Last week we distributed a new version of VOIPPACK with the following new tools:
- vp_cucmjailbreak : Given an SSH username and password for CUCM's restricted shell, this script creates a new root user and installs MOSDEF
- vp_ciscophonescanner : Searches for Cisco phones on the target network by using HTTP and DNS probes
- vp_cucmtftplist : Makes use of CUCM's "TFTP" server to list the phones' MAC addresses / phone names
Trixbox / FreePBX environment:
- vp_fopextensionenum : Enumerates extensions on FreePBX through the flash operator panel
- vp_freepbx_exec1 : Installs MOSDEF on vulnerable Trixbox or FreePBX servers given a username and password for the admin interface
- vp_mgcpscanner : A generic MGCP network scanner
Additionally, we improved vp_sipenumerate so that it can scan Asterisk servers regardless of the alwaysauthreject option in Asterisk, and so that it works better with vp_bypassalwaysreject too!
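From the defender's side, SIP extension enumeration shows up as one source failing registration against many distinct extensions, whatever failure reason the server logs. The following is an added example, not part of VOIPPACK or the original post, that flags such sources; the log lines are constructed and modeled on the NOTICE messages Asterisk's chan_sip writes, and the function name, IPv4-only matching and threshold are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed chan_sip NOTICE format, not from the post).
# 198.51.100.7 walks extensions 100-105; 203.0.113.20 mistypes one password twice.
SAMPLE_LOG = [
    f"[2011-03-01 10:00:0{i}] NOTICE[2211] chan_sip.c: Registration from "
    f"'<sip:10{i}@192.0.2.10>' failed for '198.51.100.7' - {reason}"
    for i, reason in enumerate(["No matching peer found", "Wrong password"] * 3)
] + [
    "[2011-03-01 10:05:00] NOTICE[2211] chan_sip.c: Registration from "
    "'\"200\" <sip:200@192.0.2.10>' failed for '203.0.113.20:5060' - Wrong password",
    "[2011-03-01 10:05:30] NOTICE[2211] chan_sip.c: Registration from "
    "'\"200\" <sip:200@192.0.2.10>' failed for '203.0.113.20:5060' - Wrong password",
    "[2011-03-01 10:06:00] VERBOSE[2211] chan_sip.c: Reloading SIP",
]

# Extension from the From URI, IPv4 source with an optional port.
# The failure reason is deliberately not matched, so the check does not
# depend on which reason text the server records.
FAILED_REG = re.compile(
    r"Registration from '[^']*<sip:(?P<ext>[^@>]+)@[^>]*>' failed for "
    r"'(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
)


def find_enumerators(lines, min_extensions=5):
    """Return {source_ip: sorted extensions} for every source that failed
    registration against at least min_extensions distinct extensions."""
    seen = defaultdict(set)
    for line in lines:
        match = FAILED_REG.search(line)
        if match:
            seen[match.group("src")].add(match.group("ext"))
    return {
        src: sorted(exts)
        for src, exts in seen.items()
        if len(exts) >= min_extensions
    }


if __name__ == "__main__":
    for src, exts in find_enumerators(SAMPLE_LOG).items():
        print(f"possible extension enumeration from {src}: {', '.join(exts)}")
```

Repeated failures against a single extension, as from 203.0.113.20 here, stay below the threshold and are better handled by a separate password-guessing check.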
What does cucmjailbreak do?
This is a new tool that automates the procedure outlined on Recurity Labs' blog and allows CANVAS to install MOSDEF. This effectively allows you to use stolen Cisco CallManager credentials to fully compromise the server. The following video demonstrates the tool in action:
What does fopextensionenum do?
When trying to gain access to phone extensions on a target PBX server, attackers first need to find out which extensions exist on the server. Typically one would use features in SIP to do this; however, an easier method is to abuse the Flash Operator Panel (FOP) to enumerate extensions. The following video demonstrates the tool in action:
What does ciscophonescanner do?
This tool scans a target IP address range and extracts the names of each phone found. It currently does this by making use of 2 methods: reverse DNS names and connecting to the HTTP interface of the Cisco phone. Video demo:
What about the other tools?
- CUCM TFTP list tool (vp_cucmtftplist) makes use of the Cisco CallManager's special TFTP server, which allows listing of the files on the TFTP server
- FreePBX exec1 tool (vp_freepbx_exec1) allows installation of MOSDEF on a vulnerable target Trixbox or FreePBX server by abusing an unpatched PHP script in the administrative section. This leads to root access to the target server
- We also added a generic MGCP scanner (vp_mgcpscanner), which helps find devices that speak the protocol
That's it for now. For more information about VOIPPACK take a look at the products page.