enabled IoT devices on a network. It locates devices that advertise via multicast, extracts identifying metadata, and can present results in human or machine-friendly formats. Use it to quickly inventory cameras, NVRs, and compatible network devices for assessment or follow-up testing.

How this skill works

The tool sends WS-Discovery probes (including multicast to 239.255.255.250) and listens for probe matches from devices that implement the protocol. It parses responses to extract IPs, ports, endpoint references (UUIDs), device types, manufacturer/model, firmware and serial data, service endpoints (XAddrs), and ONVIF scope metadata. Output can be plain text, verbose XML, or JSON for automation.

When to use it

  • You need to find ONVIF cameras or NVRs on a local network segment.
  • You want a quick inventory of WS-Discovery enabled IoT devices.
  • Preparing targets for targeted ONVIF or web UI testing.
  • Automating discovery and exporting results to tools that consume JSON.
  • Validating that devices are advertising correct metadata (model, firmware).

Best practices

  • Run against a single host or the multicast address (239.255.255.250) depending on scope.
  • Use verbose (-v) only when you need the raw XML responses for debugging.
  • Prefer JSON output (--format json) for downstream parsing or pipelines.
  • Combine XAddrs with ONVIF tooling for authentication and deeper enumeration.
  • Perform discovery from the same network segment as the target to avoid multicast filtering.

Example use cases

  • Discover all ONVIF cameras on a subnet via multicast to build an asset list.
  • Probe a specific IP to confirm device model, firmware, and management endpoints.
  • Export discovery results as JSON for integration with inventory or pentest frameworks.
  • Collect raw XML responses for troubleshooting device discovery or scope parsing.
  • Feed discovered XAddrs into onvif scanners to enumerate services and credentials.

FAQ

Do devices have to be on the same subnet?

Yes — WS-Discovery uses multicast/broadcast, so discovery typically requires running from the same network segment or through network infrastructure that forwards multicast.

What output should I use for automation?

Use --format json for machine-readable output; it contains IPs, XAddrs, UUIDs, and metadata suitable for scripts and scanners.