Penetration Testing mailing list archives

Re: IP Telephony pen-test and VLAN's


From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 19 May 2006 11:47:53 +0200 (CEST)

On Wed, 17 May 2006, Chris Serafin wrote:

[snip]

> I work exclusively in the Cisco IPT industry and I come from a security
> background so I would love to chat about this with you/the community:)

Here's some additional information about Cisco CallManager (verified on
version 4.1.3):

# nmap -sV x.x.x.x

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2006-05-11 14:31 CEST
Interesting ports on x.x.x.x:
(The 1646 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS webserver 5.0
102/tcp  open  iso-tsap?
135/tcp  open  msrpc         Microsoft Windows msrpc
139/tcp  open  netbios-ssn
443/tcp  open  ssl/http      Microsoft IIS webserver 5.0
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1433/tcp open  ms-sql-s?
1720/tcp open  H.323/Q.931?
2000/tcp open  callbook?
2001/tcp open  dc?
2002/tcp open  globe?
3389/tcp open  microsoft-rdp Microsoft Terminal Service (Windows 2000 Server)
8009/tcp open  ajp13?

[...]

# nmap -sU x.x.x.x

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2006-05-11 14:40 CEST
Interesting ports on x.x.x.x:
(The 1466 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
67/udp   open  dhcpserver
68/udp   open  dhcpclient
69/udp   open  tftp
123/udp  open  ntp
137/udp  open  netbios-ns
138/udp  open  netbios-dgm
161/udp  open  snmp
445/udp  open  microsoft-ds
500/udp  open  isakmp
1434/udp open  ms-sql-m
3456/udp open  IISrpc-or-vat
4321/udp open  rwhois

Nmap run completed -- 1 IP address (1 host up) scanned in 9.655 seconds

After a very quick analysis on a production system (non-default), the box
seems to be pretty well patched. Of course YMMV;) I found an information
leak on TFTP (port 69/udp), which allows downloading (upload is forbidden)
of some configuration files, like:

/MOH/SampleAudioSource.xml
Annunciator.xml
RingList.xml
(there are also some .wav and .raw sound samples, and so on)

Finally, the web interface can also be accessed at this URL (not sure if
it presents any differences from https://10.23.0.254/ccmadmin):

https://10.23.0.254/ccmservice

According to the on-line documentation, the default account should be
CCMAdministrator/ciscocisco, although I've not verified it.

I've not been able to perform a full test on the appliance yet, but I'm
planning to do so in the near future. Stay tuned.

Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
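The two checks behind the TFTP observation above (known files can be read, writes are refused) as an added example, not code from Marco's post or from Cisco: a minimal RFC 1350 client that issues a read request for each file name he lists and ACKs the DATA blocks, plus a write-request probe that sends only the WRQ and reports whether the server answers ACK or ERROR. So that it runs offline, it talks to a constructed in-process read-only server with made-up file contents; 127.0.0.1, the ephemeral port, the probe name probe.txt and the decoy does-not-exist.xml are all assumptions for the demo. Point tftp_get and tftp_upload_allowed at a real host and port 69 to use it during a test.

```python
import socket
import struct
import threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # a DATA block shorter than this ends the transfer

# Names quoted in the post; the contents are constructed stand-ins, not real files.
KNOWN_FILES = ["RingList.xml", "Annunciator.xml", "/MOH/SampleAudioSource.xml"]
FAKE_FS = {"RingList.xml": b"<CiscoIPPhoneRingList>" + b"<Ring/>" * 100 + b"</CiscoIPPhoneRingList>",
           "Annunciator.xml": b"<annunciator/>",
           "MOH/SampleAudioSource.xml": b"<MOHAudioSource/>"}


def _request(opcode, filename):
    # RRQ/WRQ layout: opcode(2) | filename | NUL | mode | NUL
    return struct.pack("!H", opcode) + filename.encode() + b"\0octet\0"


def tftp_get(host, port, filename, timeout=2.0):
    """Download filename: bytes on success, None if the server answers ERROR."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)  # a silent server raises socket.timeout to the caller
    try:
        sock.sendto(_request(RRQ, filename), (host, port))
        data, expected = b"", 1
        while True:
            pkt, peer = sock.recvfrom(4 + BLOCK)
            op, num = struct.unpack("!HH", pkt[:4])
            if op == ERROR:
                return None
            if op != DATA or num != expected:
                continue  # duplicate block; a full client would re-ACK it
            data += pkt[4:]
            sock.sendto(struct.pack("!HH", ACK, num), peer)  # ACK to the server's transfer port
            expected += 1
            if len(pkt) - 4 < BLOCK:
                return data
    finally:
        sock.close()


def tftp_upload_allowed(host, port, filename="probe.txt", timeout=2.0):
    """WRQ only, no data sent: True if ACK 0 comes back, False on ERROR, None if silent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(_request(WRQ, filename), (host, port))
        op, num = struct.unpack("!HH", sock.recvfrom(4 + BLOCK)[0][:4])
        return op == ACK and num == 0
    except socket.timeout:
        return None
    finally:
        sock.close()


def start_readonly_server(files):
    """Constructed read-only TFTP server on 127.0.0.1; returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    stop = threading.Event()

    def send_file(peer, body):
        # Real servers answer from a fresh ephemeral port (the transfer TID); do the same.
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        xfer.settimeout(2.0)
        blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
        if not blocks or len(blocks[-1]) == BLOCK:
            blocks.append(b"")  # explicit short final block
        for num, chunk in enumerate(blocks, 1):
            xfer.sendto(struct.pack("!HH", DATA, num) + chunk, peer)
            xfer.recvfrom(4)  # wait for the client's ACK (no retransmit in this demo)
        xfer.close()

    def serve():
        while not stop.is_set():
            try:
                pkt, peer = srv.recvfrom(4 + BLOCK)
            except socket.timeout:
                continue
            op = struct.unpack("!H", pkt[:2])[0]
            name = pkt[2:].split(b"\0")[0].decode(errors="replace").lstrip("/")
            if op == WRQ:  # uploads forbidden, as on the box in the post
                srv.sendto(struct.pack("!HH", ERROR, 2) + b"Access violation\0", peer)
            elif op != RRQ or name not in files:
                srv.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", peer)
            else:
                send_file(peer, files[name])
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def demo():
    """Enumerate the known names plus one decoy, then probe for write access."""
    port, stop = start_readonly_server(FAKE_FS)
    try:
        found = {n: tftp_get("127.0.0.1", port, n) for n in KNOWN_FILES + ["does-not-exist.xml"]}
        return found, tftp_upload_allowed("127.0.0.1", port)
    finally:
        stop()
```

Two details matter when this is pointed at a real host: the server replies from a fresh UDP port rather than 69, so ACKs must go back to the address the DATA came from (and a stateful firewall between you and the target must allow that), and the write probe stops at the WRQ, so it never modifies anything on the box even when the server would have accepted data.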

