Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

And the Cisco 7940 phone leaks its password hash..


With some help from Sean in the US, Sandro and I could access a Cisco 7940 phone (with a SIP stack) from the Internet. We called it from our public IP (shown as 192.168.1.1).

[ Fri Apr 10 21:16:16 2009 ](192.168.1.1/32) Proxy auth:
['Digest username="5555914760",realm="localhost",uri="sip:192.168.2.2",response="a718dsf8c742799f1c22fbcd1d4637d801b",nonce="a",algorithm=MD5']
[ Fri Apr 10 21:16:16 2009 ](192.168.1.1/32) The phone rings on extension 5555914760
[ Fri Apr 10 21:16:16 2009 ](192.168.1.1/32) Launching the password cracker
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) Password was not guessed
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) Use the SIP Digest Cracker to perform an extensive bruteforce
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) username: 5555914760
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) nonce: a
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) realm: localhost
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) uri: sip:192.168.2.2
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) method: BYE
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) response: a7188cfwet742799f1c22fbcd1d4637d801b

Then we could start our brute forcing of the password, and then either log in and receive calls as Sean, or make outbound calls as him. The next phone to test is the Snom phone.
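An added example, not part of the original post: a small detection check that parses a captured Digest credential like the one in the log above and flags the signs visible there (answer sent to a peer that is not the provider's proxy, a realm that is not the provider's, a one-character nonce). The expected realm, minimum nonce length, trusted proxy address and the second sample header are assumptions made up for illustration.

```python
import re

# Assumed deployment values (hypothetical, not from the post): the realm the
# real registrar/proxy uses and the shortest nonce it would ever issue.
EXPECTED_REALM = "sip.example.net"
MIN_NONCE_LEN = 16
TRUSTED_PEERS = {"198.51.100.10"}   # constructed: the provider's proxy

PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')

def parse_digest(header):
    """Parse 'Digest k="v",k=v,...' credentials into a dict of parameters."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    params = {}
    for m in PARAM_RE.finditer(rest):
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = quoted if quoted is not None else bare
    return params

def audit(header, peer):
    """Return findings for one credential a phone sent to `peer`."""
    p = parse_digest(header)
    findings = []
    if peer not in TRUSTED_PEERS:
        findings.append("untrusted-peer")      # hash handed to a stranger
    if p.get("realm") != EXPECTED_REALM:
        findings.append("unexpected-realm")    # challenge not from our proxy
    if len(p.get("nonce", "")) < MIN_NONCE_LEN:
        findings.append("short-nonce")         # challenger picked a trivial nonce
    return findings

# Credential string as it appears in the post's log (quotes normalised).
LEAKED = ('Digest username="5555914760",realm="localhost",'
          'uri="sip:192.168.2.2",'
          'response="a718dsf8c742799f1c22fbcd1d4637d801b",'
          'nonce="a",algorithm=MD5')
# Constructed sample of a normal answer to the provider's own proxy.
NORMAL = ('Digest username="5555914760",realm="sip.example.net",'
          'nonce="5f2c9d1e8a7b4c3d9e0f",uri="sip:sip.example.net",'
          'response="0123456789abcdef0123456789abcdef",algorithm=MD5')

if __name__ == "__main__":
    print(audit(LEAKED, "192.168.1.1"))    # peer address as shown in the log
    print(audit(NORMAL, "198.51.100.10"))
```

A phone or border device that applies the same three conditions before answering a challenge would not send the response in the first place.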