Penetration Testing mailing list archives
Re: IP Telephony pen-test and VLAN's
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 19 May 2006 11:47:53 +0200 (CEST)
On Wed, 17 May 2006, Chris Serafin wrote:

[snip]
> I work exclusively in the Cisco IPT industry and I come from a security
> background so I would love to chat about this with you/the community:)

Here's some additional information about Cisco CallManager (verified on
version 4.1.3):

# nmap -sV x.x.x.x

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2006-05-11 14:31 CEST
Interesting ports on x.x.x.x:
(The 1646 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS webserver 5.0
102/tcp  open  iso-tsap?
135/tcp  open  msrpc         Microsoft Windows msrpc
139/tcp  open  netbios-ssn
443/tcp  open  ssl/http      Microsoft IIS webserver 5.0
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1433/tcp open  ms-sql-s?
1720/tcp open  H.323/Q.931?
2000/tcp open  callbook?
2001/tcp open  dc?
2002/tcp open  globe?
3389/tcp open  microsoft-rdp Microsoft Terminal Service (Windows 2000 Server)
8009/tcp open  ajp13?
[...]

# nmap -sU x.x.x.x

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2006-05-11 14:40 CEST
Interesting ports on x.x.x.x:
(The 1466 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
67/udp   open  dhcpserver
68/udp   open  dhcpclient
69/udp   open  tftp
123/udp  open  ntp
137/udp  open  netbios-ns
138/udp  open  netbios-dgm
161/udp  open  snmp
445/udp  open  microsoft-ds
500/udp  open  isakmp
1434/udp open  ms-sql-m
3456/udp open  IISrpc-or-vat
4321/udp open  rwhois

Nmap run completed -- 1 IP address (1 host up) scanned in 9.655 seconds

After a very quick analysis on a production system (non-default), the box
seems to be pretty well patched. Of course YMMV;)

I found an information leak on TFTP (port 69/udp), which allows downloading
(upload is forbidden) of some configuration files, like:

/MOH/SampleAudioSource.xml
Annunciator.xml
RingList.xml
(there are also some .wav and .raw sound samples, and so on)

Finally, the web interface can also be accessed at this url (not sure if it
presents any differences from https://10.23.0.254/ccmadmin):

https://10.23.0.254/ccmservice

According to the on-line documentation, the default account should be
CCMAdministrator/ciscocisco, although I've not verified it.

I've not been able to perform a full test on the appliance yet, but I'm
planning to do so in the near future. Stay tuned.

Cheers,

--
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
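
An added example, not part of the original post: a small audit helper that parses nmap normal output like the scans above and lists open ports that a voice-VLAN ACL would not be expected to permit. The sample lines are constructed from ports reported in the post, and the allowlist (SCCP, H.323, TFTP, DHCP, NTP) and the name VOICE_VLAN_ALLOW are assumptions to be replaced with the site's own policy.

```python
import re

# Constructed sample: a few lines in nmap's normal-output format, using
# ports reported in the post above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS webserver 5.0
1433/tcp open  ms-sql-s?
1720/tcp open  H.323/Q.931?
2000/tcp open  callbook?
3389/tcp open  microsoft-rdp Microsoft Terminal Service (Windows 2000 Server)
PORT     STATE SERVICE
69/udp   open  tftp
161/udp  open  snmp
1434/udp open  ms-sql-m
"""

# Assumption: what phones on the voice VLAN need to reach on the call server
# (SCCP 2000/tcp, H.323 1720/tcp, TFTP 69/udp, DHCP 67/udp, NTP 123/udp).
VOICE_VLAN_ALLOW = {(2000, "tcp"), (1720, "tcp"), (69, "udp"),
                    (67, "udp"), (123, "udp")}

# Matches result rows such as "1433/tcp open  ms-sql-s?"; header rows do not match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text):
    """Return [(port, proto, service)] for every row whose state is 'open'."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            # nmap appends '?' when it is guessing the service name.
            found.append((int(m.group(1)), m.group(2), m.group(4).rstrip("?")))
    return found


def unexpected_exposure(text, allow=VOICE_VLAN_ALLOW):
    """Open ports not covered by the allowlist, sorted for stable output."""
    return sorted(p for p in parse_open_ports(text) if (p[0], p[1]) not in allow)


if __name__ == "__main__":
    for port, proto, service in unexpected_exposure(SAMPLE_SCAN):
        print(f"restrict {port}/{proto} ({service}) to the management network")
```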