Tuesday 20 December 2011, by Cedric Baillet
How could it be feasible to develop a new script to scan a VoIP environment and create something new and useful?
A tough question, isn’t it? After some thinking, and having wanted to play in the lab for some time now, I came to the conclusion that the free scanning scripts were not adapted to enterprise VoIP and do not exploit all the possibilities offered by being connected directly to the IP Phone VLAN.
Thus my first target is the Cisco IP Phone. The embedded Cisco IP Phone web server makes it an easy target, full of interesting information. Moreover, the pieces of information collected there should make it feasible to get the phone’s configuration file directly from the TFTP server. Indeed, it is much easier once we know the name of the file: brute forcing TFTP is just not really convincing, whereas requesting the file by its proper name is truly effective. You will find in Annex A of the document a sample of the config file. It should help you appreciate how interesting it could be to obtain this file.
Other equipment offers fewer possibilities but could nevertheless provide information such as:
• SIP/SIPS (TCP/UDP) enabled
• Embedded web server
• Web server banner
• Vendor identification through the MAC address
To finish, one last module that starts to go beyond the scanning field: IP Phone web interface testing, to verify that the default login/password has been changed.